[Classic experience](../operate/windows-autopatch-windows-quality-update-overview.md) |
-| Windows feature update | Windows Autopatch uses four deployment rings to manage Windows feature updates. For more detailed information, see: - [Windows Autopatch groups experience](windows-autopatch-groups-windows-feature-update-overview.md)
- [Classic experience](windows-autopatch-windows-feature-update-overview.md)
|
+| Windows quality update | Windows Autopatch uses four deployment rings to manage [Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md) |
+| Windows feature update | Windows Autopatch uses four deployment rings to manage [Windows feature updates](windows-autopatch-groups-windows-feature-update-overview.md) |
| Anti-virus definition | Updated with each scan. |
-| Microsoft 365 Apps for enterprise | For more information, see [Microsoft 365 Apps for enterprise](windows-autopatch-microsoft-365-apps-enterprise.md). This software update workload uses the classic experience. |
-| Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). This software update workload uses the classic experience. |
-| Microsoft Teams | For more information, see [Microsoft Teams](../operate/windows-autopatch-teams.md). This software update workload uses the classic experience. |
+| Microsoft 365 Apps for enterprise | For more information, see [Microsoft 365 Apps for enterprise](windows-autopatch-microsoft-365-apps-enterprise.md). |
+| Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). |
+| Microsoft Teams | For more information, see [Microsoft Teams](../operate/windows-autopatch-teams.md). |
## Autopatch groups
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md
index 698bdc24c9..58625ecd75 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md
@@ -1,7 +1,7 @@
---
-title: Windows feature updates overview with Autopatch groups
+title: Windows feature updates overview
description: This article explains how Windows feature updates are managed with Autopatch groups
-ms.date: 05/03/2023
+ms.date: 07/25/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@@ -15,10 +15,7 @@ ms.collection:
- tier1
---
-# Windows feature updates overview: Autopatch groups experience (public preview)
-
-> [!IMPORTANT]
-> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
**To opt-in to use Windows Autopatch groups:**- Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
- Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
- Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+# Windows feature updates overview
Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md
index 17cb7aa33c..da80289277 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md
@@ -1,7 +1,7 @@
---
title: Feature update status report
description: Provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
-ms.date: 05/01/2023
+ms.date: 07/25/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@@ -15,10 +15,7 @@ ms.collection:
- tier1
---
-# Feature update status report (public preview)
-
-> [!IMPORTANT]
-> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
**To opt-in to use Windows Autopatch groups:**- Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
- Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
- Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+# Feature update status report
The Feature update status report provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
@@ -62,6 +59,10 @@ The following information is available as optional columns in the Feature update
| User Last Logged On | The last user who logged on as reported from Intune |
| Primary User UPN | The Primary User UPN as reported from Intune |
| Hex Error Code | The hex error provided from Windows Update |
+| Feature Update Installed Time | The time the update was installed as reported from Windows Update |
+| Servicing Channel | The Client Servicing Channel as defined in Windows Update |
+| Phase | The phase as indicated from the Feature Update Release Scheduled |
+| Release | The release the devices are associated with |
> [!NOTE]
> The Service State, Service Substate, Client State, Client Substate, Servicing Channel, and Hex Error Code columns may not display any values. These columns are supplemental and might not display for all devices
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
index 95c7c23f50..37d261d766 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
@@ -1,7 +1,7 @@
---
title: Windows feature update summary dashboard
description: Provides a broader view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
-ms.date: 05/01/2023
+ms.date: 07/25/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@@ -15,10 +15,7 @@ ms.collection:
- tier1
---
-# Windows feature update summary dashboard (public preview)
-
-> [!IMPORTANT]
-> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
**To opt-in to use Windows Autopatch groups:**- Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
- Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
- Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+# Windows feature update summary dashboard
The summary dashboard provides a broader view of the current Windows OS update status for all devices registered with Windows Autopatch.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md
index d7be7a1540..fba33aa57e 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md
@@ -1,7 +1,7 @@
---
title: Feature update trending report
description: Provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days.
-ms.date: 05/01/2023
+ms.date: 07/25/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@@ -15,17 +15,14 @@ ms.collection:
- tier1
---
-# Feature update trending report (public preview)
-
-> [!IMPORTANT]
-> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
**To opt-in to use Windows Autopatch groups:**- Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
- Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
- Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+# Feature update trending report
Windows Autopatch provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days.
**To view the Feature update trending report:**
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Navigate to **Reports** > **Windows Autopatch** > **Windows feature updates (public preview)**.
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows feature updates**.
1. Select the **Reports** tab.
1. Select **Feature update trending**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
index 78da3612ba..530e401066 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
@@ -1,7 +1,7 @@
---
-title: Windows quality and feature update reports overview with Windows Autopatch Groups experience
+title: Windows quality and feature update reports overview
description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch groups
-ms.date: 05/01/2023
+ms.date: 07/25/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@@ -15,10 +15,7 @@ ms.collection:
- tier1
---
-# Windows quality and feature update reports overview: Windows Autopatch groups experience (public preview)
-
-> [!IMPORTANT]
-> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
**To opt-in to use Windows Autopatch groups:**- Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
- Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
- Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+# Windows quality and feature update reports overview
## Windows quality reports
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md
index de3076eac4..07094d7204 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md
@@ -1,7 +1,7 @@
---
title: Windows quality update communications for Autopatch groups
description: This article explains Windows quality update communications for Autopatch groups
-ms.date: 05/01/2023
+ms.date: 07/25/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@@ -15,11 +15,7 @@ ms.collection:
- tier1
---
-# Windows quality update communications: Windows Autopatch groups experience (public preview)
-
-> [!IMPORTANT]
-> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
**To opt-in to use Windows Autopatch groups:**- Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
- Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
- Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
-
+# Windows quality update communications
There are three categories of communication that are sent out during a Windows quality and feature update:
@@ -45,9 +41,6 @@ Communications are posted to, as appropriate for the type of communication, to t
### Opt out of receiving emails for standard communications
-> [!IMPORTANT]
-> This feature is in **public preview**. This feature is being actively developed and may not be complete. You can test and use these features in production environments and provide feedback.
-
If you don't want to receive standard communications for Windows Updates releases via email, you can choose to opt out.
**To opt out of receiving emails for standard communications:**
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md
index b62341e010..3459608d52 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md
@@ -1,7 +1,7 @@
---
title: Windows quality update end user experience for Autopatch groups
description: This article explains the Windows quality update end user experience using the Autopatch groups exp
-ms.date: 05/01/2023
+ms.date: 07/25/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@@ -15,10 +15,7 @@ ms.collection:
- tier1
---
-# Windows quality update end user experience: Windows Autopatch groups experience (public preview)
-
-> [!IMPORTANT]
-> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
**To opt-in to use Windows Autopatch groups:**- Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
- Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
- Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+# Windows quality update end user experience
## User notifications
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
index 49540bdcf0..57b9aa5aad 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
@@ -1,7 +1,7 @@
---
title: Windows quality updates overview with Autopatch groups experience
description: This article explains how Windows quality updates are managed with Autopatch groups
-ms.date: 05/01/2023
+ms.date: 07/25/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@@ -15,10 +15,7 @@ ms.collection:
- tier1
---
-# Windows quality updates: Windows Autopatch groups experience (public preview)
-
-> [!IMPORTANT]
-> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
**To opt-in to use Windows Autopatch groups:**- Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
- Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
- Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+# Windows quality updates
Windows Autopatch deploys the [Monthly security update releases](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md
index db5749bf16..aa8e2f4e82 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md
@@ -1,7 +1,7 @@
---
title: Windows quality update release signals with Autopatch groups
description: This article explains the Windows quality update release signals with Autopatch groups
-ms.date: 05/01/2023
+ms.date: 07/25/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@@ -15,10 +15,7 @@ ms.collection:
- tier1
---
-# Windows quality update signals: Windows Autopatch groups experience (public preview)
-
-> [!IMPORTANT]
-> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
**To opt-in to use Windows Autopatch groups:**- Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
- Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
- Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+# Windows quality update signals
Windows Autopatch monitors a specific set of signals and aims to release the monthly security update both quickly and safely. The service doesn't comprehensively monitor every use case in Windows.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md
index 95503c7a43..703ee03554 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md
@@ -1,7 +1,7 @@
---
title: Quality update status report
description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices with Autopatch groups.
-ms.date: 05/01/2023
+ms.date: 07/25/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@@ -15,10 +15,7 @@ ms.collection:
- tier1
---
-# Quality update status report (public preview)
-
-> [!IMPORTANT]
-> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
**To opt-in to use Windows Autopatch groups:**- Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
- Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
- Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+# Quality update status report
The Quality update status report provides a per device view of the current update status for all Windows Autopatch enrolled devices.
@@ -65,6 +62,9 @@ The following information is available as optional columns in the Quality update
| User Last Logged On | The last user who logged on as reported from Intune |
| Primary User UPN | The Primary User UPN as reported from Intune |
| Hex Error Code | The hex error provided from Windows Update |
+| Cadence Type | The cadence type configured in the quality update ring schedule |
+| Quality update Installed Time | The time the update was installed as reported from Windows Update |
+| Servicing Channel | The Client Servicing Channel as defined in Windows Update |
> [!NOTE]
> The Service State, Service Substate, Client State, Client Substate, Servicing Channel, and Hex Error Code columns may not display any values. These columns are supplemental and might not display for all devices
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
index 0b114fc081..154e93fb08 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
@@ -1,7 +1,7 @@
---
title: Windows quality update summary dashboard
description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch with Autopatch groups
-ms.date: 05/01/2023
+ms.date: 07/25/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@@ -15,10 +15,7 @@ ms.collection:
- tier1
---
-# Windows quality update summary dashboard (public preview)
-
-> [!IMPORTANT]
-> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
**To opt-in to use Windows Autopatch groups:**- Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
- Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
- Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+# Windows quality update summary dashboard
The summary dashboard provides a summary view of the current update status for all devices enrolled into Windows Autopatch.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
index 263cf79726..e68ee4d6bd 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
@@ -15,10 +15,7 @@ ms.collection:
- tier1
---
-# Quality update trending report (public preview)
-
-> [!IMPORTANT]
-> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
**To opt-in to use Windows Autopatch groups:**- Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
- Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
- Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+# Quality update trending report
The Quality update trending report provides a visual representation of the update status trend for all devices over the last 90 days.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md
index 0158ab6b84..9f63be7938 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md
@@ -1,7 +1,7 @@
---
title: Customize Windows Update settings Autopatch groups experience
description: How to customize Windows Updates with Autopatch groups
-ms.date: 05/01/2023
+ms.date: 07/25/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@@ -15,13 +15,7 @@ ms.collection:
- tier1
---
-# Customize Windows Update settings: Autopatch groups experience (public preview)
-
-> [!IMPORTANT]
-> This feature is in **public preview**. The feature is being actively developed, and may not be complete. You can test and use these features in production environments and provide feedback.
-
-> [!IMPORTANT]
-> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
**To opt-in to use Windows Autopatch groups:**- Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
- Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
- Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+# Customize Windows Update settings
You can customize the Windows Update deployment schedule for each deployment ring in Windows Autopatch groups per your business and organizational needs. This capability is allowed for both [Default](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) and [Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups). However, we recommend that you remain within service defined boundaries to maintain compliance.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md
index 9e4d0728c3..e0298e93f1 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md
@@ -55,7 +55,7 @@ The `CreateDriverUpdatePolicy` is created for the Test, First, Fast, and Broad d
| Policy name | DisplayName | Description | Approval Type | DeploymentDeferralInDays |
| ----- | ----- | ----- | ----- | ----- |
-| `CreateDriverUpdatePolicy` | Windows Autopatch – Driver Update policy [Test/First/Fast/Broad] | Driver Update Policy for device Test/First/Fast/Broad group | Automatic | `0` |
+| `CreateDriverUpdatePolicy` | Windows Autopatch – Driver Update Policy [Test/First/Fast/Broad] | Driver Update Policy for device Test/First/Fast/Broad group | Automatic | `0` |
> [!NOTE]
> In public preview, the DeploymentDeferralInDays setting is set to `0` for all deployment rings.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md
index 6e004039fb..d998b1df2c 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md
@@ -1,7 +1,7 @@
---
title: policy health and remediation
description: Describes what Autopatch does it detects policies in the tenant are either missing or modified to states that affect the service
-ms.date: 05/01/2023
+ms.date: 07/25/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@@ -15,10 +15,7 @@ ms.collection:
- tier1
---
-# Policy health and remediation (public preview)
-
-> [!IMPORTANT]
-> This feature is in **public preview**. This feature is being actively developed and may not be complete. You can test and use these features in production environments and provide feedback.
+# Policy health and remediation
Windows Autopatch uses Microsoft Intune policies to set configurations and deliver the service. Windows Autopatch continuously monitors the policies and maintains all configurations related to the operation of the service.
@@ -61,7 +58,7 @@ The minimum role required to restore configurations is **Intune Service Administ
There will be an alert for each policy that is missing or has deviated from the service defined values.
-## Restore Windows update policies
+## Restore Windows Update policies
**To initiate remediation actions for Windows quality update policies:**
@@ -83,19 +80,14 @@ There will be an alert for each policy that is missing or has deviated from the
## Restore deployment groups
-**To initiate remediation action for missing groups:**
+Windows Autopatch will automatically restore any missing groups that are required by the service. When a missing deployment group is restored, and the policies are also missing, the policies be restored to the deployment groups.
-1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Navigate to **Tenant administration** > **Tenant management** > **Actions**.
-1. Select **Restore missing group** to launch the workflow.
-1. Review the message and select **Restore group**.
+If policies are misconfigured or unassigned, admins must restore them. In the Release management blade, the service will raise a Policy error workflow that you must complete to repair Windows Update policies. All other policies must be restored from the Tenant administration blade.
-When a missing deployment group is restored, the policies will be reassigned back to the deployment groups. In the Release management blade, the service will raise a Policy Error that you'll need to complete to repair Windows Update policies. Due to the asynchronous run of service detectors, it may take up to four (4) hours for this error to be displayed.
+Due to the asynchronous run of service detectors, it might take up to four (4) hours for this error to be displayed.
> [!NOTE]
-> While Windows Autopatch continuously monitors the policies, all policy alerts are raised within four (4) hours of detection.Alerts will remain active until an IT admin completes the action to restore them to a healthy state.
-
-There are no Autopatch reports for policy alerts and actions at this time.
+> While Windows Autopatch continuously monitors the policies, all policy alerts are raised within four (4) hours of detection.Alerts will remain active until an IT admin completes the action to restore them to a healthy state.
There are no Autopatch reports for policy alerts and actions at this time.
## Use audit logs to track actions in Microsoft Intune
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
deleted file mode 100644
index ab0e071954..0000000000
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
+++ /dev/null
@@ -1,107 +0,0 @@
----
-title: Software update management
-description: This article provides an overview of how updates are handled in Autopatch
-ms.date: 08/08/2022
-ms.prod: windows-client
-ms.technology: itpro-updates
-ms.topic: overview
-ms.localizationpriority: medium
-author: tiaraquan
-ms.author: tiaraquan
-manager: dougeby
-ms.reviewer: andredm7
-ms.collection:
- - highpri
- - tier1
----
-
-# Software update management
-
-Keeping your devices up to date is a balance of speed and stability. Windows Autopatch connects all devices to a modern cloud-based infrastructure to manage updates on your behalf.
-
-## Software update workloads
-
-| Software update workload | Description |
-| ----- | ----- |
-| Windows quality update | Windows Autopatch uses four deployment rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md). |
-| Windows feature update | Windows Autopatch uses four deployment rings to manage Windows feature updates. For more detailed information, see [Windows feature updates](windows-autopatch-windows-feature-update-overview.md).
-| Anti-virus definition | Updated with each scan. |
-| Microsoft 365 Apps for enterprise | For more information, see [Microsoft 365 Apps for enterprise](windows-autopatch-microsoft-365-apps-enterprise.md). |
-| Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). |
-| Microsoft Teams | For more information, see [Microsoft Teams](../operate/windows-autopatch-teams.md). |
-
-## Windows Autopatch deployment rings
-
-During the [tenant enrollment process](../prepare/windows-autopatch-enroll-tenant.md), Windows Autopatch creates four Azure AD assigned groups that are used to segment devices into its deployment rings:
-
-| Ring | Description |
-| ----- | ----- |
-| **Modern Workplace Devices-Windows Autopatch-Test** | Deployment ring for testing update deployments prior production rollout.|
-| **Modern Workplace Devices-Windows Autopatch-First** | First production deployment ring for early adopters.|
-| **Modern Workplace Devices-Windows Autopatch-Fast** | Fast deployment ring for quick rollout and adoption. |
-| **Modern Workplace Devices-Windows Autopatch-Broad** | Final deployment ring for broad rollout into the organization. |
-
-Each deployment ring has a different set of update deployment policies to control the updates rollout.
-
-> [!WARNING]
-> Adding or importing devices into any of these groups directly is not supported and doing so might cause an unexpected impact on the Windows Autopatch service. To move devices between these groups, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings).
-
-> [!IMPORTANT]
-> Windows Autopatch device registration doesn't assign devices to its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments.
-
-Also, during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md), Windows Autopatch assigns each device being registered to one of its deployment rings so that the service has the proper representation of the device diversity across the organization in each deployment ring. The deployment ring distribution is designed to release software update deployments to as few devices as possible to get the signals needed to make a quality evaluation of a given update deployment.
-
-> [!NOTE]
-> You can't create additional deployment rings or use your own for devices managed by the Windows Autopatch service.
-
-### Deployment ring calculation logic
-
-The Windows Autopatch deployment ring calculation happens during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md) and it works as follows:
-
-- If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is First **(5%)**, Fast **(15%)**, remaining devices go to the Broad ring **(80%)**.
-- If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**.
-
-| Deployment ring | Default device balancing percentage | Description |
-| ----- | ----- | ----- |
-| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:
- **0–500** devices: minimum **one** device.
- **500–5000** devices: minimum **five** devices.
- **5000+** devices: minimum **50** devices.
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. |
-| First | **1%** | The First ring is the first group of production users to receive a change.This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.
Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.|
-| Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.
The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.
|
-| Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in a software update deployment.|
-
-## Moving devices in between deployment rings
-
-If you want to move separate devices to different deployment rings, after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices from the **Ready** tab.
-
-**To move devices in between deployment rings:**
-
-1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** in the left pane.
-2. In the **Windows Autopatch** section, select **Devices**.
-3. In the **Ready** tab, select one or more devices you want to assign. All selected devices will be assigned to the deployment ring you specify.
-4. Select **Device actions** from the menu.
-5. Select **Assign device to ring**. A fly-in opens.
-6. Use the dropdown menu to select the deployment ring to move devices to, and then select **Save**. The **Ring assigned by** column will change to **Pending**.
-
-When the assignment is complete, the **Ring assigned by** column changes to **Admin** (which indicates that you made the change) and the **Ring** column shows the new deployment ring assignment.
-
-> [!NOTE]
-> You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory).
-
-> [!WARNING]
-> Moving devices between deployment rings through directly changing Azure AD group membership isn't supported and may cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings.
-
-## Automated deployment ring remediation functions
-
-Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either:
-
-- Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or
-- An issue occurred which prevented devices from getting a deployment ring assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md).
-
-There are two automated deployment ring remediation functions:
-
-| Function | Description |
-| ----- | ----- |
-| **Check Device Deployment Ring Membership** | Every hour, Windows Autopatch checks to see if any of its managed devices aren't part of one of the deployment rings. If, for some reason, a device isn't part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test** ring). |
-| **Multi-deployment ring device remediator:**| Every hour, Windows Autopatch checks to see if any of its managed devices are part of multiple deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test** ring). If, for some reason, a device is part of multiple deployment rings, Windows Autopatch randomly removes device of one or more deployment rings until the device is only part of one deployment ring.|
-
-> [!IMPORTANT]
-> Windows Autopatch automated deployment ring functions doesn't assign or remove devices to or from the **Modern Workplace Devices-Windows Autopatch-Test** ring.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp.md
deleted file mode 100644
index 8d7c6c6f7f..0000000000
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp.md
+++ /dev/null
@@ -1,85 +0,0 @@
----
-title: Windows feature update end user experience
-description: This article explains the Windows feature update end user experience
-ms.date: 07/11/2022
-ms.prod: windows-client
-ms.technology: itpro-updates
-ms.topic: conceptual
-ms.localizationpriority: medium
-author: tiaraquan
-ms.author: tiaraquan
-manager: dougeby
-ms.reviewer: hathind
-ms.collection:
- - highpri
- - tier1
----
-
-# Windows feature update end user experience
-
-Windows Autopatch aims to deploy updates predictably while minimizing the effect to end users by preventing restarts during business hours.
-
-## User notifications
-
-In this section we'll review what an end user would see in the following three scenarios:
-
-1. Typical update experience
-2. Feature update deadline forces an update
-3. Feature update grace period
-
-> [!NOTE]
-> Windows Autopatch doesn't yet support feature updates without notifying end users.
The "It's almost time to restart" and "Your organization requires your device to restart" notifications won't disappear until the user interacts with the notification.
-
-### Typical update experience
-
-In this example, we'll be discussing a device in the First ring. When the policy is applied to the device, the device will download the update, and notify end users that the new version of Windows is ready to install. The end user can either:
-
-1. Restart immediately to install the updates.
-2. Schedule the installation.
-3. Snooze (the device will attempt to install outside of active hours).
-
-In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline.
-
-:::image type="content" source="../media/windows-feature-typical-update-experience.png" alt-text="Typical Windows feature update experience" lightbox="../media/windows-feature-typical-update-experience.png":::
-
-### Feature update deadline forces an update
-
-The following example builds on the scenario outlined in the typical user experience, but the user ignores the notification and selects snooze. Further notifications are received, which the user ignores. The device is also unable to install the updates outside of active hours.
-
-The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the active hours and force a restart to complete the installation. The user will receive a 15-minute warning, after which, the device will install the update and restart.
-
-:::image type="content" source="../media/windows-feature-force-update.png" alt-text="Force Windows feature update" lightbox="../media/windows-feature-force-update.png":::
-
-### Feature update grace period
-
-In the following example, the user is on holiday and the device is offline beyond the feature update deadline. The user then returns to work and the device is turned back on.
-
-The grace period to install the update and restart depends on the deployment ring the device is assigned to:
-
-| Deployment ring | Grace period (in days) |
-| ----- | ----- |
-| Test | Zero days |
-| First | Two days |
-| Fast | Two days |
-| Broad | Two days |
-
-The user will be notified of a pending installation and given options to choose from. Once the grace period has expired, the user is forced to restart with a 15-minute warning notification.
-
-:::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Windows feature update grace period" lightbox="../media/windows-feature-update-grace-period.png":::
-
-## Servicing window
-
-Windows Autopatch understands the importance of not disrupting end users but also updating the devices quickly. To achieve this goal, updates are automatically downloaded and installed at an optimal time determined by the device. Device restarts occur outside of active hours until the deadline is reached. By default, active hours are configured dynamically based on device usage patterns. If you wish to specify active hours for your organization, you can do so by deploying both the following policies:
-
-| Policy | Description |
-| ----- | ----- |
-| [Active hours start](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) | This policy controls the start of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. |
-| [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | This policy controls the end of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. |
-
-> [!IMPORTANT]
-> Both policies must be deployed for them to work as expected.
-
-A device won't restart during active hours unless it has passed the date specified by the update deadline policy. Once the device has passed the deadline policy, the device will update as soon as possible.
-
-> [!IMPORTANT]
-> If your devices must be updated at a specific date or time, they aren't suitable for Windows Autopatch. Allowing you to choose specific dates to update devices would disrupt the rollout schedule and prevent us from delivering the service level objective. The use of any of the following CSPs on a managed device will render it ineligible for management: - [Update/ScheduledInstallDay](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)
- [Update/ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek)
- [Update/ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek)
- [Update/ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek)
- [Update/ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek)
- [Update/ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek)
- [Update/ScheduledInstallTime](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
deleted file mode 100644
index 1ffb5c25f5..0000000000
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
+++ /dev/null
@@ -1,119 +0,0 @@
----
-title: Windows feature updates
-description: This article explains how Windows feature updates are managed in Autopatch
-ms.date: 05/02/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
-ms.topic: conceptual
-ms.localizationpriority: medium
-author: tiaraquan
-ms.author: tiaraquan
-manager: dougeby
-ms.reviewer: andredm7
-ms.collection:
- - highpri
- - tier1
----
-
-# Windows feature updates
-
-Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation.
-
-Windows feature updates consist of:
-
-- Keeping Windows devices protected against behavioral issues.
-- Providing new features to boost end-user productivity.
-
-Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date so you can focus on running your core businesses while Windows Autopatch runs update management on your behalf.
-
-## Enforcing a minimum Windows OS version
-
-Once devices are registered with Windows Autopatch, they’re assigned to deployment rings. Each of the four deployment rings have its Windows feature update policy assigned to them. This is intended to minimize unexpected Windows OS upgrades once new devices register with the service.
-
-The policies:
-
-- Contain the minimum Windows 10 version being currently serviced by the [Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). The current minimum OS version is **Windows 10 20H2**.
-- Set a bare minimum Windows OS version required by the service once devices are registered with the service.
-
-If a device is registered with Windows Autopatch, and the device is:
-
-- Below the service's currently targeted Windows feature update, that device will update to the service's target version when it meets the Windows OS upgrade eligibility criteria.
-- On, or above the currently targeted Windows feature update version, there won't be any Windows OS upgrades to that device.
-
-> [!IMPORTANT]
-> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
-
-## Windows feature update policy configuration
-
-If your tenant is enrolled with Windows Autopatch, you can see the following policies created by the service in the Microsoft Intune portal:
-
-| Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
-| ----- | ----- | ----- | ----- | ----- | ----- | ----- |
-| Windows Autopatch – DSS Policy [Test] | Windows 10 20H2 | Make update available as soon as possible | N/A | N/A | N/A | 5/8/2023, 7:00PM |
-| Windows Autopatch – DSS Policy [First] | Windows 10 20H2 | Make update available as soon as possible | N/A | N/A | N/A | 5/8/2023, 7:00PM |
-| Windows Autopatch – DSS Policy [Fast] | Windows 10 20H2 | Make update available as soon as possible | 12/14/2022 | 12/21/2022 | 1 | 5/8/2023, 7:00PM |
-| Windows Autopatch – DSS Policy [Broad] | Windows 10 20H2 | Make update available as soon as possible | 12/15/2022 | 12/29/2022 | 1 | 5/8/2023, 7:00PM |
-
-> [!IMPORTANT]
-> If you’re ahead of the current minimum OS version enforced by Windows Autopatch in your organization, you can [edit Windows Autopatch’s default Windows feature update policy and select your desired targeted version](/mem/intune/protect/windows-10-feature-updates#create-and-assign-feature-updates-for-windows-10-and-later-policy).
-
-> [!NOTE]
-> The four minimum Windows 10 OS version feature update policies were introduced in Windows Autopatch in the 2212 release milestone. Its creation automatically unassigns the previous four feature update policies targeting Windows 10 21H2 from all four Windows Autopatch deployment rings:- **Modern Workplace DSS Policy [Test]**
- **Modern Workplace DSS Policy [First]**
- **Modern Workplace DSS Policy [Fast]**
- **Modern Workplace DSS Policy [Broad]**
Since the new Windows feature update policies that set the minimum Windows 10 OS version are already in place, the Modern Workplace DSS policies can be safely removed from your tenant.
-
-## Test Windows 11 feature updates
-
-You can test Windows 11 deployments by adding devices either through direct membership or by bulk importing them into the **Modern Workplace - Windows 11 Pre-Release Test Devices** Azure AD group. There’s a separate Windows feature update policy (**Modern Workplace DSS Policy [Windows 11]**) targeted to this Azure AD group, and its configuration is set as follows:
-
-| Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
-| ----- | ----- | ----- | ----- | ----- | ----- | ----- |
-| Modern Workplace DSS Policy [Windows 11] | Windows 11 22H2 | Make update available as soon as possible | N/A | N/A | N/A | 10/13/2025, 7:00PM |
-
-> [!IMPORTANT]
-> Windows Autopatch neither applies its deployment ring distribution, nor configures the [Windows Update for Business gradual rollout settings](/mem/intune/protect/windows-update-rollout-options) in the **Modern Workplace DSS Policy [Windows 11]** policy.Once devices are added to the **Modern Workplace - Windows 11 Pre-Release Test Devices** Azure AD group, the devices can be offered the Windows 11 22H2 feature update at the same time.
-
-## Manage Windows feature update deployments
-
-Windows Autopatch uses Microsoft Intune’s built-in solution, which uses configuration service providers (CSPs), for pausing and resuming both [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release).
-
-Windows Autopatch provides a permanent pause of a Windows feature update deployment. The Windows Autopatch service automatically extends the 35-day pause limit (permanent pause) established by Microsoft Intune on your behalf. The deployment remains permanently paused until you decide to resume it.
-
-## Release management
-
-> [!NOTE]
-> To access the Release management blade, you must have the correct [role-based access control](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration).
-
-### Pausing and resuming a release
-
-> [!CAUTION]
-> You should only pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices. If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
-
-> [!IMPORTANT]
-> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
-
-**To pause or resume a Windows feature update:**
-
-1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Select **Devices** from the left navigation menu.
-3. Under the **Windows Autopatch** section, select **Release management**.
-4. In the **Release management** blade, select either: **Pause** or **Resume**.
-5. Select the update type you would like to pause or resume.
-6. Select a reason from the dropdown menu.
-7. Optional. Enter details about why you're pausing or resuming the selected update.
-8. If you're resuming an update, you can select one or more deployment rings.
-9. Select **Okay**.
-
-If you've paused an update, the specified release will have the **Customer Pause** status. The Windows Autopatch service can't overwrite IT admin's pause. You must select **Resume** to resume the update.
-
-> [!NOTE]
-> The **Service Pause** status only applies to [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). Windows Autopatch doesn't pause Windows feature updates on your behalf.
-
-## Rollback
-
-Windows Autopatch doesn’t support the rollback of Windows feature updates.
-
-> [!CAUTION]
-> You should only pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices. If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
-
-## Contact support
-
-If you’re experiencing issues related to Windows feature updates, you can [submit a support request](../operate/windows-autopatch-support-request.md).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
deleted file mode 100644
index 4ed33aeb7b..0000000000
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-title: All devices report—historical
-description: Provides a visual representation of the update status trend for all devices over the last 90 days.
-ms.date: 12/01/2022
-ms.prod: windows-client
-ms.technology: itpro-updates
-ms.topic: how-to
-ms.localizationpriority: medium
-author: tiaraquan
-ms.author: tiaraquan
-manager: dougeby
-ms.reviewer: adnich
-ms.collection:
- - highpri
- - tier1
----
-
-# All devices report—historical
-
-The historical All devices report provides a visual representation of the update status trend for all devices over the last 90 days.
-
-**To view the historical All devices report:**
-
-1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
-1. Select the **Reports** tab.
-1. Select **All devices report—historical**.
-
-:::image type="content" source="../media/windows-autopatch-all-devices-historical-report.png" alt-text="All devices—historical report" lightbox="../media/windows-autopatch-all-devices-historical-report.png":::
-
-> [!NOTE]
-> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page.
-
-## Report options
-
-The following options are available:
-
-| Option | Description |
-| ----- | ----- |
-| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
-| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
-
-For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md
deleted file mode 100644
index 0b3850461e..0000000000
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: All devices report
-description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices.
-ms.date: 12/01/2022
-ms.prod: windows-client
-ms.technology: itpro-updates
-ms.topic: how-to
-ms.localizationpriority: medium
-author: tiaraquan
-ms.author: tiaraquan
-manager: dougeby
-ms.reviewer: adnich
-ms.collection:
- - highpri
- - tier1
----
-
-# All devices report
-
-The All devices report provides a per device view of the current update status for all Windows Autopatch enrolled devices.
-
-**To view the All devices report:**
-
-1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
-1. Select the **Reports** tab.
-1. Select **All devices report**.
-
-:::image type="content" source="../media/windows-autopatch-all-devices-report.png" alt-text="All devices report" lightbox="../media/windows-autopatch-all-devices-report.png":::
-
-> [!NOTE]
-> The data in this report is refreshed every 24 hours. The last refreshed on date/time can be seen at the top of the page.
-
-## Report information
-
-The following information is available in the All devices report:
-
-| Column name | Description |
-| ----- | ----- |
-| Device name | The name of the device. |
-| Azure Active Directory (AD) device ID | The current Azure AD recorded device ID for the device. |
-| Serial number | The current Intune recorded serial number for the device. |
-| Deployment ring | The currently assigned Windows Autopatch deployment ring for the device. |
-| Update status | The current update status for the device (see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses)). |
-| Update sub status | The current update sub status for the device (see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses)) |
-| OS version | The current version of Windows installed on the device. |
-| OS revision | The current revision of Windows installed on the device. |
-| Intune last check in time | The last time the device checked in to Intune. |
-
-## Report options
-
-The following options are available:
-
-| Option | Description |
-| ----- | ----- |
-| Search | Use to search by device name, Azure AD device ID or serial number |
-| Sort | Select the **column headings** to sort the report data in ascending and descending order. |
-| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
-| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate report**. |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md
deleted file mode 100644
index a78cbd870b..0000000000
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: Windows quality update communications
-description: This article explains Windows quality update communications
-ms.date: 03/30/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
-ms.topic: conceptual
-ms.localizationpriority: medium
-author: tiaraquan
-ms.author: tiaraquan
-manager: dougeby
-ms.reviewer: hathind
-ms.collection:
- - highpri
- - tier1
----
-
-# Windows quality update communications
-
-There are three categories of communication that are sent out during a Windows quality and feature update:
-
-- [Standard communications](#standard-communications)
-- [Communications during release](#communications-during-release)
-- [Incident communications](#incident-communications)
-
-Communications are posted to, as appropriate for the type of communication, to the:
-
-- Message center
-- Service health dashboard
-- Windows Autopatch messages section of the Microsoft Intune admin center
-
-:::image type="content" source="../media/update-communications.png" alt-text="Update communications timeline" lightbox="../media/update-communications.png":::
-
-## Standard communications
-
-| Communication | Location | Timing | Description |
-| ----- | ----- | ----- | ----- |
-| Release schedule | - Messages blade
- Email sent to your specified [admin contacts](../deploy/windows-autopatch-admin-contacts.md)
| At least seven days prior to the second Tuesday of the month| Notification of the planned release window for each ring. |
-| Release start | Same as release schedule | The second Tuesday of every month. | Notification that the update is now being released into your environment. |
-| Release summary | Same as release schedule | The fourth Tuesday of every month. | Informs you of the percentage of eligible devices that were patched during the release. |
-
-### Opt out of receiving emails for standard communications
-
-> [!IMPORTANT]
-> This feature is in **public preview**. This feature is being actively developed and may not be complete. You can test and use these features in production environments and provide feedback.
-
-If you don't want to receive standard communications for Windows Updates releases via email, you can choose to opt out.
-
-**To opt out of receiving emails for standard communications:**
-
-1. Go to the **[Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)**.
-2. Go to **Windows Autopatch** > **Tenant administration** > select **Admin contacts**.
-3. Select the admin contact you want to opt out for.
-4. Select **Edit Contact**.
-5. Clear the **Send me emails for Windows update releases and status** checkbox in the fly-in pane.
-6. Select **Save** to apply the changes.
-
-## Communications during release
-
-The most common type of communication during a release is a customer advisory. Customer advisories are posted to both Message center and the Messages blade of the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) shortly after Autopatch becomes aware of the new information.
-
-There are some circumstances where Autopatch will need to change the release schedule based on new information.
-
-For example, new threat intelligence may require us to expedite a release, or we may pause due to user experience concerns. If the schedule of a quality update is changed, paused, resumed, or expedited, we'll inform you as quickly as possible so that you can adapt to the new information.
-
-## Incident communications
-
-Despite the best intentions, every service should plan for failure and success. When there's an incident, timely and transparent communication is key to building and maintaining your trust. If insufficient numbers of devices have been updated to meet the service level objective, devices will experience an interruption to productivity, and an incident will be raised. Microsoft will update the status of the incident at least once every 24 hours.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
deleted file mode 100644
index e0b0cbe8a7..0000000000
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-title: Eligible devices report—historical
-description: Provides a visual representation of the update status trend for all eligible devices to receive quality updates over the last 90 days.
-ms.date: 12/01/2022
-ms.prod: windows-client
-ms.technology: itpro-updates
-ms.topic: how-to
-ms.localizationpriority: medium
-author: tiaraquan
-ms.author: tiaraquan
-manager: dougeby
-ms.reviewer: adnich
-ms.collection:
- - highpri
- - tier1
----
-
-# Eligible devices report—historical
-
-The historical Eligible devices report provides a visual representation of the update status trend for all eligible devices to receive quality updates over the last 90 days.
-
-**To view the historical Eligible devices report:**
-
-1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
-1. Select the **Reports** tab.
-1. Select **Eligible devices report—historical**.
-
-:::image type="content" source="../media/windows-autopatch-eligible-devices-historical-report.png" alt-text="Eligible devices—historical report" lightbox="../media/windows-autopatch-eligible-devices-historical-report.png":::
-
-> [!NOTE]
-> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page.
-
-## Report options
-
-The following options are available:
-
-| Option | Description |
-| ----- | ----- |
-| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
-| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
-
-For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md
deleted file mode 100644
index ed6b572591..0000000000
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md
+++ /dev/null
@@ -1,82 +0,0 @@
----
-title: Windows quality update end user experience
-description: This article explains the Windows quality update end user experience
-ms.date: 05/30/2022
-ms.prod: windows-client
-ms.technology: itpro-updates
-ms.topic: conceptual
-ms.localizationpriority: medium
-author: tiaraquan
-ms.author: tiaraquan
-manager: dougeby
-ms.reviewer: hathind
-ms.collection:
- - highpri
- - tier1
----
-
-# Windows quality update end user experience
-
-Windows Autopatch aims to deploy updates predictably while minimizing the effect to end users by preventing restarts during business hours.
-
-## User notifications
-
-In this section we'll review what an end user would see in the following three scenarios:
-
-1. Typical update experience
-2. Quality update deadline forces an update
-3. Quality update grace period
-
-> [!NOTE]
-> The "It's almost time to restart" and "Your organization requires your device to restart" notifications won't disappear until the user interacts with the notification.
-
-### Typical update experience
-
-The Windows 10 quality update is published and devices in the Broad ring have a deferral period of nine days. Devices will wait nine days before downloading the latest quality update.
-
-Once the deferral period has passed, the device will download the update and notify the end user that updates are ready to install. The end user can either:
-
-- Restart immediately to install the updates
-- Schedule the installation, or
-- Snooze (the device will attempt to install outside of [active hours](#servicing-window).
-
-In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline.
-
-:::image type="content" source="../media/windows-quality-typical-update-experience.png" alt-text="Typical windows quality update experience" lightbox="../media/windows-quality-typical-update-experience.png":::
-
-### Quality update deadline forces an update
-
-In the following example, the user:
-
-- Ignores the notification and selects snooze.
-- Further notifications are received, which the user ignores.
-- The device is unable to install the updates outside of active hours.
-
-The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the [active hours](#servicing-window) and force a restart to complete the update installation. The user will receive a 15-minute warning, after which, the device will install the update and restart.
-
-:::image type="content" source="../media/windows-quality-force-update.png" alt-text="Force Windows quality update" lightbox="../media/windows-quality-force-update.png":::
-
-### Quality update grace period
-
-In the following example, the user is on holiday and the device is offline beyond the quality update deadline. The user then returns to work and the device is turned back on.
-
-Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification.
-
-:::image type="content" source="../media/windows-quality-update-grace-period.png" alt-text="Windows quality update grace period" lightbox="../media/windows-quality-update-grace-period.png":::
-
-## Servicing window
-
-Windows Autopatch understands the importance of not disrupting end users but also updating the devices quickly. To achieve this goal, updates are automatically downloaded and installed at an optimal time determined by the device. Device restarts occur outside of active hours until the deadline is reached. By default, active hours are configured dynamically based on device usage patterns. If you wish to specify active hours for your organization, you can do so by deploying both the following policies:
-
-| Policy | Description |
-| ----- | ----- |
-| [Active hours start](/windows/client-management/mdm/policy-csp-update#activehoursstart) | This policy controls the start of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. |
-| [Active hours end](/windows/client-management/mdm/policy-csp-update#activehoursend) | This policy controls the end of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. |
-
-> [!IMPORTANT]
-> Both policies must be deployed for them to work as expected.
-
-A device won't restart during active hours unless it has passed the date specified by the update deadline policy. Once the device has passed the deadline policy, the device will update as soon as possible.
-
-> [!IMPORTANT]
-> If your devices must be updated at a specific date or time, they aren't suitable for Windows Autopatch. Selecting specific dates to update devices would disrupt the rollout schedule, and prevent Windows Autopatch from delivering the [service level objective](../operate/windows-autopatch-windows-quality-update-overview.md#service-level-objective). The use of any of the following CSPs on a managed device will render it ineligible for the service level objective:- [Update/ScheduledInstallDay](/windows/client-management/mdm/policy-csp-update#scheduledinstallday)
- [Update/ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstalleveryweek)
- [Update/ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstallfirstweek)
- [Update/ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstallfourthweek)
- [Update/ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstallsecondweek)
- [Update/ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstallthirdweek)
- [Update/ScheduledInstallTime](/windows/client-management/mdm/policy-csp-update#scheduledinstalltime)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
deleted file mode 100644
index 57d6dc58ab..0000000000
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: Ineligible devices report—historical
-description: Provides a visual representation of why devices have been ineligible to receive quality updates over the last 90 days.
-ms.date: 12/01/2022
-ms.prod: windows-client
-ms.technology: itpro-updates
-ms.topic: how-to
-ms.localizationpriority: medium
-author: tiaraquan
-ms.author: tiaraquan
-manager: dougeby
-ms.reviewer: adnich
-ms.collection:
- - highpri
- - tier1
----
-
-# Ineligible devices report—historical
-
-The historical Ineligible devices report provides a visual representation of why devices have been ineligible to receive quality updates over the last 90 days.
-
-> [!NOTE]
-> Devices must have at least six hours of usage, with at least two hours being continuous. You may see an increase in the number of ineligible devices when the widget refreshes every second Tuesday of each month.
-
-**To view the historical Ineligible devices report:**
-
-1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
-1. Select the **Reports** tab.
-1. Select **Ineligible devices report—historical**.
-
-:::image type="content" source="../media/windows-autopatch-ineligible-devices-historical-report.png" alt-text="Ineligible devices—historical report" lightbox="../media/windows-autopatch-ineligible-devices-historical-report.png":::
-
-> [!NOTE]
-> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page.
-
-## Report options
-
-The following options are available:
-
-| Option | Description |
-| ----- | ----- |
-| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
-| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
-
-For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
deleted file mode 100644
index da8c85bcff..0000000000
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
+++ /dev/null
@@ -1,155 +0,0 @@
----
-title: Windows quality updates
-description: This article explains how Windows quality updates are managed in Autopatch
-ms.date: 05/02/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
-ms.topic: conceptual
-ms.localizationpriority: medium
-author: tiaraquan
-ms.author: tiaraquan
-manager: dougeby
-ms.reviewer: andredm7
-ms.collection:
- - highpri
- - tier1
----
-
-# Windows quality updates
-
-## Service level objective
-
-Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release.
-
-## Device eligibility
-
-For a device to be eligible for Windows quality updates as a part of Windows Autopatch they must meet the following criteria:
-
-| Criteria | Description |
-| ----- | ----- |
-| Activity | Devices must have at least six hours of usage, with at least two hours being continuous. |
-| Intune sync | Devices must have checked with Intune within the last five days. |
-| Storage space | Devices must have more than one GB (GigaBytes) of free storage space. |
-| Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. |
-| Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). |
-| Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). |
-| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../references/windows-autopatch-windows-update-unsupported-policies.md). |
-| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](../references/windows-autopatch-windows-update-unsupported-policies.md#group-policy-and-other-policy-managers) |
-
-> [!IMPORTANT]
-> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
-
-## Windows quality update releases
-
-Windows Autopatch deploys the [Monthly security update releases](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month.
-
-To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update deployment ring to control the rollout. There are three primary policies that are used to control Windows quality updates:
-
-| Policy | Description |
-| ----- | ----- |
-| [Deferrals](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) | Deferral policies delay the time the update is offered to the device by a specific number of days. The "offer" date for Windows quality updates is equal to the number of days specified in the deferral policy after the second Tuesday of each month. |
-| [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. |
-| [Grace periods](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) | This policy specifies a minimum number of days after an update is downloaded until the device is automatically restarted. This policy overrides the deadline policy so that if a user comes back from vacation, it prevents the device from forcing a restart to complete the update as soon as it comes online. |
-
-> [!IMPORTANT]
-> Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will cause a device to be considered ineligible for management, it will still receive policies from Windows Autopatch that are not in conflict, but may not function as designed. These devices will be marked as ineligible in our device reporting and will not count towards our [service level objective](#service-level-objective).
-
-Windows Autopatch configures these policies differently across deployment rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Windows Autopatch deployment rings](../operate/windows-autopatch-update-management.md#windows-autopatch-deployment-rings).
-
-:::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline" lightbox="../media/release-process-timeline.png":::
-
-## Release management
-
-> [!NOTE]
-> To access the Release management blade, you must have the correct [role-based access control](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration).
-
-In the Release management blade, you can:
-
-- Track the [Windows quality update schedule](#release-schedule) for devices in the [four deployment rings](windows-autopatch-update-management.md#windows-autopatch-deployment-rings).
-- [Turn off expedited Windows quality updates](#turn-off-service-driven-expedited-quality-update-releases).
-- Review release announcements and knowledge based articles for regular and [Out of Band (OOB) Windows quality updates](#out-of-band-releases).
-
-### Release schedule
-
-For each [deployment ring](windows-autopatch-update-management.md#windows-autopatch-deployment-rings), the **Release schedule** tab contains:
-
-- The status of the update. Releases will appear as **Active**. The update schedule is based on the values of the [Windows 10 Update Ring policies](/mem/intune/protect/windows-update-for-business-configure), which have been configured on your behalf.
-- The date the update is available.
-- The target completion date of the update.
-- In the **Release schedule** tab, you can either [**Pause** and/or **Resume**](#pausing-and-resuming-a-release) a Windows quality update release.
-
-### Expedited releases
-
-Threat and vulnerability information about a new revision of Windows becomes available on the second Tuesday of each month. Windows Autopatch assesses that information shortly afterwards. If the service determines that it's critical to security, it may be expedited. The quality update is also evaluated on an ongoing basis throughout the release and Windows Autopatch may choose to expedite at any time during the release.
-
-When running an expedited release, the regular goal of 95% of devices in 21 days no longer applies. Instead, Windows Autopatch greatly accelerates the release schedule of the release to update the environment more quickly. This approach requires an updated schedule for all devices outside of the Test ring since those devices are already getting the update quickly.
-
-| Release type | Group | Deferral | Deadline | Grace period |
-| ----- | ----- | ----- | ----- | ----- |
-| Standard release | TestFirst
Fast
Broad | 0
1
6
9 | 0
2
2
5 | 0
2
2
2 |
-| Expedited release | All devices | 0 | 1 | 1 |
-
-> [!IMPORTANT]
-> Expedited updates **don't** work with devices under the [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/). For more information, see [expedite Windows quality updates in Microsoft Intune](/mem/intune/protect/windows-10-expedite-updates).
-
-#### Turn off service-driven expedited quality update releases
-
-Windows Autopatch provides the option to turn off of service-driven expedited quality updates.
-
-By default, the service expedites quality updates as needed. For those organizations seeking greater control, you can disable expedited quality updates for Windows Autopatch-enrolled devices using Microsoft Intune.
-
-**To turn off service-driven expedited quality updates:**
-
-1. Go to **[Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**.
-2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited quality updates** setting.
-
-> [!NOTE]
-> Windows Autopatch doesn't allow customers to request expedited releases.
-
-### Out of Band releases
-
-Windows Autopatch schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule.
-
-**To view deployed Out of Band quality updates:**
-
-1. Go to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**.
-2. Under the **Release Announcements** tab, you can view the knowledge base (KB) articles corresponding to deployed OOB and regular Windows quality updates.
-
-> [!NOTE]
-> Announcements will be **removed** from the Release announcements tab when the next quality update is released. Further, if quality updates are paused for a deployment ring, the OOB updates will also be paused.
-
-### Pausing and resuming a release
-
-> [!CAUTION]
-> You should only pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices. If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
-
-The service-level pause of updates is driven by the various software update deployment-related signals Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft.
-
-If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-windows-quality-update-signals.md), we may decide to pause that release.
-
-> [!IMPORTANT]
-> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.
For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
-
-**To pause or resume a Windows quality update:**
-
-1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Select **Devices** from the left navigation menu.
-3. Under the **Windows Autopatch** section, select **Release management**.
-4. In the **Release management** blade, select either: **Pause** or **Resume**.
-5. Select the update type you would like to pause or resume.
-6. Select a reason from the dropdown menu.
-7. Optional. Enter details about why you're pausing or resuming the selected update.
-8. If you're resuming an update, you can select one or more deployment rings.
-9. Select **Okay**.
-
-The three following statuses are associated with paused quality updates:
-
-| Status | Description |
-| ----- | ------ |
-| Service Pause | If the Windows Autopatch service has paused an update, the release will have the **Service Pause** status. You must [submit a support request](../operate/windows-autopatch-support-request.md) to resume the update. |
-| Customer Pause | If you've paused an update, the release will have the **Customer Pause** status. The Windows Autopatch service can't overwrite an IT admin's pause. You must select **Resume** to resume the update. |
-| Customer & Service Pause | If you and Windows Autopatch have both paused an update, the release will have the **Customer & Service Pause** status. If you resume the update, and the **Service Pause** status still remains, you must [submit a support request](../operate/windows-autopatch-support-request.md) for Windows Autopatch to resume the update deployment on your behalf. |
-
-## Remediating Ineligible and/or Not up to Date devices
-
-To ensure your devices receive Windows quality updates, Windows Autopatch provides information on how you can remediate [Ineligible Devices (Customer Actions)](../operate/windows-autopatch-windows-quality-update-reports-overview.md#ineligible-devices-customer-action). In addition, the Windows Autopatch service may remediate [Not up to Date devices](../operate/windows-autopatch-windows-quality-update-reports-overview.md#not-up-to-date-microsoft-action) to bring them back into compliance.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md
deleted file mode 100644
index bf724acb41..0000000000
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md
+++ /dev/null
@@ -1,113 +0,0 @@
----
-title: Windows quality update reports
-description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch
-ms.date: 12/01/2022
-ms.prod: windows-client
-ms.technology: itpro-updates
-ms.topic: how-to
-ms.localizationpriority: medium
-author: tiaraquan
-ms.author: tiaraquan
-manager: dougeby
-ms.reviewer: adnich
-ms.collection:
- - highpri
- - tier1
----
-
-# Windows quality update reports
-
-The Windows quality update reports provide you information about:
-
-- Quality update device eligibility
-- Device update health
-- Device update trends
-
-Together, these reports provide insight into the quality update state and compliance of Windows devices that are enrolled into Windows Autopatch.
-
-The report types are organized into the following focus areas:
-
-| Focus area | Description |
-| ----- | ----- |
-| Operational detail | - [Summary dashboard](windows-autopatch-windows-quality-update-summary-dashboard.md): Provides the current update status summary for all devices.
- [All devices report](windows-autopatch-windows-quality-update-all-devices-report.md): Provides the current update status of all devices at the device level.
|
-| Device trends | - [All devices report – historical](windows-autopatch-windows-quality-update-all-devices-historical-report.md): Provides the update status trend of all devices over the last 90 days.
- [Eligible devices report – historical](windows-autopatch-windows-quality-update-eligible-devices-historical-report.md): Provides the update status trend of all eligible devices to receive quality updates over the last 90 days.
- [Ineligible devices report – historical](windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md): Provides a trending view of why ineligible devices haven’t received quality updates over the last 90 days.
|
-
-## Who can access the reports?
-
-Users with the following permissions can access the reports:
-
-- Global Administrator
-- Intune Service Administrator
-- Administrators assigned to an Intune role with read permissions
-
-## About data latency
-
-The data source for these reports is the [Windows diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately 24 hours.
-
-## Windows quality update statuses
-
-The following statuses are used throughout the Windows Autopatch reporting suite to describe the quality update status for devices:
-
-- [Healthy devices](#healthy-devices)
-- [Not Up to Date (Microsoft Action)](#not-up-to-date-microsoft-action)
-- [Ineligible Devices (Customer Action)](#ineligible-devices-customer-action)
-
-Each status has its own set of sub statuses to further describe the status.
-
-### Healthy devices
-
-Healthy devices are devices that meet all of the following prerequisites:
-
-- [Prerequisites](../prepare/windows-autopatch-prerequisites.md)
-- [Prerequisites for device registration](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration)
-- [Windows quality update device eligibility](../operate/windows-autopatch-windows-quality-update-overview.md#device-eligibility)
-
-> [!NOTE]
-> Healthy devices will remain with the **In Progress** status for the 21-day service level objective period. Devices which are **Paused** are also considered healthy.
-
-| Sub status | Description |
-| ----- | ----- |
-| Up to Date | Devices are up to date with the latest quality update deployed through the [Windows Autopatch release schedule](../operate/windows-autopatch-windows-quality-update-overview.md#windows-quality-update-releases). |
-| In Progress | Devices are currently installing the latest quality update deployed through the [Windows Autopatch release schedule](../operate/windows-autopatch-windows-quality-update-overview.md#windows-quality-update-releases). |
-| Paused | Devices that are currently paused due to a Windows Autopatch or customer-initiated Release Management pause. For more information, see [Pausing and resuming a release](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). |
-
-### Not Up to Date (Microsoft Action)
-
-Not Up to Date means a device isn’t up to date when the:
-
-- Quality update is more than a month out of date, or the device is on last month’s quality update
-- Device is more than 21 days overdue from the last release.
-
-> [!NOTE]
-> Microsoft Action refers to the responsibility of the Windows Autopatch Service Engineering Team to carry out the appropriate action to resolve the reported device state. Windows Autopatch aims to keep at least [95% of eligible devices on the latest Windows quality update 21 days after release](../operate/windows-autopatch-windows-quality-update-overview.md#service-level-objective).
-
-| Sub status | Description |
-| ----- | ----- |
-| No Heartbeat | The Windows Update service hasn’t been able to connect to this device. The service can’t offer the update to that device. |
-| Not Offered | The Windows Update service hasn’t offered the update to that device. |
-| Policy Blocking Update | This device has a policy that is blocking the update, such as a deferral or pause policy. Devices are only in this state after the 21-day threshold. |
-| In Progress—Stuck | This device has downloaded the update but is getting stuck in a loop during the install process. The update isn’t complete. |
-| Other | This device isn't up to date and isn’t reporting back data from the client. |
-
-### Ineligible Devices (Customer Action)
-
-Customer Action refers to the responsibility of the designated customer IT administrator to carry out the appropriate action to resolve the reported device sub status.
-
-Within each 24-hour reporting period, devices that are ineligible are updated with one of the following sub statuses.
-
-| Sub status | Description |
-| ----- | ----- |
-| Insufficient Usage | Devices must have at least six hours of usage, with at least two hours being continuous. |
-| Low Connectivity | Devices must have a steady internet connection, and access to [Windows update endpoints](../prepare/windows-autopatch-configure-network.md). |
-| Out of Disk Space | Devices must have more than one GB (GigaBytes) of free storage space. |
-| Not Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. |
-| Not On Supported Windows Edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [prerequisites](../prepare/windows-autopatch-prerequisites.md). |
-| Not On Supported Windows Build | Devices must be on a Windows build supported by Windows Autopatch. For more information, see [prerequisites](../prepare/windows-autopatch-prerequisites.md). |
-| Intune Sync Older Than 5 Days | Devices must have checked in with Intune within the last five days. |
-
-## Data export
-
-Select **Export devices** to export data for each report type.
-
-> [!NOTE]
-> You can’t export Windows Autopatch report data using Microsoft Graph RESTful web API.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
deleted file mode 100644
index 7f42913f96..0000000000
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
+++ /dev/null
@@ -1,62 +0,0 @@
----
-title: Windows quality update release signals
-description: This article explains the Windows quality update release signals
-ms.date: 01/24/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
-ms.topic: conceptual
-ms.localizationpriority: medium
-author: tiaraquan
-ms.author: tiaraquan
-manager: dougeby
-ms.reviewer: hathind
-ms.collection:
- - highpri
- - tier1
----
-
-# Windows quality update signals
-
-Windows Autopatch monitors a specific set of signals and aims to release the monthly security update both quickly and safely. The service doesn't comprehensively monitor every use case in Windows.
-
-If there's a scenario that is critical to your business, which isn't monitored by Windows Autopatch, you're responsible for testing and taking any follow-up actions, like requesting to pause the release.
-
-## Pre-release signals
-
-Before being released to the Test ring, Windows Autopatch reviews several data sources to determine if we need to send any customer advisories or need to pause the update. Situations where Windows Autopatch doesn't release an update to the Test ring are seldom occurrences.
-
-| Pre-release signal | Description |
-| ----- | ----- |
-| Windows Payload Review | The contents of the monthly security update release are reviewed to help focus your update testing on areas that have changed. If any relevant changes are detected, a [customer advisory](../operate/windows-autopatch-windows-quality-update-communications.md#communications-during-release) will be sent out. |
-| Optional non-security preview release review - Internal Signals | Windows Autopatch reviews active incidents associated with the previous optional non-security preview release to understand potential risks in the monthly security update release. |
-| Optional non-security preview release review - Social Signals | Windows Autopatch monitors social signals to better understand potential risks associated with the monthly security update release. |
-
-## Early signals
-
-The update is released to the Test ring on the second Tuesday of the month. Those test devices will update, allowing you to conduct early testing of critical scenarios in your environment. There are also several new Microsoft internal signals that have become available to the service that are monitored throughout the release.
-
-| Device reliability signal | Description | Microsoft will |
-| ----- | ----- | ----- |
-| Security Risk Profile | As soon as the update is released, the criticality of the security content is assessed. | - Consider expediting the release
- Update customers with a risk profile
-| B-Release - Internal Signals | Windows Autopatch reviews any active incidents associated with the current release. | - Determine if a customer advisory is necessary
- Pause the release if there's significant user impact
|
-| B-Release - Social Signals | Windows Autopatch monitors social signals to understand risks associated with the release. | Determine if a customer advisory is necessary |
-
-## Device reliability signals
-
-Windows Autopatch monitors devices for a set of core reliability metrics as a part of the service.
-
-The service then uses statistical models to assess if there are significant differences between the two Windows versions. To make a statistically significant assessment, Windows Autopatch requires that at least 500 devices in your tenant have upgraded to the new version.
-
-As more devices update, the confidence of the analysis increases and gives us a clearer picture of release quality. If we determine that the user experience is impaired, Autopatch will either post a customer advisory or pause the release, depending on the criticality of the update.
-
-Autopatch monitors the following reliability signals:
-
-| Device reliability signal | Description |
-| ----- | ----- |
-| Blue screens | These events are highly disruptive to end users. These events are closely monitored. |
-| Overall app reliability | Tracks the total number of app crashes and freezes on a device. A known limitation with this measure is that if one app becomes 10% more reliable and another becomes 10% less reliable then it shows up as a flat line in the measure. |
-| Microsoft Office reliability | Tracks the number of Office crashes and freezes per application per device. |
-| Microsoft Edge reliability | Tracks the number of Microsoft Edge crashes and freezes per device. |
-| Microsoft Teams reliability | Tracks the number of Microsoft Teams crashes and freezes per device. |
-
-When the update is released to the First ring, the service crosses the 500 device threshold. Therefore, Autopatch can detect regressions that are common to all customers. At this point in the release, we'll decide if we need to change the release schedule or pause for all customers.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md
deleted file mode 100644
index 8d1587ce8e..0000000000
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: Summary dashboard
-description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch.
-ms.date: 12/01/2022
-ms.prod: windows-client
-ms.technology: itpro-updates
-ms.topic: how-to
-ms.localizationpriority: medium
-author: tiaraquan
-ms.author: tiaraquan
-manager: dougeby
-ms.reviewer: adnich
-ms.collection:
- - highpri
- - tier1
----
-
-# Summary dashboard
-
-The Summary dashboard provides a summary view of the current update status for all devices enrolled into Windows Autopatch.
-
-**To view the current update status for all your enrolled devices:**
-
-1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
-
-:::image type="content" source="../media/windows-autopatch-summary-dashboard.png" alt-text="Summary dashboard" lightbox="../media/windows-autopatch-summary-dashboard.png":::
-
-> [!NOTE]
-> The data in this report is refreshed every 24 hours. The last refreshed on date/time can be seen at the top of the page.
-
-## Report information
-
-The following information is available in the Summary dashboard:
-
-| Column name | Description |
-| ----- | ----- |
-| Windows quality update status | The device update state. For more information, see [Windows quality update status](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses). |
-| Devices | The number of devices showing as applicable for the state. |
-
-## Report options
-
-The following option is available:
-
-| Option | Description |
-| ----- | ----- |
-| Refresh | The option to **Refresh** the Summary dashboard is available at the top of the page. This process will ensure that the Summary dashboard view is updated to the latest available dataset from within the last 24-hour period. |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md
deleted file mode 100644
index e7272739f3..0000000000
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md
+++ /dev/null
@@ -1,124 +0,0 @@
----
-title: Customize Windows Update settings
-description: This article explains how to customize Windows Updates in Windows Autopatch
-ms.date: 05/02/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
-ms.topic: how-to
-ms.localizationpriority: medium
-author: tiaraquan
-ms.author: tiaraquan
-manager: dougeby
-ms.reviewer: rekhanr
-ms.collection:
- - highpri
- - tier1
----
-
-# Customize Windows Update settings (public preview)
-
-> [!IMPORTANT]
-> This feature is in **public preview**. The feature is being actively developed, and may not be complete. You can test and use these features in production environments and provide feedback.
-
-You can customize the Windows Update deployment schedule for each deployment ring per your business and organizational needs. We recommend that you use the Windows Autopatch service default. However, you may have devices that need different schedules for updates deployment.
-
-When the deployment cadence is customized, Windows Autopatch will override our service defaults with your preferred deployment cadence. Depending on the selected options, devices with [customized schedules](#scheduled-install) may not count towards the Windows Autopatch [Windows quality update service level objective](../operate/windows-autopatch-windows-quality-update-overview.md#service-level-objective).
-
-## Deployment cadence
-
-### Cadence types
-
-For each tenant, at the deployment ring level, there are two cadence types to configure and manage your Windows Update deployments for all the devices in those deployment rings:
-
-- [Deadline-driven](#deadline-driven)
-- [Scheduled install](#scheduled-install)
-
-> [!NOTE]
-> Windows Autopatch uses the [Update rings policy for Windows 10 and later in Microsoft Intune](/mem/intune/protect/windows-10-update-rings) to apply either **Deadline-driven** or **Scheduled install** cadence types. Microsoft Intune implements [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) using the settings available in the [Update policy CSP](/windows/client-management/mdm/policy-csp-update).
-
-#### Deadline-driven
-
-With the deadline-drive cadence type, you can control and customize the deferral, deadline, and grace period to meet your specific business needs and organizational requirements.
-
-There are certain limits that Windows Autopatch defines and you'll only be able to make changes with those boundaries. The following boundaries are implemented so that Windows Autopatch can maintain update compliance.
-
-| Boundary | Description |
-| ----- | ----- |
-| Deferrals and deadlines | Windows Autopatch will enforce that deadline plus deferral days for a deployment ring to be less than or equal to 14 days. |
-| Grace period | The permitted customization range is zero to seven days. |
-
-> [!NOTE]
-> The configured grace period will apply to both Windows quality updates and Windows feature updates.
-
-Each deployment ring can be scheduled independent of the others, and there are no dependencies that the previous deployment ring must be scheduled before the next ring. Further, if the cadence type is set as **Deadline-driven**, the automatic update behavior setting, **Reset to default** in the Windows Update for Business policy, will be applied.
-
-It's possible for you to change the cadence from the Windows Autopatch Release management blade while update deployments are in progress. Windows Autopatch will abide by the principle to always respect your preferences over service-defined values.
-
-However, if an update has already started for a particular deployment ring, Windows Autopatch won't be able to change the cadence for that ring during that ongoing update cycle. The changes will only be effective in the next update cycle.
-
-#### Scheduled install
-
-> [!NOTE]
->If you select the Schedule install cadence type, the devices in that ring won’t be counted towards the [Windows quality update service level objective](../operate/windows-autopatch-windows-quality-update-overview.md#service-level-objective).
-
-While the Windows Autopatch default options will meet the majority of the needs for regular users with corporate devices, we understand there are devices that run critical activities and can only receive Windows Updates at specific times. The **Scheduled install** cadence type will minimize disruptions by preventing forced restarts and interruptions to critical business activities for end users. Upon selecting the **Scheduled install** cadence type, any previously set deadlines and grace periods will be removed. Devices will only update and restart according to the time specified.
-
-If other applications force a device to restart outside of the specified time and a Windows Update is pending a restart, the Windows Update will complete its installation at this time. For this reason, ensure that you consider your update and restart scenarios for devices running business critical activities, or restart sensitive workloads before using the Scheduled Install option.
-
-> [!NOTE]
-> The compliance deadline and grace period for Windows quality updates won't be configured for the Scheduled Install cadence type.
-
-Devices **must** be active and available at the time when the device is scheduled for installation to ensure the optimal experience. If the device is consistently unavailable during the scheduled install time, the device can remain unprotected and unsecured, or the device may have the Windows Update scan and install during active hours.
-
-##### Scheduled install types
-
-> [!NOTE]
-> For devices with **Active hours** configured, if the device is consistently unavailable, Windows will attempt to keep the devices up to date, including installation of updates during Active hours.For Windows 10 devices, Windows Update can start 30 minutes prior to the specified install time. If the installation start time is specified at 2:00 AM, some of the devices may start the installation 30 mins prior.
-
-The Scheduled install cadence has two options:
-
-| Option | Description |
-| ----- | ----- |
-| Active hours | The period (daily) that the user normally does their work, or the device is busy performing business critical actions.The time outside of active hours is when the device is available for Windows to perform an update and restart the device (daily). The max range for Active hours is 18 hours. The six-hour period outside of the active hours is the deployment period, when Windows Update for Business will scan, install and restart the device.
-| Schedule install and restart | Use this option to prevent the service from installing Windows Updates except during the specified start time. You can specify the following occurrence options:Select a time when the device has low activity for the updates to complete. Ensure that the Windows Update has three to four hours to complete the installation and restart the device.
|
-
-> [!NOTE]
-> Changes made in one deployment ring won't impact other rings in your tenant.Configured **Active hours** and **Scheduled install and restart** options will apply to both Windows quality updates and Windows feature updates.
-
-### User notifications
-
-In addition to the cadence type, you can also manage the end user notification settings. End users will receive all update notifications by default. For critical devices or devices where notifications need to be hidden, use the **Manage notifications** option to configure notifications. For each tenant, at the deployment ring level, there are four options for you to configure end user update notification settings:
-
-- Not configured
-- Use the default Windows Update notifications
-- Turn off all notifications excluding restart warnings
-- Turn off all notifications including restart warnings
-
-For more information, see [Windows Update settings you can manage with Intune update ring policies for Windows 10/11 devices](/mem/intune/protect/windows-update-settings).
-
-## Customize the Windows Update deployment cadence
-
-> [!IMPORTANT]
-> The Windows update setting customizations can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to apply new software update settings.For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
-
-**To customize the Windows Update deployment cadence:**
-
-1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Navigate to **Devices** > **Windows Autopatch** > **Release management** > **Release settings** select **Customize Windows Update cadence (preview)**. The page lists the existing settings for each of the rings in the tenant.
-3. Select the **horizontal ellipses (…)** across each ring to manage the deployment cadence or notification settings.
-4. Select [**Manage deployment cadence**](#cadence-types) to customize Windows Update settings.
- 1. Select one of the cadence types for the ring:
- 1. Select **Deadline-driven** to configure the deferral, deadline, and grace periods. This option will enforce forced restarts based on the selected deadline and grace period. In the event you want to switch back to the service recommended defaults, for each of the settings, select the option tagged as "default".
- 1. Select **Scheduled install** to opt-out of deadline-based forced restart.
- 1. Select either **Active hours** or **Schedule install and restart time**.
- 2. Select **Save**.
-5. Select **Manage notifications**. A fly-in pane opens.
- 1. Select one of following [Windows Update restart notifications](#user-notifications) for your devices that are part of the selected deployment ring. By default, Windows Autopatch recommends that you enable all notifications.
- 1. Not configured
- 1. Use the default Windows Update notifications
- 1. Turn off all notifications excluding restart warnings
- 1. Turn off all notifications included restart warnings
- 1. Select **Save** once you select the preferred setting.
-6. Repeat the same process to customize each of the rings. Once done, select **Next**.
-7. In **Review + apply**, you’ll be able to review the selected settings for each of the rings.
-8. Select **Apply** to apply the changes to the ring policy. Once the settings are applied, the saved changes can be verified in the **Release schedule** tab. The Windows quality update schedule on the **Release schedule** tab will be updated as per the customized settings.
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
index 49693cb754..66e6fd2e1d 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@@ -4,7 +4,7 @@ metadata:
description: Answers to frequently asked questions about Windows Autopatch.
ms.prod: windows-client
ms.topic: faq
- ms.date: 05/04/2023
+ ms.date: 07/19/2023
audience: itpro
ms.localizationpriority: medium
manager: dougeby
@@ -31,7 +31,7 @@ sections:
Autopatch isn't available for 'A' or 'F' series licensing.
- question: Will Windows Autopatch support local domain join Windows 10?
answer: |
- Windows Autopatch doesn't support local (on-premise) domain join. Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Azure AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
+ Windows Autopatch doesn't support local (on-premises) domain join. Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Azure AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
- question: Will Windows Autopatch be available for state and local government customers?
answer: |
Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. Although Windows 365 Enterprise is in the Azure Commercial cloud, when Windows 365 Enterprise is used with a GCC customer tenant, Autopatch is not suppported.
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
index 44dc4f822a..4659af2033 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
@@ -1,7 +1,7 @@
---
title: Roles and responsibilities
description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do
-ms.date: 06/27/2023
+ms.date: 07/25/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@@ -49,7 +49,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
| [Allow or block Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates) | :heavy_check_mark: | :x: |
| [Manage driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md) | :heavy_check_mark: | :x: |
| [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | :heavy_check_mark: | :x: |
-| [Register devices/add devices to the Windows Autopatch Device Registration group](../deploy/windows-autopatch-register-devices.md#steps-to-register-devices-using-the-classic-method) | :heavy_check_mark: | :x: |
+| [Register devices/add devices to the Windows Autopatch Device Registration group](../deploy/windows-autopatch-register-devices.md) | :heavy_check_mark: | :x: |
| [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-registered-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: |
| [Automatically assign devices to First, Fast & Broad deployment rings at device registration](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :x: | :heavy_check_mark: |
| [Manually override device assignments to First, Fast & Broad deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings) | :heavy_check_mark: | :x: |
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
index 90ddcbe791..f0c9059f9c 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
@@ -66,7 +66,7 @@ The following groups target Windows Autopatch configurations to devices and mana
| Policy name | Policy description | Properties | Value |
| ----- | ----- | ----- | ----- |
| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPOAssigned to:
- Modern Workplace Devices-Windows Autopatch-Test
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-Windows Autopatch-Fast
- Modern Workplace Devices-Windows Autopatch-Broad
| [MDM Wins Over GP](/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-MDMWinsOverGP) | - MDM policy is used
- GP policy is blocked
|
-| Windows Autopatch - Data Collection | Windows Autopatch and Telemetry settings processes diagnostic data from the Windows device.Assigned to:
- Modern Workplace Devices-Windows Autopatch-Test
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-Windows Autopatch-Fast
- Modern Workplace Devices-Windows Autopatch-Broad
|- [Configure Telemetry Opt In Change Notification](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinchangenotification)
- [Configure Telemetry Opt In Settings UX](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux)
- [Allow Telemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
- [Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
- [Limit Dump Collection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
- [Limit Diagnostic Log Collection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
|- Enable telemetry change notifications
- Enable Telemetry opt-in Settings
- Full
- Enabled
- Enabled
- Enabled
|
+| Windows Autopatch - Data Collection | Windows Autopatch and Telemetry settings processes diagnostic data from the Windows device.Assigned to:
- Modern Workplace Devices-Windows Autopatch-Test
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-Windows Autopatch-Fast
- Modern Workplace Devices-Windows Autopatch-Broad
|- [Allow Telemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
- [Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
- [Limit Dump Collection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
- [Limit Diagnostic Log Collection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
|- Full
- Enabled
- Enabled
- Enabled
|
## Deployment rings for Windows 10 and later
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-groups-public-preview-addendum.md b/windows/deployment/windows-autopatch/references/windows-autopatch-groups-public-preview-addendum.md
deleted file mode 100644
index ed57ff6eee..0000000000
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-groups-public-preview-addendum.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: Autopatch groups Public Preview Addendum
-description: Addendum for Windows Autopatch groups public preview
-ms.date: 05/01/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
-ms.topic: how-to
-ms.localizationpriority: medium
-author: tiaraquan
-ms.author: tiaraquan
-manager: dougeby
-ms.reviewer: andredm7
-ms.collection:
- - highpri
- - tier1
----
-
-# Windows Autopatch groups Public Preview Addendum
-
-**This is the Autopatch groups Public Preview Addendum ("Addendum") to the Microsoft Product Terms’ Universal License Terms for Online Services** (as provided at: [Microsoft Product Terms](https://www.microsoft.com/licensing/terms/product/ForallOnlineServices/all) (the "**Product Terms**")) is entered into between Microsoft Corporation, a Washington corporation having its principal place of business at One Microsoft Way, Redmond, Washington, USA 98052-6399 (or based on where Customer lives, one of Microsoft's affiliates) ("**Microsoft**"), and you ("**Customer**").
-
-For good and valuable consideration, the receipt and sufficiency of which is acknowledged, the parties agree as follows:
-
-Microsoft desires to preview the Autopatch groups service it is developing ("**Autopatch groups Preview**”) in order to evaluate it. Customer would like to particulate this Autopatch groups Preview under the Product Terms and this Addendum. Autopatch groups Preview consists of features and services that are in preview, beta, or other pre-release form. Autopatch groups Preview is subject to the "preview" terms set forth in the Product Terms’ Universal License Terms for Online Services.
-
-## Definitions
-
-Capitalized terms used but not defined herein have the meanings given in the Product Terms.
-
-## Data Handling
-
-Autopatch groups Preview integrates Customer Data from other Products, including Windows, Microsoft Intune, Azure Active Directory, and Office (collectively for purposes of this provision "Windows Autopatch Input Services"). Once Customer Data from Windows Autopatch Input Services is integrated into Autopatch groups Preview, only the Product Terms and [DPA provisions](https://www.microsoft.com/licensing/terms/product/Glossary/all) applicable to Autopatch groups Preview apply to that data.
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index 9954a6d68e..9de83ae27e 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -1,7 +1,7 @@
---
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 07/10/2023
+ms.date: 07/25/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: whats-new
@@ -23,6 +23,18 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
## July 2023
+### July feature releases or updates
+
+| Article | Description |
+| ----- | ----- |
+| [Windows Autopatch groups overview](../deploy/windows-autopatch-groups-overview.md) | General Availability |
+| [Manage Windows Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md) | General Availability |
+| [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md) | General Availability |
+| [Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md) | General Availability |
+| [Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md) | General Availability |
+| [Windows quality and feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md) | General Availability |
+| [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md) | General Availability |
+
### July service releases
| Message center post number | Description |
diff --git a/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
index 83799f7674..2f0412decb 100644
--- a/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+++ b/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
@@ -44,6 +44,6 @@ WDAC has no specific hardware or software requirements.
## Related articles
-- [Windows Defender Application Control](../../threat-protection/windows-defender-application-control/windows-defender-application-control.md)
+- [Windows Defender Application Control](windows-defender-application-control/wdac.md)
- [Memory integrity](../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
- [Driver compatibility with memory integrity](https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-compatibility-with-device-guard-in-windows-10/ba-p/364865)
diff --git a/windows/security/application-security/application-control/toc.yml b/windows/security/application-security/application-control/toc.yml
index a0b92c4987..117ebc744f 100644
--- a/windows/security/application-security/application-control/toc.yml
+++ b/windows/security/application-security/application-control/toc.yml
@@ -10,6 +10,6 @@ items:
- name: Windows Defender Application Control and virtualization-based protection of code integrity
href: introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- name: Windows Defender Application Control
- href: ../../threat-protection/windows-defender-application-control/windows-defender-application-control.md
+ href: windows-defender-application-control/wdac.md
- name: Smart App Control
- href: ../../threat-protection/windows-defender-application-control/windows-defender-application-control.md
+ href: windows-defender-application-control/wdac.md
diff --git a/windows/security/application-security/application-control/user-account-control/how-it-works.md b/windows/security/application-security/application-control/user-account-control/how-it-works.md
index 861c6bc68b..b4983f373e 100644
--- a/windows/security/application-security/application-control/user-account-control/how-it-works.md
+++ b/windows/security/application-security/application-control/user-account-control/how-it-works.md
@@ -93,6 +93,9 @@ The elevation process is further secured by directing the prompt to the *secure
When an executable file requests elevation, the *interactive desktop*, also called the *user desktop*, is switched to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be responded to before continuing. When the user selects **Yes** or **No**, the desktop switches back to the user desktop.
+> [!NOTE]
+> Starting in **Windows Server 2019**, it's not possible to paste the content of the clipboard on the secure desktop. This is the same behavior of the currently supported Windows client OS versions.
+
Malware can present an imitation of the secure desktop, but when the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting is set to **Prompt for consent**, the malware doesn't gain elevation if the user selects **Yes** on the imitation. If the policy setting is set to **Prompt for credentials**, malware imitating the credential prompt may be able to gather the credentials from the user. However, the malware doesn't gain elevated privilege and the system has other protections that mitigate malware from taking control of the user interface even with a harvested password.
While malware could present an imitation of the secure desktop, this issue can't occur unless a user previously installed the malware on the PC. Because processes requiring an administrator access token can't silently install when UAC is enabled, the user must explicitly provide consent by selecting **Yes** or by providing administrator credentials. The specific behavior of the UAC elevation prompt is dependent upon security policies.
diff --git a/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md b/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
index 131622bbf4..9fd23384ff 100644
--- a/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
+++ b/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
@@ -41,7 +41,7 @@ The following instructions provide details how to configure your devices. Select
To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-2], and use the settings listed under the category **`Local Policies Security Options`**:
-:::image type="content" source="./images/uac-settings-catalog.png" alt-text="Screenshot that shows the UAC policies in the Intune settings catalog." lightbox="./images/uac-settings-catalog.png" border="True":::
+:::image type="content" source="images/uac-settings-catalog.png" alt-text="Screenshot that shows the UAC policies in the Intune settings catalog." lightbox="images/uac-settings-catalog.png" border="True":::
Assign the policy to a security group that contains as members the devices or users that you want to configure.
diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
similarity index 78%
rename from windows/security/threat-protection/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
rename to windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
index ab8014b9a5..b8552a63ca 100644
--- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
@@ -1,35 +1,17 @@
---
title: Testing and Debugging AppId Tagging Policies
description: Testing and Debugging AppId Tagging Policies to ensure your policies are deployed successfully.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
-author: jgeurten
-ms.reviewer: jsuther1974
-ms.author: vinpa
-manager: aaroncz
ms.date: 04/29/2022
-ms.technology: itpro-security
ms.topic: article
---
# Testing and Debugging AppId Tagging Policies
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
-After deployment of the WDAC AppId Tagging policy, WDAC will log a 3099 policy deployed event in the [Event Viewer logs](../event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event.
+After deployment of the WDAC AppId Tagging policy, WDAC will log a 3099 policy deployed event in the [Event Viewer logs](../operations/event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event.
## Verifying Tags on Running Processes
@@ -53,4 +35,4 @@ After verifying the policy has been deployed, the next step is to verify that th
Lastly, in the textbox, type `!token` and then press the Enter key to dump the security attributes on the process, including the _POLICYAPPID://_ followed by the key you set in the policy, and its corresponding value in the Value[0] field.
- 
\ No newline at end of file
+ 
diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
similarity index 90%
rename from windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
rename to windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
index bf48be5b8d..e8af7434cc 100644
--- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
@@ -1,25 +1,13 @@
---
title: Deploying Windows Defender Application Control AppId tagging policies
description: How to deploy your WDAC AppId tagging policies locally and globally within your managed environment.
-ms.prod: windows-client
ms.localizationpriority: medium
-author: jgeurten
-ms.reviewer: jsuther1974
-ms.author: vinpa
-manager: aaroncz
ms.date: 04/29/2022
-ms.technology: itpro-security
ms.topic: article
---
# Deploying Windows Defender Application Control AppId tagging policies
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and later
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](../feature-availability.md).
@@ -32,7 +20,7 @@ Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId tagg
## Deploy AppId tagging policies with MDM
-Custom AppId tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
+Custom AppId tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-wdac-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
## Deploy AppId tagging policies with Configuration Manager
diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md
similarity index 83%
rename from windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md
rename to windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md
index 0ed35d4d57..9407cacded 100644
--- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md
@@ -1,41 +1,23 @@
---
title: Create your Windows Defender Application Control AppId Tagging Policies
description: Create your Windows Defender Application Control AppId tagging policies for Windows devices.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
-author: jgeurten
-ms.reviewer: jsuther1974
-ms.author: vinpa
-manager: aaroncz
ms.date: 04/29/2022
-ms.technology: itpro-security
ms.topic: article
---
# Creating your WDAC AppId Tagging Policies
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
## Create the policy using the WDAC Wizard
-You can use the Windows Defender Application Control (WDAC) Wizard and the PowerShell commands to create an application control policy and convert it to an AppIdTagging policy. The WDAC Wizard is available for download at the [WDAC Wizard Installer site](https://aka.ms/wdacwizard). These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](./windows-defender-application-control-appid-tagging-guide.md).
+You can use the Windows Defender Application Control (WDAC) Wizard and the PowerShell commands to create an application control policy and convert it to an AppIdTagging policy. The WDAC Wizard is available for download at the [WDAC Wizard Installer site](https://aka.ms/wdacwizard). These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](wdac-appid-tagging-guide.md).
1. Create a new base policy using the templates:
- Start with the Policy Creator task and select Multiple Policy Format and Base Policy. Select the Base Template to use for the policy. The following example shows beginning with the [Default Windows Mode](../wdac-wizard-create-base-policy.md#template-base-policies) template and build on top of these rules.
+ Start with the Policy Creator task and select Multiple Policy Format and Base Policy. Select the Base Template to use for the policy. The following example shows beginning with the [Default Windows Mode](../design/wdac-wizard-create-base-policy.md#template-base-policies) template and build on top of these rules.
@@ -43,7 +25,6 @@ You can use the Windows Defender Application Control (WDAC) Wizard and the Power
> If your AppId Tagging Policy does build off the base templates or does not allow Windows in-box processes, you will notice significant performance regressions, especially during boot. For this reason, it is strongly recommended to build off the base templates.
For more information on the issue, see the [AppId Tagging Known Issue](../operations/known-issues.md#slow-boot-and-performance-with-custom-policies).
-
2. Set the following rule-options using the Wizard toggles:
@@ -58,8 +39,7 @@ You can use the Windows Defender Application Control (WDAC) Wizard and the Power
- Package app name rules: Create a rule based off the package family name of an appx/msix.
- Hash rules: Create a rule based off the PE Authenticode hash of a file.
-
- For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](../wdac-wizard-create-base-policy.md#creating-custom-file-rules).
+ For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](../design/wdac-wizard-create-base-policy.md#creating-custom-file-rules).
4. Convert to AppId Tagging Policy:
@@ -72,9 +52,9 @@ You can use the Windows Defender Application Control (WDAC) Wizard and the Power
## Create the policy using PowerShell
-Using this method, you create an AppId Tagging policy directly using the WDAC PowerShell commands. These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](./windows-defender-application-control-appid-tagging-guide.md). In an elevate PowerShell instance:
+Using this method, you create an AppId Tagging policy directly using the WDAC PowerShell commands. These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](wdac-appid-tagging-guide.md). In an elevate PowerShell instance:
-1. Create an AppId rule for the policy based on a combination of the signing certificate chain and version of the application. In the example below, the level has been set to SignedVersion. Any of the [WDAC File Rule Levels](../select-types-of-rules-to-create.md#table-2-windows-defender-application-control-policy---file-rule-levels) can be used in AppId rules:
+1. Create an AppId rule for the policy based on a combination of the signing certificate chain and version of the application. In the example below, the level has been set to SignedVersion. Any of the [WDAC File Rule Levels](../design/select-types-of-rules-to-create.md#table-2-windows-defender-application-control-policy---file-rule-levels) can be used in AppId rules:
```powershell
$rule = New-CiPolicyRule -Level SignedVersion -DriverFilePath
@@ -121,4 +101,4 @@ After creating your AppId Tagging policy in the above steps, you can deploy the
RefreshPolicy.exe is available for download from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=102925).
## Next Steps
-For more information on debugging and broad deployment of the AppId Tagging policy, see [Debugging AppId policies](./debugging-operational-guide-appid-tagging-policies.md) and [Deploying AppId policies](deploy-appid-tagging-policies.md).
\ No newline at end of file
+For more information on debugging and broad deployment of the AppId Tagging policy, see [Debugging AppId policies](debugging-operational-guide-appid-tagging-policies.md) and [Deploying AppId policies](deploy-appid-tagging-policies.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/windows-defender-application-control-appid-tagging-guide.md b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/wdac-appid-tagging-guide.md
similarity index 79%
rename from windows/security/threat-protection/windows-defender-application-control/AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
rename to windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/wdac-appid-tagging-guide.md
index a509bcee48..2d94e08d99 100644
--- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/wdac-appid-tagging-guide.md
@@ -1,31 +1,13 @@
---
-title: Designing, creating, managing and troubleshooting Windows Defender Application Control AppId Tagging policies
+title: Designing, creating, managing and troubleshooting Windows Defender Application Control AppId Tagging policies
description: How to design, create, manage and troubleshoot your WDAC AppId Tagging policies
-keywords: security, malware, firewall
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
-author: jgeurten
-ms.reviewer: jsuther1974
-ms.author: vinpa
-manager: aaroncz
ms.date: 04/27/2022
-ms.technology: itpro-security
ms.topic: article
---
# WDAC Application ID (AppId) Tagging guide
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2022 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml
similarity index 82%
rename from windows/security/threat-protection/windows-defender-application-control/TOC.yml
rename to windows/security/application-security/application-control/windows-defender-application-control/TOC.yml
index b48a27a876..70c937a286 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml
@@ -1,7 +1,7 @@
- name: Application Control for Windows
href: index.yml
- name: About application control for Windows
- href: windows-defender-application-control.md
+ href: wdac.md
expanded: true
items:
- name: WDAC and AppLocker Overview
@@ -9,120 +9,120 @@
- name: WDAC and AppLocker Feature Availability
href: feature-availability.md
- name: Virtualization-based protection of code integrity
- href: ../../application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+ href: ../introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- name: WDAC design guide
- href: windows-defender-application-control-design-guide.md
+ href: design/wdac-design-guide.md
items:
- name: Plan for WDAC policy lifecycle management
- href: plan-windows-defender-application-control-management.md
+ href: design/plan-wdac-management.md
- name: Design your WDAC policy
items:
- name: Understand WDAC policy design decisions
- href: understand-windows-defender-application-control-policy-design-decisions.md
+ href: design/understand-wdac-policy-design-decisions.md
- name: Understand WDAC policy rules and file rules
- href: select-types-of-rules-to-create.md
+ href: design/select-types-of-rules-to-create.md
items:
- name: Allow apps installed by a managed installer
- href: configure-authorized-apps-deployed-with-a-managed-installer.md
+ href: design/configure-authorized-apps-deployed-with-a-managed-installer.md
- name: Allow reputable apps with Intelligent Security Graph (ISG)
- href: use-windows-defender-application-control-with-intelligent-security-graph.md
+ href: design/use-wdac-with-intelligent-security-graph.md
- name: Allow COM object registration
- href: allow-com-object-registration-in-windows-defender-application-control-policy.md
+ href: design/allow-com-object-registration-in-wdac-policy.md
- name: Use WDAC with .NET hardening
- href: use-windows-defender-application-control-with-dynamic-code-security.md
+ href: design/wdac-and-dotnet.md
- name: Script enforcement with Windows Defender Application Control
href: design/script-enforcement.md
- name: Manage packaged apps with WDAC
- href: manage-packaged-apps-with-windows-defender-application-control.md
+ href: design/manage-packaged-apps-with-wdac.md
- name: Use WDAC to control specific plug-ins, add-ins, and modules
- href: use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
+ href: design/use-wdac-policy-to-control-specific-plug-ins-add-ins-and-modules.md
- name: Understand WDAC policy settings
- href: understanding-wdac-policy-settings.md
+ href: design/understanding-wdac-policy-settings.md
- name: Use multiple WDAC policies
- href: deploy-multiple-windows-defender-application-control-policies.md
+ href: design/deploy-multiple-wdac-policies.md
- name: Create your WDAC policy
items:
- name: Example WDAC base policies
- href: example-wdac-base-policies.md
+ href: design/example-wdac-base-policies.md
- name: Policy creation for common WDAC usage scenarios
- href: types-of-devices.md
+ href: design/common-wdac-use-cases.md
items:
- name: Create a WDAC policy for lightly managed devices
- href: create-wdac-policy-for-lightly-managed-devices.md
+ href: design/create-wdac-policy-for-lightly-managed-devices.md
- name: Create a WDAC policy for fully managed devices
- href: create-wdac-policy-for-fully-managed-devices.md
+ href: design/create-wdac-policy-for-fully-managed-devices.md
- name: Create a WDAC policy for fixed-workload devices
- href: create-initial-default-policy.md
+ href: design/create-wdac-policy-using-reference-computer.md
- name: Create a WDAC deny list policy
- href: create-wdac-deny-policy.md
+ href: design/create-wdac-deny-policy.md
- name: Microsoft recommended block rules
- href: microsoft-recommended-block-rules.md
+ href: design/microsoft-recommended-block-rules.md
- name: Microsoft recommended driver block rules
- href: microsoft-recommended-driver-block-rules.md
+ href: design/microsoft-recommended-driver-block-rules.md
- name: Use the WDAC Wizard tool
- href: wdac-wizard.md
+ href: design/wdac-wizard.md
items:
- name: Create a base WDAC policy with the Wizard
- href: wdac-wizard-create-base-policy.md
+ href: design/wdac-wizard-create-base-policy.md
- name: Create a supplemental WDAC policy with the Wizard
- href: wdac-wizard-create-supplemental-policy.md
+ href: design/wdac-wizard-create-supplemental-policy.md
- name: Editing a WDAC policy with the Wizard
- href: wdac-wizard-editing-policy.md
+ href: design/wdac-wizard-editing-policy.md
- name: Creating WDAC Policy Rules from WDAC Events
- href: wdac-wizard-parsing-event-logs.md
+ href: design/wdac-wizard-parsing-event-logs.md
- name: Merging multiple WDAC policies with the Wizard
- href: wdac-wizard-merging-policies.md
+ href: design/wdac-wizard-merging-policies.md
- name: WDAC deployment guide
- href: windows-defender-application-control-deployment-guide.md
+ href: deployment/wdac-deployment-guide.md
items:
- name: Deploy WDAC policies with MDM
- href: deployment/deploy-windows-defender-application-control-policies-using-intune.md
+ href: deployment/deploy-wdac-policies-using-intune.md
- name: Deploy WDAC policies with Configuration Manager
href: deployment/deploy-wdac-policies-with-memcm.md
- name: Deploy WDAC policies with script
href: deployment/deploy-wdac-policies-with-script.md
- name: Deploy WDAC policies with group policy
- href: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
+ href: deployment/deploy-wdac-policies-using-group-policy.md
- name: Audit WDAC policies
- href: audit-windows-defender-application-control-policies.md
+ href: deployment/audit-wdac-policies.md
- name: Merge WDAC policies
- href: merge-windows-defender-application-control-policies.md
+ href: deployment/merge-wdac-policies.md
- name: Enforce WDAC policies
- href: enforce-windows-defender-application-control-policies.md
+ href: deployment/enforce-wdac-policies.md
- name: Use code signing for added control and protection with WDAC
- href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
+ href: deployment/use-code-signing-for-better-control-and-protection.md
items:
- name: Deploy catalog files to support WDAC
- href: deploy-catalog-files-to-support-windows-defender-application-control.md
+ href: deployment/deploy-catalog-files-to-support-wdac.md
- name: Use signed policies to protect Windows Defender Application Control against tampering
- href: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+ href: deployment/use-signed-policies-to-protect-wdac-against-tampering.md
- name: "Optional: Create a code signing cert for WDAC"
- href: create-code-signing-cert-for-windows-defender-application-control.md
+ href: deployment/create-code-signing-cert-for-wdac.md
- name: Disable WDAC policies
- href: disable-windows-defender-application-control-policies.md
+ href: deployment/disable-wdac-policies.md
- name: LOB Win32 Apps on S Mode
- href: LOB-win32-apps-on-s.md
+ href: deployment/LOB-win32-apps-on-s.md
- name: WDAC operational guide
- href: windows-defender-application-control-operational-guide.md
+ href: operations/wdac-operational-guide.md
items:
- name: WDAC debugging and troubleshooting
href: operations/wdac-debugging-and-troubleshooting.md
- name: Understanding Application Control event IDs
- href: event-id-explanations.md
+ href: operations/event-id-explanations.md
- name: Understanding Application Control event tags
- href: event-tag-explanations.md
+ href: operations/event-tag-explanations.md
- name: Query WDAC events with Advanced hunting
- href: querying-application-control-events-centrally-using-advanced-hunting.md
+ href: operations/querying-application-control-events-centrally-using-advanced-hunting.md
- name: Known Issues
href: operations/known-issues.md
- name: Managed installer and ISG technical reference and troubleshooting guide
- href: configure-wdac-managed-installer.md
+ href: operations/configure-wdac-managed-installer.md
- name: CITool.exe technical reference
href: operations/citool-commands.md
- name: Inbox WDAC policies
href: operations/inbox-wdac-policies.md
- name: WDAC AppId Tagging guide
- href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
+ href: AppIdTagging/wdac-appid-tagging-guide.md
items:
- name: Creating AppId Tagging Policies
href: AppIdTagging/design-create-appid-tagging-policies.md
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
similarity index 92%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
index 0af1870a2a..137f9503c0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
@@ -1,15 +1,9 @@
---
title: Add rules for packaged apps to existing AppLocker rule-set
description: This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Add rules for packaged apps to existing AppLocker rule-set
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker.md
similarity index 98%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker.md
index 6e41e6c5e2..a8cc845756 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker.md
@@ -1,15 +1,9 @@
---
title: Administer AppLocker
description: This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 02/28/2019
-ms.technology: itpro-security
---
# Administer AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-architecture-and-components.md
similarity index 95%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-architecture-and-components.md
index 37127bd09f..93e671aff7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-architecture-and-components.md
@@ -1,15 +1,9 @@
---
title: AppLocker architecture and components
description: This topic for IT professional describes AppLocker’s basic architecture and its major components.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# AppLocker architecture and components
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-functions.md
similarity index 94%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-functions.md
index 52acbce003..48067e47b9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-functions.md
@@ -1,15 +1,9 @@
---
title: AppLocker functions
description: This article for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# AppLocker functions
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
similarity index 99%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
index c13e82db76..eaf509458d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
@@ -1,9 +1,6 @@
---
title: AppLocker
description: This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies.
-ms.author: vinpa
-author: vinaypamnani-msft
-manager: aaroncz
ms.collection:
- highpri
- tier3
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
similarity index 97%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
index 2c37794578..3e609e4176 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
@@ -1,15 +1,9 @@
---
title: AppLocker deployment guide
description: This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# AppLocker deployment guide
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-design-guide.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-design-guide.md
index 0953e691f1..56a059df6a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-design-guide.md
@@ -1,15 +1,9 @@
---
title: AppLocker design guide
description: This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# AppLocker design guide
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
similarity index 97%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
index e4b467ac07..7657e480fa 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
@@ -1,15 +1,9 @@
---
title: AppLocker policy use scenarios
description: This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# AppLocker policy use scenarios
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
similarity index 98%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
index f9b3d75543..567b3bafc5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
@@ -1,15 +1,9 @@
---
title: AppLocker processes and interactions
description: This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# AppLocker processes and interactions
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-settings.md
similarity index 89%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-settings.md
index 2371faff67..956c1904a8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-settings.md
@@ -1,15 +1,9 @@
---
title: AppLocker settings
description: This topic for the IT professional lists the settings used by AppLocker.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# AppLocker settings
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-technical-reference.md
similarity index 95%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-technical-reference.md
index a4e2b5c421..8f8b29113c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-technical-reference.md
@@ -1,15 +1,9 @@
---
title: AppLocker technical reference
description: This overview topic for IT professionals provides links to the topics in the technical reference.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# AppLocker technical reference
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
similarity index 94%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
index 762f500737..6e62bb3ccd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
@@ -1,15 +1,9 @@
---
title: Configure an AppLocker policy for audit only
description: This topic for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 06/08/2018
-ms.technology: itpro-security
---
# Configure an AppLocker policy for audit only
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
similarity index 93%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
index 5677e08745..5ee7082a7e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
@@ -1,15 +1,9 @@
---
title: Configure an AppLocker policy for enforce rules
description: This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Configure an AppLocker policy for enforce rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
similarity index 94%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
index d7fb5a0851..ff055ce7c2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
@@ -1,15 +1,9 @@
---
title: Add exceptions for an AppLocker rule
description: This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Add exceptions for an AppLocker rule
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
index ad878e7040..eb422a3a03 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
@@ -1,15 +1,9 @@
---
title: Configure the AppLocker reference device
description: This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Configure the AppLocker reference device
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-application-identity-service.md
similarity index 95%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-application-identity-service.md
index b9261a395b..628b5cd559 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-application-identity-service.md
@@ -1,15 +1,9 @@
---
title: Configure the Application Identity service
description: This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 07/01/2021
-ms.technology: itpro-security
---
# Configure the Application Identity service
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
similarity index 98%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
index 357689283c..aafae9fa2d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
@@ -1,15 +1,9 @@
---
title: Create a rule for packaged apps
description: This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Create a rule for packaged apps
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
similarity index 94%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
index 592e0d0250..e1c48949a8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
@@ -1,15 +1,9 @@
---
title: Create a rule that uses a file hash condition
description: This topic for IT professionals shows how to create an AppLocker rule with a file hash condition.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Create a rule that uses a file hash condition
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
index 019d399434..c6c0413c43 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
@@ -1,15 +1,9 @@
---
title: Create a rule that uses a path condition
description: This topic for IT professionals shows how to create an AppLocker rule with a path condition.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Create a rule that uses a path condition
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
index b7973d180c..193299df1c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
@@ -1,15 +1,9 @@
---
title: Create a rule that uses a publisher condition
description: This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Create a rule that uses a publisher condition
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-applocker-default-rules.md
similarity index 94%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/create-applocker-default-rules.md
index a9b4962478..98493d5656 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-applocker-default-rules.md
@@ -1,15 +1,9 @@
---
title: Create AppLocker default rules
description: This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Create AppLocker default rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
similarity index 97%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
index 1811f0ba24..5e8d7b6735 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
@@ -1,15 +1,9 @@
---
title: Create a list of apps deployed to each business group
description: This topic describes the process of gathering app usage requirements from each business group to implement application control policies by using AppLocker.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Create a list of apps deployed to each business group
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-policies.md
similarity index 97%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-policies.md
index 5de5930086..861bf58502 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-policies.md
@@ -1,15 +1,9 @@
---
title: Create Your AppLocker policies
description: This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Create Your AppLocker policies
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-rules.md
similarity index 97%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-rules.md
index 5e05fb2c6e..c32cbf3af1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-rules.md
@@ -1,15 +1,9 @@
---
title: Create Your AppLocker rules
description: This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Create Your AppLocker rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/delete-an-applocker-rule.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/delete-an-applocker-rule.md
index e639e46f0b..b531465cdc 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/delete-an-applocker-rule.md
@@ -1,15 +1,9 @@
---
title: Delete an AppLocker rule
description: This article for IT professionals describes the steps to delete an AppLocker rule.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 03/10/2023
-ms.technology: itpro-security
---
# Delete an AppLocker rule
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
similarity index 97%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
index b01a4cb864..0d956ceadf 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
@@ -1,15 +1,9 @@
---
title: Deploy AppLocker policies by using the enforce rules setting
description: This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Deploy AppLocker policies by using the enforce rules setting
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
index bd454cbc25..da372fd5b0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
@@ -1,15 +1,9 @@
---
title: Deploy the AppLocker policy into production
description: This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Deploy the AppLocker policy into production
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
similarity index 94%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
index 75cb76fbb6..8c8842e5ae 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
@@ -1,15 +1,9 @@
---
title: Determine the Group Policy structure and rule enforcement
description: This overview topic describes the process to follow when you're planning to deploy AppLocker rules.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Determine the Group Policy structure and rule enforcement
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
similarity index 94%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
index aae68e89c5..a654dfc5f7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
@@ -1,15 +1,9 @@
---
title: Find digitally signed apps on a reference device
description: This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Determine which apps are digitally signed on a reference device
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
similarity index 98%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
index bd8cd14419..b52c32d46b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
@@ -1,15 +1,9 @@
---
title: Determine your application control objectives
description: Determine which applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Determine your application control objectives
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
similarity index 94%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
index 050d675248..4f50e071a2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
@@ -1,15 +1,9 @@
---
title: Display a custom URL message when users try to run a blocked app
description: This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Display a custom URL message when users try to run a blocked app
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/dll-rules-in-applocker.md
similarity index 93%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/dll-rules-in-applocker.md
index 641ee98a64..39003c7034 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/dll-rules-in-applocker.md
@@ -1,15 +1,9 @@
---
title: DLL rules in AppLocker
description: This topic describes the file formats and available default rules for the DLL rule collection.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# DLL rules in AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
index a99df09d89..5206548f80 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
@@ -1,15 +1,9 @@
---
title: Document Group Policy structure & AppLocker rule enforcement
description: This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Document the Group Policy structure and AppLocker rule enforcement
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-application-list.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-application-list.md
index 1e1cb3e944..e56f851d85 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-application-list.md
@@ -1,15 +1,9 @@
---
title: Document your app list
description: This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Document your app list
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-applocker-rules.md
similarity index 95%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-applocker-rules.md
index f2803a91f2..5e123e0052 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-applocker-rules.md
@@ -1,15 +1,9 @@
---
title: Document your AppLocker rules
description: Learn how to document your AppLocker rules and associate rule conditions with files, permissions, rule source, and implementation.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Document your AppLocker rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-an-applocker-policy.md
similarity index 98%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-an-applocker-policy.md
index 0ebddf77d5..01166c2ac5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-an-applocker-policy.md
@@ -1,15 +1,9 @@
---
title: Edit an AppLocker policy
description: This topic for IT professionals describes the steps required to modify an AppLocker policy.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Edit an AppLocker policy
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-applocker-rules.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-applocker-rules.md
index 5c05fb3560..94a7441394 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-applocker-rules.md
@@ -1,15 +1,9 @@
---
title: Edit AppLocker rules
description: This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Edit AppLocker rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
similarity index 92%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
index a97f271c3d..811c73d69f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
@@ -1,15 +1,9 @@
---
title: Enable the DLL rule collection
description: This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Enable the DLL rule collection
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/enforce-applocker-rules.md
similarity index 94%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/enforce-applocker-rules.md
index 947a69a2ad..155e7ef8e9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/enforce-applocker-rules.md
@@ -1,15 +1,9 @@
---
title: Enforce AppLocker rules
description: This topic for IT professionals describes how to enforce application control rules by using AppLocker.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Enforce AppLocker rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/executable-rules-in-applocker.md
similarity index 92%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/executable-rules-in-applocker.md
index 461262fab4..4e0d5303e8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/executable-rules-in-applocker.md
@@ -1,15 +1,9 @@
---
title: Executable rules in AppLocker
description: This topic describes the file formats and available default rules for the executable rule collection.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Executable rules in AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
similarity index 93%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
index bde1c865ad..9e1872b4b8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
@@ -1,15 +1,9 @@
---
title: Export an AppLocker policy from a GPO
description: This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Export an AppLocker policy from a GPO
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
similarity index 89%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
index 93e466a216..90737aee69 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
@@ -1,15 +1,9 @@
---
title: Export an AppLocker policy to an XML file
description: This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Export an AppLocker policy to an XML file
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/how-applocker-works-techref.md
similarity index 95%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/how-applocker-works-techref.md
index e4168feaaa..b05b76c318 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/how-applocker-works-techref.md
@@ -1,15 +1,9 @@
---
title: How AppLocker works
description: This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# How AppLocker works
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/images/applocker-plan-inheritance.gif b/windows/security/application-security/application-control/windows-defender-application-control/applocker/images/applocker-plan-inheritance.gif
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/images/applocker-plan-inheritance.gif
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/images/applocker-plan-inheritance.gif
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/images/applocker-plandeploy-quickreference.gif b/windows/security/application-security/application-control/windows-defender-application-control/applocker/images/applocker-plandeploy-quickreference.gif
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/images/applocker-plandeploy-quickreference.gif
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/images/applocker-plandeploy-quickreference.gif
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/images/blockedappmsg.gif b/windows/security/application-security/application-control/windows-defender-application-control/applocker/images/blockedappmsg.gif
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/images/blockedappmsg.gif
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/images/blockedappmsg.gif
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
similarity index 92%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
index c9eee9963c..b7e29c29a1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
@@ -1,14 +1,8 @@
---
title: Import an AppLocker policy from another computer
description: This topic for IT professionals describes how to import an AppLocker policy.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
-ms.technology: itpro-security
ms.date: 12/31/2017
---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
similarity index 94%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
index aa4be6cdf0..40488c8f88 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
@@ -1,15 +1,9 @@
---
title: Import an AppLocker policy into a GPO
description: This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO).
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Import an AppLocker policy into a GPO
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/maintain-applocker-policies.md
similarity index 98%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/maintain-applocker-policies.md
index e9d52b57ce..1a9f1401e7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/maintain-applocker-policies.md
@@ -1,14 +1,8 @@
---
title: Maintain AppLocker policies
description: Learn how to maintain rules within AppLocker policies. View common AppLocker maintenance scenarios and see the methods to use to maintain AppLocker policies.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
-ms.technology: itpro-security
ms.date: 12/31/2017
---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
similarity index 97%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
index d04546c8ee..4d8e825349 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
@@ -1,15 +1,9 @@
---
title: Manage packaged apps with AppLocker
description: Learn concepts and lists procedures to help you manage packaged apps with AppLocker as part of your overall application control strategy.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Manage packaged apps with AppLocker
@@ -70,7 +64,7 @@ Just as there are differences in managing each rule collection, you need to mana
1. Gather information about which Packaged apps are running in your environment. For information about how to gather this information, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md).
-2. Create AppLocker rules for specific packaged apps based on your policy strategies. For more information, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) and [Understanding AppLocker default rules](./understanding-applocker-default-rules.md).
+2. Create AppLocker rules for specific packaged apps based on your policy strategies. For more information, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) and [Understanding AppLocker default rules](understanding-applocker-default-rules.md).
3. Continue to update the AppLocker policies as new package apps are introduced into your environment. To do this update, see [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
similarity index 95%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
index f9ff7dc54d..a51c56cde6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
@@ -1,15 +1,9 @@
---
title: Merge AppLocker policies by using Set-ApplockerPolicy
description: This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Merge AppLocker policies by using Set-ApplockerPolicy
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/merge-applocker-policies-manually.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/merge-applocker-policies-manually.md
index 41657a25bd..7ec3f23e57 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/merge-applocker-policies-manually.md
@@ -1,15 +1,9 @@
---
title: Merge AppLocker policies manually
description: This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO).
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Merge AppLocker policies manually
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
similarity index 97%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
index 32c0267869..c251209071 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
@@ -1,15 +1,9 @@
---
title: Monitor app usage with AppLocker
description: This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Monitor app usage with AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/optimize-applocker-performance.md
similarity index 92%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/optimize-applocker-performance.md
index ef107acf59..8646482c66 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/optimize-applocker-performance.md
@@ -1,15 +1,9 @@
---
title: Optimize AppLocker performance
description: This topic for IT professionals describes how to optimize AppLocker policy enforcement.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Optimize AppLocker performance
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
similarity index 95%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
index 48e94f6635..92d016a3dc 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
@@ -1,15 +1,9 @@
---
title: Packaged apps and packaged app installer rules in AppLocker
description: This topic explains the AppLocker rule collection for packaged app installers and packaged apps.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 10/13/2017
-ms.technology: itpro-security
---
# Packaged apps and packaged app installer rules in AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
similarity index 99%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
index f2e8463f25..2afb56de2f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
@@ -1,15 +1,9 @@
---
title: Plan for AppLocker policy management
description: This topic describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Plan for AppLocker policy management
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
similarity index 97%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
index 06168d1e9a..d4039c3443 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
@@ -1,15 +1,9 @@
---
title: Refresh an AppLocker policy
description: This topic for IT professionals describes the steps to force an update for an AppLocker policy.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Refresh an AppLocker policy
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
similarity index 97%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
index 40579e3963..70a6f0b415 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
@@ -1,15 +1,9 @@
---
title: Requirements for deploying AppLocker policies
description: This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Requirements for deploying AppLocker policies
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker.md
similarity index 97%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker.md
index 47b2d12aba..5d2b189772 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker.md
@@ -1,15 +1,9 @@
---
title: Requirements to use AppLocker
description: This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Requirements to use AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md
index d6ba932c98..9f331d58f0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md
@@ -1,15 +1,9 @@
---
title: Run the Automatically Generate Rules wizard
description: This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Run the Automatically Generate Rules wizard
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/script-rules-in-applocker.md
similarity index 92%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/script-rules-in-applocker.md
index bee1694c3a..ea18273ead 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/script-rules-in-applocker.md
@@ -1,15 +1,9 @@
---
title: Script rules in AppLocker
description: This article describes the file formats and available default rules for the script rule collection.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 06/15/2022
-ms.technology: itpro-security
---
# Script rules in AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/security-considerations-for-applocker.md
similarity index 97%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/security-considerations-for-applocker.md
index f32ff85c69..69f190b3f5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/security-considerations-for-applocker.md
@@ -1,15 +1,9 @@
---
title: Security considerations for AppLocker
description: This topic for the IT professional describes the security considerations you need to address when implementing AppLocker.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Security considerations for AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
similarity index 98%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
index 7776bf7386..15f51ed1d5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
@@ -1,15 +1,9 @@
---
title: Select the types of rules to create
description: This topic lists resources you can use when selecting your application control policy rules by using AppLocker.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Select the types of rules to create
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
index 0c029929bf..bd085cda47 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
@@ -1,15 +1,9 @@
---
title: Test an AppLocker policy by using Test-AppLockerPolicy
description: This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Test an AppLocker policy by using Test-AppLockerPolicy
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
similarity index 97%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
index 71815be79b..de4fc78024 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
@@ -1,15 +1,9 @@
---
title: Test and update an AppLocker policy
description: This topic discusses the steps required to test an AppLocker policy prior to deployment.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Test and update an AppLocker policy
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
index 9fcea89142..a683153f73 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
@@ -1,15 +1,9 @@
---
title: Tools to use with AppLocker
description: This topic for the IT professional describes the tools available to create and administer AppLocker policies.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Tools to use with AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
similarity index 94%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
index 9b5abb0b0b..db76a5a1bb 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
@@ -1,15 +1,9 @@
---
title: Understand AppLocker enforcement settings
description: This topic describes the AppLocker enforcement settings for rule collections.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Understand AppLocker enforcement settings
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
similarity index 99%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
index d61a4fdf98..d9f21105f1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
@@ -1,15 +1,9 @@
---
title: Understand AppLocker policy design decisions
description: Review some common considerations while you're planning to use AppLocker to deploy application control policies within a Windows environment.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 10/13/2017
-ms.technology: itpro-security
---
# Understand AppLocker policy design decisions
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
index fc99a9815b..363423b61d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
@@ -1,15 +1,9 @@
---
title: Understand AppLocker rules and enforcement setting inheritance in Group Policy
description: This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Understand AppLocker rules and enforcement setting inheritance in Group Policy
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
similarity index 94%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
index ab1522f49e..d06e82f836 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
@@ -1,15 +1,9 @@
---
title: Understand the AppLocker policy deployment process
description: This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Understand the AppLocker policy deployment process
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
index cec55e8e38..a10756f305 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
@@ -1,15 +1,9 @@
---
title: Understanding AppLocker allow and deny actions on rules
description: This topic explains the differences between allow and deny actions on AppLocker rules.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Understanding AppLocker allow and deny actions on rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
index 606e9924ec..764edf8acd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
@@ -1,15 +1,9 @@
---
title: Understanding AppLocker default rules
description: This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Understanding AppLocker default rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
similarity index 94%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
index 377eb5019a..7a6eea342e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
@@ -1,15 +1,9 @@
---
title: Understanding AppLocker rule behavior
description: This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Understanding AppLocker rule behavior
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
similarity index 93%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
index 1787c045ef..3f9f5ad500 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
@@ -1,15 +1,9 @@
---
title: Understanding AppLocker rule collections
description: This topic explains the five different types of AppLocker rules used to enforce AppLocker policies.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Understanding AppLocker rule collections
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
index b26445b191..bad3241ee2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
@@ -1,15 +1,9 @@
---
title: Understanding AppLocker rule condition types
description: This topic for the IT professional describes the three types of AppLocker rule conditions.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Understanding AppLocker rule condition types
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
similarity index 93%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
index 71ae842b65..416310d176 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
@@ -1,15 +1,9 @@
---
title: Understanding AppLocker rule exceptions
description: This topic describes the result of applying AppLocker rule exceptions to rule collections.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Understanding AppLocker rule exceptions
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
similarity index 92%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
index 6e13561e2c..9c95ff5c19 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
@@ -1,15 +1,9 @@
---
title: Understanding the file hash rule condition in AppLocker
description: This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it's applied.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Understanding the file hash rule condition in AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
index 5d3e6d2d29..4a28e77011 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
@@ -1,15 +1,9 @@
---
title: Understanding the path rule condition in AppLocker
description: This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it's applied.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Understanding the path rule condition in AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
similarity index 97%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
index dbc7fe282d..a915c31c36 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
@@ -1,15 +1,9 @@
---
title: Understanding the publisher rule condition in AppLocker
description: This topic explains the AppLocker publisher rule condition, what controls are available, and how it's applied.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Understanding the publisher rule condition in AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
similarity index 98%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
index eb14fbd674..c86f226134 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
@@ -1,15 +1,9 @@
---
title: Use a reference device to create and maintain AppLocker policies
description: This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer.
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.reviewer:
-ms.technology: itpro-security
---
# Use a reference device to create and maintain AppLocker policies
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
similarity index 98%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
index 9415499e71..a8a22bcdb4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
@@ -1,15 +1,9 @@
---
title: Use AppLocker and Software Restriction Policies in the same domain
description: This article for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 11/07/2022
-ms.technology: itpro-security
---
# Use AppLocker and Software Restriction Policies in the same domain
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
index 155e3e6d17..aed93b7f33 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
@@ -1,15 +1,9 @@
---
title: Use the AppLocker Windows PowerShell cmdlets
description: This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Use the AppLocker Windows PowerShell cmdlets
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
similarity index 98%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
index 2aedf66058..35cecd0bee 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
@@ -1,14 +1,8 @@
---
title: Using Event Viewer with AppLocker
description: This article lists AppLocker events and describes how to use Event Viewer with AppLocker.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
-ms.technology: itpro-security
ms.date: 02/02/2023
---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md
similarity index 97%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md
index d8b071c1c2..e822da9f1b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md
@@ -1,15 +1,9 @@
---
title: Use Software Restriction Policies and AppLocker policies
description: This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Use Software Restriction Policies and AppLocker policies
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker.md
similarity index 98%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker.md
index 68586393f4..e976eb85b8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker.md
@@ -1,15 +1,9 @@
---
title: What Is AppLocker
description: This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# What Is AppLocker?
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
similarity index 93%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
index 9a410a20af..9f51d9f474 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
@@ -1,15 +1,9 @@
---
title: Windows Installer rules in AppLocker
description: This topic describes the file formats and available default rules for the Windows Installer rule collection.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Windows Installer rules in AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-policies.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-policies.md
index 8e4a0a0395..0f287537b8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-policies.md
@@ -1,15 +1,9 @@
---
title: Working with AppLocker policies
description: This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies.
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Working with AppLocker policies
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules.md
similarity index 99%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules.md
index 8d170ef5ed..57c5eaa7cd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules.md
@@ -1,15 +1,9 @@
---
title: Working with AppLocker rules
description: This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.prod: windows-client
-author: vinaypamnani-msft
ms.localizationpriority: medium
msauthor: v-anbic
ms.date: 08/27/2018
-ms.technology: itpro-security
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/LOB-win32-apps-on-s.md
similarity index 94%
rename from windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
rename to windows/security/application-security/application-control/windows-defender-application-control/deployment/LOB-win32-apps-on-s.md
index 04b3c1eaac..965a20c625 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/LOB-win32-apps-on-s.md
@@ -1,25 +1,15 @@
---
title: Allow LOB Win32 apps on Intune-managed S Mode devices
description: Using Windows Defender Application Control (WDAC) supplemental policies, you can expand the S Mode base policy on your Intune-managed devices.
-ms.prod: windows-client
ms.localizationpriority: medium
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: vinpa
-manager: aaroncz
ms.date: 04/05/2023
-ms.technology: itpro-security
ms.topic: how-to
---
# Allow line-of-business Win32 apps on Intune-managed S Mode devices
-**Applies to:**
-
-- Windows 10
-
> [!NOTE]
-> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](../feature-availability.md).
You can use Microsoft Intune to deploy and run critical Win32 applications, and Windows components that are normally blocked in S mode, on your Intune-managed Windows 10 in S mode devices. For example, PowerShell.exe.
@@ -31,7 +21,7 @@ For an overview and brief demo of this feature, see this video:
## Policy authorization process
-
+
The general steps for expanding the S mode base policy on your Intune-managed Windows 10 in S mode devices are to generate a supplemental policy, sign that policy, upload the signed policy to Intune, and assign it to user or device groups. Because you need access to PowerShell cmdlets to generate your supplemental policy, you should create and manage your policies on a non-S mode device. Once the policy has been uploaded to Intune, before deploying the policy more broadly, assign it to a single test Windows 10 in S mode device to verify expected functioning.
@@ -39,7 +29,7 @@ The general steps for expanding the S mode base policy on your Intune-managed Wi
This policy expands the S mode base policy to authorize more applications. Anything authorized by either the S mode base policy or your supplemental policy is allowed to run. Your supplemental policies can specify filepath rules, trusted publishers, and more.
- For more information on creating supplemental policies, see [Deploy multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md). For more information on the right type of rules to create for your policy, see [Deploy WDAC policy rules and file rules](select-types-of-rules-to-create.md).
+ For more information on creating supplemental policies, see [Deploy multiple WDAC policies](../design/deploy-multiple-wdac-policies.md). For more information on the right type of rules to create for your policy, see [Deploy WDAC policy rules and file rules](../design/select-types-of-rules-to-create.md).
The following instructions are a basic set for creating an S mode supplemental policy:
@@ -81,7 +71,7 @@ The general steps for expanding the S mode base policy on your Intune-managed Wi
2. Sign the policy.
- Supplemental S mode policies must be digitally signed. To sign your policy, use your organization's custom Public Key Infrastructure (PKI). For more information on signing using an internal CA, see [Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md).
+ Supplemental S mode policies must be digitally signed. To sign your policy, use your organization's custom Public Key Infrastructure (PKI). For more information on signing using an internal CA, see [Create a code signing cert for WDAC](create-code-signing-cert-for-wdac.md).
> [!TIP]
> For more information, see [Azure Code Signing, democratizing trust for developers and consumers](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/azure-code-signing-democratizing-trust-for-developers-and/ba-p/3604669).
@@ -97,19 +87,19 @@ The general steps for expanding the S mode base policy on your Intune-managed Wi
## Standard process for deploying apps through Intune
-
+
For more information on the existing procedure of packaging signed catalogs and app deployment, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management).
## Optional: Process for deploying apps using catalogs
-
+
Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that authorizes all apps signed by that certificate, which may include apps you don't want to allow as well.
Instead of authorizing signers external to your organization, Intune has functionality to make it easier to authorize existing applications by using signed catalogs. This feature doesn't require repackaging or access to the source code. It works for apps that may be unsigned or even signed apps when you don't want to trust all apps that may share the same signing certificate.
-The basic process is to generate a catalog file for each app using Package Inspector, then sign the catalog files using a custom PKI. To authorize the catalog signing certificate in the supplemental policy, use the **Add-SignerRule** PowerShell cmdlet as shown earlier in step 1 of the [Policy authorization process](#policy-authorization-process). After that, use the [Standard process for deploying apps through Intune](#standard-process-for-deploying-apps-through-intune) outlined earlier. For more information on generating catalogs, see [Deploy catalog files to support WDAC](deploy-catalog-files-to-support-windows-defender-application-control.md).
+The basic process is to generate a catalog file for each app using Package Inspector, then sign the catalog files using a custom PKI. To authorize the catalog signing certificate in the supplemental policy, use the **Add-SignerRule** PowerShell cmdlet as shown earlier in step 1 of the [Policy authorization process](#policy-authorization-process). After that, use the [Standard process for deploying apps through Intune](#standard-process-for-deploying-apps-through-intune) outlined earlier. For more information on generating catalogs, see [Deploy catalog files to support WDAC](deploy-catalog-files-to-support-wdac.md).
> [!NOTE]
> Every time an app updates, you need to deploy an updated catalog. Try to avoid using catalog files for applications that auto-update, and direct users not to update applications on their own.
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/audit-wdac-policies.md
similarity index 75%
rename from windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
rename to windows/security/application-security/application-control/windows-defender-application-control/deployment/audit-wdac-policies.md
index 356adb95d7..98ac6cf37d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/audit-wdac-policies.md
@@ -1,33 +1,15 @@
---
-title: Use audit events to create WDAC policy rules
+title: Use audit events to create WDAC policy rules
description: Audits allow admins to discover apps, binaries, and scripts that should be added to the WDAC policy.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: vinpa
-manager: aaroncz
ms.date: 05/03/2018
-ms.technology: itpro-security
ms.topic: article
---
# Use audit events to create WDAC policy rules
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](../feature-availability.md).
Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included.
@@ -36,18 +18,18 @@ While a WDAC policy is running in audit mode, any binary that runs but would hav
## Overview of the process to create WDAC policy to allow apps using audit events
> [!Note]
-> You must have already deployed a WDAC audit mode policy to use this process. If you have not already done so, see [Deploying Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md).
+> You must have already deployed a WDAC audit mode policy to use this process. If you have not already done so, see [Deploying Windows Defender Application Control policies](wdac-deployment-guide.md).
To familiarize yourself with creating WDAC rules from audit events, follow these steps on a device with a WDAC audit mode policy.
1. Install and run an application not allowed by the WDAC policy but that you want to allow.
-2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md).
+2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](../operations/event-id-explanations.md).
**Figure 1. Exceptions to the deployed WDAC policy**
- 
+ 
-3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**.
+3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](../design/create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**.
```powershell
$PolicyName= "Lamna_FullyManagedClients_Audit"
@@ -59,13 +41,13 @@ To familiarize yourself with creating WDAC rules from audit events, follow these
4. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a **FilePublisher** file rule level and a **Hash** fallback level. Warning messages are redirected to a text file **EventsPolicyWarnings.txt**.
```powershell
- New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback SignedVersion,FilePublisher,Hash –UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings
+ New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback SignedVersion,FilePublisher,Hash -UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings
```
> [!NOTE]
- > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **FilePublisher** rule level with a fallback level of **Hash**, which may be more specific than desired. You can re-run the above command using different **-Level** and **-Fallback** options to meet your needs. For more information about WDAC rule levels, see [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md).
+ > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **FilePublisher** rule level with a fallback level of **Hash**, which may be more specific than desired. You can re-run the above command using different **-Level** and **-Fallback** options to meet your needs. For more information about WDAC rule levels, see [Understand WDAC policy rules and file rules](../design/select-types-of-rules-to-create.md).
-5. Find and review the WDAC policy file **EventsPolicy.xml** that should be found on your desktop. Ensure that it only includes file and signer rules for applications, binaries, and scripts you wish to allow. You can remove rules by manually editing the policy XML or use the WDAC Policy Wizard tool (see [Editing existing base and supplemental WDAC policies with the Wizard](wdac-wizard-editing-policy.md)).
+5. Find and review the WDAC policy file **EventsPolicy.xml** that should be found on your desktop. Ensure that it only includes file and signer rules for applications, binaries, and scripts you wish to allow. You can remove rules by manually editing the policy XML or use the WDAC Policy Wizard tool (see [Editing existing base and supplemental WDAC policies with the Wizard](../design/wdac-wizard-editing-policy.md)).
6. Find and review the text file **EventsPolicyWarnings.txt** that should be found on your desktop. This file will include a warning for any files that WDAC couldn't create a rule for at either the specified rule level or fallback rule level.
@@ -74,6 +56,6 @@ To familiarize yourself with creating WDAC rules from audit events, follow these
7. Merge **EventsPolicy.xml** with the Base policy **Lamna_FullyManagedClients_Audit.xml** or convert it to a supplemental policy.
- For information on merging policies, refer to [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) and for information on supplemental policies see [Use multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md).
+ For information on merging policies, refer to [Merge Windows Defender Application Control policies](merge-wdac-policies.md) and for information on supplemental policies see [Use multiple Windows Defender Application Control Policies](../design/deploy-multiple-wdac-policies.md).
8. Convert the Base or Supplemental policy to binary and deploy using your preferred method.
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/create-code-signing-cert-for-wdac.md
similarity index 87%
rename from windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
rename to windows/security/application-security/application-control/windows-defender-application-control/deployment/create-code-signing-cert-for-wdac.md
index 8050e17b08..cfa497a317 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/create-code-signing-cert-for-wdac.md
@@ -1,35 +1,17 @@
---
-title: Create a code signing cert for Windows Defender Application Control
+title: Create a code signing cert for Windows Defender Application Control
description: Learn how to set up a publicly issued code signing certificate, so you can sign catalog files or WDAC policies internally.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
ms.topic: conceptual
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: vinpa
-manager: aaroncz
ms.date: 12/01/2022
-ms.technology: itpro-security
---
# Optional: Create a code signing cert for Windows Defender Application Control
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
-As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signing, you'll either need a publicly issued code signing certificate or an internal CA. If you've purchased a code-signing certificate, you can skip this article, and instead follow other articles listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md).
+As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signing, you'll either need a publicly issued code signing certificate or an internal CA. If you've purchased a code-signing certificate, you can skip this article, and instead follow other articles listed in the [Windows Defender Application Control Deployment Guide](wdac-deployment-guide.md).
If you have an internal CA, complete these steps to create a code signing certificate.
@@ -45,7 +27,7 @@ If you have an internal CA, complete these steps to create a code signing certif
2. When connected, right-click **Certificate Templates**, and then select **Manage** to open the Certification Templates Console.
- 
+ 
Figure 1. Manage the certificate templates
@@ -61,7 +43,7 @@ If you have an internal CA, complete these steps to create a code signing certif
8. In the **Edit Basic Constraints Extension** dialog box, select **Enable this extension**, as shown in Figure 2.
- 
+ 
Figure 2. Select constraints on the new template
@@ -77,7 +59,7 @@ When this certificate template has been created, you must publish it to the CA p
1. In the Certification Authority MMC snap-in, right-click **Certification Templates**, point to **New**, and then select **Certificate Template to Issue**, as shown in Figure 3.
- 
+ 
Figure 3. Select the new certificate template to issue
@@ -95,7 +77,7 @@ Now that the template is available to be issued, you must request one from the c
4. In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4.
- 
+ 
Figure 4. Get more information for your code signing certificate
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-catalog-files-to-support-wdac.md
similarity index 93%
rename from windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
rename to windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-catalog-files-to-support-wdac.md
index e49832fb80..bc9542abec 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-catalog-files-to-support-wdac.md
@@ -1,31 +1,19 @@
---
title: Deploy catalog files to support Windows Defender Application Control
description: Catalog files simplify running unsigned applications in the presence of a Windows Defender Application Control (WDAC) policy.
-ms.prod: windows-client
ms.localizationpriority: medium
ms.topic: how-to
-author: jsuther1974
-ms.reviewer: jgeurten
-ms.author: vinpa
-manager: aaroncz
ms.date: 11/30/2022
-ms.technology: itpro-security
---
# Deploy catalog files to support Windows Defender Application Control
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and later
-
> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](../feature-availability.md).
*Catalog files* can be important in your deployment of Windows Defender Application Control (WDAC) if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. You can also use catalog files to add your own signature to apps you get from independent software vendors (ISV) when you don't want to trust all code signed by that ISV. In this way, catalog files provide a convenient way for you to "bless" apps for use in your WDAC-managed environment. And, you can create catalog files for existing apps without requiring access to the original source code or needing any expensive repackaging.
-You need to [obtain a code signing certificate for your own use](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md#obtain-code-signing-certificates-for-your-own-use) and use it to sign the catalog file. Then, distribute the signed catalog file using your preferred content deployment mechanism.
+You need to [obtain a code signing certificate for your own use](use-code-signing-for-better-control-and-protection.md#obtain-code-signing-certificates-for-your-own-use) and use it to sign the catalog file. Then, distribute the signed catalog file using your preferred content deployment mechanism.
Finally, add a signer rule to your WDAC policy for your signing certificate. Then, any apps covered by your signed catalog files are able to run, even if the apps were previously unsigned. With this foundation, you can more easily build a WDAC policy that blocks all unsigned code, because most malware is unsigned.
@@ -46,7 +34,7 @@ To create a catalog file for an existing app, you can use a tool called **Packag
$PolicyBinary = $env:USERPROFILE+"\Desktop\"+$PolicyId.substring(11)+".cip"
```
- Then apply the policy as described in [Deploy Windows Defender Application Control policies with script](deployment/deploy-wdac-policies-with-script.md).
+ Then apply the policy as described in [Deploy Windows Defender Application Control policies with script](deploy-wdac-policies-with-script.md).
2. Start Package Inspector to monitor file creation on a **local drive** where you install the app, for example, drive C:
@@ -121,7 +109,7 @@ For the code signing certificate that you use to sign the catalog file, import i
3. Verify the catalog file's digital signature. Right-click the catalog file, and then select **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 1.
- 
+ 
Figure 1. Verify that the signing certificate exists.
@@ -144,7 +132,7 @@ The following process walks you through the deployment of a signed catalog file
> [!NOTE]
> You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies.
- 
+ 
Figure 2. Create a new GPO.
@@ -154,7 +142,7 @@ The following process walks you through the deployment of a signed catalog file
5. Within the selected GPO, navigate to **Computer Configuration\\Preferences\\Windows Settings\\Files**. Right-click **Files**, point to **New**, and then select **File**, as shown in Figure 3.
- 
+ 
Figure 3. Create a new file.
@@ -164,7 +152,7 @@ The following process walks you through the deployment of a signed catalog file
7. To keep versions consistent, in the **New File Properties** dialog box as shown in Figure 4, select **Replace** from the **Action** list so that the newest version is always used.
- 
+ 
Figure 4. Set the new file properties.
@@ -197,7 +185,7 @@ Complete the following steps to create a new deployment package for catalog file
3. Name the package, set your organization as the manufacturer, and select an appropriate version number.
- 
+ 
Figure 5. Specify information about the new package.
@@ -218,7 +206,7 @@ Complete the following steps to create a new deployment package for catalog file
- From the **Program can run** list, select **Whether or not a user is logged on**.
- From the **Drive mode** list, select **Runs with UNC name**.
- 
+ 
Figure 6. Specify information about the standard program.
@@ -246,7 +234,7 @@ After you create the deployment package, deploy it to a collection so that the c
- Select the **Commit changes at deadline or during a maintenance window (requires restarts)** check box.
- 
+ 
Figure 7. Specify the user experience.
@@ -271,13 +259,13 @@ You can configure software inventory to find catalog files on your managed syste
3. Name the new policy, and under **Select and then configure the custom settings for client devices**, select the **Software Inventory** check box, as shown in Figure 8.
- 
+ 
Figure 8. Select custom settings.
4. In the navigation pane, select **Software Inventory**, and then select **Set Types**, as shown in Figure 9.
- 
+ 
Figure 9. Set the software inventory.
@@ -290,7 +278,7 @@ You can configure software inventory to find catalog files on your managed syste
7. In the **Path Properties** dialog box, select **Variable or path name**, and then type `C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}` in the box, as shown in Figure 10.
- 
+ 
Figure 10. Set the path properties.
@@ -313,7 +301,7 @@ At the time of the next software inventory cycle, when the targeted clients rece
## Allow apps signed by your catalog signing certificate in your WDAC policy
-Now that you have your signed catalog file, you can add a signer rule to your policy that allows anything signed with that certificate. If you haven't yet created a WDAC policy, see the [Windows Defender Application Control design guide](windows-defender-application-control-design-guide.md).
+Now that you have your signed catalog file, you can add a signer rule to your policy that allows anything signed with that certificate. If you haven't yet created a WDAC policy, see the [Windows Defender Application Control design guide](../design/wdac-design-guide.md).
On a computer where the signed catalog file has been deployed, you can use [New-CiPolicyRule](/powershell/module/configci/new-cipolicyrule) to create a signer rule from any file included in that catalog. Then use [Merge-CiPolicy](/powershell/module/configci/merge-cipolicy) to add the rule to your policy XML. Be sure to replace the path values in the following sample:
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-group-policy.md
similarity index 85%
rename from windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
rename to windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-group-policy.md
index 752243780c..aed9b36b5b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-group-policy.md
@@ -1,36 +1,18 @@
---
-title: Deploy WDAC policies via Group Policy
+title: Deploy WDAC policies via Group Policy
description: Windows Defender Application Control (WDAC) policies can easily be deployed and managed with Group Policy. Learn how by following this step-by-step guide.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: vinpa
-manager: aaroncz
ms.date: 01/23/2023
-ms.technology: itpro-security
ms.topic: article
---
# Deploy Windows Defender Application Control policies by using Group Policy
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
> [!IMPORTANT]
-> Due to a known issue, you should always activate new **signed** WDAC Base policies *with a reboot* on systems with [**memory integrity**](../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Instead of Group Policy, deploy new signed WDAC Base policies [via script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script#deploying-signed-policies) and activate the policy with a system restart.
+> Due to a known issue, you should always activate new **signed** WDAC Base policies *with a reboot* on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Instead of Group Policy, deploy new signed WDAC Base policies [via script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script#deploying-signed-policies) and activate the policy with a system restart.
>
> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
@@ -50,7 +32,7 @@ To deploy and manage a Windows Defender Application Control policy with Group Po
2. Create a new GPO: right-click an OU and then select **Create a GPO in this domain, and Link it here**.
> [!NOTE]
- > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control lifecycle policy management](../plan-windows-defender-application-control-management.md).
+ > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control lifecycle policy management](../design/plan-wdac-management.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-intune.md
similarity index 90%
rename from windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
rename to windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-intune.md
index b1f05c013f..1909066094 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-intune.md
@@ -1,32 +1,20 @@
---
-title: Deploy WDAC policies using Mobile Device Management (MDM)
+title: Deploy WDAC policies using Mobile Device Management (MDM)
description: You can use an MDM like Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
-ms.prod: windows-client
-ms.technology: itpro-security
ms.localizationpriority: medium
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: vinpa
-manager: aaroncz
ms.date: 01/23/2023
ms.topic: how-to
---
# Deploy WDAC policies using Mobile Device Management (MDM)
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps.
> [!IMPORTANT]
-> Due to a known issue, you should always activate new **signed** WDAC Base policies *with a reboot* on systems with [**memory integrity**](../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Instead of Mobile Device Management (MDM), deploy new signed WDAC Base policies [via script](deploy-wdac-policies-with-script.md) and activate the policy with a system restart.
+> Due to a known issue, you should always activate new **signed** WDAC Base policies *with a reboot* on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Instead of Mobile Device Management (MDM), deploy new signed WDAC Base policies [via script](deploy-wdac-policies-with-script.md) and activate the policy with a system restart.
>
> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
@@ -50,7 +38,7 @@ To use Intune's built-in WDAC policies, configure [Endpoint Protection for Windo
## Deploy WDAC policies with custom OMA-URI
> [!NOTE]
-> Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create Windows Defender Application Control policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](../deploy-multiple-windows-defender-application-control-policies.md) which allow more granular policy.
+> Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create Windows Defender Application Control policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](../design/deploy-multiple-wdac-policies.md) which allow more granular policy.
You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
similarity index 95%
rename from windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
rename to windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
index 72b2f4c5a2..d4135733c2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
@@ -1,12 +1,6 @@
---
title: Deploy Windows Defender Application Control policies with Configuration Manager
description: You can use Microsoft Configuration Manager to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
-ms.prod: windows-client
-ms.technology: itpro-security
-author: jgeurten
-ms.reviewer: aaroncz
-ms.author: jogeurte
-manager: aaroncz
ms.date: 06/27/2022
ms.topic: how-to
ms.localizationpriority: medium
@@ -14,12 +8,6 @@ ms.localizationpriority: medium
# Deploy WDAC policies by using Microsoft Configuration Manager
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](../feature-availability.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
similarity index 90%
rename from windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
rename to windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
index b674d5c2b0..a96124b086 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
@@ -1,28 +1,14 @@
---
-title: Deploy Windows Defender Application Control (WDAC) policies using script
+title: Deploy Windows Defender Application Control (WDAC) policies using script
description: Use scripts to deploy Windows Defender Application Control (WDAC) policies. Learn how with this step-by-step guide.
-keywords: security, malware
-ms.prod: windows-client
-audience: ITPro
-author: jsuther1974
-ms.reviewer: aaroncz
-ms.author: jogeurte
ms.manager: jsuther
-manager: aaroncz
ms.date: 01/23/2023
-ms.technology: itpro-security
ms.topic: article
ms.localizationpriority: medium
---
# Deploy WDAC policies using script
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -31,7 +17,7 @@ This article describes how to deploy Windows Defender Application Control (WDAC)
You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
> [!IMPORTANT]
-> Due to a known issue, you should always activate new **signed** WDAC Base policies with a reboot on systems with [**memory integrity**](../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Skip all steps below that use CiTool, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart.
+> Due to a known issue, you should always activate new **signed** WDAC Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Skip all steps below that use CiTool, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart.
>
> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/disable-wdac-policies.md
similarity index 95%
rename from windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
rename to windows/security/application-security/application-control/windows-defender-application-control/deployment/disable-wdac-policies.md
index 11ea39bbe9..5c4d60cfa8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/disable-wdac-policies.md
@@ -1,33 +1,15 @@
---
-title: Remove Windows Defender Application Control policies
+title: Remove Windows Defender Application Control policies
description: Learn how to disable both signed and unsigned Windows Defender Application Control policies, within Windows and within the BIOS.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: vinpa
-manager: aaroncz
ms.date: 11/04/2022
-ms.technology: itpro-security
ms.topic: article
---
# Remove Windows Defender Application Control (WDAC) policies
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
## Removing WDAC policies
diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/enforce-wdac-policies.md
similarity index 78%
rename from windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md
rename to windows/security/application-security/application-control/windows-defender-application-control/deployment/enforce-wdac-policies.md
index 082b0a5d27..9000c01d85 100644
--- a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/enforce-wdac-policies.md
@@ -1,30 +1,16 @@
---
-title: Enforce Windows Defender Application Control (WDAC) policies
+title: Enforce Windows Defender Application Control (WDAC) policies
description: Learn how to switch a WDAC policy from audit to enforced mode.
-keywords: security, malware
-ms.prod: windows-client
-audience: ITPro
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: jogeurte
ms.manager: jsuther
-manager: aaroncz
ms.date: 04/22/2021
-ms.technology: itpro-security
ms.topic: article
ms.localizationpriority: medium
---
# Enforce Windows Defender Application Control (WDAC) policies
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
You should now have one or more Windows Defender Application Control policies broadly deployed in audit mode. You have analyzed events collected from the devices with those policies and you're ready to enforce. Use this procedure to prepare and deploy your WDAC policies in enforcement mode.
@@ -33,11 +19,11 @@ You should now have one or more Windows Defender Application Control policies br
## Convert WDAC **base** policy from audit to enforced
-As described in [common Windows Defender Application Control deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
+As described in [common Windows Defender Application Control deployment scenarios](../design/common-wdac-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
**Alice Pena** is the IT team lead responsible for Lamna's WDAC rollout.
-Alice previously created and deployed a policy for the organization's [fully managed devices](create-wdac-policy-for-fully-managed-devices.md). They updated the policy based on audit event data as described in [Use audit events to create WDAC policy rules](audit-windows-defender-application-control-policies.md) and redeployed it. All remaining audit events are as expected and Alice is ready to switch to enforcement mode.
+Alice previously created and deployed a policy for the organization's [fully managed devices](../design/create-wdac-policy-for-fully-managed-devices.md). They updated the policy based on audit event data as described in [Use audit events to create WDAC policy rules](audit-wdac-policies.md) and redeployed it. All remaining audit events are as expected and Alice is ready to switch to enforcement mode.
1. Initialize the variables that will be used and create the enforced policy by copying the audit version.
@@ -55,8 +41,7 @@ Alice previously created and deployed a policy for the organization's [fully man
$EnforcedPolicyID = $EnforcedPolicyID.Substring(11)
```
-
-3. *[Optionally]* Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”). Option 9 allows users to disable WDAC enforcement for a single boot session from a pre-boot menu. Option 10 instructs Windows to switch the policy from enforcement to audit only if a boot critical kernel-mode driver is blocked. We strongly recommend these options when deploying a new enforced policy to your first deployment ring. Then, if no issues are found, you can remove the options and restart your deployment.
+3. *[Optionally]* Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to enable rule options 9 ("Advanced Boot Options Menu") and 10 ("Boot Audit on Failure"). Option 9 allows users to disable WDAC enforcement for a single boot session from a pre-boot menu. Option 10 instructs Windows to switch the policy from enforcement to audit only if a boot critical kernel-mode driver is blocked. We strongly recommend these options when deploying a new enforced policy to your first deployment ring. Then, if no issues are found, you can remove the options and restart your deployment.
```powershell
Set-RuleOption -FilePath $EnforcedPolicyXML -Option 9
@@ -111,4 +96,4 @@ Since the enforced policy was given a unique PolicyID in the previous procedure,
## Deploy your enforced policy and supplemental policies
-Now that your base policy is in enforced mode, you can begin to deploy it to your managed endpoints. For information about deploying policies, see [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md).
+Now that your base policy is in enforced mode, you can begin to deploy it to your managed endpoints. For information about deploying policies, see [Deploying Windows Defender Application Control (WDAC) policies](wdac-deployment-guide.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/merge-wdac-policies.md
similarity index 88%
rename from windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
rename to windows/security/application-security/application-control/windows-defender-application-control/deployment/merge-wdac-policies.md
index 53b1e0a448..20bf91ea2a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/merge-wdac-policies.md
@@ -1,30 +1,16 @@
---
-title: Merge Windows Defender Application Control policies (WDAC)
+title: Merge Windows Defender Application Control policies (WDAC)
description: Learn how to merge WDAC policies as part of your policy lifecycle management.
-keywords: security, malware
-ms.prod: windows-client
-audience: ITPro
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: jogeurte
ms.manager: jsuther
-manager: aaroncz
ms.date: 04/22/2021
-ms.technology: itpro-security
ms.topic: article
ms.localizationpriority: medium
---
# Merge Windows Defender Application Control (WDAC) policies
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
This article shows how to merge multiple policy XML files together and how to merge rules directly into a policy. Windows Defender Application Control deployments often include a few base policies and optional supplemental policies for specific use cases.
@@ -33,7 +19,7 @@ This article shows how to merge multiple policy XML files together and how to me
## Merge multiple WDAC policy XML files together
-There are many scenarios where you may want to merge two or more policy files together. For example, if you [use audit events to create Windows Defender Application Control policy rules](audit-windows-defender-application-control-policies.md), you can merge those rules with your existing WDAC base policy. To merge the two WDAC policies referenced in that article, complete the following steps in an elevated Windows PowerShell session.
+There are many scenarios where you may want to merge two or more policy files together. For example, if you [use audit events to create Windows Defender Application Control policy rules](audit-wdac-policies.md), you can merge those rules with your existing WDAC base policy. To merge the two WDAC policies referenced in that article, complete the following steps in an elevated Windows PowerShell session.
1. Initialize the variables that will be used:
@@ -57,7 +43,7 @@ There are many scenarios where you may want to merge two or more policy files to
Besides merging multiple policy XML files, you can also merge rules created with the New-CIPolicyRule cmdlet directly into an existing WDAC policy XML file. Directly merging rules is a convenient way to update your policy without creating extra policy XML files. For example, to add rules that allow the WDAC Wizard and the WDAC RefreshPolicy.exe tool, follow these steps:
-1. Install the [WDAC Wizard](wdac-wizard.md) packaged MSIX app.
+1. Install the [WDAC Wizard](../design/wdac-wizard.md) packaged MSIX app.
2. Download the [Refresh Policy tool](https://aka.ms/refreshpolicy) for your processor architecture and save it to your desktop as RefreshPolicy.exe.
3. From a PowerShell session, run the following commands to create packaged app allow rules for the WDAC Wizard:
@@ -94,4 +80,4 @@ Now that you have your new, merged policy, you can convert and deploy the policy
2. Upload your merged policy XML and the associated binary to the source control solution you are using for your Windows Defender Application Control policies. such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
-3. Deploy the merged policy using your preferred deployment solution. See [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md)
+3. Deploy the merged policy using your preferred deployment solution. See [Deploying Windows Defender Application Control (WDAC) policies](wdac-deployment-guide.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection.md
similarity index 92%
rename from windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
rename to windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection.md
index 32b34dfe20..8bc12aa239 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection.md
@@ -1,27 +1,15 @@
---
title: Use code signing for added control and protection with WDAC
description: Code signing can be used to better control Win32 app authorization and add protection for your Windows Defender Application Control (WDAC) policies.
-ms.prod: windows-client
ms.localizationpriority: medium
ms.topic: conceptual
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: vinpa
-manager: aaroncz
ms.date: 11/29/2022
-ms.technology: itpro-security
---
# Use code signing for added control and protection with Windows Defender Application Control
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](../feature-availability.md).
## What is code signing and why is it important?
@@ -38,7 +26,7 @@ You can use catalog files to easily add a signature to an existing application w
> [!NOTE]
> Since catalogs identify the files they sign by hash, any change to the file may invalidate its signature. You will need to deploy updated catalog signatures any time the application is updated. Integrating code signing with your app development or app deployment processes is generally the best approach. Be aware of self-updating apps, as their app binaries may change without your knowledge.
-To learn how to create and manage catalog files for existing apps, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md).
+To learn how to create and manage catalog files for existing apps, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-wdac.md).
## Signed WDAC policies
@@ -51,5 +39,5 @@ For more information on using signed policies, see [Use signed policies to prote
Some ways to obtain code signing certificates for your own use, include:
- Purchase a code signing certificate from one of the [Microsoft Trusted Root Program participants](/security/trusted-root/participants-list).
-- To use your own digital certificate or public key infrastructure (PKI) to issue code signing certificates, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
+- To use your own digital certificate or public key infrastructure (PKI) to issue code signing certificates, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-wdac.md).
- Use Microsoft's [Azure Code Signing (ACS) service](https://aka.ms/AzureCodeSigning).
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md
similarity index 90%
rename from windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
rename to windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md
index ef0985446c..72139cebfa 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md
@@ -1,31 +1,19 @@
---
title: Use signed policies to protect Windows Defender Application Control against tampering
description: Signed Windows Defender Application Control (WDAC) policies give organizations the highest level of malware protection available in Windows 10 and Windows 11.
-ms.prod: windows-client
ms.localizationpriority: medium
ms.topic: conceptual
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: vinpa
-manager: aaroncz
ms.date: 11/04/2022
-ms.technology: itpro-security
---
# Use signed policies to protect Windows Defender Application Control against tampering
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](../feature-availability.md).
Signed Windows Defender Application Control (WDAC) policies give organizations the highest level of protection available in Windows. These policies are designed to detect administrative tampering of the policy, such as by malware running as admin, and will result in a boot failure or blue screen. With this goal in mind, it's much more difficult to remove signed WDAC policies. SecureBoot must be enabled in order to provide this protection for signed WDAC policies.
-If you don't currently have a code signing certificate you can use to sign your policies, see [Obtain code signing certificates for your own use](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md#obtain-code-signing-certificates-for-your-own-use).
+If you don't currently have a code signing certificate you can use to sign your policies, see [Obtain code signing certificates for your own use](use-code-signing-for-better-control-and-protection.md#obtain-code-signing-certificates-for-your-own-use).
> [!WARNING]
> Boot failure, or blue screen, may occur if your signing certificate doesn't follow these rules:
@@ -35,7 +23,7 @@ If you don't currently have a code signing certificate you can use to sign your
> - You can use SHA-256, SHA-384, or SHA-512 as the digest algorithm on Windows 11, as well as Windows 10 and Windows Server 2019 and above after applying the November 2022 cumulative security update. All other devices only support SHA-256.
> - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING.
-Before you attempt to deploy a signed policy, you should first deploy an unsigned version of the policy to uncover any issues with the policy rules. We also recommend you enable rule options **9 - Enabled:Advanced Boot Options Menu** and **10 - Enabled:Boot Audit on Failure** to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md).
+Before you attempt to deploy a signed policy, you should first deploy an unsigned version of the policy to uncover any issues with the policy rules. We also recommend you enable rule options **9 - Enabled:Advanced Boot Options Menu** and **10 - Enabled:Boot Audit on Failure** to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](../design/select-types-of-rules-to-create.md).
> [!NOTE]
> When signing a Base policy that has existing Supplemental policies, you must also switch to signed policy for all of the Supplementals. Authorize the signed supplemental policies by adding a `` rule to the Base policy.
@@ -51,7 +39,7 @@ Before you attempt to deploy a signed policy, you should first deploy an unsigne
```
> [!NOTE]
- > This example uses an enforced version of the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) article. If you sign another policy, be sure to update the **$PolicyPath** and **$PolicyName** variables with the correct information.
+ > This example uses an enforced version of the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](../design/create-wdac-policy-using-reference-computer.md) article. If you sign another policy, be sure to update the **$PolicyPath** and **$PolicyName** variables with the correct information.
2. Navigate to your desktop as the working directory:
@@ -71,7 +59,7 @@ Before you attempt to deploy a signed policy, you should first deploy an unsigne
```
> [!IMPORTANT]
- > Failing to perform this step will leave you unable to modify or disable this policy and will lead to boot failure. For more information about how to disable signed policies causing boot failure, see [Remove Windows Defender Application Control policies causing boot stop failures](disable-windows-defender-application-control-policies.md#remove-wdac-policies-causing-boot-stop-failures).
+ > Failing to perform this step will leave you unable to modify or disable this policy and will lead to boot failure. For more information about how to disable signed policies causing boot failure, see [Remove Windows Defender Application Control policies causing boot stop failures](disable-wdac-policies.md#remove-wdac-policies-causing-boot-stop-failures).
4. Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option:
@@ -101,7 +89,7 @@ Before you attempt to deploy a signed policy, you should first deploy an unsigne
If you purchased a code signing certificate or issued one from your own PKI, you can use [SignTool.exe](/windows/win32/seccrypto/signtool) to sign your WDAC policy files:
-1. Import the .pfx code signing certificate into the user's personal store on the computer where the signing will happen. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
+1. Import the .pfx code signing certificate into the user's personal store on the computer where the signing will happen. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-wdac.md).
2. Sign the WDAC policy by using SignTool.exe:
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md
similarity index 76%
rename from windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
rename to windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md
index 57b049afc6..90bdaa9748 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md
@@ -1,29 +1,17 @@
---
title: Deploying Windows Defender Application Control (WDAC) policies
description: Learn how to plan and implement a WDAC deployment.
-ms.prod: windows-client
-ms.technology: itpro-security
ms.localizationpriority: medium
-author: jgeurten
-ms.reviewer: aaroncz
-ms.author: jogeurte
-manager: jsuther
ms.date: 01/23/2023
ms.topic: overview
---
# Deploying Windows Defender Application Control (WDAC) policies
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
-You should now have one or more Windows Defender Application Control (WDAC) policies ready to deploy. If you haven't yet completed the steps described in the [WDAC Design Guide](windows-defender-application-control-design-guide.md), do so now before proceeding.
+You should now have one or more Windows Defender Application Control (WDAC) policies ready to deploy. If you haven't yet completed the steps described in the [WDAC Design Guide](../design/wdac-design-guide.md), do so now before proceeding.
## Convert your WDAC policy XML to binary
@@ -56,13 +44,13 @@ All Windows Defender Application Control policy changes should be deployed in au
## Choose how to deploy WDAC policies
> [!IMPORTANT]
-> Due to a known issue, you should always activate new **signed** WDAC Base policies with a reboot on systems with [**memory integrity**](../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. We recommend [deploying via script](deployment/deploy-wdac-policies-with-script.md) in this case.
+> Due to a known issue, you should always activate new **signed** WDAC Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. We recommend [deploying via script](deploy-wdac-policies-with-script.md) in this case.
>
> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
There are several options to deploy Windows Defender Application Control policies to managed endpoints, including:
-- [Deploy using a Mobile Device Management (MDM) solution](deployment/deploy-windows-defender-application-control-policies-using-intune.md), such as Microsoft Intune
-- [Deploy using Microsoft Configuration Manager](deployment/deploy-wdac-policies-with-memcm.md)
-- [Deploy via script](deployment/deploy-wdac-policies-with-script.md)
-- [Deploy via group policy](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md)
+- [Deploy using a Mobile Device Management (MDM) solution](deploy-wdac-policies-using-intune.md), such as Microsoft Intune
+- [Deploy using Microsoft Configuration Manager](deploy-wdac-policies-with-memcm.md)
+- [Deploy via script](deploy-wdac-policies-with-script.md)
+- [Deploy via group policy](deploy-wdac-policies-using-group-policy.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/application-security/application-control/windows-defender-application-control/design/allow-com-object-registration-in-wdac-policy.md
similarity index 91%
rename from windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
rename to windows/security/application-security/application-control/windows-defender-application-control/design/allow-com-object-registration-in-wdac-policy.md
index abfdd65aed..ad1b478b40 100644
--- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/allow-com-object-registration-in-wdac-policy.md
@@ -1,33 +1,15 @@
---
-title: Allow COM object registration in a WDAC policy
+title: Allow COM object registration in a WDAC policy
description: You can allow COM object registration in a Windows Defender Application Control policy.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
-author: vinaypamnani-msft
-ms.reviewer: jsuther
-ms.author: vinpa
-manager: aaroncz
-ms.technology: itpro-security
ms.date: 04/05/2023
ms.topic: article
---
# Allow COM object registration in a Windows Defender Application Control policy
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and later
-
> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](../feature-availability.md).
The [Microsoft Component Object Model (COM)](/windows/desktop/com/the-component-object-model) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM specifies an object model and programming requirements that enable COM objects to interact with other objects.
@@ -38,8 +20,8 @@ Windows Defender Application Control (WDAC) enforces a built-in allowlist for CO
> [!NOTE]
> To add this functionality to other versions of Windows 10, you can install the following or later updates.
-- [Windows 10, 1809 June 18, 2019—KB4501371 (OS Build 17763.592)](https://support.microsoft.com/help/4501371/windows-10-update-kb4501371)
-- [Windows 10, 1607 June 18, 2019—KB4503294 (OS Build 14393.3053)](https://support.microsoft.com/help/4503294/windows-10-update-kb4503294)
+- [Windows 10, 1809 June 18, 2019-KB4501371 (OS Build 17763.592)](https://support.microsoft.com/help/4501371/windows-10-update-kb4501371)
+- [Windows 10, 1607 June 18, 2019-KB4503294 (OS Build 14393.3053)](https://support.microsoft.com/help/4503294/windows-10-update-kb4503294)
### Get COM object GUID
@@ -49,13 +31,13 @@ You can get the COM application GUID from the 8036 COM object block events in Ev
Three elements:
-- Provider: platform on which code is running (values are PowerShell, WSH, IE, VBA, MSI, or a wildcard “AllHostIds”)
+- Provider: platform on which code is running (values are PowerShell, WSH, IE, VBA, MSI, or a wildcard "AllHostIds")
- Key: GUID for the program you wish to run, in the format Key="{33333333-4444-4444-1616-161616161616}"
- ValueName: needs to be set to "EnterpriseDefinedClsId"
One attribute:
-- Value: needs to be “true” for allow and “false” for deny
+- Value: needs to be "true" for allow and "false" for deny
> [!NOTE]
> Deny only works in base policies, not supplemental policies
diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/application-security/application-control/windows-defender-application-control/design/common-wdac-use-cases.md
similarity index 84%
rename from windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
rename to windows/security/application-security/application-control/windows-defender-application-control/design/common-wdac-use-cases.md
index 4d96a0ba7f..2d96cac781 100644
--- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/common-wdac-use-cases.md
@@ -1,35 +1,17 @@
---
-title: Policy creation for common WDAC usage scenarios
+title: Policy creation for common WDAC usage scenarios
description: Develop a plan for deploying Windows Defender Application Control (WDAC) in your organization based on these common scenarios.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: vinpa
-manager: aaroncz
ms.date: 04/05/2023
-ms.technology: itpro-security
ms.topic: article
---
# Windows Defender Application Control deployment in different scenarios: types of devices
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
-> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
-Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It's common for organizations to have device use cases across each of the categories described.
+Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply "turn on." The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It's common for organizations to have device use cases across each of the categories described.
## Types of devices
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/application-security/application-control/windows-defender-application-control/design/configure-authorized-apps-deployed-with-a-managed-installer.md
similarity index 95%
rename from windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
rename to windows/security/application-security/application-control/windows-defender-application-control/design/configure-authorized-apps-deployed-with-a-managed-installer.md
index 9c86b54151..6154ff435d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/configure-authorized-apps-deployed-with-a-managed-installer.md
@@ -1,33 +1,15 @@
---
-title: Allow apps deployed with a WDAC managed installer
+title: Allow apps deployed with a WDAC managed installer
description: Explains how to configure a custom Managed Installer.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: vinpa
-manager: aaroncz
ms.date: 02/02/2023
-ms.technology: itpro-security
ms.topic: article
---
# Automatically allow apps deployed by a managed installer with Windows Defender Application Control
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2019 and above
-
> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
Windows Defender Application Control (WDAC) includes an option called **managed installer** that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution, such as Microsoft Configuration Manager (MEMCM) or Microsoft Intune.
@@ -230,15 +212,15 @@ Below are steps to create a WDAC policy that allows Windows to boot and enables
Set-RuleOption -FilePath -Option 13
```
-4. Deploy your WDAC policy. See [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md).
+4. Deploy your WDAC policy. See [Deploying Windows Defender Application Control (WDAC) policies](../deployment/wdac-deployment-guide.md).
> [!NOTE]
> Your WDAC policy must include rules for all system/boot components, kernel drivers, and any other authorized applications that can't be deployed through a managed installer.
## Remove Managed Installer feature
-To remove the Managed Installer feature from the device, you'll need to remove the Managed Installer AppLocker policy from the device by following the instructions at [Delete an AppLocker rule: Clear AppLocker policies on a single system or remote systems](applocker/delete-an-applocker-rule.md#to-clear-applocker-policies-on-a-single-system-or-remote-systems).
+To remove the Managed Installer feature from the device, you'll need to remove the Managed Installer AppLocker policy from the device by following the instructions at [Delete an AppLocker rule: Clear AppLocker policies on a single system or remote systems](../applocker/delete-an-applocker-rule.md#to-clear-applocker-policies-on-a-single-system-or-remote-systems).
## Related articles
-- [Managed installer and ISG technical reference and troubleshooting guide](configure-wdac-managed-installer.md)
+- [Managed installer and ISG technical reference and troubleshooting guide](../operations/configure-wdac-managed-installer.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-deny-policy.md
similarity index 90%
rename from windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
rename to windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-deny-policy.md
index ff87d17d02..3dcec18e4f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-deny-policy.md
@@ -1,19 +1,7 @@
---
title: Create WDAC Deny Policy
description: Explains how to create WDAC deny policies
-keywords: WDAC, policy
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
-author: jgeurten
-ms.reviewer: jsuther1974
-ms.author: vinpa
-manager: aaroncz
-ms.technology: itpro-security
ms.date: 12/31/2017
ms.topic: article
---
@@ -72,7 +60,7 @@ Merge-CIPolicy -PolicyPaths $ DenyPolicy, $ExistingPolicy -OutputFilePath $Exist
## Best Practices
-1. **Test first in Audit mode** - as with all new policies, we recommend rolling out your new deny policy in Audit Mode and monitoring the [3076 audit block events](event-id-explanations.md) to ensure only the applications you intended to block are blocked. More information on monitoring block events via the Event Viewer logs and Advanced Hunting: [Managing and troubleshooting Windows Defender Application Control policies](windows-defender-application-control-operational-guide.md)
+1. **Test first in Audit mode** - as with all new policies, we recommend rolling out your new deny policy in Audit Mode and monitoring the [3076 audit block events](../operations/event-id-explanations.md) to ensure only the applications you intended to block are blocked. More information on monitoring block events via the Event Viewer logs and Advanced Hunting: [Managing and troubleshooting Windows Defender Application Control policies](../operations/wdac-operational-guide.md)
2. **Recommended Deny Rules Types** - signer and file attribute rules are recommended from a security, manageability, and performance perspective. Hash rules should only be used if necessary. Since the hash of a file changes with any change to the file, it's hard to keep up with a hash-based block policy where the attacker can trivially update the file. While WDAC has optimized parsing of hash rules, some devices may see performance impacts at runtime evaluation if policies have tens of thousands or more hash rules.
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-policy-for-fully-managed-devices.md
similarity index 89%
rename from windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
rename to windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-policy-for-fully-managed-devices.md
index d19e40f9be..76720b9535 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-policy-for-fully-managed-devices.md
@@ -1,40 +1,22 @@
---
-title: Create a WDAC policy for fully managed devices
+title: Create a WDAC policy for fully managed devices
description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in system core.
-keywords: security, malware
ms.topic: conceptual
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: vinpa
-manager: aaroncz
ms.date: 11/07/2022
-ms.technology: itpro-security
---
# Create a WDAC policy for fully managed devices
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device can't install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Intune. Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access.
> [!NOTE]
> Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
-As described in [common Windows Defender Application Control deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
+As described in [common Windows Defender Application Control deployment scenarios](common-wdac-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
**Alice Pena** is the IT team lead tasked with the rollout of WDAC.
@@ -54,12 +36,12 @@ Alice's team develops a simple console application, called *LamnaITInstaller.exe
Based on the above, Alice defines the pseudo-rules for the policy:
-1. **“Windows works”** rules that authorize:
+1. **"Windows works"** rules that authorize:
- Windows
- WHQL (third-party kernel drivers)
- Windows Store signed apps
-2. **"ConfigMgr works”** rules that include signer and hash rules for Configuration Manager components to properly function.
+2. **"ConfigMgr works"** rules that include signer and hash rules for Configuration Manager components to properly function.
3. **Allow Managed Installer** (Configuration Manager and *LamnaITInstaller.exe* configured as a managed installer)
The critical differences between this set of pseudo-rules and those pseudo-rules defined for Lamna's [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices) are:
@@ -163,5 +145,5 @@ Alice has defined a policy for Lamna's fully managed devices that makes some tra
## Up next
-- [Create a Windows Defender Application Control policy for fixed-workload devices using a reference computer](create-initial-default-policy.md)
-- [Prepare to deploy Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md)
\ No newline at end of file
+- [Create a Windows Defender Application Control policy for fixed-workload devices using a reference computer](create-wdac-policy-using-reference-computer.md)
+- [Prepare to deploy Windows Defender Application Control policies](../deployment/wdac-deployment-guide.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-policy-for-lightly-managed-devices.md
similarity index 89%
rename from windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
rename to windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-policy-for-lightly-managed-devices.md
index af912de157..d4b6d3f256 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-policy-for-lightly-managed-devices.md
@@ -1,40 +1,22 @@
---
-title: Create a WDAC policy for lightly managed devices
+title: Create a WDAC policy for lightly managed devices
description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
-keywords: security, malware
ms.topic: conceptual
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: vinpa
-manager: aaroncz
ms.date: 11/07/2022
-ms.technology: itpro-security
---
# Create a WDAC policy for lightly managed devices
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **lightly managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this article. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC-managed devices as described in later articles.
> [!NOTE]
> Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
-As in [Windows Defender Application Control deployment in different scenarios: types of devices](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
+As in [Windows Defender Application Control deployment in different scenarios: types of devices](common-wdac-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Lamna currently has loose application usage policies and a culture of maximum app flexibility for users. So, Alice knows she'll need to take an incremental approach to application control and use different policies for different workloads.
@@ -52,12 +34,12 @@ Alice identifies the following key factors to arrive at the "circle-of-trust" fo
Based on the above, Alice defines the pseudo-rules for the policy:
-1. **“Windows works”** rules that authorize:
+1. **"Windows works"** rules that authorize:
- Windows
- WHQL (third-party kernel drivers)
- Windows Store signed apps
-1. **"ConfigMgr works”** rules that include:
+1. **"ConfigMgr works"** rules that include:
- Signer and hash rules for Configuration Manager components to properly function.
- **Allow Managed Installer** rule to authorize Configuration Manager as a managed installer.
@@ -97,7 +79,7 @@ Alice follows these steps to complete this task:
1. Modify the policy to remove unsupported rule:
> [!NOTE]
- > `SmartAppControl.xml` is available on Windows 11 version 22H2 and later. This policy includes "Enabled:Conditional Windows Lockdown Policy" rule that is unsupported for enterprise WDAC policies and must be removed. For more information, see [WDAC and Smart App Control](windows-defender-application-control.md#wdac-and-smart-app-control). If you are using an example policy other than `SmartAppControl.xml`, skip this step.
+ > `SmartAppControl.xml` is available on Windows 11 version 22H2 and later. This policy includes "Enabled:Conditional Windows Lockdown Policy" rule that is unsupported for enterprise WDAC policies and must be removed. For more information, see [WDAC and Smart App Control](../wdac.md#wdac-and-smart-app-control). If you are using an example policy other than `SmartAppControl.xml`, skip this step.
```powershell
[xml]$xml = Get-Content $LamnaPolicy
@@ -191,7 +173,7 @@ In order to minimize user productivity impact, Alice has defined a policy that m
- **Intelligent Security Graph (ISG)**
- See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-isg-option)
+ See [security considerations with the Intelligent Security Graph](use-wdac-with-intelligent-security-graph.md#security-considerations-with-the-isg-option)
Possible mitigations:
@@ -227,4 +209,4 @@ In order to minimize user productivity impact, Alice has defined a policy that m
## Up next
- [Create a Windows Defender Application Control policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md)
-- [Prepare to deploy Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md)
\ No newline at end of file
+- [Prepare to deploy Windows Defender Application Control policies](../deployment/wdac-deployment-guide.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-policy-using-reference-computer.md
similarity index 87%
rename from windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
rename to windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-policy-using-reference-computer.md
index 7a10547365..77a4402365 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-policy-using-reference-computer.md
@@ -1,46 +1,28 @@
---
-title: Create a WDAC policy using a reference computer
+title: Create a WDAC policy using a reference computer
description: To create a Windows Defender Application Control (WDAC) policy that allows all code installed on a reference computer within your organization, follow this guide.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: vinpa
-manager: aaroncz
ms.date: 08/08/2022
-ms.technology: itpro-security
ms.topic: article
---
# Create a WDAC policy using a reference computer
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
This section outlines the process to create a Windows Defender Application Control (WDAC) policy **using a reference computer** that is already configured with the software you want to allow. You can use this approach for fixed-workload devices that are dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc. This approach can also be used to turn on WDAC on systems "in the wild" and you want to minimize the potential impact on users' productivity.
> [!NOTE]
> Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
-As described in [common Windows Defender Application Control deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
+As described in [common Windows Defender Application Control deployment scenarios](common-wdac-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
**Alice Pena** is the IT team lead tasked with the rollout of WDAC.
## Create a custom base policy using a reference device
-Alice previously created a policy for the organization's fully managed end-user devices. She now wants to use WDAC to protect Lamna's critical infrastructure servers. Lamna's imaging practice for infrastructure systems is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone more company assets. Alice decides to use these same "golden" image systems to create the WDAC policies, which will result in separate custom base policies for each type of infrastructure server. As with imaging, she'll have to create policies from multiple golden computers based on model, department, application set, and so on.
+Alice previously created a policy for the organization's fully managed end-user devices. She now wants to use WDAC to protect Lamna's critical infrastructure servers. Lamna's imaging practice for infrastructure systems is to establish a "golden" image as a reference for what an ideal system should look like, and then use that image to clone more company assets. Alice decides to use these same "golden" image systems to create the WDAC policies, which will result in separate custom base policies for each type of infrastructure server. As with imaging, she'll have to create policies from multiple golden computers based on model, department, application set, and so on.
> [!NOTE]
> Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the WDAC policy.
Each installed software application should be validated as trustworthy before you create a policy.
We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you don't want to run scripts. You can remove or disable such software on the reference computer.
@@ -53,7 +35,7 @@ Alice identifies the following key factors to arrive at the "circle-of-trust" fo
Based on the above, Alice defines the pseudo-rules for the policy:
-1. **“Windows works”** rules that authorize:
+1. **"Windows works"** rules that authorize:
- Windows
- WHQL (third-party kernel drivers)
- Windows Store signed apps
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md
similarity index 94%
rename from windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
rename to windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md
index 63c927ae1a..1d76e0e5a9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md
@@ -1,33 +1,15 @@
---
-title: Use multiple Windows Defender Application Control Policies
+title: Use multiple Windows Defender Application Control Policies
description: Windows Defender Application Control supports multiple code integrity policies for one device.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: vinpa
-manager: aaroncz
ms.date: 07/19/2021
-ms.technology: itpro-security
ms.topic: article
---
# Use multiple Windows Defender Application Control Policies
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
Prior to Windows 10 1903, Windows Defender Application Control only supported a single active policy on a system at any given time. This limited customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios:
@@ -116,4 +98,3 @@ For more information on deploying multiple policies, optionally using Microsoft
* If the maximum number of policies is exceeded, the device may bluescreen referencing ci.dll with a bug check value of 0x0000003b.
* If policies are loaded without requiring a reboot such as `PS_UpdateAndCompareCIPolicy`, they will still count towards this limit.
* This may pose an especially large challenge if the value of `{PolicyGUID}.cip` changes between releases. It may result in a long window between a change and the resultant reboot.
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/design/example-wdac-base-policies.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
rename to windows/security/application-security/application-control/windows-defender-application-control/design/example-wdac-base-policies.md
index fdbd1d7ecc..e186ea2bb6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/example-wdac-base-policies.md
@@ -2,26 +2,14 @@
title: Example Windows Defender Application Control base policies
description: When creating a Windows Defender Application Control (WDAC) policy for an organization, start from one of the many available example base policies.
ms.topic: reference
-ms.prod: windows-client
ms.localizationpriority: medium
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: vinpa
-manager: aaroncz
ms.date: 03/31/2023
-ms.technology: itpro-security
---
# Windows Defender Application Control example base policies
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](../feature-availability.md).
When you create policies for use with Windows Defender Application Control (WDAC), start from an existing base policy and then add or remove rules to build your own custom policy. Windows includes several example policies that you can use. These example policies are provided "as-is". You should thoroughly test the policies you deploy using safe deployment methods.
diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/application-security/application-control/windows-defender-application-control/design/manage-packaged-apps-with-wdac.md
similarity index 90%
rename from windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
rename to windows/security/application-security/application-control/windows-defender-application-control/design/manage-packaged-apps-with-wdac.md
index aa63cd5b61..db1a336471 100644
--- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/manage-packaged-apps-with-wdac.md
@@ -1,33 +1,15 @@
---
-title: Manage packaged apps with WDAC
+title: Manage packaged apps with WDAC
description: Packaged apps, also known as Universal Windows apps, allow you to control the entire app by using a single Windows Defender Application Control (WDAC) rule.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: vinpa
-manager: aaroncz
ms.date: 03/01/2023
-ms.technology: itpro-security
ms.topic: article
---
# Manage Packaged Apps with Windows Defender Application Control
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](../feature-availability.md).
This article for IT professionals describes concepts and lists procedures to help you manage packaged apps with Windows Defender Application Control (WDAC) as part of your overall application control strategy.
@@ -96,7 +78,7 @@ Use the following steps to create a WDAC PFN rule for an app that is installed o
7. Select **Create Rule**.
8. Create any other rules desired, then complete the Wizard.
-
+
##### Create a PFN rule using a custom string
@@ -109,4 +91,4 @@ Use the following steps to create a PFN rule with a custom string value:
5. Select **Create Rule**.
6. Create any other rules desired, then complete the Wizard.
-
+
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-block-rules.md
similarity index 99%
rename from windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
rename to windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-block-rules.md
index 3b7f22c1df..ebc63fd06e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-block-rules.md
@@ -1,27 +1,15 @@
---
title: Microsoft recommended block rules
description: View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community.
-ms.prod: windows-client
-ms.technology: itpro-security
ms.localizationpriority: medium
-author: jsuther1974
-ms.reviewer: jgeurten
-ms.author: vinpa
-manager: aaroncz
ms.date: 06/14/2023
ms.topic: reference
---
# Microsoft recommended block rules
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](../feature-availability.md).
Members of the security community* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass WDAC.
@@ -99,7 +87,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
> [!NOTE]
> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
-Certain software applications may allow other code to run by design. Unless these applications are business critical, you should block them in your WDAC policy. In addition, when an application version is upgraded to fix a security vulnerability or potential WDAC bypass, add *deny* rules to your application control policies for that application’s previous, less secure versions.
+Certain software applications may allow other code to run by design. Unless these applications are business critical, you should block them in your WDAC policy. In addition, when an application version is upgraded to fix a security vulnerability or potential WDAC bypass, add *deny* rules to your application control policies for that application's previous, less secure versions.
Microsoft recommends that you install the latest security updates. For example, updates help resolve several issues in PowerShell modules that allowed an attacker to bypass WDAC. These modules can be blocked by their corresponding hashes.
@@ -198,7 +186,7 @@ The blocklist policy that follows includes "Allow all" rules for both kernel and
-
+