+
+
+
@@ -1375,6 +1416,8 @@ To check that the policy was successfully applied on your computer:
+
+
@@ -1390,11 +1433,13 @@ To check that the policy was successfully applied on your computer:
+
+
@@ -1413,6 +1458,7 @@ To check that the policy was successfully applied on your computer:
+
@@ -1426,6 +1472,7 @@ To check that the policy was successfully applied on your computer:
+
@@ -1493,6 +1540,7 @@ To check that the policy was successfully applied on your computer:
+
@@ -1774,12 +1822,14 @@ To check that the policy was successfully applied on your computer:
+
+
@@ -1788,6 +1838,7 @@ To check that the policy was successfully applied on your computer:
+
@@ -1911,6 +1962,48 @@ To check that the policy was successfully applied on your computer:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2013,6 +2106,8 @@ To check that the policy was successfully applied on your computer:
+
+
@@ -2034,9 +2129,12 @@ To check that the policy was successfully applied on your computer:
+
+
+
@@ -2072,6 +2170,10 @@ To check that the policy was successfully applied on your computer:
+
+
+
+
@@ -2080,6 +2182,7 @@ To check that the policy was successfully applied on your computer:
+
@@ -2094,6 +2197,8 @@ To check that the policy was successfully applied on your computer:
+
+
@@ -2107,6 +2212,7 @@ To check that the policy was successfully applied on your computer:
+
@@ -2148,1055 +2254,1087 @@ To check that the policy was successfully applied on your computer:
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3219,7 +3357,7 @@ To check that the policy was successfully applied on your computer:
- 10.0.25880.0
+ 10.0.25930.0
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
index 7bc080da18..a5798f2f02 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
@@ -2,7 +2,7 @@
title: Understand Windows Defender Application Control (WDAC) policy rules and file rules
description: Learn how WDAC policy rules and file rules can control your Windows 10 and Windows 11 computers.
ms.localizationpriority: medium
-ms.date: 06/07/2023
+ms.date: 08/11/2023
ms.topic: article
---
@@ -127,7 +127,7 @@ Filepath rules don't provide the same security guarantees that explicit signer r
### User-writable filepaths
-By default, WDAC performs a user-writeability check at runtime that ensures that the current permissions on the specified filepath and its parent directories (recursively) don't allow standard users write access.
+By default, WDAC performs a user-writeability check at runtime that ensures that the current permissions on the specified filepath only allow write access for admin users.
There's a defined list of SIDs that WDAC recognizes as admins. If a filepath allows write permissions for any SID not in this list, the filepath is considered to be user-writeable, even if the SID is associated to a custom admin user. To handle these special cases, you can override WDAC's runtime admin-writeable check with the **Disabled:Runtime FilePath Rule Protection** option described earlier.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md
index 53788ab824..170525c906 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md
@@ -3,6 +3,8 @@ title: Managing CI Policies and Tokens with CiTool
description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands in CiTool
ms.topic: how-to
ms.date: 04/05/2023
+appliesto:
+- ✅ Windows 11
---
# CiTool technical reference
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
index 7ee7a13013..22e5196913 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
@@ -5,7 +5,8 @@ ms.localizationpriority: medium
ms.collection:
- highpri
- tier3
-ms.date: 04/06/2023
+- must-keep
+ms.date: 08/30/2023
ms.topic: article
---
@@ -32,9 +33,9 @@ Windows 10 and Windows 11 include two technologies that can be used for applicat
## WDAC and Smart App Control
-Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** rule which isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](design/create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy).
+Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](design/create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy).
-Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control will automatically turn off for enterprise managed devices unless the user has turned it on first. To turn Smart App Control on or off across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` to one of the values listed below. After you change the registry value, you must either restart the device or use [CiTool.exe -r](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands#refresh-the-wdac-policies-on-the-system) for the change to take effect.
+Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must either restart the device or use [CiTool.exe -r](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands#refresh-the-wdac-policies-on-the-system) for the change to take effect.
| Value | Description |
|-------|-------------|
@@ -47,7 +48,7 @@ Smart App Control is only available on clean installation of Windows 11 version
### Smart App Control Enforced Blocks
-Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-wdac.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control:
+Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-wdac.md), with a few exceptions for compatibility considerations. The following aren't blocked by Smart App Control:
- Infdefaultinstall.exe
- Microsoft.Build.dll
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md
index 93ffec5801..5b544490b0 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md
@@ -46,15 +46,15 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind
|Name|Supported versions|Description|Options|
|-----------|------------------|-----------|-------|
-|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higherWindows 11 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns on the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns off the clipboard functionality for Application Guard.|
-|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher
Windows 11 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
-|Allow Persistence|Windows 10 Enterprise, 1709 or higher
Windows 11 Enterprise|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
-|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher
Windows 11 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office
**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.
**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
-|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher
Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.
**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
-|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher
Windows 11 Enterprise|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won't load any third-party graphics drivers or interact with any connected graphics hardware.|
-|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 11 Enterprise|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
-|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise or Pro, 1809 or higher
Windows 11 Enterprise or Pro|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.|
-|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 11 Enterprise|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.
**Disabled or not configured.** Event logs aren't collected from your Application Guard container.|
+|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise and Education|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns on the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns off the clipboard functionality for Application Guard.|
+|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise and Education|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
+|Allow Persistence|Windows 10 Enterprise, 1709 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise and Education|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
+|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1709 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise and Education|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office
**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.
**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
+|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise or Pro or Education|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.
**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
+|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1709 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise and Education|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won't load any third-party graphics drivers or interact with any connected graphics hardware.|
+|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1709 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise and Education|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
+|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise or Pro, 1809 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise or Pro|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.|
+|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1709 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise and Education|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.
**Disabled or not configured.** Event logs aren't collected from your Application Guard container.|
## Application Guard support dialog settings
These settings are located at `Administrative Templates\Windows Components\Windows Security\Enterprise Customization`. If an error is encountered, you're presented with a dialog box. By default, this dialog box only contains the error information and a button for you to report it to Microsoft via the feedback hub. However, it's possible to provide additional information in the dialog box.
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
index eeac8ba0d1..ac710efb7a 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
@@ -27,7 +27,8 @@ Standalone mode is applicable for:
- Windows 10 Enterprise edition, version 1709 and later
- Windows 10 Pro edition, version 1803 and later
-- Windows 11 and later
+- Windows 10 Education edition, version 1809 and later
+- Windows 11 Enterprise, Education, or Pro editions
## Enterprise-managed mode
@@ -36,7 +37,8 @@ You and your security department can define your corporate boundaries by explici
Enterprise-managed mode is applicable for:
- Windows 10 Enterprise edition, version 1709 and later
-- Windows 11 and later
+- Windows 10 Education edition, version 1809 and later
+- Windows 11 Enterprise or Education editions
The following diagram shows the flow between the host PC and the isolated container.
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md
index 190662392c..e27e886eea 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -34,6 +34,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl
| Software | Description |
|--------|-----------|
-| Operating system | Windows 10 Enterprise edition, version 1809 or later
Windows 10 Professional edition, version 1809 or later
Windows 10 Professional for Workstations edition, version 1809 or later
Windows 10 Professional Education edition, version 1809 or later
Windows 10 Education edition, version 1809 or later
Windows 11 Education, Enterprise, and Professional editions |
+| Operating system | Windows 10 Enterprise or Education editions, version 1809 or later
Windows 10 Professional edition, version 1809 or later (only [standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard#standalone-mode) is supported)
Windows 11 Education or Enterprise editions
Windows 11 Professional edition (only [Standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard#standalone-mode) is supported) |
| Browser | Microsoft Edge |
| Management system
(only for managed devices)| [Microsoft Intune](/intune/)
**OR**
[Microsoft Configuration Manager](/configmgr/)
**OR**
[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
**OR**
Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Microsoft MDM solutions, see the documentation that came with your product. |
diff --git a/windows/security/cloud-security/index.md b/windows/security/cloud-security/index.md
index 4a758c6aa6..b31f712e0f 100644
--- a/windows/security/cloud-security/index.md
+++ b/windows/security/cloud-security/index.md
@@ -2,7 +2,7 @@
title: Windows and cloud security
description: Get an overview of cloud security features in Windows
ms.date: 08/02/2023
-ms.topic: conceptual
+ms.topic: overview
author: paolomatarazzo
ms.author: paoloma
---
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index 84fafe0fa1..817a43769a 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -77,7 +77,6 @@
"application-security//**/*.yml": "vinaypamnani-msft",
"application-security/application-control/windows-defender-application-control/**/*.md": "jsuther1974",
"application-security/application-control/windows-defender-application-control/**/*.yml": "jsuther1974",
- "application-security/application-control/user-account-control/*.md": "paolomatarazzo",
"hardware-security/**/*.md": "vinaypamnani-msft",
"hardware-security/**/*.yml": "vinaypamnani-msft",
"information-protection/**/*.md": "vinaypamnani-msft",
@@ -98,8 +97,6 @@
"application-security//**/*.yml": "vinpa",
"application-security/application-control/windows-defender-application-control/**/*.md": "jsuther",
"application-security/application-control/windows-defender-application-control/**/*.yml": "jsuther",
- "application-security/application-control/user-account-control/*.md": "paoloma",
- "application-security/application-control/user-account-control/*.yml": "paoloma",
"hardware-security//**/*.md": "vinpa",
"hardware-security//**/*.yml": "vinpa",
"information-protection/**/*.md": "vinpa",
@@ -224,14 +221,14 @@
"operating-system-security/device-management/windows-security-configuration-framework/*.md": "jmunck"
},
"ms.collection": {
- "application-security/application-control/windows-defender-application-control/**/*.md": "tier3",
+ "application-security/application-control/windows-defender-application-control/**/*.md": [ "tier3", "must-keep" ],
"identity-protection/hello-for-business/*.md": "tier1",
"information-protection/pluton/*.md": "tier1",
"information-protection/tpm/*.md": "tier1",
"threat-protection/auditing/*.md": "tier3",
"operating-system-security/data-protection/bitlocker/*.md": "tier1",
"operating-system-security/data-protection/personal-data-encryption/*.md": "tier1",
- "operating-system-security/network-security/windows-firewall/*.md": "tier3"
+ "operating-system-security/network-security/windows-firewall/*.md": [ "tier3", "must-keep" ]
}
},
"template": [],
diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
index 89a10d9e0f..17cc685415 100644
--- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
@@ -268,24 +268,24 @@ Value | Description
#### SecurityServicesConfigured
-This field indicates whether Windows Defender Credential Guard or memory integrity has been configured.
+This field indicates whether Credential Guard or memory integrity has been configured.
Value | Description
-|-
**0.** | No services are configured.
-**1.** | If present, Windows Defender Credential Guard is configured.
+**1.** | If present, Credential Guard is configured.
**2.** | If present, memory integrity is configured.
**3.** | If present, System Guard Secure Launch is configured.
**4.** | If present, SMM Firmware Measurement is configured.
#### SecurityServicesRunning
-This field indicates whether Windows Defender Credential Guard or memory integrity is running.
+This field indicates whether Credential Guard or memory integrity is running.
Value | Description
-|-
**0.** | No services running.
-**1.** | If present, Windows Defender Credential Guard is running.
+**1.** | If present, Credential Guard is running.
**2.** | If present, memory integrity is running.
**3.** | If present, System Guard Secure Launch is running.
**4.** | If present, SMM Firmware Measurement is running.
diff --git a/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md b/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md
index 15c8a64f62..35ef8a1826 100644
--- a/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md
@@ -61,7 +61,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
> [!NOTE]
-> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
+> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../identity-protection/credential-guard/index.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
> [!NOTE]
> For more information around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/).
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index 101a50568b..1b41b86816 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -2,7 +2,7 @@
ms.date: 08/03/2023
title: Local Accounts
description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
-ms.topic: conceptual
+ms.topic: concept-article
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index 32967fd8b7..5a6e9fd2c9 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -1,64 +1,93 @@
---
-ms.date: 08/17/2017
+ms.date: 08/31/2023
title: Additional mitigations
-description: Advice and sample code for making your domain environment more secure and robust with Windows Defender Credential Guard.
-ms.topic: article
+description: Learn how to improve the security of your domain environment with additional mitigations for Credential Guard and sample code.
+ms.topic: reference
---
# Additional mitigations
-Windows Defender Credential Guard can provide mitigation against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using previously stolen credentials prior to Windows Defender Credential Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigation also must be deployed to make the domain environment more robust.
+Credential Guard offers mitigations against attacks on derived credentials, preventing the use of stolen credentials elsewhere. However, devices can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using stolen credentials prior to the enablement of Credential Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigation also must be deployed to make the domain environment more robust.
-## Restricting domain users to specific domain-joined devices
+## Additional security qualifications
-Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on with devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
+All devices that meet baseline protections for hardware, firmware, and software can use Credential Guard.\
+Devices that meet more qualifications can provide added protections to further reduce the attack surface.
+
+The following table list qualifications for improved security. We recommend meeting the additional qualifications to strengthen the level of security that Credential Guard can provide.
+
+|Protection |Requirements|Security Benefits|
+|---|---|---|
+|**Secure Boot configuration and management**|- BIOS password or stronger authentication must be supported - In the BIOS configuration, BIOS authentication must be set - There must be support for protected BIOS option to configure list of permitted boot devices (for example, *Boot only from internal hard drive*) and boot device order, overriding `BOOTORDER` modification made by the operating system | - Prevent other operating systems from starting
-Prevent changes to the BIOS settings|
+|**Hardware Rooted Trust Platform Secure Boot**|- Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby - Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](/windows-hardware/test/hlk/testref/hardware-security-testability-specification)|- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware. - HSTI provides security assurance for correctly secured silicon and platform|
+|**Firmware Update through Windows Update**|- Firmware must support field updates through Windows Update and UEFI encapsulation update|Helps ensure that firmware updates are fast, secure, and reliable.|
+|**Securing Boot Configuration and Management**|- Required BIOS capabilities: ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time - Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should use ISV-provided certificates or OEM certificate for the specific UEFI software|- Enterprises can choose to allow proprietary EFI drivers/applications to run - Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots|
+|**VBS enablement of No-Execute (NX) protection for UEFI runtime services**|- VBS enables NX protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable. UEFI runtime service must meet the following requirements: - Implement UEFI 2.6 `EFI_MEMORY_ATTRIBUTES_TABLE`. All UEFI runtime service memory (code and data) must be described by this table - PE sections must be page-aligned in memory (not required for in non-volatile storage). - The Memory Attributes Table needs to correctly mark code and data as `RO/NX` for configuration by the OS - All entries must include attributes `EFI_MEMORY_RO`, `EFI_MEMORY_XP`, or both. - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writable and non-executable (**SEE IMPORTANT INFORMATION AFTER THIS TABLE**)|- Vulnerabilities in UEFI runtime, if any, are blocked from compromising VBS (such as in functions like *UpdateCapsule* and *SetVariable*) - Reduces the attack surface to VBS from system firmware.|
+|**Firmware support for SMM protection**|- The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an ACPI table that was created for use with Windows operating systems that support Windows virtualization-based features.|- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
- Reduces the attack surface to VBS from system firmware
- Blocks additional security attacks against SMM|
+
+> [!IMPORTANT]
+>
+> Regarding **VBS enablement of NX protection for UEFI runtime services**:
+>
+> - It only applies to UEFI runtime service memory, and not UEFI boot service memory
+> - The protection is applied by VBS on OS page tables
+> - Don't use sections that are both writable and executable
+> - Don't attempt to directly modify executable system memory
+> - Don't use dynamic code
+
+## Restrict domain users to specific domain-joined devices
+
+Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on with devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
### Kerberos armoring
-Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks.
+Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks.
+
+To enable Kerberos armoring for restricting domain users to specific domain-joined devices:
-**To enable Kerberos armoring for restricting domain users to specific domain-joined devices**
- Users need to be in domains that are running Windows Server 2012 R2 or higher
- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
-- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
+- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
-### Protecting domain-joined device secrets
+### Protect domain-joined device secrets
-Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on to devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
+Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on to devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
Domain-joined device certificate authentication has the following requirements:
+
- Devices' accounts are in Windows Server 2012 domain functional level or higher.
- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
- KDC EKU present
- - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
+ - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
- Windows devices have the CA issuing the domain controller certificates in the enterprise store.
- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
-#### Deploying domain-joined device certificates
+#### Deploy domain-joined device certificates
To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates.
For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template.
-**Creating a new certificate template**
+**Create a new certificate template**
-1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.**
-2. Right-click **Workstation Authentication**, and then click **Duplicate Template**.
-3. Right-click the new template, and then click **Properties**.
-4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**.
-5. Click **Client Authentication**, and then click **Remove**.
-6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values:
+1. From the Certificate Manager console, right-click **Certificate Templates > Manage**
+1. Right-click **Workstation Authentication > Duplicate Template**
+1. Right-click the new template, and then select **Properties**
+1. On the **Extensions** tab, select **Application Policies > Edit**
+1. Select **Client Authentication**, and then select **Remove**
+1. Add the ID-PKInit-KPClientAuth EKU. Select **Add > New**, and then specify the following values:
- Name: Kerberos Client Auth
- Object Identifier: 1.3.6.1.5.2.3.4
-7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**.
-8. Under **Issuance Policies**, click**High Assurance**.
-9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box.
+1. On the **Extensions** tab, select **Issuance Policies > Edit**
+1. Under **Issuance Policies**, select **High Assurance**
+1. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box
-Then on the devices that are running Windows Defender Credential Guard, enroll the devices using the certificate you just created.
+Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created.
-**Enrolling devices in a certificate**
+**Enroll devices in a certificate**
Run the following command:
+
```powershell
CertReq -EnrollCredGuardCert MachineAuthentication
```
@@ -88,7 +117,7 @@ From a Windows PowerShell command prompt, run the following command:
.\set-IssuancePolicyToGroupLink.ps1 -IssuancePolicyName:"" -groupOU:"" -groupName:""
```
-### Restricting user sign-on
+### Restrict user sign-on
So we now have completed the following:
@@ -101,25 +130,25 @@ Authentication policies have the following requirements:
**Creating an authentication policy restricting users to the specific universal security group**
-1. Open Active Directory Administrative Center.
-1. Click **Authentication**, click **New**, and then click **Authentication Policy**.
-1. In the **Display name** box, enter a name for this authentication policy.
-1. Under the **Accounts** heading, click **Add**.
-1. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**.
-1. Under the **User Sign On** heading, click the **Edit** button.
-1. Click **Add a condition**.
-1. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**.
-1. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**.
-1. Click **OK** to close the **Edit Access Control Conditions** box.
-1. Click **OK** to create the authentication policy.
-1. Close Active Directory Administrative Center.
+1. Open Active Directory Administrative Center
+1. Select **Authentication > New > Authentication Policy**
+1. In the **Display name** box, enter a name for this authentication policy
+1. Under the **Accounts** heading, select **Add**
+1. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then select **OK**
+1. Under the **User Sign On** heading, select the **Edit** button
+1. Select **Add a condition**
+1. In the **Edit Access Control Conditions** box, ensure that it reads **User > Group > Member of each > Value**, and then select **Add items**
+1. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then select **OK**
+1. Select **OK** to close the **Edit Access Control Conditions** box
+1. Select **OK** to create the authentication policy
+1. Select Active Directory Administrative Center
> [!NOTE]
> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
-#### Discovering authentication failures due to authentication policies
+#### Discover authentication failures due to authentication policies
-To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
+To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then select **Enable Log**.
To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486813(v=ws.11)).
diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md
new file mode 100644
index 0000000000..21c87bfeeb
--- /dev/null
+++ b/windows/security/identity-protection/credential-guard/configure.md
@@ -0,0 +1,413 @@
+---
+title: Configure Credential Guard
+description: Learn how to configure Credential Guard using MDM, Group Policy, or the registry.
+ms.date: 08/31/2023
+ms.collection:
+ - highpri
+ - tier2
+ms.topic: how-to
+---
+
+# Configure Credential Guard
+
+This article describes how to configure Credential Guard using Microsoft Intune, Group Policy, or the registry.
+
+## Default enablement
+
+Starting in **Windows 11, version 22H2**, Credential Guard is turned on by default on devices that [meet the requirements](index.md#hardware-and-software-requirements). The default enablement is **without UEFI Lock**, which allows administrators to disable Credential Guard remotely, if needed.
+
+If Credential Guard or VBS are disabled *before* a device is updated to Windows 11, version 22H2 or later, default enablement doesn't overwrite the existing settings.
+
+While the default state of Credential Guard changed, system administrators can [enable](#enable-credential-guard) or [disable](#disable-credential-guard) it using one of the methods described in this article.
+
+> [!IMPORTANT]
+> For information about known issues related to default enablement, see [Credential Guard: known issues](considerations-known-issues.md#single-sign-on-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2).
+
+> [!NOTE]
+> Devices running Windows 11 Pro/Pro Edu 22H2 or later may have Virtualization-based Security (VBS) and/or Credential Guard automatically enabled if they meet the other requirements for default enablement, and have previously run Credential Guard. For example if Credential Guard was enabled on an Enterprise device that later downgraded to Pro.
+>
+> To determine whether the Pro device is in this state, check if the following registry key exists: `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\IsolatedCredentialsRootSecret`. In this scenario, if you wish to disable VBS and Credential Guard, follow the instructions to [disable Virtualization-based Security](#disable-virtualization-based-security). If you wish to disable Credential Guard only, without disabling VBS, use the procedures to [disable Credential Guard](#disable-credential-guard).
+
+## Enable Credential Guard
+
+Credential Guard should be enabled before a device is joined to a domain or before a domain user signs in for the first time. If Credential Guard is enabled after domain join, the user and device secrets may already be compromised.
+
+To enable Credential Guard, you can use:
+
+- Microsoft Intune/MDM
+- Group policy
+- Registry
+
+[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)]
+
+#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune)
+
+### Configure Credential Guard with Intune
+
+[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| Device Guard | Credential Guard | Select one of the options:
- **Enabled with UEFI lock**
- **Enabled without lock** |
+
+>[!IMPORTANT]
+> If you want to be able to turn off Credential Guard remotely, choose the option **Enabled without lock**.
+
+[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
+
+> [!TIP]
+> You can also configure Credential Guard by using an *account protection* profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings).
+
+Alternatively, you can configure devices using a [custom policy][INT-1] with the [DeviceGuard Policy CSP][CSP-1].
+
+| Setting |
+|--------|
+| **Setting name**: Turn On Virtualization Based Security
**OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity`
**Data type**: int
**Value**: `1`|
+| **Setting name**: Credential Guard Configuration
**OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags`
**Data type**: int
**Value**:
**Enabled with UEFI lock**: `1`
**Enabled without lock**: `2`|
+
+Once the policy is applied, restart the device.
+
+#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+
+### Configure Credential Guard with group policy
+
+[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\System\Device Guard** |Turn On Virtualization Based Security | **Enabled** and select one of the options listed under the **Credential Guard Configuration** dropdown:
- **Enabled with UEFI lock**
- **Enabled without lock**|
+
+>[!IMPORTANT]
+> If you want to be able to turn off Credential Guard remotely, choose the option **Enabled without lock**.
+
+[!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)]
+
+Once the policy is applied, restart the device.
+
+#### [:::image type="icon" source="../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+
+### Configure Credential Guard with registry settings
+
+To configure devices using the registry, use the following settings:
+
+| Setting |
+|--|
+| **Key path**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
**Key name**: `EnableVirtualizationBasedSecurity`
**Type**: `REG_DWORD`
**Value**: `1` (to enable Virtualization Based Security)|
+| **Key path**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
**Key name**: `RequirePlatformSecurityFeatures`
**Type**: `REG_DWORD`
**Value**:
`1` (to use Secure Boot)
`3` (to use Secure Boot and DMA protection) |
+| **Key path**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
**Key name**: `LsaCfgFlags`
**Type**: `REG_DWORD`
**Value**:
`1` (to enable Credential Guard with UEFI lock)
`2` (to enable Credential Guard without lock)|
+
+Restart the device to apply the change.
+
+> [!TIP]
+> You can enable Credential Guard by setting the registry entries in the [*FirstLogonCommands*](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands) unattend setting.
+
+---
+
+### Verify if Credential Guard is enabled
+
+Checking Task Manager if `LsaIso.exe` is running isn't a recommended method for determining whether Credential Guard is running. Instead, use one of the following methods:
+
+- System Information
+- PowerShell
+- Event Viewer
+
+#### System Information
+
+You can use *System Information* to determine whether Credential Guard is running on a device.
+
+1. Select **Start**, type `msinfo32.exe`, and then select **System Information**
+1. Select **System Summary**
+1. Confirm that **Credential Guard** is shown next to **Virtualization-based Security Services Running**
+
+#### PowerShell
+
+You can use PowerShell to determine whether Credential Guard is running on a device. From an elevated PowerShell session, use the following command:
+
+```powershell
+(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
+```
+
+The command generates the following output:
+
+- **0**: Credential Guard is disabled (not running)
+- **1**: Credential Guard is enabled (running)
+
+#### Event viewer
+
+Perform regular reviews of the devices that have Credential Guard enabled, using security audit policies or WMI queries.\
+Open the Event Viewer (`eventvwr.exe`) and go to `Windows Logs\System` and filter the event sources for *WinInit*:
+
+:::row:::
+ :::column span="1":::
+ **Event ID**
+ :::column-end:::
+ :::column span="3":::
+ **Description**
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="1":::
+ 13 (Information)
+ :::column-end:::
+ :::column span="3":::
+ ```logging
+ Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
+ ```
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="1":::
+ `14` (Information)
+ :::column-end:::
+ :::column span="3":::
+ ```logging
+ Credential Guard (LsaIso.exe) configuration: [**0x0** | **0x1** | **0x2**], **0**
+ ```
+ - The first variable: **0x1** or **0x2** means that Credential Guard is configured to run. **0x0** means that it's not configured to run.
+ - The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**.
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="1":::
+ `15` (Warning)
+ :::column-end:::
+ :::column span="3":::
+ ```logging
+ Credential Guard (LsaIso.exe) is configured but the secure kernel isn't running;
+ continuing without Credential Guard.
+ ```
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="1":::
+ `16` (Warning)
+ :::column-end:::
+ :::column span="3":::
+ ```logging
+ Credential Guard (LsaIso.exe) failed to launch: [error code]
+ ```
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="1":::
+ `17`
+ :::column-end:::
+ :::column span="3":::
+ ```logging
+ Error reading Credential Guard (LsaIso.exe) UEFI configuration: [error code]
+ ```
+ :::column-end:::
+:::row-end:::
+
+The following event indicates whether TPM is used for key protection. Path: `Applications and Services logs > Microsoft > Windows > Kernel-Boot`
+
+:::row:::
+ :::column span="1":::
+ **Event ID**
+ :::column-end:::
+ :::column span="3":::
+ **Description**
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="1":::
+ 51 (Information)
+ :::column-end:::
+ :::column span="3":::
+ ```logging
+ VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
+ ```
+ :::column-end:::
+:::row-end:::
+
+If you're running with a TPM, the TPM PCR mask value is something other than 0.
+
+## Disable Credential Guard
+
+There are different options to disable Credential Guard. The option you choose depends on how Credential Guard is configured:
+
+- Credential Guard running in a virtual machine can be [disabled by the host](#disable-credential-guard-for-a-virtual-machine)
+- If Credential Guard is enabled **with UEFI Lock**, follow the procedure described in [disable Credential Guard with UEFI Lock](#disable-credential-guard-with-uefi-lock)
+- If Credential Guard is enabled **without UEFI Lock**, or as part of the automatic enablement in the Windows 11, version 22H2 update, use one of the following options to disable it:
+ - Microsoft Intune/MDM
+ - Group policy
+ - Registry
+
+[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)]
+
+#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune)
+
+### Disable Credential Guard with Intune
+
+If Credential Guard is enabled via Intune and without UEFI Lock, disabling the same policy setting disables Credential Guard.
+
+[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| Device Guard | Credential Guard | **Disabled** |
+
+[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-1] with the [DeviceGuard Policy CSP][CSP-1].
+
+| Setting |
+|--------|
+| **Setting name**: Credential Guard Configuration
**OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags`
**Data type**: int
**Value**: `0`|
+
+Once the policy is applied, restart the device.
+
+#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+
+### Disable Credential Guard with group policy
+
+If Credential Guard is enabled via Group Policy and without UEFI Lock, disabling the same group policy setting disables Credential Guard.
+
+[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\System\Device Guard** |Turn On Virtualization Based Security | **Disabled** |
+
+[!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)]
+
+Once the policy is applied, restart the device.
+
+#### [:::image type="icon" source="../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+
+### Disable Credential Guard with registry settings
+
+If Credential Guard is enabled without UEFI Lock and without Group Policy, it's sufficient to edit the registry keys to disable it.
+
+| Setting |
+|-|
+| **Key path**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
**Key name**: `LsaCfgFlags`
**Type**: `REG_DWORD`
**Value**: `0`|
+| **Key path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard`
**Key name**: `LsaCfgFlags`
**Type**: `REG_DWORD`
**Value**: `0`|
+
+> [!NOTE]
+> Deleting these registry settings may not disable Credential Guard. They must be set to a value of 0.
+
+Restart the device to apply the change.
+
+---
+
+For information on disabling Virtualization-based Security (VBS), see [disable Virtualization-based Security](#disable-virtualization-based-security).
+
+### Disable Credential Guard with UEFI lock
+
+If Credential Guard is enabled with UEFI lock, follow this procedure since the settings are persisted in EFI (firmware) variables.
+
+> [!NOTE]
+> This scenario requires physical presence at the machine to press a function key to accept the change.
+
+1. Follow the steps in [Disable Credential Guard](#disable-credential-guard)
+1. Delete the Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
+
+ ```cmd
+ mountvol X: /s
+ copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
+ bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
+ bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
+ bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
+ bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
+ bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
+ mountvol X: /d
+ ```
+
+1. Restart the device. Before the OS boots, a prompt appears notifying that UEFI was modified, and asking for confirmation. The prompt must be confirmed for the changes to persist.
+
+### Disable Credential Guard for a virtual machine
+
+From the host, you can disable Credential Guard for a virtual machine with the following command:
+
+```powershell
+Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
+```
+
+## Disable Virtualization-based Security
+
+If you disable Virtualization-based Security (VBS), you'll automatically disable Credential Guard and other features that rely on VBS.
+
+> [!IMPORTANT]
+> Other security features beside Credential Guard rely on VBS. Disabling VBS may have unintended side effects.
+
+Use one of the following options to disable VBS:
+
+- Microsoft Intune/MDM
+- Group policy
+- Registry
+
+[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)]
+
+#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune)
+
+### Disable VBS with Intune
+
+If VBS is enabled via Intune and without UEFI Lock, disabling the same policy setting disables VBS.
+
+[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| Device Guard | Enable Virtualization Based Security | **Disabled** |
+
+[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-1] with the [DeviceGuard Policy CSP][CSP-1].
+
+| Setting |
+|--------|
+| **Setting name**: Turn On Virtualization Based Security
**OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity`
**Data type**: int
**Value**: `0`|
+
+Once the policy is applied, restart the device.
+
+#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+
+### Disable VBS with group policy
+
+Configure the policy used to enable VBS to **Disabled**.
+
+[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\System\Device Guard\Turn on Virtualization Based Security** |Turn On Virtualization Based Security | **Disabled** |
+
+[!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)]
+
+Once the policy is applied, restart the device
+
+#### [:::image type="icon" source="../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+
+### Disable VBS with registry settings
+
+Delete the following registry keys:
+
+| Setting |
+|--|
+| Key path: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
Key name: `EnableVirtualizationBasedSecurity` |
+| Key path: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
Key name: `RequirePlatformSecurityFeatures`|
+
+> [!IMPORTANT]
+> If you manually remove the registry settings, make sure to delete them all, otherwise the device might go into BitLocker recovery.
+
+Restart the device to apply the change.
+
+---
+
+If Credential Guard is enabled with UEFI Lock, the EFI variables stored in firmware must be cleared using the command `bcdedit.exe`. From an elevated command prompt, run the following commands:
+
+```cmd
+bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
+bcdedit /set vsmlaunchtype off
+```
+
+## Next steps
+
+- Review the advice and sample code for making your environment more secure and robust with Credential Guard in the [Additional mitigations](additional-mitigations.md) article
+- Review [considerations and known issues when using Credential Guard](considerations-known-issues.md)
+
+
+
+[CSP-1]: /windows/client-management/mdm/policy-csp-deviceguard#enablevirtualizationbasedsecurity
+[INT-1]: /mem/intune/configuration/settings-catalog
diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
new file mode 100644
index 0000000000..26ee36124b
--- /dev/null
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@@ -0,0 +1,235 @@
+---
+ms.date: 08/31/2023
+title: Considerations and known issues when using Credential Guard
+description: Considerations, recommendations and known issues when using Credential Guard.
+ms.topic: troubleshooting
+---
+
+# Considerations and known issues when using Credential Guard
+
+It's recommended that in addition to deploying Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys or smart cards.
+
+## Wi-fi and VPN considerations
+
+When you enable Credential Guard, you can no longer use NTLM classic authentication for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.
+
+If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1.
+
+For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based connections (such as PEAP-MSCHAPv2 and EAP-MSCHAPv2), to certificate-based authentication (such as PEAP-TLS or EAP-TLS).
+
+## Kerberos considerations
+
+When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process.\
+Use constrained or resource-based Kerberos delegation instead.
+
+## Third party Security Support Providers considerations
+
+Some third party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard because it doesn't allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported.\
+It's recommended that custom implementations of SSPs/APs are tested with Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs.
+
+For more information, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package).
+
+## Upgrade considerations
+
+As the depth and breadth of protections provided by Credential Guard are increased, new releases of Windows with Credential Guard running may affect scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities.
+
+Test scenarios required for operations in an organization before upgrading a device using Credential Guard.
+
+## Saved Windows credentials considerations
+
+*Credential Manager* allows you to store three types of credentials:
+
+- Windows credentials
+- Certificate-based credentials
+- Generic credentials
+
+Domain credentials that are stored in *Credential Manager* are protected with Credential Guard.
+
+Generic credentials, such as user names and passwords that you use to sign in websites, aren't protected since the applications require your clear-text password. If the application doesn't need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network.
+
+The following considerations apply to the Credential Guard protections for Credential Manager:
+
+- Windows credentials saved by the Remote Desktop client can't be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message *Logon attempt failed*
+- Applications that extract Windows credentials fail
+- When credentials are backed up from a PC that has Credential Guard enabled, the Windows credentials can't be restored. If you need to back up your credentials, you must do so before you enable Credential Guard
+
+## TPM clearing considerations
+
+Virtualization-based Security (VBS) uses the TPM to protect its key. When the TPM is cleared, the TPM protected key used to encrypt VBS secrets is lost.
+
+>[!WARNING]
+> Clearing the TPM results in loss of protected data for all features that use VBS to protect data.
+>
+> When a TPM is cleared, **all** features that use VBS to protect data can no longer decrypt their protected data.
+
+As a result, Credential Guard can no longer decrypt protected data. VBS creates a new TPM protected key for Credential Guard. Credential Guard uses the new key to protect new data. However, the previously protected data is lost forever.
+
+>[!NOTE]
+> Credential Guard obtains the key during initialization. The data loss will only impact persistent data and occur after the next system startup.
+
+### Windows credentials saved to Credential Manager
+
+Since Credential Manager can't decrypt saved Windows Credentials, they're deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard.
+
+### Domain-joined device's automatically provisioned public key
+
+Active Directory domain-joined devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
+
+Since Credential Guard can't decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless other policies are deployed, there shouldn't be a loss of functionality. If a device is configured to only use public key, then it can't authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
+
+Also if any access control checks including authentication policies require devices to have either the `KEY TRUST IDENTITY (S-1-18-4)` or `FRESH PUBLIC KEY IDENTITY (S-1-18-3)` well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab).
+
+### Breaking DPAPI on domain-joined devices
+
+On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery isn't possible.
+
+>[!IMPORTANT]
+> Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. This ensures DPAPI functions and the user does not experience strange behavior.
+
+Auto VPN configuration is protected with user DPAPI. User may not be able to use VPN to connect to domain controllers since the VPN configurations are lost.
+If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you should consider the following.
+
+Domain user sign-in on a domain-joined device after clearing a TPM for as long as there's no connectivity to a domain controller:
+
+|Credential Type | Behavior
+|---|---|---|
+| Certificate (smart card or Windows Hello for Business) | All data protected with user DPAPI is unusable and user DPAPI doesn't work at all. |
+| Password | If the user signed in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected. |
+
+Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted.
+
+#### Impact of DPAPI failures on Windows Information Protection
+
+When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook is unable to start and work protected documents can't be opened. If DPAPI is working, then newly created work data is protected and can be accessed.
+
+**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
+
+## Known issues
+
+Credential Guard blocks certain authentication capabilities. Applications that require such capabilities won't function when Credential Guard is enabled.
+
+This article describes known issues when Credential Guard is enabled.
+
+### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2
+
+Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually re-authenticate in every new Windows session when Credential Guard is running.
+
+#### Affected devices
+
+Any device with Credential Guard enabled may encounter the issue. As part of the Windows 11, version 22H2 update, eligible devices that didn't disable Credential Guard, have it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses, as long as they met the [minimum hardware requirements](index.md#hardware-and-software-requirements).
+
+All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), will receive default enablement.
+
+> [!TIP]
+> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`.
+> If it's present, the device enables Credential Guard after the update.
+>
+> You can Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-credential-guard).
+
+#### Cause of the issue
+
+Applications and services are affected by the issue when they rely on insecure protocols that use password-based authentication. Such protocols are considered insecure because they can lead to password disclosure on the client or the server, and Credential Guard blocks them. Affected protocols include:
+
+- Kerberos unconstrained delegation (both SSO and supplied credentials are blocked)
+- Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked)
+- MS-CHAP (only SSO is blocked)
+- WDigest (only SSO is blocked)
+- NTLM v1 (only SSO is blocked)
+
+> [!NOTE]
+> Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials.
+
+#### How to confirm the issue
+
+MS-CHAP and NTLMv1 are relevant to the SSO breakage after the Windows 11, version 22H2 update. To confirm if Credential Guard is blocking MS-CHAP or NTLMv1, open the Event Viewer (`eventvwr.exe`) and go to `Application and Services Logs\Microsoft\Windows\NTLM\Operational`. Check the following logs:
+
+:::row:::
+ :::column span="1":::
+ **Event ID (type)**
+ :::column-end:::
+ :::column span="3":::
+ **Description**
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="1":::
+ 4013 (Warning)
+ :::column-end:::
+ :::column span="3":::
+ ```logging
+
+ ```
+ :::column-end:::
+:::row-end:::
+
+#### How to fix the issue
+
+We recommend moving away from MSCHAPv2-based connections, such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication, like PEAP-TLS or EAP-TLS. Credential Guard doesn't block certificate-based authentication.
+
+For a more immediate, but less secure fix, [disable Credential Guard](configure.md#disable-credential-guard). Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Credential Guard, you leave stored domain credentials vulnerable to theft.
+
+> [!TIP]
+> To prevent default enablement, configure your devices [to disable Credential Guard](configure.md#disable-credential-guard) before updating to Windows 11, version 22H2. If the setting is not configured (which is the default state) and if the device is eligible, the device automatically enable Credential Guard after the update.
+>
+> If Credential Guard is explicitly disabled, the device won't automatically enable Credential Guard after the update.
+
+### Issues with third-party applications
+
+The following issue affects MSCHAPv2:
+
+- [Credential guard doesn't work with MSCHAPv2 configurations, of which Cisco ISE is a common enterprise implementation](https://quickview.cloudapps.cisco.com/quickview/bug/CSCul55352).
+
+The following issue affects the Java GSS API. See the following Oracle bug database article:
+
+- [JDK-8161921: Credential Guard doesn't allow sharing of TGT with Java](https://bugs.java.com/bugdatabase/view_bug?bug_id=8161921)
+
+When Credential Guard is enabled on Windows, the Java GSS API doesn't authenticate. Credential Guard blocks specific application authentication capabilities and doesn't provide the TGT session key to applications, regardless of registry key settings. For more information, see [Application requirements](index.md#application-requirements).
+
+The following issue affects McAfee Application and Change Control (MACC):
+
+- [KB88869 Windows machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Credential Guard is enabled](https://kcm.trellix.com/corporate/index?page=content&id=KB88869)
+
+The following issue affects Citrix applications:
+
+- Windows machines exhibit high CPU usage with Citrix applications installed when Credential Guard is enabled.
+
+> [!NOTE]
+> Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled devices to exhibit high CPU usage. For technical and troubleshooting information, see [KB4032786 High CPU usage in the LSAISO process on Windows](/troubleshoot/windows-client/performance/lsaiso-process-high-cpu-usage).
+>
+> For more technical information on LSAISO.exe, see [Isolated User Mode (IUM) Processes](/windows/win32/procthread/isolated-user-mode--ium--processes).
+
+#### Vendor support
+
+The following products and services don't support Credential Guard:
+
+- [Check Point Endpoint Security Client support for Microsoft Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
+- [*VMware Workstation and Device/Credential Guard aren't compatible* error in VMware Workstation on Windows 10 host (2146361)](https://kb.vmware.com/s/article/2146361)
+- [ThinkPad support for Hypervisor-Protected Code Integrity and Credential Guard in Microsoft Windows](https://support.lenovo.com/in/en/solutions/ht503039)
+- [Windows devices with Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
+
+>[!IMPORTANT]
+>This list isn't comprehensive. Check whether your product vendor, product version, or computer system supports Credential Guard on systems that run a specific version of Windows. Specific computer system models may be incompatible with Credential Guard.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
deleted file mode 100644
index d48686101c..0000000000
--- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-ms.date: 01/06/2023
-title: Considerations when using Windows Defender Credential Guard
-description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard.
-ms.topic: article
----
-
-# Considerations when using Windows Defender Credential Guard
-
-It's recommended that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys or smart cards.
-
-## Wi-fi and VPN considerations
-
-When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.\
-If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1.
-
-For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based connections (such as PEAP-MSCHAPv2 and EAP-MSCHAPv2), to certificate-based authentication (such as PEAP-TLS or EAP-TLS).
-
-## Kerberos considerations
-
-When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process.\
-Use constrained or resource-based Kerberos delegation instead.
-
-## Third party Security Support Providers considerations
-
-Some third party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it doesn't allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported.\
-It's recommended that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs.
-
-For more information, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package).
-
-## Upgrade considerations
-
-As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, new releases of Windows with Windows Defender Credential Guard running may affect scenarios that were working in the past. For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities.
-
-Test scenarios required for operations in an organization before upgrading a device using Windows Defender Credential Guard.
-
-## Saved Windows credentials protected
-
-Domain credentials that are stored in *Credential Manager* are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials:
-
-- Windows credentials
-- Certificate-based credentials
-- Generic credentials
-
-Generic credentials, such as user names and passwords that you use to sign in websites, aren't protected since the applications require your clear-text password. If the application doesn't need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network.
-
-The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager:
-
-- Windows credentials saved by the Remote Desktop client can't be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message *Logon attempt failed.*
-- Applications that extract Windows credentials fail
-- When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials can't be restored. If you need to back up your credentials, you must do so before you enable Windows Defender Credential Guard. Otherwise, you can't restore those credentials
-
-## Clearing TPM considerations
-
-Virtualization-based Security (VBS) uses the TPM to protect its key. When the TPM is cleared, the TPM protected key used to encrypt VBS secrets is lost.
-
->[!WARNING]
-> Clearing the TPM results in loss of protected data for all features that use VBS to protect data.
->
-> When a TPM is cleared, **all** features that use VBS to protect data can no longer decrypt their protected data.
-
-As a result, Credential Guard can no longer decrypt protected data. VBS creates a new TPM protected key for Credential Guard. Credential Guard uses the new key to protect new data. However, the previously protected data is lost forever.
-
->[!NOTE]
-> Credential Guard obtains the key during initialization. The data loss will only impact persistent data and occur after the next system startup.
-
-### Windows credentials saved to Credential Manager
-
-Since Credential Manager can't decrypt saved Windows Credentials, they're deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard.
-
-### Domain-joined device's automatically provisioned public key
-
-Active Directory domain-joined devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
-
-Since Credential Guard can't decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless other policies are deployed, there shouldn't be a loss of functionality. If a device is configured to only use public key, then it can't authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
-
-Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab).
-
-### Breaking DPAPI on domain-joined devices
-
-On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery isn't possible.
-
->[!IMPORTANT]
-> Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. This ensures DPAPI functions and the user does not experience strange behavior.
-
-Auto VPN configuration is protected with user DPAPI. User may not be able to use VPN to connect to domain controllers since the VPN configurations are lost.
-If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you should consider the following.
-
-Domain user sign-in on a domain-joined device after clearing a TPM for as long as there's no connectivity to a domain controller:
-
-|Credential Type | Behavior
-|---|---|---|
-| Certificate (smart card or Windows Hello for Business) | All data protected with user DPAPI is unusable and user DPAPI doesn't work at all. |
-| Password | If the user signed in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected. |
-
-Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted.
-
-#### Impact of DPAPI failures on Windows Information Protection
-
-When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook is unable to start and work protected documents can't be opened. If DPAPI is working, then newly created work data is protected and can be accessed.
-
-**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
\ No newline at end of file
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
deleted file mode 100644
index f6fafc39c0..0000000000
--- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
+++ /dev/null
@@ -1,26 +0,0 @@
----
-ms.date: 08/17/2017
-title: How Windows Defender Credential Guard works
-description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
-ms.topic: conceptual
----
-
-# How Windows Defender Credential Guard works
-
-Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based security and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
-
-For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
-
-When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Windows Defender Credential Guard with any of these protocols. It is recommended that valuable credentials, such as the sign-in credentials, aren't to be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
-
-When Windows Defender Credential Guard is enabled, Kerberos doesn't allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials.
-
-Here's a high-level overview on how the LSA is isolated by using Virtualization-based security:
-
-
-
-## See also
-
-**Related videos**
-
-[What is Virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
deleted file mode 100644
index f05c26620f..0000000000
--- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
+++ /dev/null
@@ -1,155 +0,0 @@
----
-ms.date: 11/28/2022
-title: Windows Defender Credential Guard - Known issues
-description: Windows Defender Credential Guard - Known issues in Windows Enterprise
-ms.topic: article
----
-# Windows Defender Credential Guard: Known issues
-
-Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. So applications that require such capabilities won't function when it's enabled. For more information, see [Application requirements](credential-guard-requirements.md#application-requirements).
-
-## Known Issue: Single Sign-On (SSO) for Network services breaks after upgrading to **Windows 11, version 22H2**
-
-### Symptoms of the issue:
-Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication will be unable to use SSO to log in and will be forced to manually re-authenticate in every new Windows session when Windows Defender Credential Guard is running.
-
-### Affected devices:
-Any device that enables Windows Defender Credential Guard may encounter this issue. As part of the Windows 11, version 22H2 update, eligible devices which had not previously explicitly disabled Windows Defender Credential Guard had it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses*, as long as they met the [minimum hardware requirements](credential-guard-requirements.md#hardware-and-software-requirements).
-
-\* All Pro devices which previously ran Windows Defender Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](credential-guard-requirements.md#hardware-and-software-requirements), will receive default enablement.
-
-> [!TIP]
-> To determine if your Pro device will receive default enablement when upgraded to **Windows 11, version 22H2**, do the following **before** upgrading:
-> Check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. If it is present, the device will have Windows Defender Credential Guard enabled after upgrading. Note that Windows Defender Credential Guard can be disabled after upgrade by following the [disablement instructions](credential-guard-manage.md#disable-windows-defender-credential-guard).
-
-### Why this is happening:
-Applications and services are affected by this issue when they rely on insecure protocols that use password-based authentication. Windows Defender Credential Guard blocks the use of these insecure protocols by design. These protocols are considered insecure because they can lead to password disclosure on the client and the server, which is in direct contradiction to the goals of Windows Defender Credential Guard. Affected procols include:
- - Kerberos unconstrained delegation (both SSO and supplied credentials are blocked)
- - Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked)
- - MS-CHAP (only SSO is blocked)
- - WDigest (only SSO is blocked)
- - NTLM v1 (only SSO is blocked)
-
-Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials.
-
-> [!NOTE]
-> MS-CHAP and NTLMv1 are particularly relevant to the observed SSO breakage after the Windows 11, version 22H2 update. To confirm whether Windows Defender Credential Guard is blocking either of these protocols, check the NTLM event logs in Event Viewer at `Application and Services Logs\Microsoft\Windows\NTLM\Operational` for the following warning and/or error:
- >
- > **Event ID 4013** (Warning)
- > ```
- > id="NTLMv1BlockedByCredGuard"
- > value="Attempt to use NTLMv1 failed.
- > Target server: %1%nSupplied user: %2%nSupplied domain: %3%nPID of client process: %4%nName of client process: %5%nLUID of client process: %6%nUser identity of client process: %7%nDomain name of user identity of client process: %8%nMechanism OID: %9%n%nThis device does not support NTLMv1. For more information, see https://go.microsoft.com/fwlink/?linkid=856826."
- > />
- > ```
- >
- > **Event ID 4014** (Error)
- > ```
- > id="NTLMGetCredentialKeyBlockedByCredGuard"
- > value="Attempt to get credential key by call package blocked by Credential Guard.%n%nCalling Process Name: %1%nService Host Tag: %2"
- > />
- > ```
-
-### Options to fix the issue:
-
-Microsoft recommends that organizations move away from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. Windows Defender Credential Guard will not block certificate-based authentication.
-
-For a more immediate but less secure fix, [disable Windows Defender Credential Guard](credential-guard-manage.md#disable-windows-defender-credential-guard). Note that Windows Defender Credential Guard does not have per-protocol or per-application policies, and must either be completely on or off. Disabling Windows Defender Credential Guard will leave some stored domain credentials vulnerable to theft. Windows Defender Credential Guard can be disabled after it has already been enabled, or it can be explicitly disabled prior to updating to Windows 11, version 22H2, which will prevent default enablement from occurring.
-
-> [!TIP]
-> To _prevent_ default enablement, [use Group Policy to explicitly disable Windows Defender Credential Guard](credential-guard-manage.md#disabling-windows-defender-credential-guard-using-group-policy) before updating to Windows 11, version 22H2. If the GPO value is not configured (which is the default state), the device will receive default enablement after updating, if eligible. If the GPO value is set to "disabled", it will not be enabled after updating. This process can also be done via Mobile Device Management (MDM) policy rather than Group Policy if the devices are currently being managed by MDM.
-
-## Known issues involving third-party applications
-
-The following issue affects MSCHAPv2:
-
-- [Credential guard doesn't work with MSCHAPv2 configurations, of which Cisco ISE is a very popular enterprise implementation](https://quickview.cloudapps.cisco.com/quickview/bug/CSCul55352).
-
-The following issue affects the Java GSS API. See the following Oracle bug database article:
-
-- [JDK-8161921: Windows Defender Credential Guard doesn't allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921)
-
-When Windows Defender Credential Guard is enabled on Windows, the Java GSS API won't authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and won't provide the TGT session key to applications regardless of registry key settings. For more information, see [Application requirements](credential-guard-requirements.md#application-requirements).
-
-The following issue affects Cisco AnyConnect Secure Mobility Client:
-
-- [Blue screen on Windows computers running Hypervisor-Protected Code Integrity and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692)
-
-The following issue affects McAfee Application and Change Control (MACC):
-
-- [KB88869 Windows machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kcm.trellix.com/corporate/index?page=content&id=KB88869) [Note 1](#bkmk_note1)
-
-The following issue affects Citrix applications:
-
-- Windows machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. [Note 1](#bkmk_note1)
-
-
-
-> [!NOTE]
-> **Note 1**: Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10, Windows 11, Windows Server 2016, or Windows Server 2019 machines to exhibit high CPU usage. For technical and troubleshooting information, see [KB4032786 High CPU usage in the LSAISO process on Windows](/troubleshoot/windows-client/performance/lsaiso-process-high-cpu-usage).
->
-> For more technical information on LSAISO.exe, see [Isolated User Mode (IUM) Processes](/windows/win32/procthread/isolated-user-mode--ium--processes).
-
-## Vendor support
-
-For more information on Citrix support for Secure Boot, see [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/)
-
-Windows Defender Credential Guard isn't supported by the following products, products versions, computer systems, or Windows 10 versions:
-
-- [Support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard on Windows with McAfee encryption products](https://kcm.trellix.com/corporate/index?page=content&id=KB86009KB86009)
-
-- [Check Point Endpoint Security Client support for Microsoft Windows Defender Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
-
-- ["VMware Workstation and Device/Credential Guard are not compatible" error in VMware Workstation on Windows 10 host (2146361)](https://kb.vmware.com/s/article/2146361)
-
-- [ThinkPad support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard in Microsoft Windows](https://support.lenovo.com/in/en/solutions/ht503039)
-
-- [Windows devices with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
-
-This list isn't comprehensive. Check whether your product vendor, product version, or computer system supports Windows Defender Credential Guard on systems that run Windows or specific versions of Windows. Specific computer system models may be incompatible with Windows Defender Credential Guard.
-
-Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements.
-
-## Previous known issues that have been fixed
-
-The following known issues have been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4):
-
-- Scheduled tasks with domain user-stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message:
-
- ```console
- Task Scheduler failed to log on '\Test'.
- Failure occurred in 'LogonUserExEx'.
- User Action: Ensure the credentials for the task are correctly specified.
- Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect).
- ```
-
-- When you enable NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. You also get a similar user name in a user logon failure event 4625 with error 0xC0000064 on the machine itself. For example:
-
- ```console
- Log Name: Microsoft-Windows-NTLM/Operational
- Source: Microsoft-Windows-Security-Netlogon
- Event ID: 8004
- Task Category: Auditing NTLM
- Level: Information
- Description:
- Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
- Secure Channel name:
- User name:
- @@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA
- Domain name: NULL
- ```
-
- - This event stems from a scheduled task running under local user context with the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4) or later and happens when Credential Guard is enabled.
- - The username appears in an unusual format because local accounts aren't protected by Credential Guard. The task also fails to execute.
- - As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account.
-
-The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
-
-- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows machines](https://support.microsoft.com/topic/april-11-2017-kb4015217-os-build-14393-1066-and-14393-1083-b5f79067-98bd-b4ec-8b81-5d858d7dc722)
-
- This issue can potentially lead to unexpected account lockouts. For more information, see the following support articles:
-
- - [KB4015219](https://support.microsoft.com/topic/april-11-2017-kb4015219-os-build-10586-873-68b8e379-aafa-ea6c-6b29-56d19785e657)
- - [KB4015221](https://support.microsoft.com/topic/april-11-2017-kb4015221-os-build-10240-17354-743f52bc-a484-d23f-71f5-b9957cbae0e6)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
deleted file mode 100644
index 086a008176..0000000000
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ /dev/null
@@ -1,304 +0,0 @@
----
-title: Manage Windows Defender Credential Guard
-description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy or the registry.
-ms.date: 11/23/2022
-ms.collection:
- - highpri
- - tier2
-ms.topic: article
----
-
-# Manage Windows Defender Credential Guard
-
-## Default Enablement
-
-Starting in **Windows 11 Enterprise, version 22H2** and **Windows 11 Education, version 22H2**, compatible systems have Windows Defender Credential Guard turned on by default. This feature changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below.
-
-Known issues arising from default enablement are documented in [Windows Defender Credential Guard: Known issues](credential-guard-known-issues.md#known-issue-single-sign-on-sso-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2).
-
-### Requirements for automatic enablement
-
-Windows Defender Credential Guard will be enabled by default when a PC meets the following minimum requirements:
-
-|Component|Requirement|
-|---|---|
-|Operating System|**Windows 11 Enterprise, version 22H2** or **Windows 11 Education, version 22H2**|
-|Existing Windows Defender Credential Guard Requirements|Only devices that meet the [existing hardware and software requirements](credential-guard-requirements.md#hardware-and-software-requirements) to run Windows Defender Credential Guard will have it enabled by default.|
-|Virtualization-based Security (VBS) Requirements|VBS must be enabled in order to run Windows Defender Credential Guard. Starting with Windows 11 Enterprise 22H2 and Windows 11 Education 22H2, devices that meet the requirements to run Windows Defender Credential Guard as well as the [minimum requirements to enable VBS](/windows-hardware/design/device-experiences/oem-vbs) will have both Windows Defender Credential Guard and VBS enabled by default.
-
-> [!NOTE]
-> If Windows Defender Credential Guard or VBS has previously been explicitly disabled, default enablement will not overwrite this setting.
-
-> [!NOTE]
-> Devices running Windows 11 Pro 22H2 may have Virtualization-Based Security (VBS) and/or Windows Defender Credential Guard automaticaly enabled if they meet the other requirements for default enablement listed above and have previously run Windows Defender Credential Guard (for example if Windows Defender Credential Guard was running on an Enterprise device that later downgraded to Pro).
->
-> To determine whether the Pro device is in this state, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. In this scenario, if you wish to disable VBS and Windows Defender Credential Guard, follow the instructions for [disabling Virtualization-Based Security](#disabling-virtualization-based-security). If you wish to disable only Windows Defender Credential Guard without disabling Virtualization-Based Security, use the procedures for [disabling Windows Defender Credential Guard](#disable-windows-defender-credential-guard).
-
-## Enable Windows Defender Credential Guard
-
-Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy) or the [registry](#enable-windows-defender-credential-guard-by-using-the-registry). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
-The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines.
-
-> [!NOTE]
-> Credential Guard and Device Guard are not supported when using Azure Gen 1 VMs. These options are available with Gen 2 VMs only.
-
-### Enable Windows Defender Credential Guard by using Group Policy
-
-You can use Group Policy to enable Windows Defender Credential Guard. When enabled, it will add and enable the virtualization-based security features for you if needed.
-
-1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
-
-1. Select **Turn On Virtualization Based Security**, and then select the **Enabled** option.
-
-1. In the **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**.
-
-1. In the **Credential Guard Configuration** box, select **Enabled with UEFI lock**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**.
-
-1. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. For more information, see [System Guard Secure Launch and SMM protection](../../hardware-security/system-guard-secure-launch-and-smm-protection.md).
-
- :::image type="content" source="images/credguard-gp.png" alt-text="Windows Defender Credential Guard Group Policy setting.":::
-
-1. Select **OK**, and then close the Group Policy Management Console.
-
-To enforce processing of the group policy, you can run `gpupdate /force`.
-
-### Enable Windows Defender Credential Guard by using Microsoft Intune
-
-1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices**.
-
-1. Select **Configuration Profiles**.
-
-1. Select **Create Profile** > **Windows 10 and later** > **Settings catalog** > **Create**.
-
- 1. Configuration settings: In the settings picker, select **Device Guard** as category and add the needed settings.
-
-> [!NOTE]
-> Enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock.
-
-> [!TIP]
-> You can also configure Credential Guard by using an account protection profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings).
-
-### Enable Windows Defender Credential Guard by using the registry
-
-If you don't use Group Policy, you can enable Windows Defender Credential Guard by using the registry. Windows Defender Credential Guard uses virtualization-based security features that have to be enabled first on some operating systems.
-
-#### Add the virtualization-based security features
-
-Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security isn't necessary and this step can be skipped.
-
-If you're using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security.
-To enable, use the Control Panel or the Deployment Image Servicing and Management tool (DISM).
-
-> [!NOTE]
-> If you enable Windows Defender Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you.
-
-##### Add the virtualization-based security features by using Programs and Features
-
-1. Open the Programs and Features control panel.
-
-1. Select **Turn Windows feature on or off**.
-
-1. Go to **Hyper-V** > **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box.
-
-1. Select the **Isolated User Mode** check box at the top level of the feature selection.
-
-1. Select **OK**.
-
-##### Add the virtualization-based security features to an offline image by using DISM
-
-1. Open an elevated command prompt.
-
-1. Add the Hyper-V Hypervisor by running the following command:
-
- ```cmd
- dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
- ```
-
-1. Add the Isolated User Mode feature by running the following command:
-
- ```cmd
- dism /image: /Enable-Feature /FeatureName:IsolatedUserMode
- ```
-
- > [!NOTE]
- > In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required.
-
-> [!TIP]
-> You can also add these features to an online image by using either DISM or Configuration Manager.
-
-#### Enable virtualization-based security and Windows Defender Credential Guard
-
-1. Open Registry Editor.
-
-1. Enable virtualization-based security:
-
- 1. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`.
-
- 1. Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it.
-
- 1. Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**.
-
-1. Enable Windows Defender Credential Guard:
-
- 1. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`.
-
- 1. Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it.
-
-1. Close Registry Editor.
-
-> [!NOTE]
-> You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands) unattend setting.
-
-### Review Windows Defender Credential Guard performance
-
-#### Is Windows Defender Credential Guard running?
-
-You can view System Information to check that Windows Defender Credential Guard is running on a PC.
-
-1. Select **Start**, type **msinfo32.exe**, and then select **System Information**.
-
-1. Select **System Summary**.
-
-1. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Running**.
-
- :::image type="content" source="images/credguard-msinfo32.png" alt-text="The 'Virtualization-based security Services Running' entry lists Credential Guard in System Information (msinfo32.exe).":::
-
-> [!NOTE]
-> For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features.
-
-- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard won't help to secure a device or identity that has already been compromised. So, we recommend turning on Credential Guard as early as possible.
-
-- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. You can use security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
-
- - **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
-
- - **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: \[**0x0** \| **0x1** \| **0x2**\], **0**
-
- - The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. **0x0** means that it's not configured to run.
-
- - The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**.
-
- - **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel isn't running; continuing without Windows Defender Credential Guard.
-
- - **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\]
-
- - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
-
-- You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs > Microsoft > Windows > Kernel-Boot* event log. The full event text will read like this: `VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.` If you're running with a TPM, the TPM PCR mask value will be something other than 0.
-
-- You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command:
-
- ```powershell
- (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
- ```
-
- This command generates the following output:
-
- - **0**: Windows Defender Credential Guard is disabled (not running)
-
- - **1**: Windows Defender Credential Guard is enabled (running)
-
- > [!NOTE]
- > Checking the task list or Task Manager to see if LSAISO.exe is running is not a recommended method for determining whether Windows Defender Credential Guard is running.
-
-## Disable Windows Defender Credential Guard
-
-Windows Defender Credential Guard can be disabled via several methods explained below, depending on how the feature was enabled. For devices that had Windows Defender Credential Guard automatically enabled in the 22H2 update and didn't have it enabled prior to the update, it's sufficient to [disable via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy).
-
-If Windows Defender Credential Guard was enabled with UEFI Lock, the procedure described in [Disabling Windows Defender Credential Guard with UEFI Lock](#disabling-windows-defender-credential-guard-with-uefi-lock) must be followed. The default enablement change in eligible 22H2 devices does **not** use a UEFI Lock.
-
-If Windows Defender Credential Guard was enabled via Group Policy without UEFI Lock, Windows Defender Credential Guard should be [disabled via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy).
-
-Otherwise, Windows Defender Credential Guard can be [disabled by changing registry keys](#disabling-windows-defender-credential-guard-using-registry-keys).
-
-Windows Defender Credential Guard running in a virtual machine can be [disabled by the host](#disable-windows-defender-credential-guard-for-a-virtual-machine).
-
-For information on disabling Virtualization-Based Security (VBS), see [Disabling Virtualization-Based Security](#disabling-virtualization-based-security).
-
-### Disabling Windows Defender Credential Guard using Group Policy
-
-If Windows Defender Credential Guard was enabled via Group Policy and without UEFI Lock, disabling the same Group Policy setting will disable Windows Defender Credential Guard.
-
-1. Disable the Group Policy setting that governs Windows Defender Credential Guard. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**. In the "Credential Guard Configuration" section, set the dropdown value to "Disabled":
-
- :::image type="content" source="images/credguard-gp-disabled.png" alt-text="Windows Defender Credential Guard Group Policy set to Disabled.":::
-
-1. Restart the machine.
-
-### Disabling Windows Defender Credential Guard using Registry Keys
-
-If Windows Defender Credential Guard was enabled without UEFI Lock and without Group Policy, it's sufficient to edit the registry keys as described below to disable Windows Defender Credential Guard.
-
-1. Change the following registry settings to 0:
-
- - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags`
-
- - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags`
-
- > [!NOTE]
- > Deleting these registry settings may not disable Windows Defender Credential Guard. They must be set to a value of 0.
-
-1. Restart the machine.
-
-### Disabling Windows Defender Credential Guard with UEFI Lock
-
-If Windows Defender Credential Guard was enabled with UEFI Lock enabled, then the following procedure must be followed since the settings are persisted in EFI (firmware) variables. This scenario will require physical presence at the machine to press a function key to accept the change.
-
-1. If Group Policy was used to enable Windows Defender Credential Guard, disable the relevant Group Policy setting. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**. In the "Credential Guard Configuration" section, set the dropdown value to "Disabled".
-
-1. Change the following registry settings to 0:
-
- - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags`
-
- - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags`
-
-1. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
-
- ```cmd
- mountvol X: /s
- copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
- bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
- bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
- bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
- bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
- bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
- mountvol X: /d
- ```
-
-1. Restart the PC. Before the OS boots, a prompt will appear notifying that UEFI was modified, and asking for confirmation. This prompt must be confirmed for the changes to persist. This step requires physical access to the machine.
-
-### Disable Windows Defender Credential Guard for a virtual machine
-
-From the host, you can disable Windows Defender Credential Guard for a virtual machine:
-
-```powershell
-Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
-```
-
-## Disabling Virtualization-Based Security
-
-Instructions are given below for how to disable Virtualization-Based Security (VBS) entirely, rather than just Windows Defender Credential Guard. Disabling Virtualization-Based Security will automatically disable Windows Defender Credential Guard and other features that rely on VBS.
-
-> [!IMPORTANT]
-> Other security features in addition to Windows Defender Credential Guard rely on Virtualization-Based Security in order to run. Disabling Virtualization-Based Security may have unintended side effects.
-
-1. If Group Policy was used to enable Virtualization-Based Security, set the Group Policy setting that was used to enable it (**Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**) to "Disabled".
-
-1. Delete the following registry settings:
-
- - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity`
-
- - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures`
-
- > [!IMPORTANT]
- > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
-
-1. If Windows Defender Credential Guard is running when disabling Virtualization-Based Security and either feature was enabled with UEFI Lock, the EFI (firmware) variables must be cleared using bcdedit. From an elevated command prompt, run the following bcdedit commands after turning off all Virtualization-Based Security Group Policy and registry settings as described in steps 1 and 2 above:
-
- >
- > ```cmd
- > bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
- > bcdedit /set vsmlaunchtype off
- > ```
-
-1. Restart the PC.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
deleted file mode 100644
index 6719b3db77..0000000000
--- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: Windows Defender Credential Guard protection limits
-description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide.
-ms.date: 08/17/2017
-ms.topic: article
----
-# Windows Defender Credential Guard protection limits
-
-Some ways to store credentials are not protected by Windows Defender Credential Guard, including:
-
-- Software that manages credentials outside of Windows feature protection
-- Local accounts and Microsoft Accounts
-- Windows Defender Credential Guard doesn't protect the Active Directory database running on Windows Server domain controllers. It also doesn't protect credential input pipelines, such as Windows Server running Remote Desktop Gateway. If you're using a Windows Server OS as a client PC, it will get the same protection as it would when running a Windows client OS.
-- Key loggers
-- Physical attacks
-- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
-- Third-party security packages
-- Digest and CredSSP credentials
- - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
-- Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well.-
-- Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is.
-- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it doesn't provide additional protection from privileged system attacks originating from the host.
-- Windows logon cached password verifiers (commonly called "cached credentials")
-don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These *cached logons*, or more specifically, *cached domain account information*, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available.
-
-## See also
-
-**Deep Dive into Windows Defender Credential Guard: Related videos**
-
-[Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection: Manage Credential Guard](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/manage-credential-guard?u=3322)
-> [!NOTE]
-> - Note: Requires [LinkedIn Learning subscription](https://www.linkedin.com/learning/subscription/products) to view the full video
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
deleted file mode 100644
index e8e539e520..0000000000
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ /dev/null
@@ -1,138 +0,0 @@
----
-title: Windows Defender Credential Guard requirements
-description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security.
-ms.date: 12/27/2021
-ms.topic: article
----
-
-# Windows Defender Credential Guard requirements
-
-For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
-
-## Hardware and software requirements
-
-To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses:
-
-- Support for Virtualization-based security (required)
-- Secure boot (required)
-- Trusted Platform Module (TPM, preferred - provides binding to hardware) versions 1.2 and 2.0 are supported, either discrete or firmware
-- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)
-
-The Virtualization-based security requires:
-
-- 64-bit CPU
-- CPU virtualization extensions plus extended page tables
-- Windows hypervisor (does not require Hyper-V Windows Feature to be installed)
-
-### Windows Defender Credential Guard deployment in virtual machines
-
-Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host.
-
-#### Requirements for running Windows Defender Credential Guard in Hyper-V virtual machines
-
-- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
-- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and be running at least Windows Server 2016 or Windows 10.
- - TPM is not a requirement, but we recommend that you implement TPM.
-
-For information about other host platforms, see [Enabling Windows Server 2016 and Hyper-V virtualization based security features on other platforms](https://blogs.technet.microsoft.com/windowsserver/2016/09/29/enabling-windows-server-2016-and-hyper-v-virtualization-based-security-features-on-other-platforms/).
-
-For information about Windows Defender Remote Credential Guard hardware and software requirements, see [Windows Defender Remote Credential Guard requirements](/windows/access-protection/remote-credential-guard#hardware-and-software-requirements).
-
-## Application requirements
-
-When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatibility with the reduced functionality.
-
-> [!WARNING]
-> Enabling Windows Defender Credential Guard on domain controllers is not recommended at this time.
-> Windows Defender Credential Guard does not provide any added security to domain controllers, and can cause application compatibility issues on domain controllers.
-
-> [!NOTE]
-> Windows Defender Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
-
-Applications will break if they require:
-
-- Kerberos DES encryption support
-- Kerberos unconstrained delegation
-- Extracting the Kerberos TGT
-- NTLMv1
-
-Applications will prompt and expose credentials to risk if they require:
-
-- Digest authentication
-- Credential delegation
-- MS-CHAPv2
-
-Applications may cause performance issues when they attempt to hook the isolated Windows Defender Credential Guard process.
-
-Services or protocols that rely on Kerberos, such as file shares, remote desktop, or BranchCache, continue to work and are not affected by Windows Defender Credential Guard.
-
-[!INCLUDE [windows-defender-credential-guard](../../../../includes/licensing/windows-defender-credential-guard.md)]
-
-## Security considerations
-
-All computers that meet baseline protections for hardware, firmware, and software can use Windows Defender Credential Guard.
-Computers that meet additional qualifications can provide additional protections to further reduce the attack surface.
-The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
-
-> [!NOTE]
-> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers.
->
-> If you are an OEM, see [PC OEM requirements for Windows Defender Credential Guard](/windows-hardware/design/device-experiences/oem-security-considerations).
-
-### Baseline protections
-
-|Baseline Protections|Description|Security benefits
-|---|---|---|
-|Hardware: **64-bit CPU** |A 64-bit computer is required for the Windows hypervisor to provide VBS.|
-|Hardware: **CPU virtualization extensions**, plus **extended page tables**|**Requirements**: - These hardware features are required for VBS: One of the following virtualization extensions: - VT-x (Intel) or - AMD-V And: - Extended page tables, also called Second Level Address Translation (SLAT).|VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation.|
-|Hardware: **Trusted Platform Module (TPM)**|**Requirement**: - TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../hardware-security/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.|
-|Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot**|**Requirements**: - See the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot|UEFI Secure Boot helps ensure that the device boots only authorized code, and can prevent boot kits and root kits from installing and persisting across reboots.|
-|Firmware: **Secure firmware update process**|**Requirements**: - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.|
-|Software: Qualified **Windows operating system**|**Requirement**: - At least Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.|
-
-> [!IMPORTANT]
-> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide.
-
-### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4
-
-|Protections for Improved Security|Description|
-|---|---|
-|Hardware: **IOMMU** (input/output memory management unit)|**Requirement**: - VT-D or AMD Vi IOMMU **Security benefits**: - An IOMMU can enhance system resiliency against memory attacks. For more information, see [Advanced Configuration and Power Interface (ACPI) description tables](/windows-hardware/drivers/bringup/acpi-system-description-tables)|
-|Firmware: **Securing Boot Configuration and Management**|**Requirements**: - BIOS password or stronger authentication must be supported. - In the BIOS configuration, BIOS authentication must be set. - There must be support for protected BIOS option to configure list of permitted boot devices (for example, "Boot only from internal hard drive") and boot device order, overriding BOOTORDER modification made by operating system. - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.|
-|Firmware: **Secure MOR, revision 2 implementation**|**Requirement**: - Secure MOR, revision 2 implementation|
-
-### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016
-
-> [!IMPORTANT]
-> The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections.
-
-|Protections for Improved Security|Description|Security Benefits|
-|---|---|---|
-|Firmware: **Hardware Rooted Trust Platform Secure Boot**|**Requirements**: - Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby - The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](/windows-hardware/test/hlk/testref/hardware-security-testability-specification).|Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware. - HSTI provides additional security assurance for correctly secured silicon and platform.|
-|Firmware: **Firmware Update through Windows Update**|**Requirements**: - Firmware must support field updates through Windows Update and UEFI encapsulation update.|Helps ensure that firmware updates are fast, secure, and reliable.|
-|Firmware: **Securing Boot Configuration and Management**|**Requirements**: - Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time. - Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.|- Enterprises can choose to allow proprietary EFI drivers/applications to run. - Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots.|
-
-### 2017 Additional security qualifications starting with Windows 10, version 1703
-
-The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications.
-
-|Protections for Improved Security|Description|Security Benefits
-|---|---|---|
-|Firmware: **VBS enablement of No-Execute (NX) protection for UEFI runtime services**|**Requirements**: - VBS will enable NX protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable. UEFI runtime service must meet these requirements: - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. - PE sections must be page-aligned in memory (not required for in non-volatile storage). - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS: - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both. - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writable and non-executable. (**SEE IMPORTANT INFORMATION AFTER THIS TABLE**)|Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable) - Reduces the attack surface to VBS from system firmware.|
-|Firmware: **Firmware support for SMM protection**|**Requirements**: - The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an ACPI table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.|- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable) - Reduces the attack surface to VBS from system firmware. - Blocks additional security attacks against SMM.|
-
-> [!IMPORTANT]
->
-> Regarding **VBS enablement of NX protection for UEFI runtime services**:
->
-> - This only applies to UEFI runtime service memory, and not UEFI boot service memory.
->
-> - This protection is applied by VBS on OS page tables.
->
-> Please also note the following:
->
-> - Do not use sections that are both writable and executable
->
-> - Do not attempt to directly modify executable system memory
->
-> - Do not use dynamic code
diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md
deleted file mode 100644
index 519ec863c8..0000000000
--- a/windows/security/identity-protection/credential-guard/credential-guard.md
+++ /dev/null
@@ -1,35 +0,0 @@
----
-title: Protect derived domain credentials with Windows Defender Credential Guard
-description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
-ms.date: 11/22/2022
-ms.topic: article
-ms.collection:
- - highpri
- - tier2
----
-
-# Protect derived domain credentials with Windows Defender Credential Guard
-
-Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
-
-By enabling Windows Defender Credential Guard, the following features and solutions are provided:
-
-- **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
-- **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
-- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate other security strategies and architectures.
-
-> [!NOTE]
-> As of Windows 11, version 22H2, Windows Defender Credential Guard has been enabled by default on all devices which meet the minimum requirements as specified in the [Default Enablement](credential-guard-manage.md#default-enablement) section. For information about known issues related to default enablement, see [Credential Guard: Known Issues](credential-guard-known-issues.md#known-issue-single-sign-on-sso-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2).
-
-## Related topics
-
-- [Protecting network passwords with Windows Defender Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard)
-- [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382)
-- [What's New in Kerberos Authentication for Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11))
-- [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378897(v=ws.10))
-- [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
-- [Mitigating Credential Theft using the Windows 10 Isolated User Mode](/shows/seth-juarez/mitigating-credential-theft-using-windows-10-isolated-user-mode)
-- [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel](/shows/seth-juarez/isolated-user-mode-processes-features-in-windows-10-logan-gabriel)
-- [More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert](/shows/seth-juarez/more-on-processes-features-in-windows-10-isolated-user-mode-dave-probert)
-- [Isolated User Mode in Windows 10 with Dave Probert](/shows/seth-juarez/isolated-user-mode-in-windows-10-dave-probert)
-- [Windows 10 Virtual Secure Mode with David Hepkin](/shows/seth-juarez/windows-10-virtual-secure-mode-david-hepkin)
diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md
new file mode 100644
index 0000000000..69eef9c3f9
--- /dev/null
+++ b/windows/security/identity-protection/credential-guard/how-it-works.md
@@ -0,0 +1,42 @@
+---
+ms.date: 08/31/2023
+title: How Credential Guard works
+description: Learn how Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
+ms.topic: conceptual
+---
+
+# How Credential Guard works
+
+Kerberos, NTLM, and Credential Manager isolate secrets by using Virtualization-based security (VBS). Previous versions of Windows stored secrets in its process memory, in the Local Security Authority (LSA) process `lsass.exe`. With Credential Guard enabled, the LSA process in the operating system talks to a component called the *isolated LSA process* that stores and protects those secrets, `LSAIso.exe`. Data stored by the isolated LSA process is protected using VBS and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
+
+For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All the binaries are signed with a certificate that VBS trusts, and the signatures are validated before launching the file in the protected environment.
+
+Here's a high-level overview on how the LSA is isolated by using Virtualization-based security:
+
+:::image type="content" source="images/credguard.png" alt-text="Diagram of the Credential Guard architecture.":::
+
+## Credential Guard protection limits
+
+Some ways to store credentials aren't protected by Credential Guard, including:
+
+- Software that manages credentials outside of Windows feature protection
+- Local accounts and Microsoft Accounts
+- Credential Guard doesn't protect the Active Directory database running on Windows Server domain controllers. It also doesn't protect credential input pipelines, such as Windows Server running Remote Desktop Gateway. If you're using a Windows Server OS as a client PC, it will get the same protection as it would when running a Windows client OS
+- Key loggers
+- Physical attacks
+- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization
+- Third-party security packages
+- When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Credential Guard with any of these protocols
+ > [!CAUTION]
+ > It's recommended that valuable credentials, such as the sign-in credentials, aren't used with NTLMv1, MS-CHAPv2, Digest, or CredSSP protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
+- Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well
+- Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is protected
+- When Credential Guard is enabled, Kerberos doesn't allow *unconstrained Kerberos delegation* or *DES encryption*, not only for signed-in credentials, but also prompted or saved credentials
+- When Credential Guard is enabled on a VM, it protects secrets from attacks inside the VM. However, it doesn't provide protection from privileged system attacks originating from the host
+- Windows logon cached password verifiers (commonly called *cached credentials*) don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These *cached logons*, or more specifically, *cached domain account information*, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available
+
+## Next steps
+
+- Learn [how to configure Credential Guard](configure.md)
+- Review the advice and sample code for making your environment more secure and robust with Credential Guard in the [Additional mitigations](additional-mitigations.md) article
+- Review [considerations and known issues when using Credential Guard](considerations-known-issues.md)
diff --git a/windows/security/identity-protection/credential-guard/images/credguard-gp-disabled.png b/windows/security/identity-protection/credential-guard/images/credguard-gp-disabled.png
deleted file mode 100644
index bfb042a49d..0000000000
Binary files a/windows/security/identity-protection/credential-guard/images/credguard-gp-disabled.png and /dev/null differ
diff --git a/windows/security/identity-protection/credential-guard/images/credguard-gp.png b/windows/security/identity-protection/credential-guard/images/credguard-gp.png
deleted file mode 100644
index ad34b6deb3..0000000000
Binary files a/windows/security/identity-protection/credential-guard/images/credguard-gp.png and /dev/null differ
diff --git a/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png b/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png
deleted file mode 100644
index c9737e3236..0000000000
Binary files a/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png and /dev/null differ
diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md
new file mode 100644
index 0000000000..710f148343
--- /dev/null
+++ b/windows/security/identity-protection/credential-guard/index.md
@@ -0,0 +1,101 @@
+---
+title: Credential Guard overview
+description: Learn about Credential Guard and how it isolates secrets so that only privileged system software can access them.
+ms.date: 08/31/2023
+ms.topic: overview
+ms.collection:
+ - highpri
+ - tier1
+---
+
+# Credential Guard overview
+
+Credential Guard prevents credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials.
+
+Credential Guard uses [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks like *pass the hash* and *pass the ticket*.
+
+When enabled, Credential Guard provides the following benefits:
+
+- **Hardware security**: NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials
+- **Virtualization-based security**: NTLM, Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system
+- **Protection against advanced persistent threats**: when credentials are protected using VBS, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges can't extract secrets that are protected by VBS
+
+> [!NOTE]
+> While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques, and you should also incorporate other security strategies and architectures.
+
+> [!IMPORTANT]
+> Starting in Windows 11, version 22H2, VBS and Credential Guard are enabled by default on all devices that meet the system requirements.\
+> For information about known issues related to the default enablement of Credential Guard, see [Credential Guard: Known Issues](considerations-known-issues.md).
+
+## System requirements
+
+For Credential Guard to provide protection, the devices must meet certain hardware, firmware, and software requirements.
+
+Devices that meet more hardware and firmware qualifications than the minimum requirements, receive additional protections and are more hardened against certain threats.
+
+### Hardware and software requirements
+
+Credential Guard requires the features:
+
+- Virtualization-based security (VBS)
+ >[!NOTE]
+ > VBS has different requirements to enable it on different hardware platforms. For more information, see [Virtualization-based Security requirements](/windows-hardware/design/device-experiences/oem-vbs)
+- [Secure Boot](../../operating-system-security/system-security/secure-the-windows-10-boot-process.md#secure-boot)
+
+While not required, the following features are recommended to provide additional protections:
+
+- Trusted Platform Module (TPM), as it provides binding to hardware. TPM versions 1.2 and 2.0 are supported, either discrete or firmware
+- UEFI lock, as it prevents attackers from disabling Credential Guard with a registry key change
+
+For detailed information on protections for improved security that are associated with hardware and firmware options, see [additional security qualifications](additional-mitigations.md#additional-security-qualifications).
+
+#### Credential Guard in virtual machines
+
+Credential Guard can protect secrets in Hyper-V virtual machines, just as it would on a physical machine. When Credential Guard is enabled on a VM, secrets are protected from attacks *inside* the VM. Credential Guard doesn't provide protection from privileged system attacks originating from the host.
+
+The requirements to run Credential Guard in Hyper-V virtual machines are:
+
+- The Hyper-V host must have an IOMMU
+- The Hyper-V virtual machine must be generation 2
+
+> [!NOTE]
+> Credential Guard is not supported on Hyper-V or Azure generation 1 VMs. Credential Guard is available on generation 2 VMs only.
+
+[!INCLUDE [credential-guard](../../../../includes/licensing/credential-guard.md)]
+
+## Application requirements
+
+When Credential Guard is enabled, certain authentication capabilities are blocked. Applications that require such capabilities break. We refer to these requirements as *application requirements*.
+
+Applications should be tested prior to deployment to ensure compatibility with the reduced functionality.
+
+> [!WARNING]
+> Enabling Credential Guard on domain controllers isn't recommended.
+> Credential Guard doesn't provide any added security to domain controllers, and can cause application compatibility issues on domain controllers.
+
+> [!NOTE]
+> Credential Guard doesn't provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
+
+Applications break if they require:
+
+- Kerberos DES encryption support
+- Kerberos unconstrained delegation
+- Extracting the Kerberos TGT
+- NTLMv1
+
+Applications prompt and expose credentials to risk if they require:
+
+- Digest authentication
+- Credential delegation
+- MS-CHAPv2
+
+Applications may cause performance issues when they attempt to hook the isolated Credential Guard process `LSAIso.exe`.
+
+Services or protocols that rely on Kerberos, such as file shares or remote desktop, continue to work and aren't affected by Credential Guard.
+
+## Next steps
+
+- Learn [how Credential Guard works](how-it-works.md)
+- Learn [how to configure Credential Guard](configure.md)
+- Review the advice and sample code for making your environment more secure and robust with Credential Guard in the [Additional mitigations](additional-mitigations.md) article
+- Review [considerations and known issues when using Credential Guard](considerations-known-issues.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/credential-guard/toc.yml b/windows/security/identity-protection/credential-guard/toc.yml
index 3661af7b0e..a4b737a9ec 100644
--- a/windows/security/identity-protection/credential-guard/toc.yml
+++ b/windows/security/identity-protection/credential-guard/toc.yml
@@ -1,17 +1,11 @@
items:
-- name: Protect derived domain credentials with Credential Guard
- href: credential-guard.md
+- name: Overview
+ href: index.md
- name: How Credential Guard works
- href: credential-guard-how-it-works.md
-- name: Requirements
- href: credential-guard-requirements.md
-- name: Manage Credential Guard
- href: credential-guard-manage.md
-- name: Credential Guard protection limits
- href: credential-guard-protection-limits.md
-- name: Considerations when using Credential Guard
- href: credential-guard-considerations.md
+ href: how-it-works.md
+- name: Configure Credential Guard
+ href: configure.md
- name: Additional mitigations
href: additional-mitigations.md
-- name: Known issues
- href: credential-guard-known-issues.md
\ No newline at end of file
+- name: Considerations and known issues
+ href: considerations-known-issues.md
\ No newline at end of file
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index 47f0d59394..e384f47efe 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@@ -1,7 +1,7 @@
---
title: Enterprise certificate pinning
description: Enterprise certificate pinning is a Windows feature for remembering, or pinning, a root issuing certificate authority, or end-entity certificate to a domain name.
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 05/24/2023
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
index dc32004a43..64d320047f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
@@ -3,6 +3,7 @@ title: Windows Hello for Business cloud-only deployment
description: Learn how to configure Windows Hello for Business in a cloud-only deployment scenario.
ms.date: 06/23/2021
ms.topic: how-to
+ms.custom: has-azure-ad-ps-ref
---
# Cloud-only deployment
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index 744816323d..dbdfe3cab6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -1,7 +1,7 @@
---
title: Prepare and deploy Active Directory Federation Services in an on-premises certificate trust model
description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business on-premises certificate trust model.
-ms.date: 12/12/2022
+ms.date: 09/07/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index b3059ee0c0..8a414df385 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -4,7 +4,7 @@ description: Configure Windows Hello for Business Policy settings for Windows He
ms.collection:
- highpri
- tier1
-ms.date: 12/12/2022
+ms.date: 09/07/2023
ms.topic: tutorial
---
# Configure Windows Hello for Business group policy settings - on-premises certificate Trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index 455d4055a2..220079357a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -1,7 +1,7 @@
---
title: Validate Active Directory prerequisites in an on-premises certificate trust
description: Validate Active Directory prerequisites when deploying Windows Hello for Business in a certificate trust model.
-ms.date: 12/12/2022
+ms.date: 09/07/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
index c7b67abec3..83576f884f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
@@ -1,7 +1,7 @@
---
title: Validate and Deploy MFA for Windows Hello for Business with certificate trust
description: Validate and deploy multi-factor authentication (MFA) for Windows Hello for Business in an on-premises certificate trust model.
-ms.date: 12/13/2022
+ms.date: 09/07/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
index 6174ed348a..e98fede731 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
@@ -1,7 +1,7 @@
---
title: Configure and validate the Public Key Infrastructure in an on-premises certificate trust model
description: Configure and validate the Public Key Infrastructure the Public Key Infrastructure when deploying Windows Hello for Business in a certificate trust model.
-ms.date: 12/12/2022
+ms.date: 09/07/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
index 70a5ee4feb..04edf25531 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business deployment guide for the on-premises certificate trust model
description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust model.
-ms.date: 12/12/2022
+ms.date: 09/07/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index 35b4058caa..aef79952c9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -42,7 +42,7 @@ The trust model determines how you want users to authenticate to the on-premises
- The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers.
> [!Note]
-> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
+> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Remote Credential Guard](../remote-credential-guard.md).
Following are the various deployment guides and models included in this topic:
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
index b7b8a64228..7882589fd0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@@ -22,7 +22,7 @@ If you're a customer of *Azure US Government* cloud, PIN reset also attempts to
### Resolve PIN Reset allowed domains issue
-To resolve the error, you can configure a list of allowed domains for PIN reset using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. For information on how to configure the policy, see [PIN Reset - Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices](hello-feature-pin-reset.md#configure-web-sign-in-allowed-urls-for-third-party-identity-providers-on-azure-ad-joined-devices).
+To resolve the error, you can configure a list of allowed domains for PIN reset using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. For information on how to configure the policy, see [Configure allowed URLs for federated identity providers on Azure AD joined devices](hello-feature-pin-reset.md#configure-allowed-urls-for-federated-identity-providers-on-azure-ad-joined-devices).
## Hybrid key trust sign in broken due to user public key deletion
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index 04b493aa73..ca9a3ac20d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -257,4 +257,4 @@ sections:
In a hybrid deployment, a user's public key must sync from Azure AD to AD before it can be used to authenticate against a domain controller. This sync is handled by Azure AD Connect and will occur during a normal sync cycle.
- question: Can I use Windows Hello for Business key trust and RDP?
answer: |
- Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) without deploying certificates.
+ Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Remote Credential Guard](../remote-credential-guard.md) without deploying certificates.
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index e2c5e5c7c4..ab35e717f2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -1,166 +1,119 @@
---
-title: Pin Reset
-description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN.
+title: PIN reset
+description: Learn how Microsoft PIN reset service enables your users to recover a forgotten Windows Hello for Business PIN.
ms.collection:
- highpri
- tier1
-ms.date: 07/03/2023
+ms.date: 08/15/2023
ms.topic: how-to
---
# PIN reset
-Windows Hello for Business provides the capability for users to reset forgotten PINs using the *I forgot my PIN* link from the Sign-in options page in *Settings* or from the Windows lock screen. Users are required to authenticate and complete multi-factor authentication to reset their PIN.
+This article describes how *Microsoft PIN reset service* enables your users to recover a forgotten Windows Hello for Business PIN.
-There are two forms of PIN reset:
+## Overview
-- **Destructive PIN reset**: with this option, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, are deleted from the client and a new login key and PIN are provisioned. Destructive PIN reset is the default option, and doesn't require configuration.
-- **Non-destructive PIN reset**: with this option, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. For non-destructive PIN reset, you must deploy the **Microsoft PIN Reset Service** and configure your clients' policy to enable the **PIN Recovery** feature.
-## Using PIN reset
+Windows Hello for Business provides the capability for users to reset forgotten PINs. There are two forms of PIN reset:
-There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and doesn't require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.
+- *Destructive PIN reset*: with this option, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, are deleted from the client and a new sign in key and PIN are provisioned. Destructive PIN reset is the default option, and doesn't require configuration
+- *Non-destructive PIN reset*: with this option, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. For non-destructive PIN reset, you must deploy the *Microsoft PIN reset service* and configure your clients' policy to enable the *PIN recovery* feature
-Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider.
-
->[!IMPORTANT]
->For hybrid Azure AD-joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN.
-
-### Reset PIN from Settings
-
-1. Sign-in to Windows 10 using an alternate credential.
-1. Open **Settings**, select **Accounts** > **Sign-in options**.
-1. Select **PIN (Windows Hello)** > **I forgot my PIN** and follow the instructions.
-
-### Reset PIN above the Lock Screen
-
-For Azure AD-joined devices:
-
-1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon.
-1. Select **I forgot my PIN** from the PIN credential provider.
-1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (like Password, PIN, Security key).
-1. Follow the instructions provided by the provisioning process.
-1. When finished, unlock your desktop using your newly created PIN.
-
-For Hybrid Azure AD-joined devices:
-
-1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon.
-1. Select **I forgot my PIN** from the PIN credential provider.
-1. Enter your password and press enter.
-1. Follow the instructions provided by the provisioning process.
-1. When finished, unlock your desktop using your newly created PIN.
-
-> [!NOTE]
-> Key trust on hybrid Azure AD-joined devices does not support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work.
-
-You may find that PIN reset from settings only works post login. Also, the lock screen PIN reset function won't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
-
-## Non-Destructive PIN reset
+## How non-destructive PIN reset works
**Requirements:**
-- Azure Active Directory
-- Windows Enterprise and Pro editions. There's no licensing requirement for this feature.
-- Hybrid Windows Hello for Business deployment
-- Azure AD registered, Azure AD joined, and Hybrid Azure AD joined
+- Hybrid or cloud-only Windows Hello for Business deployments
+- Windows Enterprise, Education and Pro editions. There's no licensing requirement for this feature
-When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally. The key is added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Azure AD, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it's then cleared from memory.
+When non-destructive PIN reset is enabled on a client, a *256-bit AES* key is generated locally. The key is added to a user's Windows Hello for Business container and keys as the *PIN reset protector*. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Azure AD, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it's then cleared from memory.
-Using Group Policy, Microsoft Intune or a compatible MDM solution, you can configure Windows devices to securely use the **Microsoft PIN Reset Service** which enables users to reset their forgotten PIN without requiring re-enrollment.
+Using Group Policy, Microsoft Intune or a compatible MDM solution, you can configure Windows devices to securely use the Microsoft PIN reset service, which enables users to reset their forgotten PIN without requiring re-enrollment.
->[!IMPORTANT]
-> The Microsoft PIN Reset service is not currently available in Azure Government.
+The following table compares destructive and non-destructive PIN reset:
-### Summary
-
-|Category|Destructive PIN Reset|Non-Destructive PIN Reset|
+|Category|Destructive PIN reset|Non-Destructive PIN reset|
|--- |--- |--- |
-|**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](#connect-azure-active-directory-with-the-pin-reset-service). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.|
-|**Windows editions and versions**| Windows Enterprise and Pro editions.|
+|**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, are deleted from the client and a new sign in key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.|
|**Azure Active Directory Joined**|Cert Trust, Key Trust, and cloud Kerberos trust|Cert Trust, Key Trust, and cloud Kerberos trust|
-|**Hybrid Azure Active Directory Joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.|
-|**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it's only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.|
-|**Additional Configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature On-board the Microsoft PIN reset service to respective Azure Active Directory tenant Configure Windows devices to use PIN reset using Group *Policy\MDM*.|
+|**Hybrid Azure Active Directory Joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this option from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.|
+|**On Premises**|If AD FS is used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it's only available for hybrid Azure AD joined and Azure AD Joined devices.|
+|**Additional configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature.|
|**MSA/Enterprise**|MSA and Enterprise|Enterprise only.|
-### Onboarding the Microsoft PIN reset service to your Intune tenant
+## Enable the Microsoft PIN Reset Service in your Azure AD tenant
-> The **Microsoft PIN Reset Service** is not currently available in Azure Government.
+Before you can use non-destructive PIN reset, you must register two applications in your Azure Active Directory tenant:
-### Enable the Microsoft PIN Reset Service in your Azure AD tenant
+- Microsoft Pin Reset Service Production
+- Microsoft Pin Reset Client Production
-Before you can remotely reset PINs, you must register two applications in your Azure Active Directory tenant:
+To register the applications, follow these steps:
-- PIN Reset Service
-- PIN Reset Client
+:::row:::
+ :::column span="3":::
+ 1. Go to the [Microsoft PIN Reset Service Production website][APP-1], and sign in using a *Global Administrator* account you use to manage your Azure Active Directory tenant. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to give consent to the application to access your organization
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" alt-text="Screenshot showing the PIN reset service permissions page." source="images/pinreset/pin-reset-service-prompt.png" lightbox="images/pinreset/pin-reset-service-prompt.png" border="true":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+ 2. Go to the [Microsoft PIN Reset Client Production website][APP-2], and sign in using a *Global Administrator* account you use to manage your Azure Active Directory tenant. Review the permissions requested by the *Microsoft Pin Reset Client Production* application, and select **Next**.
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" alt-text="Screenshot showing the PIN reset client permissions page." source="images/pinreset/pin-reset-client-prompt.png" lightbox="images/pinreset/pin-reset-client-prompt.png" border="true":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+ 3. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to confirm consent to both applications to access your organization.
+ >[!NOTE]
+ >After accepance, the redirect page will show a blank page. This is a known behavior.
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" alt-text="Screenshot showing the PIN reset service permissions final page." source="images/pinreset/pin-reset-service-prompt-2.png" lightbox="images/pinreset/pin-reset-service-prompt-2.png" border="true":::
+ :::column-end:::
+:::row-end:::
-#### Connect Azure Active Directory with the PIN Reset Service
+### Confirm that the two PIN Reset service principals are registered in your tenant
-1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant.
-1. After you've logged in, select **Accept** to give consent to the **PIN Reset Service** to access your organization.
- 
-
-#### Connect Azure Active Directory with the PIN Reset Client
-
-1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant.
-1. After you've logged in, select **Accept** to give consent for the **PIN Reset Client** to access your organization.
- 
-
-#### Confirm that the two PIN Reset service principals are registered in your tenant
-
-1. Sign in to the [Microsoft Entra Manager admin center](https://entra.microsoft.com).
-1. Select **Azure Active Directory** > **Applications** > **Enterprise applications**.
-1. Search by application name "Microsoft PIN" and both **Microsoft Pin Reset Service Production** and **Microsoft Pin Reset Client Production** will show up in the list.
+1. Sign in to the [Microsoft Entra Manager admin center](https://entra.microsoft.com)
+1. Select **Azure Active Directory > Applications > Enterprise applications**
+1. Search by application name "Microsoft PIN" and verify that both **Microsoft Pin Reset Service Production** and **Microsoft Pin Reset Client Production** are in the list
:::image type="content" alt-text="PIN reset service permissions page." source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications-expanded.png":::
-### Enable PIN Recovery on your devices
+## Enable PIN recovery on the clients
-Before you can remotely reset PINs, your devices must be configured to enable PIN Recovery. Follow the instructions below to configure your devices using either Microsoft Intune, Group Policy Objects (GPO), or Configuration Service Providers (CSP).
+To enable PIN recovery on the clients, you can use:
+
+- Microsoft Intune/MDM
+- Group policy
+
+The following instructions provide details how to configure your devices. Select the option that best suits your needs.
#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
-You can configure Windows devices to use the **Microsoft PIN Reset Service** using Microsoft Intune.
+[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Select **Devices** > **Configuration profiles** > **Create profile**.
-1. Enter the following properties:
- - **Platform**: Select **Windows 10 and later**.
- - **Profile type**: Select **Settings catalog**.
-1. Select **Create**.
-1. In **Basics**, enter the following properties:
- - **Name**: Enter a descriptive name for the profile.
- - **Description**: Enter a description for the profile. This setting is optional, but recommended.
-1. Select **Next**.
-1. In **Configuration settings**, select **Add settings**.
-1. In the settings picker, select **Windows Hello For Business** > **Enable Pin Recovery**.
-1. Configure **Enable Pin Recovery** to **true**.
-1. Select **Next**.
-1. In **Scope tags**, assign any applicable tags (optional).
-1. Select **Next**.
-1. In **Assignments**, select the security groups that will receive the policy.
-1. Select **Next**.
-1. In **Review + create**, review your settings and select **Create**.
+| Category | Setting name | Value |
+|--|--|--|
+| **Windows Hello For Business** | Enable Pin Recovery | True |
+
+[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
>[!NOTE]
> You can also configure PIN recovery from the **Endpoint security** blade:
-> 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-> 1. Select **Endpoint security** > **Account protection** > **Create Policy**.
+>
+> 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
+> 1. Select **Endpoint security > Account protection > Create Policy**
-#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
+Alternatively, you can configure devices using a [custom policy][INT-1] with the [PassportForWork CSP][CSP-1].
-You can configure Windows devices to use the **Microsoft PIN Reset Service** using a Group Policy Object (GPO).
-
-1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
-1. Edit the Group Policy object from Step 1.
-1. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**.
-1. Close the Group Policy Management Editor to save the Group Policy object.
-
-#### [:::image type="icon" source="../../images/icons/windows-os.svg"::: **CSP**](#tab/CSP)
-
-You can configure Windows devices to use the **Microsoft PIN Reset Service** using the [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp).
-
-- OMA-URI: `./Vendor/MSFT/Policy/PassportForWork/`*TenantId*`/Policies/EnablePinRecovery`
-- Data type: **Boolean**
-- Value: **True**
+| OMA-URI |Data type| Value|
+|-|-|-|
+| `./Vendor/MSFT/Policy/PassportForWork/`*TenantId*`/Policies/EnablePinRecovery`| Boolean | True |
>[!NOTE]
> You must replace `TenantId` with the identifier of your Azure Active Directory tenant. To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account::
@@ -169,6 +122,17 @@ You can configure Windows devices to use the **Microsoft PIN Reset Service** usi
GET https://graph.microsoft.com/v1.0/organization?$select=id
```
+#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
+
+[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)]
+[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+|**Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**| Use PIN Recovery | Enabled |
+
+[!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)]
+
---
#### Confirm that PIN Recovery policy is enforced on the devices
@@ -177,7 +141,7 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a
**Sample User state Output for Destructive PIN Reset**
-```console
+```cmd
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
@@ -196,7 +160,7 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a
**Sample User state Output for Non-Destructive PIN Reset**
-```console
+```cmd
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
@@ -213,49 +177,72 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a
+----------------------------------------------------------------------+
```
-## Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices
+## Configure allowed URLs for federated identity providers on Azure AD joined devices
-**Applies to:**
+**Applies to:** Azure AD joined devices
-- Azure AD joined devices
+PIN reset on Azure AD-joined devices uses a flow called *web sign-in* to authenticate users in the lock screen. Web sign-in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message: *"We can't open that page right now"*.\
+If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, then you must configure your devices with a policy to allow a list of domains that can be reached during PIN reset flows. When set, it ensures that authentication pages from that identity provider can be used during Azure AD joined PIN reset.
-The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that can be reached during PIN reset flows on Azure AD-joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, then this policy should be set. When set, it ensures that authentication pages from that identity provider can be used during Azure AD joined PIN reset.
+[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
-### Configure Web Sign-in Allowed URLs using Microsoft Intune
+| Category | Setting name | Value |
+|--|--|--|
+| **Authentication** | Configure Web Sign In Allowed Urls | Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com**|
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-1. Select **Devices** > **Configuration profiles** > **Create profile**
-1. Enter the following properties:
- - **Platform**: Select **Windows 10 and later**
- - **Profile type**: Select **Templates**
- - In the list of templates that is loaded, select **Custom** > **Create**
-1. In **Basics**, enter the following properties:
- - **Name**: Enter a descriptive name for the profile
- - **Description**: Enter a description for the profile. This setting is optional, but recommended
-1. Select **Next**
-1. In **Configuration settings**, select **Add** and enter the following settings:
- - Name: **Web Sign In Allowed URLs**
- - Description: **(Optional) List of domains that are allowed during PIN reset flows**
- - OMA-URI: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`
- - Data type: **String**
- - Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com**
- :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy." source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist-expanded.png":::
-1. Select **Save** > **Next**
-1. In **Assignments**, select the security groups that will receive the policy
-1. Select **Next**
-1. In **Applicability Rules**, select **Next**
-1. In **Review + create**, review your settings and select **Create**
+[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-1] with the [Policy CSP][CSP-2].
+
+| Setting |
+|--------|
+| OMA-URI: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls` Data type: String Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com**|
> [!NOTE]
-> For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, "We can't open that page right now." The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy.
+> For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, *"We can't open that page right now"*. The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy.
-## Related articles
+## Use PIN reset
-- [Windows Hello for Business](hello-identity-verification.md)
-- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-- [Windows Hello and password changes](hello-and-password-changes.md)
-- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+Destructive and non-destructive PIN reset scenarios use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen with the *PIN credential provider*. Users must authenticate and complete multi-factor authentication to reset their PIN. After PIN reset is complete, users can sign in using their new PIN.
+
+>[!IMPORTANT]
+>For hybrid Azure AD-joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN.
+
+### Reset PIN from Settings
+
+1. Sign-in to Windows 10 using an alternate credential
+1. Open **Settings > Accounts > Sign-in options**
+1. Select **PIN (Windows Hello) > I forgot my PIN** and follow the instructions
+
+### Reset PIN from the lock screen
+
+For Azure AD-joined devices:
+
+1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon
+1. Select **I forgot my PIN** from the PIN credential provider
+1. Select an authentication option from the list of presented options. This list is based on the different authentication methods enabled in your tenant (like Password, PIN, Security key)
+1. Follow the instructions provided by the provisioning process
+1. When finished, unlock your desktop using your newly created PIN
+
+:::image type="content" alt-text="Animation showing the PIN reset experience from the lock screen." source="images/pinreset/pin-reset.gif" border="false":::
+
+For Hybrid Azure AD-joined devices:
+
+1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon
+1. Select **I forgot my PIN** from the PIN credential provider
+1. Enter your password and press enter
+1. Follow the instructions provided by the provisioning process
+1. When finished, unlock your desktop using your newly created PIN
+
+> [!NOTE]
+> Key trust on hybrid Azure AD-joined devices doesn't support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work.
+
+You may find that PIN reset from Settings only works post sign in. Also, the lock screen PIN reset function doesn't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
+
+
+
+[CSP-1]: /windows/client-management/mdm/passportforwork-csp
+[CSP-2]: /windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls
+[INT-1]: /mem/intune/configuration/settings-catalog
+[APP-1]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent
+[APP-2]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
index 736e333462..58e5c14636 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@@ -1,10 +1,10 @@
---
title: Remote Desktop
description: Learn how Windows Hello for Business supports using biometrics with remote desktop
-ms.date: 02/24/2021
+ms.date: 09/01/2023
ms.topic: conceptual
ms.collection:
- - tier1
+- tier1
---
# Remote Desktop
@@ -14,7 +14,7 @@ ms.collection:
- Hybrid and On-premises Windows Hello for Business deployments
- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
-Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) to establish a remote desktop protocol connection.
+Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Remote Credential Guard](../remote-credential-guard.md) to establish a remote desktop protocol connection.
Microsoft continues to investigate supporting using keys trust for supplied credentials in a future release.
@@ -30,31 +30,20 @@ The ability for users to authenticate to a remote desktop session using their Wi
### How does it work
-Windows generates and stores cryptographic keys using a software component called a key storage provider (KSP). Software-based keys are created and stored using the Microsoft Software Key Storage Provider. Smart card keys are created and stored using the Microsoft Smart Card Key Storage Provider. Keys created and protected by Windows Hello for Business are created and stored using the Microsoft Passport Key Storage Provider.
+Windows generates and stores cryptographic keys using a software component called a key storage provider (KSP). Software-based keys are created and stored using the Microsoft Software Key Storage Provider. Smart card keys are created and stored using the Microsoft Smart Card Key Storage Provider. Keys created and protected by Windows Hello for Business are created and stored using the Microsoft Passport Key Storage Provider.
-A certificate on a smart card starts with creating an asymmetric key pair using the Microsoft Smart Card KSP. Windows requests a certificate based on the key pair from your enterprises issuing certificate authority, which returns a certificate that is stored in the user's Personal certificate store. The private key remains on the smart card and the public key is stored with the certificate. Metadata on the certificate (and the key) store the key storage provider used to create the key (remember the certificate contains the public key).
+A certificate on a smart card starts with creating an asymmetric key pair using the Microsoft Smart Card KSP. Windows requests a certificate based on the key pair from your enterprises issuing certificate authority, which returns a certificate that is stored in the user's Personal certificate store. The private key remains on the smart card and the public key is stored with the certificate. Metadata on the certificate (and the key) stores the key storage provider used to create the key (remember the certificate contains the public key).
-This same concept applies to Windows Hello for Business. Except, the keys are created using the Microsoft Passport KSP and the user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric). The certificate APIs hide this complexity. When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider. The key storage providers directs the certificate APIs on which provider they use to find the private key associated with the certificate. This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card).
+The same concept applies to Windows Hello for Business, except that the keys are created using the Microsoft Passport KSP. The user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric). The certificate APIs hide the complexity. When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider. The key storage providers direct the certificate APIs on which provider they use to find the private key associated with the certificate. This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card).
-Windows Hello for Business emulates a smart card for application compatibility. Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN. Windows 10, version 1809 or later no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows to prompt the user for their biometric gesture or PIN.
+Windows Hello for Business emulates a smart card for application compatibility, and the Microsoft Passport KSP prompts the user for their biometric gesture or PIN.
### Compatibility
-Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it.
+Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it.
> [!div class="mx-imgBorder"]
> 
> [!IMPORTANT]
-> The remote desktop with biometric feature does not work with [Dual Enrollment](hello-feature-dual-enrollment.md) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature.
-
-## Related topics
-
-- [Windows Hello for Business](hello-identity-verification.md)
-- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-- [Windows Hello and password changes](hello-and-password-changes.md)
-- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+> The remote desktop with biometric feature does not work with [Dual Enrollment](hello-feature-dual-enrollment.md) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index 219e82d35c..ee7ba7e558 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -2,7 +2,7 @@
title: How Windows Hello for Business works - Provisioning
description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments.
ms.date: 2/15/2022
-ms.topic: article
+ms.topic: overview
---
# Windows Hello for Business Provisioning
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index b1338f11e5..8c6856a2da 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -2,7 +2,7 @@
title: How Windows Hello for Business works - technology and terms
description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works.
ms.date: 10/08/2018
-ms.topic: article
+ms.topic: glossary
---
# Technology and terms
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index 93bfd6d56a..a39e31f06f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -2,7 +2,7 @@
title: How Windows Hello for Business works
description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services.
ms.date: 05/05/2018
-ms.topic: article
+ms.topic: overview
---
# How Windows Hello for Business works in Windows Devices
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index bcd910f606..b512d1a236 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -2,7 +2,7 @@
title: Configure single sign-on (SSO) for Azure AD joined devices
description: Learn how to configure single sign-on to on-premises resources for Azure AD-joined devices, using Windows Hello for Business.
ms.date: 12/30/2022
-ms.topic: article
+ms.topic: how-to
---
# Configure single sign-on for Azure AD joined devices
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
index d1059a1570..4765ae8d4e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
@@ -174,7 +174,7 @@ If you deployed Windows Hello for Business using the key trust model, and want t
1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos).
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy).
-1. For hybrid Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business.
+1. For Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business.
> [!NOTE]
> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index be437d043f..cf93d23831 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/12/2022
+ms.date: 09/07/2023
title: Prepare and deploy Active Directory Federation Services in an on-premises key trust
description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business key trust model.
appliesto:
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
index 3fd25ec607..ed52f1c594 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/12/2022
+ms.date: 09/07/2023
title: Configure Windows Hello for Business Policy settings in an on-premises key trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises key trust scenario
appliesto:
@@ -20,7 +20,7 @@ If you configure the Group Policy for computers, all users that sign-in to those
The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users.
-If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business .
+If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business.
## Create the GPO
@@ -105,4 +105,4 @@ Before you continue with the deployment, validate your deployment progress by re
## Add users to the Windows Hello for Business Users group
-Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the *Windows Hello for Business Users* group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business.
\ No newline at end of file
+Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the *Windows Hello for Business Users* group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
index 19fe709d3f..2537513f37 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
@@ -1,7 +1,7 @@
---
title: Validate Active Directory prerequisites in an on-premises key trust
description: Validate Active Directory prerequisites when deploying Windows Hello for Business in a key trust model.
-ms.date: 12/12/2022
+ms.date: 09/07/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
index 4d089851ff..61aece97e7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
@@ -1,7 +1,7 @@
---
title: Validate and Deploy MFA for Windows Hello for Business with key trust
description: Validate and deploy multi-factor authentication (MFA) for Windows Hello for Business in an on-premises key trust model.
-ms.date: 12/12/2022
+ms.date: 09/07/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
index e2f7510aac..ab932d9a99 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
@@ -1,7 +1,7 @@
---
title: Configure and validate the Public Key Infrastructure in an on-premises key trust model
description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a key trust model.
-ms.date: 12/12/2022
+ms.date: 09/07/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index 576ffdb0a4..2efe441a67 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -5,7 +5,7 @@ ms.collection:
- highpri
- tier1
ms.date: 2/15/2022
-ms.topic: article
+ms.topic: how-to
---
# Manage Windows Hello for Business in your organization
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 3363f0ae55..8375e0ebd3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -2,7 +2,7 @@
title: Planning a Windows Hello for Business Deployment
description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
ms.date: 09/16/2020
-ms.topic: article
+ms.topic: overview
---
# Planning a Windows Hello for Business Deployment
@@ -88,7 +88,7 @@ The key trust type does not require issuing authentication certificates to end u
The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
> [!NOTE]
-> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
+> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Remote Credential Guard](../remote-credential-guard.md).
#### Device registration
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index fc9083049d..96c1df3462 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -2,7 +2,7 @@
title: Prepare people to use Windows Hello
description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
ms.date: 08/19/2018
-ms.topic: article
+ms.topic: end-user-help
---
# Prepare people to use Windows Hello
diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md
index 0963b04163..24b362c125 100644
--- a/windows/security/identity-protection/hello-for-business/hello-videos.md
+++ b/windows/security/identity-protection/hello-for-business/hello-videos.md
@@ -1,8 +1,8 @@
---
title: Windows Hello for Business Videos
description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11.
-ms.date: 03/09/2023
-ms.topic: article
+ms.date: 09/07/2023
+ms.topic: get-started
---
# Windows Hello for Business Videos
## Overview of Windows Hello for Business and Features
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist-expanded.png b/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist-expanded.png
deleted file mode 100644
index df2fc5634a..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist-expanded.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png b/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png
deleted file mode 100644
index 35eee9bc5e..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-prompt.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-prompt.png
index 2bfb558bbf..d5c3416a67 100644
Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-prompt.png and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-prompt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt-2.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt-2.png
new file mode 100644
index 0000000000..86d43fcb2c
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt-2.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt.png
index 39f21df392..755c1b66e0 100644
Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt.png and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif
new file mode 100644
index 0000000000..2ef07cd63c
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif differ
diff --git a/windows/security/identity-protection/hello-for-business/index.md b/windows/security/identity-protection/hello-for-business/index.md
index 84acf6b19c..e0d3b1306e 100644
--- a/windows/security/identity-protection/hello-for-business/index.md
+++ b/windows/security/identity-protection/hello-for-business/index.md
@@ -4,7 +4,7 @@ description: Learn how Windows Hello for Business replaces passwords with strong
ms.collection:
- highpri
- tier1
-ms.topic: conceptual
+ms.topic: overview
ms.date: 04/24/2023
---
# Windows Hello for Business Overview
@@ -91,7 +91,7 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md).
Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud Kerberos trust for hybrid deployments, which uses Azure AD as the root of trust. cloud Kerberos trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller.
-Windows Hello for Business with a key, including cloud Kerberos trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
+Windows Hello for Business with a key, including cloud Kerberos trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Remote Credential Guard](../remote-credential-guard.md).
## Learn more
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index 9dafd8be5b..690c5f984c 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -317,7 +317,7 @@ The following image shows the SCRIL setting for a user in Active Directory Admin
> 1. Enable the setting.
> 1. Save changes again.
>
-> When you upgrade the domain to Windows Server 2016 domain forest functional level or later, the domain controller automatically does this action for you.
+> When you upgrade the domain functional level to Windows Server 2016 or later, the domain controller automatically does this action for you.
The following image shows the SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016:
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index d19b1a018c..ad2fc7674a 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -110,9 +110,9 @@ items:
href: hello-and-password-changes.md
- name: Windows Hello for Business features
items:
- - name: PIN Reset
+ - name: PIN reset
href: hello-feature-pin-reset.md
- - name: Dual Enrollment
+ - name: Dual enrollment
href: hello-feature-dual-enrollment.md
- name: Dynamic Lock
href: hello-feature-dynamic-lock.md
diff --git a/windows/security/identity-protection/hello-for-business/webauthn-apis.md b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
index 7646115753..1eb2da9944 100644
--- a/windows/security/identity-protection/hello-for-business/webauthn-apis.md
+++ b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
@@ -2,7 +2,7 @@
title: WebAuthn APIs
description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps.
ms.date: 07/27/2023
-ms.topic: article
+ms.topic: how-to
---
# WebAuthn APIs for passwordless authentication on Windows
diff --git a/windows/security/identity-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png b/windows/security/identity-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png
deleted file mode 100644
index f7767ac5f0..0000000000
Binary files a/windows/security/identity-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png and /dev/null differ
diff --git a/windows/security/identity-protection/images/remote-credential-guard-gp.png b/windows/security/identity-protection/images/remote-credential-guard-gp.png
deleted file mode 100644
index f7db3ee411..0000000000
Binary files a/windows/security/identity-protection/images/remote-credential-guard-gp.png and /dev/null differ
diff --git a/windows/security/identity-protection/images/remote-credential-guard.gif b/windows/security/identity-protection/images/remote-credential-guard.gif
new file mode 100644
index 0000000000..effe8a4bc2
Binary files /dev/null and b/windows/security/identity-protection/images/remote-credential-guard.gif differ
diff --git a/windows/security/identity-protection/images/windows-defender-remote-credential-guard-with-remote-admin-mode.png b/windows/security/identity-protection/images/windows-defender-remote-credential-guard-with-remote-admin-mode.png
deleted file mode 100644
index 56021d820e..0000000000
Binary files a/windows/security/identity-protection/images/windows-defender-remote-credential-guard-with-remote-admin-mode.png and /dev/null differ
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 41748c9408..7351dd93ae 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -1,11 +1,11 @@
---
-title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
-description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device.
+title: Remote Credential Guard
+description: Learn how Remote Credential Guard helps to secure Remote Desktop credentials by never sending them to the target device.
ms.collection:
- highpri
-- tier2
-ms.topic: article
-ms.date: 01/12/2018
+- tier1
+ms.topic: how-to
+ms.date: 09/06/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -13,96 +13,112 @@ appliesto:
- ✅ Windows Server 2019
- ✅ Windows Server 2016
---
-# Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
-Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
+# Remote Credential Guard
-Administrator credentials are highly privileged and must be protected. By using Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, if the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never passed over the network to the target device.
+## Overview
+
+Remote Credential Guard helps protecting credentials over a Remote Desktop (RDP) connection by redirecting Kerberos requests back to the device that's requesting the connection. If the target device is compromised, the credentials aren't exposed because both credential and credential derivatives are never passed over the network to the target device. Remote Credential Guard also provides single sign-on experiences for Remote Desktop sessions.
+
+This article describes how to configure and use Remote Credential Guard.
> [!IMPORTANT]
> For information on Remote Desktop connection scenarios involving helpdesk support, see [Remote Desktop connections and helpdesk support scenarios](#remote-desktop-connections-and-helpdesk-support-scenarios) in this article.
-## Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options
+## Compare Remote Credential Guard with other connection options
-The following diagram helps you to understand how a standard Remote Desktop session to a server without Windows Defender Remote Credential Guard works:
+Using a Remote Desktop session without Remote Credential Guard has the following security implications:
-
+- Credentials are sent to and stored on the remote host
+- Credentials aren't protected from attackers on the remote host
+- Attacker can use credentials after disconnection
-The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option:
+The security benefits of Remote Credential Guard include:
-
+- Credentials aren't sent to the remote host
+- During the remote session you can connect to other systems using SSO
+- An attacker can act on behalf of the user only when the session is ongoing
-As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection.
+The security benefits of [Restricted Admin mode][TECH-1] include:
+
+- Credentials aren't sent to the remote host
+- The Remote Desktop session connects to other resources as the remote host's identity
+- An attacker can't act on behalf of the user and any attack is local to the server
Use the following table to compare different Remote Desktop connection security options:
-| Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode |
+| Feature | Remote Desktop | Remote Credential Guard | Restricted Admin mode |
|--|--|--|--|
-| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the "domain user". Any attack is local to the server |
-| **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.
For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](/security-updates/SecurityAdvisories/2016/2871997). |
-| **Helps prevent** | N/A | - Pass-the-Hash
- Use of a credential after disconnection
| - Pass-the-Hash
- Use of domain identity during connection
|
-| **Credentials supported from the remote desktop client device** | - Signed on credentials
- Supplied credentials
- Saved credentials
| - Signed on credentials only |
- Signed on credentials
- Supplied credentials
- Saved credentials
|
-| **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. |
-| **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host's identity**. |
-| **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account |
-| **Supported authentication** | Any negotiable protocol. | Kerberos only. | Any negotiable protocol |
-
-For further technical information, see [Remote Desktop Protocol](/windows/win32/termserv/remote-desktop-protocol)
-and [How Kerberos works](/previous-versions/windows/it-pro/windows-2000-server/cc961963(v=technet.10)).
-
-## Remote Desktop connections and helpdesk support scenarios
-
-For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user's resources for a limited time (a few hours) after the session disconnects.
-
-Therefore, we recommend instead that you use the Restricted Admin mode option. For helpdesk support scenarios, RDP connections should only be initiated using the /RestrictedAdmin switch. This helps ensure that credentials and other user resources are not exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2](https://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf).
-
-To further harden security, we also recommend that you implement Local Administrator Password Solution (LAPS), a Group Policy client-side extension (CSE) introduced in Windows 8.1 that automates local administrator password management. LAPS mitigates the risk of lateral escalation and other cyberattacks facilitated when customers use the same administrative local account and password combination on all their computers. You can download and install LAPS [here](https://www.microsoft.com/download/details.aspx?id=46899).
-
-For further information on LAPS, see [Microsoft Security Advisory 3062591](https://technet.microsoft.com/library/security/3062591.aspx).
-
-[!INCLUDE [windows-defender-remote-credential-guard](../../../includes/licensing/windows-defender-remote-credential-guard.md)]
+| Single sign-on (SSO) to other systems as signed in user | ✅ | ✅ | ❌ |
+| Multi-hop RDP | ✅ | ✅ | ❌ |
+| Prevent use of user's identity during connection | ❌ | ❌ | ✅ |
+| Prevent use of credentials after disconnection | ❌ | ✅ | ✅ |
+| Prevent Pass-the-Hash (PtH) | ❌ | ✅ | ✅ |
+| Supported authentication | Any negotiable protocol | Kerberos only | Any negotiable protocol |
+| Credentials supported from the remote desktop client device | - Signed on credentials
- Supplied credentials
- Saved credentials | - Signed on credentials
- Supplied credentials
| - Signed on credentials
- Supplied credentials
- Saved credentials |
+| RDP access granted with | Membership of **Remote Desktop Users** group on remote host | Membership of **Remote Desktop Users** group on remote host | Membership of **Administrators** group on remote host |
## Remote Credential Guard requirements
-To use Windows Defender Remote Credential Guard, the Remote Desktop client and remote host must meet the following requirements:
+To use Remote Credential Guard, the remote host and the client must meet the following requirements.
-The Remote Desktop client device:
+The remote host:
-- Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine
-- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user's signed-in credentials. This requires the user's account be able to sign in to both the client device and the remote host
-- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard
-- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk
+- Must allow the user to access via Remote Desktop connections
+- Must allow delegation of nonexportable credentials to the client device
-The Remote Desktop remote host:
+The client device:
-- Must be running at least Windows 10, version 1607 or Windows Server 2016.
-- Must allow Restricted Admin connections.
-- Must allow the client's domain user to access Remote Desktop connections.
-- Must allow delegation of non-exportable credentials.
+- Must be running the Remote Desktop Windows application. The Remote Desktop Universal Windows Platform (UWP) application doesn't support Remote Credential Guard
+- Must use Kerberos authentication to connect to the remote host. If the client can't connect to a domain controller, then RDP attempts to fall back to NTLM. Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk
-There are no hardware requirements for Windows Defender Remote Credential Guard.
+[!INCLUDE [remote-credential-guard](../../../includes/licensing/remote-credential-guard.md)]
-> [!NOTE]
-> Remote Desktop client devices running earlier versions, at minimum Windows 10 version 1607, only support signed-in credentials, so the client device must also be joined to an Active Directory domain. Both Remote Desktop client and server must either be joined to the same domain, or the Remote Desktop server can be joined to a domain that has a trust relationship to the client device's domain.
->
-> GPO [Remote host allows delegation of non-exportable credentials](/windows/client-management/mdm/policy-csp-credentialsdelegation) should be enabled for delegation of non-exportable credentials.
+## Enable delegation of nonexportable credentials on the remote hosts
-- For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication.
-- The remote host must be running at least Windows 10 version 1607, or Windows Server 2016.
-- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Windows Defender Remote Credential Guard.
+This policy is required on the remote hosts to support Remote Credential Guard and Restricted Admin mode. It allows the remote host to delegate nonexportable credentials to the client device.\
+If you disable or don't configure this setting, Restricted Admin and Remote Credential Guard mode aren't supported. User will always need to pass their credentials to the host, exposing users to the risk of credential theft from attackers on the remote host.
-## Enable Windows Defender Remote Credential Guard
+To enable delegation of nonexportable credentials on the remote hosts, you can use:
-You must enable Restricted Admin or Windows Defender Remote Credential Guard on the remote host by using the Registry.
+- Microsoft Intune/MDM
+- Group policy
+- Registry
-1. Open Registry Editor on the remote host
-1. Enable Restricted Admin and Windows Defender Remote Credential Guard:
+[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
- - Go to `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa`
- - Add a new DWORD value named **DisableRestrictedAdmin**
- - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0
+#### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune)
-1. Close Registry Editor
+[!INCLUDE [intune-settings-catalog-1](../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| **Administrative Templates > System > Credentials Delegation** | Remote host allows delegation of nonexportable credentials | Enabled |
+
+[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-3] with the [Policy CSP][CSP-1].
+
+| Setting |
+|--------|
+| - **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials`
- **Data type:** string
- **Value:** ``|
+
+#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+
+[!INCLUDE [gpo-settings-1](../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\System\Credentials Delegation** | Remote host allows delegation of nonexportable credentials | Enabled |
+
+[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)]
+#### [:::image type="icon" source="../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+
+To configure devices using the registry, use the following settings:
+
+| Setting |
+|-|
+| - **Key path:** `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
- **Key name:** `DisableRestrictedAdmin`
- **Type:** `REG_DWORD`
- **Value:** `0`|
You can add this by running the following command from an elevated command prompt:
@@ -110,44 +126,103 @@ You can add this by running the following command from an elevated command promp
reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
```
-## Using Windows Defender Remote Credential Guard
+---
-Beginning with Windows 10 version 1703, you can enable Windows Defender Remote Credential Guard on the client device either by using Group Policy or by using a parameter with the Remote Desktop Connection.
+## Configure delegation of credentials on the clients
-### Turn on Windows Defender Remote Credential Guard by using Group Policy
+To enable Remote Credential Guard on the clients, you can configure a policy that prevents the delegation of credentials to the remote hosts.
-1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**
-1. Double-click **Restrict delegation of credentials to remote servers**
- 
-1. Under **Use the following restricted mode**:
- - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used
+> [!TIP]
+> If you don't want to configure your clients to enforce Remote Credential Guard, you can use the following command to use Remote Credential Guard for a specific RDP session:
+> ```cmd
+> mstsc.exe /remoteGuard
+> ```
- > [!NOTE]
- > Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
- > When **Restrict Credential Delegation** is enabled, the /restrictedAdmin switch will be ignored. Windows will enforce the policy configuration instead and will use Windows Defender Remote Credential Guard.
+The policy can have different values, depending on the level of security you want to enforce:
- - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#remote-credential-guard-requirements) listed earlier in this topic.
- - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-windows-defender-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic.
-
-1. Click **OK**
-1. Close the Group Policy Management Console
-1. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied
-
-### Use Windows Defender Remote Credential Guard with a parameter to Remote Desktop Connection
-
-If you don't use Group Policy in your organization, or if not all your remote hosts support Remote Credential Guard, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection.
-
-```cmd
-mstsc.exe /remoteGuard
-```
+- **Disabled**: *Restricted Admin* and *Remote Credential Guard* mode aren't enforced and the Remote Desktop Client can delegate credentials to remote devices
+- **Require Restricted Admin**: the Remote Desktop Client must use Restricted Admin to connect to remote hosts
+- **Require Remote Credential Guard**: Remote Desktop Client must use Remote Credential Guard to connect to remote hosts
+- **Restrict credential delegation**: Remote Desktop Client must use Restricted Admin or Remote Credential Guard to connect to remote hosts. In this configuration, Remote Credential Guard is preferred, but it uses Restricted Admin mode (if supported) when Remote Credential Guard can't be used
> [!NOTE]
-> The user must be authorized to connect to the remote server using Remote Desktop Protocol, for example by being a member of the Remote Desktop Users local group on the remote computer.
+> When *Restrict Credential Delegation* is enabled, the `/restrictedAdmin` switch will be ignored. Windows enforces the policy configuration instead and uses Remote Credential Guard.
-## Considerations when using Windows Defender Remote Credential Guard
+To configure your clients, you can use:
-- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied
-- Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory
-- Remote Desktop Credential Guard only works with the RDP protocol
+- Microsoft Intune/MDM
+- Group policy
+
+[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
+
+#### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune)
+
+[!INCLUDE [intune-settings-catalog-1](../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| **Administrative Templates > System > Credentials Delegation** | Restrict delegation of credentials to remote servers | Select **Enabled** and in the dropdown, select one of the options:
- **Restrict Credential Delegation**
- **Require Remote Credential Guard**|
+
+[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-3] with the [Policy CSP][CSP-2].
+
+| Setting |
+|--|
+|- **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/RestrictedRemoteAdministration`
- **Data type:** string
- **Value:** ``
Possible values for `RestrictedRemoteAdministrationDrop` are:
- `0`: Disabled
- `1`: Require Restricted Admin
- `2`: Require Remote Credential Guard
- `3`: Restrict credential delegation |
+
+#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+
+[!INCLUDE [gpo-settings-1](../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\System\Credentials Delegation** | Restrict delegation of credentials to remote servers| **Enabled** and in the dropdown, select one of the options:
- **Restrict Credential Delegation**
- **Require Remote Credential Guard**|
+
+[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)]
+
+#### [:::image type="icon" source="../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+
+Not documented.
+
+---
+
+## Use Remote Credential Guard
+
+Once a client receives the policy, you can connect to the remote host using Remote Credential Guard by opening the Remote Desktop Client (`mstsc.exe`). The user is automatically authenticated to the remote host:
+
+:::image type="content" source="images/remote-credential-guard.gif" alt-text="Animation showing a client connecting to a remote server using Remote Credential Guard with SSO.":::
+
+> [!NOTE]
+> The user must be authorized to connect to the remote server using the Remote Desktop protocol, for example by being a member of the Remote Desktop Users local group on the remote host.
+
+## Remote Desktop connections and helpdesk support scenarios
+
+For helpdesk support scenarios in which personnel require administrative access via Remote Desktop sessions, it isn't recommended the use of Remote Credential Guard. If an RDP session is initiated to an already compromised client, the attacker could use that open channel to create sessions on the user's behalf. The attacker can access any of the user's resources for a limited time after the session disconnects.
+
+We recommend using Restricted Admin mode option instead. For helpdesk support scenarios, RDP connections should only be initiated using the `/RestrictedAdmin` switch. This helps to ensure that credentials and other user resources aren't exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2][PTH-1].
+
+To further harden security, we also recommend that you implement Windows Local Administrator Password Solution (LAPS), which automates local administrator password management. LAPS mitigates the risk of lateral escalation and other cyberattacks facilitated when customers use the same administrative local account and password combination on all their computers.
+
+For more information about LAPS, see [What is Windows LAPS][LEARN-1].
+
+## Additional considerations
+
+Here are some additional considerations for Remote Credential Guard:
+
+- Remote Credential Guard doesn't support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied
+- Remote Credential Guard can be used only when connecting to a device that is joined to an Active Directory domain. It can't be used when connecting to remote devices joined to Azure Active Directory (Azure AD)
+- Remote Credential Guard can be used from an Azure AD joined client to connect to an Active Directory joined remote host, as long as the client can authenticate using Kerberos
+- Remote Credential Guard only works with the RDP protocol
- No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own
- The server and client must authenticate using Kerberos
+- Remote Credential Guard is only supported for direct connections to the target machines and not for the ones via Remote Desktop Connection Broker and Remote Desktop Gateway
+
+
+
+[CSP-1]: /windows/client-management/mdm/policy-csp-credentialsdelegation
+[CSP-2]: /windows/client-management/mdm/policy-csp-admx-credssp
+[INT-3]: /mem/intune/configuration/settings-catalog
+[LEARN-1]: /windows-server/identity/laps/laps-overview
+[TECH-1]: https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx
+[PTH-1]: https://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index 5443446244..35ace33d60 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -2,7 +2,7 @@
ms.date: 09/24/2021
title: Smart Card and Remote Desktop Services
description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
-ms.topic: article
+ms.topic: conceptual
ms.reviewer: ardenw
---
# Smart Card and Remote Desktop Services
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index d305de2eae..f66eedf547 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -2,7 +2,7 @@
title: Smart Card Architecture
description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
ms.reviewer: ardenw
-ms.topic: article
+ms.topic: reference-architecture
ms.date: 09/24/2021
---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
index f44786fcb1..62737034ae 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
@@ -2,7 +2,7 @@
title: Certificate Propagation Service
description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
ms.reviewer: ardenw
-ms.topic: article
+ms.topic: concept-article
ms.date: 08/24/2021
---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index ac153d8216..9931e52d1f 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -2,7 +2,7 @@
title: Certificate Requirements and Enumeration
description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
ms.reviewer: ardenw
-ms.topic: article
+ms.topic: concept-article
ms.date: 09/24/2021
---
@@ -175,7 +175,7 @@ The smart card certificate has specific format requirements when it is used with
| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows 10, and Windows 11** | **Requirements for Windows XP** |
|--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| CRL distribution point location | Not required | The location must be specified, online, and available, for example:
\[1\]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=`` |
+| CRL distribution point location | Not required | The location must be specified, online, and available, for example:
\[1\]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=`` |
| Key usage | Digital signature | Digital signature |
| Basic constraints | Not required | \[Subject Type=End Entity, Path Length Constraint=None\] (Optional) |
| extended key usage (EKU) | The smart card sign-in object identifier is not required.
**Note** If an EKU is present, it must contain the smart card sign-in EKU. Certificates with no EKU can be used for sign-in. | - Client Authentication (1.3.6.1.5.5.7.3.2)
The client authentication object identifier is required only if a certificate is used for SSL authentication.
- Smart Card Sign-in (1.3.6.1.4.1.311.20.2.2) |
@@ -310,4 +310,4 @@ For more information about this option for the command-line tool, see [-SCRoots]
## See also
-[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
\ No newline at end of file
+[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index afd45f5a5f..8193759010 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -5,7 +5,7 @@ ms.reviewer: ardenw
ms.collection:
- highpri
- tier2
-ms.topic: article
+ms.topic: troubleshooting
ms.date: 09/24/2021
---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
index e2ef4a9160..f3f0e7de99 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@@ -2,7 +2,7 @@
title: Smart Card Group Policy and Registry Settings
description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
ms.reviewer: ardenw
-ms.topic: article
+ms.topic: reference
ms.date: 11/02/2021
---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
index 5d498cb152..5ad7eb1205 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
@@ -2,7 +2,7 @@
title: How Smart Card Sign-in Works in Windows
description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
ms.reviewer: ardenw
-ms.topic: article
+ms.topic: overview
ms.date: 09/24/2021
---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
index 8250828ff6..4b9fd9a3fd 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
@@ -2,7 +2,7 @@
title: Smart Card Removal Policy Service
description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
ms.reviewer: ardenw
-ms.topic: article
+ms.topic: concept-article
ms.date: 09/24/2021
---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
index e3a98718be..2604d84270 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
@@ -2,7 +2,7 @@
title: Smart Cards for Windows Service
description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
ms.reviewer: ardenw
-ms.topic: article
+ms.topic: concept-article
ms.date: 09/24/2021
---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
index 4de4acbfc6..f18465fff3 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
@@ -2,7 +2,7 @@
title: Smart Card Tools and Settings
description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
ms.reviewer: ardenw
-ms.topic: article
+ms.topic: conceptual
ms.date: 09/24/2021
---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
index 07d20ddf30..a7e5247fcc 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
@@ -2,7 +2,7 @@
title: Smart Card Technical Reference
description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
ms.reviewer: ardenw
-ms.topic: article
+ms.topic: reference
ms.date: 09/24/2021
---
diff --git a/windows/security/identity-protection/toc.yml b/windows/security/identity-protection/toc.yml
index d8e6726e39..2b006e3ca0 100644
--- a/windows/security/identity-protection/toc.yml
+++ b/windows/security/identity-protection/toc.yml
@@ -33,11 +33,11 @@ items:
- name: Access Control
href: access-control/access-control.md
displayName: ACL/SACL
- - name: Windows Defender Credential Guard
+ - name: Credential Guard
href: credential-guard/toc.yml
- - name: Windows Defender Remote Credential Guard
+ - name: Remote Credential Guard
href: remote-credential-guard.md
- - name: LSA Protection
+ - name: LSA Protection 🔗
href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
- name: Local Accounts
href: access-control/local-accounts.md
diff --git a/windows/security/includes/sections/identity.md b/windows/security/includes/sections/identity.md
index 891ad65444..191dfb47cb 100644
--- a/windows/security/includes/sections/identity.md
+++ b/windows/security/includes/sections/identity.md
@@ -24,5 +24,5 @@ ms.topic: include
| **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** | Account Lockout Policy settings control the response threshold for failed logon attempts and the actions to be taken after the threshold is reached. |
| **[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. |
| **[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)** | Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.
Access Control Lists (ACL) describe the permissions for a specific object and can also contain System Access Control Lists (SACL). SACLs provide a way to audit specific system level events, such as when a user attempt to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. |
-| **[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)** | Enabled by default in Windows 11 Enterprise, Windows Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Windows Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
By protecting the LSA process with Virtualization-based security, Windows Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. |
-| **[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Window Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
Administrator credentials are highly privileged and must be protected. When you use Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. |
+| **[Credential Guard](/windows/security/identity-protection/credential-guard)** | Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
By protecting the LSA process with Virtualization-based security, Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. |
+| **[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
Administrator credentials are highly privileged and must be protected. When you use Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. |
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 8001fed62a..963c96d66e 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -7,6 +7,7 @@ brand: windows
metadata:
ms.topic: hub-page
ms.prod: windows-client
+ ms.technology: itpro-security
ms.collection:
- highpri
- tier1
@@ -72,8 +73,8 @@ productDirectory:
links:
- url: /windows/security/identity-protection/hello-for-business
text: Windows Hello for Business
- - url: /windows/security/identity-protection/credential-guard/credentail-guard
- text: Windows Defender Credential Guard
+ - url: /windows/security/identity-protection/credential-guard
+ text: Credential Guard
- url: /windows-server/identity/laps/laps-overview
text: Windows LAPS (Local Administrator Password Solution)
- url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection
diff --git a/windows/security/introduction.md b/windows/security/introduction.md
index a87668dc0e..69e2193bf2 100644
--- a/windows/security/introduction.md
+++ b/windows/security/introduction.md
@@ -1,7 +1,7 @@
---
title: Introduction to Windows security
description: System security book.
-ms.date: 08/01/2023
+ms.date: 09/01/2023
ms.topic: tutorial
ms.author: paoloma
content_well_notification:
@@ -25,7 +25,7 @@ A Zero Trust security model gives the right people the right access at the right
1. When verified, give people and devices access to only necessary resources for the necessary amount of time
1. Use continuous analytics to drive threat detection and improve defenses
-For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enable timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
+For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enables timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
### Security, by default
@@ -45,7 +45,7 @@ In Windows 11, [Microsoft Defender Application Guard](/windows-hardware/design/d
### Secured identities
-Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication.
+Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Credential Guard](identity-protection/credential-guard/index.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication.
### Connecting to cloud services
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/index.md b/windows/security/operating-system-security/data-protection/bitlocker/index.md
index 784d94dfe0..4de77c10cc 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/index.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/index.md
@@ -13,7 +13,7 @@ ms.date: 08/14/2023
Bitlocker is a Windows disk encryption feature, designed to protect data by providing encryption for entire volumes.\
BitLocker addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices.
-BitLocker provides maximum protection when used with a Trusted Platform Module (TPM). A TPM is a hardware component installed in many devices ant it works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system is offline.
+BitLocker provides maximum protection when used with a Trusted Platform Module (TPM). A TPM is a hardware component installed in many devices and it works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system is offline.
On devices that don't have a TPM, BitLocker can still be used to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the device or resume from hibernation. An operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM.
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md
deleted file mode 100644
index fe2fb5b3e9..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-title: Configure Personal Data Encryption (PDE) in Intune
-description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune
-ms.topic: how-to
-ms.date: 03/13/2023
----
-
-
-
-
-# Configure Personal Data Encryption (PDE) policies in Intune
-
-The various required and recommended policies needed for Personal Data Encryption (PDE) can be configured in Intune. The following links for both required and recommended policies contain step by step instructions on how to configure these policies in Intune.
-
-## Required prerequisites
-
-1. [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
-1. [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
-
-## Security hardening recommendations
-
-1. [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
-1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
-1. [Disable hibernation](intune-disable-hibernation.md)
-1. [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
-
-## See also
-
-- [Personal Data Encryption (PDE)](index.md)
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
new file mode 100644
index 0000000000..7a7277136f
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
@@ -0,0 +1,141 @@
+---
+title: PDE settings and configuration
+description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
+ms.topic: how-to
+ms.date: 08/11/2023
+---
+
+# PDE settings and configuration
+
+This article describes the Personal Data Encryption (PDE) settings and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
+
+> [!NOTE]
+> PDE can be configured using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE.
+>
+> The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
+
+## PDE settings
+
+The following table lists the required settings to enable PDE.
+
+| Setting name | Description |
+|-|-|
+|Enable Personal Data Encryption|PDE isn't enabled by default. Before PDE can be used, you must enable it.|
+|Sign-in and lock last interactive user automatically after a restart| Winlogon automatic restart sign-on (ARSO) isn't supported for use with PDE. To use PDE, ARSO must be disabled.|
+
+## PDE hardening recommendations
+
+The following table lists the recommended settings to improve PDE's security.
+
+| Setting name | Description |
+|-|-|
+|Kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|
+|Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.|
+|Hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.|
+|Allow users to select when a password is required when resuming from connected standby |When this policy isn't configured on Azure AD joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Azure AD joined devices.|
+
+## Configure PDE with Microsoft Intune
+
+[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+|**PDE**|Enable Personal Data Encryption (User)|Enable Personal Data Encryption|
+|**Administrative Templates > Windows Components > Windows Logon Options**|Sign-in and lock last interactive user automatically after a restart|Disabled|
+|**Memory Dump**|Allow Live Dump|Block|
+|**Memory Dump**|Allow Crash Dump|Block|
+|**Administrative Templates > Windows Components > Windows Error Reporting** | Disable Windows Error Reporting | Enabled|
+|**Power**|Allow Hibernate|Block|
+|**Administrative Templates > System > Logon** | Allow users to select when a password is required when resuming from connected standby | Disabled|
+
+[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
+
+> [!TIP]
+> Use the following Graph call to automatically create the settings catalog policy in your tenant without assignments nor scope tags.
+>
+> When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
+Content-Type: application/json
+
+{ "id": "00-0000-0000-0000-000000000000", "name": "_MSLearn_PDE", "description": "", "platforms": "windows10", "technologies": "mdm", "roleScopeTagIds": [ "0" ], "settings": [ { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowcrashdump", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_memorydump_allowcrashdump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowlivedump", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_memorydump_allowlivedump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "user_vendor_msft_pde_enablepersonaldataencryption", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "user_vendor_msft_pde_enablepersonaldataencryption_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_power_allowhibernate", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_power_allowhibernate_0", "children": [] } } } ] }
+```
+
+## Configure PDE with CSP
+
+Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE CSP][CSP-2].
+
+|OMA-URI|Format|Value|
+|-|-|-|
+|`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`1`|
+|`./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn`|string|``|
+|`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowCrashDump`| int| `0`|
+|`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowLiveDump` |int| `0`|
+|`./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting`|string|``|
+|`./Device/Vendor/MSFT/Policy/Config/Power/AllowHibernate` |int| `0`|
+|`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|``|
+
+## Disable PDE
+
+Once PDE is enabled, it isn't recommended to disable it. However if you need to disable PDE, you can do so using the following steps.
+
+### Disable PDE with a settings catalog policy in Intune
+
+[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+|**PDE**|**Enable Personal Data Encryption (User)**|Disable Personal Data Encryption|
+
+[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
+
+### Disable PDE with CSP
+
+You can disable PDE with CSP using the following setting:
+
+|OMA-URI|Format|Value|
+|-|-|-|
+|`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`0`|
+
+## Decrypt PDE-encrypted content
+
+Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE-protected files can be manually decrypted using the following steps:
+
+1. Open the properties of the file
+1. Under the **General** tab, select **Advanced...**
+1. Uncheck the option **Encrypt contents to secure data**
+1. Select **OK**, and then **OK** again
+
+PDE-protected files can also be decrypted using [`cipher.exe`][WINS-1], which can be helpful in the following scenarios:
+
+- Decrypting a large number of files on a device
+- Decrypting files on multiple of devices
+
+To decrypt files on a device using `cipher.exe`:
+
+- Decrypt all files under a directory including subdirectories:
+
+ ```cmd
+ cipher.exe /d /s:
+ ```
+
+- Decrypt a single file or all of the files in the specified directory, but not any subdirectories:
+
+ ```cmd
+ cipher.exe /d
+ ```
+
+> [!IMPORTANT]
+> Once a user selects to manually decrypt a file, the user won't be able to manually protect the file again using PDE.
+
+## Next steps
+
+- Review the [Personal Data Encryption (PDE) FAQ](faq.yml)
+
+
+
+[CSP-1]: /windows/client-management/mdm/policy-configuration-service-provider
+[CSP-2]: /windows/client-management/mdm/personaldataencryption-csp
+
+[WINS-1]: /windows-server/administration/windows-commands/cipher
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
similarity index 73%
rename from windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
index 0429e74204..9dbd3b3def 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
@@ -4,7 +4,7 @@ metadata:
title: Frequently asked questions for Personal Data Encryption (PDE)
description: Answers to common questions regarding Personal Data Encryption (PDE).
ms.topic: faq
- ms.date: 03/13/2023
+ ms.date: 08/11/2023
title: Frequently asked questions for Personal Data Encryption (PDE)
summary: |
@@ -45,17 +45,9 @@ sections:
answer: |
No. PDE protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
- - question: How can it be determined if a file is protected with PDE?
- answer: |
- - Files protected with PDE and EFS will both show a padlock on the file's icon. To verify whether a file is protected with PDE vs. EFS:
- 1. In the properties of the file, navigate to **General** > **Advanced**. The option **Encrypt contents to secure data** should be selected.
- 2. Select the **Details** button.
- 3. If the file is protected with PDE, under **Protection status:**, the item **Personal Data Encryption is:** will be marked as **On**.
- - [`cipher.exe`](/windows-server/administration/windows-commands/cipher) can also be used to show the encryption state of the file.
-
- question: Can users manually encrypt and decrypt files with PDE?
answer: |
- Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](index.md).
+ Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt PDE-encrypted content](configure.md#decrypt-pde-encrypted-content).
- question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected content?
answer: |
@@ -64,9 +56,3 @@ sections:
- question: What encryption method and strength does PDE use?
answer: |
PDE uses AES-CBC with a 256-bit key to encrypt content.
-
-additionalContent: |
- ## See also
- - [Personal Data Encryption (PDE)](index.md)
- - [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
-
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md
deleted file mode 100644
index b34908147d..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md
+++ /dev/null
@@ -1,20 +0,0 @@
----
-ms.topic: include
-ms.date: 03/13/2023
----
-
-
-
-
-Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides more encryption capabilities to Windows.
-
-PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
-
-PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to content. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
-
-Because PDE utilizes Windows Hello for Business, PDE is also accessibility friendly due to the accessibility features available when using Windows Hello for Business.
-
-Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE protected content once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked.
-
-> [!NOTE]
-> PDE can be enabled using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE.
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
index 83e0433698..0608ea1a7c 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
@@ -2,89 +2,40 @@
title: Personal Data Encryption (PDE)
description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
ms.topic: how-to
-ms.date: 03/13/2023
+ms.date: 08/11/2023
---
# Personal Data Encryption (PDE)
-[!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)]
+Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides file-based data encryption capabilities to Windows.
-[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)]
+PDE utilizes Windows Hello for Business to link *data encryption keys* with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user.\
+When a user logs off, decryption keys are discarded and data is inaccessible, even if another user signs into the device.
+
+The use of Windows Hello for Business offers the following advantages:
+
+- It reduces the number of credentials to access encrypted content: users only need to sign-in with Windows Hello for Business
+- The accessibility features available when using Windows Hello for Business extend to PDE protected content
+
+PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.\
+Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business.
## Prerequisites
-### Required
+To use PDE, the following prerequisites must be met:
-- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join)
-- [Windows Hello for Business Overview](../../../identity-protection/hello-for-business/index.md)
-- Windows 11, version 22H2 and later Enterprise and Education editions
+- Windows 11, version 22H2 and later
+- The devices must be [Azure AD joined][AAD-1]. Domain-joined and hybrid Azure AD joined devices aren't supported
+- Users must sign in using [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md)
-### Not supported with PDE
+> [!IMPORTANT]
+> If you sign in with a password or a [security key][AAD-2], you can't access PDE protected content.
-- [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
-- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
- - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md).
-- [Protect your enterprise data using Windows Information Protection (WIP)](../../../information-protection/windows-information-protection/protect-enterprise-data-using-wip.md)
-- [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
-- Remote Desktop connections
-
-### Security hardening recommendations
-
-- [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies)
-
- Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md).
-
-- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting)
-
- Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md).
-
-- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
-
- Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](intune-disable-hibernation.md).
-
-- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock)
-
- When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different:
-
- - On-premises Active Directory joined devices:
-
- - A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device.
-
- - A password is required immediately after the screen turns off.
-
- The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices.
-
- - Workgroup devices, including Azure AD joined devices:
-
- - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device.
-
- - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome.
-
- Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
-
- For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md).
-
-### Highly recommended
-
-- [BitLocker Drive Encryption](../bitlocker/index.md) enabled
-
- Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker.
-
-- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview)
-
- In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost. In such scenarios, any content protected with PDE will no longer be accessible. The only way to recover such content would be from backup.
-
-- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
-
- Destructive PIN resets will cause keys used by PDE to protect content to be lost. A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
-
-- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
-
- Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
+[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)]
## PDE protection levels
-PDE uses AES-CBC with a 256-bit key to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
+PDE uses *AES-CBC* with a *256-bit key* to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
| Item | Level 1 | Level 2 |
|---|---|---|
@@ -103,27 +54,11 @@ When a file is protected with PDE, its icon will show a padlock. If the user has
Scenarios where a user will be denied access to PDE protected content include:
-- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN.
-- If protected via level 2 protection, when the device is locked.
-- When trying to access content on the device remotely. For example, UNC network paths.
-- Remote Desktop sessions.
-- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected content.
-
-## How to enable PDE
-
-To enable PDE on devices, push an MDM policy to the devices with the following parameters:
-
-- Name: **Personal Data Encryption**
-- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
-- Data type: **Integer**
-- Value: **1**
-
-There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it.
-
-> [!NOTE]
-> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
-
-For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](intune-enable-pde.md).
+- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN
+- If protected via level 2 protection, when the device is locked
+- When trying to access content on the device remotely. For example, UNC network paths
+- Remote Desktop sessions
+- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected content
## Differences between PDE and BitLocker
@@ -132,8 +67,8 @@ PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker,
| Item | PDE | BitLocker |
|--|--|--|
| Release of decryption key | At user sign-in via Windows Hello for Business | At boot |
-| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At reboot |
-| Files protected | Individual specified files | Entire volume/drive |
+| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At shutdown |
+| Protected content | All files in protected folders | Entire volume/drive |
| Authentication to access protected content | Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign-in |
## Differences between PDE and EFS
@@ -143,61 +78,38 @@ The main difference between protecting files with PDE instead of EFS is the meth
To see if a file is protected with PDE or with EFS:
1. Open the properties of the file
-2. Under the **General** tab, select **Advanced...**
-3. In the **Advanced Attributes** windows, select **Details**
+1. Under the **General** tab, select **Advanced...**
+1. In the **Advanced Attributes** windows, select **Details**
For PDE protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
For EFS protected files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**.
-Encryption information including what encryption method is being used to protect the file can be obtained with the [cipher.exe /c](/windows-server/administration/windows-commands/cipher) command.
+Encryption information including what encryption method is being used to protect the file can be obtained with the [`cipher.exe /c`](/windows-server/administration/windows-commands/cipher) command.
-## Disable PDE and decrypt content
+## Recommendations for using PDE
-Once PDE is enabled, it isn't recommended to disable it. However if PDE does need to be disabled, it can be done so via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde). The value of the OMA-URI needs to be changed from **`1`** to **`0`** as follows:
+The following are recommendations for using PDE:
-- Name: **Personal Data Encryption**
-- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
-- Data type: **Integer**
-- Value: **0**
-
-Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE protected files can be manually decrypted using the following steps:
-
-1. Open the properties of the file
-2. Under the **General** tab, select **Advanced...**
-3. Uncheck the option **Encrypt contents to secure data**
-4. Select **OK**, and then **OK** again
-
-PDE protected files can also be decrypted using [cipher.exe](/windows-server/administration/windows-commands/cipher). Using `cipher.exe` can be helpful to decrypt files in the following scenarios:
-
-- Decrypting a large number of files on a device
-- Decrypting files on a large number of devices.
-
-To decrypt files on a device using `cipher.exe`:
-
-- Decrypt all files under a directory including subdirectories:
-
- ```cmd
- cipher.exe /d /s:
- ```
-
-- Decrypt a single file or all of the files in the specified directory, but not any subdirectories:
-
- ```cmd
- cipher.exe /d
- ```
-
-> [!IMPORTANT]
-> Once a user selects to manually decrypt a file, the user will not be able to manually protect the file again using PDE.
+- Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although PDE works without BitLocker, it's recommended to enable BitLocker. PDE is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker
+- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost making any PDE-protected content inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you must re-sync OneDrive
+- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by PDE to protect content to be lost, making any content protected with PDE inaccessible. After a destructive PIN reset, content protected with PDE must be recovered from a backup. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets
+- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) offers additional security when authenticating with Windows Hello for Business via biometrics or PIN
## Windows out of box applications that support PDE
-Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE.
+Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE:
-- Mail
- - Supports protecting both email bodies and attachments
+| App name | Details |
+|-|-|
+| Mail | Supports protecting both email bodies and attachments|
-## See also
+## Next steps
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
-- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
+- Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or configuration Service Provider (CSP): [PDE settings and configuration](configure.md)
+- Review the [Personal Data Encryption (PDE) FAQ](faq.yml)
+
+
+
+[AAD-1]: /azure/active-directory/devices/concept-azure-ad-join
+[AAD-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md
deleted file mode 100644
index 9fda445c43..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md
+++ /dev/null
@@ -1,63 +0,0 @@
----
-title: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune
-description: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune
-ms.topic: how-to
-ms.date: 06/01/2023
----
-
-# Disable Winlogon automatic restart sign-on (ARSO) for PDE
-
-Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption (PDE). For this reason, in order to use PDE, ARSO needs to be disabled.
-
-## Disable Winlogon automatic restart sign-on (ARSO) in Intune
-
-To disable ARSO using Intune, follow the below steps:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-1. In the **Home** screen, select **Devices** in the left pane
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
-1. In the **Create profile** window that opens:
- 1. Under **Platform**, select **Windows 10 and later**
- 1. Under **Profile type**, select **Templates**
- 1. When the templates appear, under **Template name**, select **Administrative templates**
- 1. Select **Create** to close the **Create profile** window.
-1. The **Create profile** screen will open. In the **Basics** page:
- 1. Next to **Name**, enter **Disable ARSO**
- 1. Next to **Description**, enter a description
- 1. Select **Next**
-1. In the **Configuration settings** page:
- 1. On the left pane of the page, make sure **Computer Configuration** is selected
- 1. Under **Setting name**, scroll down and select **Windows Components**
- 1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option
- 1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart**
- 1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**
- 1. Select **Next**
-1. In the **Scope tags** page, configure if necessary and then select **Next**
-1. In the **Assignments** page:
- 1. Under **Included groups**, select **Add groups**
- > [!NOTE]
- > Make sure to select **Add groups** under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
-
-## Additional PDE configurations in Intune
-
-The following PDE configurations can also be configured using Intune:
-
-### Prerequisites
-
-- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
-
-### Security hardening recommendations
-
-- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
-- [Disable hibernation](intune-disable-hibernation.md)
-- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
-
-## More information
-
-- [Personal Data Encryption (PDE)](index.md)
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md
deleted file mode 100644
index ef18936b1b..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md
+++ /dev/null
@@ -1,62 +0,0 @@
----
-title: Disable hibernation for PDE in Intune
-description: Disable hibernation for PDE in Intune
-ms.topic: how-to
-ms.date: 03/13/2023
----
-
-# Disable hibernation for PDE
-
-Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.
-
-## Disable hibernation in Intune
-
-To disable hibernation using Intune, follow the below steps:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-1. In the **Home** screen, select **Devices** in the left pane
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
-1. In the **Create profile** window that opens:
- 1. Under **Platform**, select **Windows 10 and later**
- 1. Under **Profile type**, select **Settings catalog**
- 1. Select **Create** to close the **Create profile** window
-1. The **Create profile** screen will open. In the **Basics** page:
- 1. Next to **Name**, enter **Disable Hibernation**
- 1. Next to **Description**, enter a description
- 1. Select **Next**
-1. In the **Configuration settings** page:
- 1. select **Add settings**
- 1. In the **Settings picker** window that opens:
- 1. Under **Browse by category**, scroll down and select **Power**
- 1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
- 1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option
- 1. Select **Next**
-1. In the **Scope tags** page, configure if necessary and then select **Next**
-1. In the **Assignments** page:
- 1. Under **Included groups**, select **Add groups**
- > [!NOTE]
- > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
-
-## Additional PDE configurations in Intune
-
-The following PDE configurations can also be configured using Intune:
-
-### Prerequisites
-
-- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
-- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
-
-### Security hardening recommendations
-
-- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
-- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
-
-## More information
-
-- [Personal Data Encryption (PDE)](index.md)
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md
deleted file mode 100644
index 66a238e3c9..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-title: Disable kernel-mode crash dumps and live dumps for PDE in Intune
-description: Disable kernel-mode crash dumps and live dumps for PDE in Intune
-ms.topic: how-to
-ms.date: 03/13/2023
----
-
-# Disable kernel-mode crash dumps and live dumps for PDE
-
-Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.
-
-## Disable kernel-mode crash dumps and live dumps in Intune
-
-To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-1. In the **Home** screen, select **Devices** in the left pane
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
-1. In the **Create profile** window that opens:
- 1. Under **Platform**, select **Windows 10 and later**
- 1. Under **Profile type**, select **Settings catalog**
- 1. Select **Create** to close the **Create profile** window
-1. The **Create profile** screen will open. In the **Basics** page:
- 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**
- 1. Next to **Description**, enter a description.
- 1. Select **Next**
-1. In the **Configuration settings** page:
- 1. Select **Add settings**
- 1. In the **Settings picker** window that opens:
- 1. Under **Browse by category**, scroll down and select **Memory Dump**
- 1. When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
- 1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next**
-1. In the **Scope tags** page, configure if necessary and then select **Next**
-1. In the **Assignments** page:
- 1. Under **Included groups**, select **Add groups**
- > [!NOTE]
- > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
-
-## Additional PDE configurations in Intune
-
-The following PDE configurations can also be configured using Intune:
-
-### Prerequisites
-
-- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
-- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
-
-### Security hardening recommendations
-
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
-- [Disable hibernation](intune-disable-hibernation.md)
-- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
-
-## More information
-
-- [Personal Data Encryption (PDE)](index.md)
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md
deleted file mode 100644
index 4cf442e308..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md
+++ /dev/null
@@ -1,76 +0,0 @@
----
-title: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune
-description: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune
-ms.topic: how-to
-ms.date: 03/13/2023
----
-
-# Disable allowing users to select when a password is required when resuming from connected standby for PDE
-
-When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different:
-
-- On-premises Active Directory joined devices:
- - A user can't change the amount of time after the device's screen turns off before a password is required when waking the device
- - A password is required immediately after the screen turns off
- The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices
-- Workgroup devices, including Azure AD joined devices:
- - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device
- - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome
-
-Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
-
-## Disable allowing users to select when a password is required when resuming from connected standby in Intune
-
-To disable the policy **Disable allowing users to select when a password is required when resuming from connected standby** using Intune, follow the below steps:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-1. In the **Home** screen, select **Devices** in the left pane
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
-1. In the **Create profile** window that opens:
- 1. Under **Platform**, select **Windows 10 and later**
- 1. Under **Profile type**, select **Settings catalog**
- 1. Select **Create** to close the **Create profile** window
-1. The **Create profile** screen will open. In the **Basics** page:
- 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**
- 1. Next to **Description**, enter a description
- 1. Select **Next**.
-
-1. In the **Configuration settings** page:
- 1. Select **Add settings**
- 1. In the **Settings picker** window that opens:
- 1. Under **Browse by category**, expand **Administrative Templates**
- 1. Under **Administrative Templates**, scroll down and expand **System**
- 1. Under **System**, scroll down and select **Logon**
- 1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
- 1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**
- 1. select **Next**
-
-1. In the **Scope tags** page, configure if necessary and then select **Next**
-1. In the **Assignments** page:
- 1. Under **Included groups**, select **Add groups**
- > [!NOTE]
- > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
-
-## Additional PDE configurations in Intune
-
-The following PDE configurations can also be configured using Intune:
-
-### Prerequisites
-
-- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
-- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
-
-### Security hardening recommendations
-
-- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
-- [Disable hibernation](intune-disable-hibernation.md)
-
-## More information
-
-- [Personal Data Encryption (PDE)](index.md)
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md
deleted file mode 100644
index 39fe957317..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-title: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune
-description: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune
-ms.topic: how-to
-ms.date: 03/13/2023
----
-
-# Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
-
-Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.
-
-## Disable Windows Error Reporting (WER)/user-mode crash dumps in Intune
-
-To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-1. In the **Home** screen, select **Devices** in the left pane
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
-1. In the **Create profile** window that opens:
- 1. Under **Platform**, select **Windows 10 and later**
- 1. Under **Profile type**, select **Settings catalog**
- 1. Select **Create** to close the **Create profile** window
-1. The **Create profile** screen will open. In the **Basics** page:
- 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**
- 1. Next to **Description**, enter a description
- 1. Select **Next**
-1. In the **Configuration settings** page:
- 1. Select **Add settings**
- 1. In the **Settings picker** window that opens:
- 1. Under **Browse by category**, expand **Administrative Templates**
- 1. Under **Administrative Templates**, scroll down and expand **Windows Components**
- 1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it
- 1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
- 1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option
- 1. Select **Next**
-1. In the **Scope tags** page, configure if necessary and then select **Next**
-1. In the **Assignments** page:
- 1. Under **Included groups**, select **Add groups**
- > [!NOTE]
- > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
-
-## Additional PDE configurations in Intune
-
-The following PDE configurations can also be configured using Intune:
-
-### Prerequisites
-
-- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
-- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
-
-### Security hardening recommendations
-
-- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
-- [Disable hibernation](intune-disable-hibernation.md)
-- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
-
-## More information
-
-- [Personal Data Encryption (PDE)](index.md)
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md
deleted file mode 100644
index 795504237c..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: Enable Personal Data Encryption (PDE) in Intune
-description: Enable Personal Data Encryption (PDE) in Intune
-ms.topic: how-to
-ms.date: 03/13/2023
----
-
-# Enable Personal Data Encryption (PDE)
-
-By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE can be used on a device, it needs to be enabled. This can be done via a custom OMA-URI policy assigned to the device.
-
-> [!NOTE]
-> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
-
-## Enable Personal Data Encryption (PDE) in Intune
-
-To enable Personal Data Encryption (PDE) using Intune, follow the below steps:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. In the **Home** screen, select **Devices** in the left pane
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
-1. In the **Create profile** window that opens:
- 1. Under **Platform**, select **Windows 10 and later**
- 1. Under **Profile type**, select **Templates**
- 1. When the templates appears, under **Template name**, select **Custom**
- 1. Select **Create** to close the **Create profile** window
-1. The **Custom** screen will open. In the **Basics** page:
- 1. Next to **Name**, enter **Personal Data Encryption**
- 1. Next to **Description**, enter a description
- 1. Select **Next**
-1. In **Configuration settings** page:
- 1. Next to **OMA-URI Settings**, select **Add**
- 1. In the **Add Row** window that opens:
- 1. Next to **Name**, enter **Personal Data Encryption**
- 1. Next to **Description**, enter a description
- 1. Next to **OMA-URI**, enter in:
- **`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`**
- 1. Next to **Data type**, select **Integer**
- 1. Next to **Value**, enter in **1**
- 1. Select **Save** to close the **Add Row** window
- 1. Select **Next**
-1. In the **Assignments** page:
- 1. Under **Included groups**, select **Add groups**
- > [!NOTE]
- > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
-1. In **Applicability Rules**, configure if necessary and then select **Next**
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
-
-## Additional PDE configurations in Intune
-
-The following PDE configurations can also be configured using Intune:
-
-### Prerequisites
-
-- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
-
-### Security hardening recommendations
-
-- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
-- [Disable hibernation](intune-disable-hibernation.md)
-- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
-
-## More information
-
-- [Personal Data Encryption (PDE)](index.md)
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
index 0bb7c66820..f526600bd4 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
@@ -1,19 +1,7 @@
items:
-- name: Overview
+- name: PDE overview
href: index.md
-- name: Configure PDE with Intune
- href: configure-pde-in-intune.md
-- name: Enable Personal Data Encryption (PDE)
- href: intune-enable-pde.md
-- name: Disable Winlogon automatic restart sign-on (ARSO) for PDE
- href: intune-disable-arso.md
-- name: Disable kernel-mode crash dumps and live dumps for PDE
- href: intune-disable-memory-dumps.md
-- name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
- href: intune-disable-wer.md
-- name: Disable hibernation for PDE
- href: intune-disable-hibernation.md
-- name: Disable allowing users to select when a password is required when resuming from connected standby for PDE
- href: intune-disable-password-connected-standby.md
+- name: Configure PDE
+ href: configure.md
- name: PDE frequently asked questions (FAQ)
- href: faq-pde.yml
\ No newline at end of file
+ href: faq.yml
\ No newline at end of file
diff --git a/windows/security/operating-system-security/network-security/toc.yml b/windows/security/operating-system-security/network-security/toc.yml
index f8ef3f19b2..9745213bd4 100644
--- a/windows/security/operating-system-security/network-security/toc.yml
+++ b/windows/security/operating-system-security/network-security/toc.yml
@@ -1,6 +1,8 @@
items:
- name: Transport layer security (TLS) 🔗
href: /windows-server/security/tls/tls-ssl-schannel-ssp-overview
+ - name: Domain Name System (DNS) security 🔗
+ href: /windows-server/networking/dns/doh-client-support
- name: Wi-Fi Security
href: https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09
- name: Extensible Authentication Protocol (EAP) for network access
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
index 5aae45f5c3..21b3797cf1 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
@@ -1,7 +1,7 @@
---
title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client
-ms.topic: article
+ms.topic: how-to
ms.date: 08/03/2023
---
# Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md
index ece353e83c..e6bba9c9db 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md
@@ -5,6 +5,7 @@ ms.prod: windows-client
ms.collection:
- highpri
- tier3
+ - must-keep
ms.topic: conceptual
ms.date: 09/07/2021
---
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
index fa3fa7d18b..a61bf25eec 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
@@ -6,7 +6,8 @@ ms.date: 11/09/2022
ms.collection:
- highpri
- tier3
-ms.topic: article
+ - must-keep
+ms.topic: best-practice
---
# Best practices for configuring Windows Defender Firewall
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md b/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md
index f5c4d18144..11638e864b 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md
@@ -5,6 +5,7 @@ ms.prod: windows-client
ms.collection:
- highpri
- tier3
+ - must-keep
ms.topic: conceptual
ms.date: 09/07/2021
---
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule.md b/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule.md
index 7ccafddaa2..5751151190 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule.md
@@ -5,6 +5,7 @@ ms.prod: windows-client
ms.collection:
- highpri
- tier3
+ - must-keep
ms.topic: conceptual
ms.date: 09/07/2021
---
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo.md
index 08c06d4796..a2cad4e58d 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo.md
@@ -5,6 +5,7 @@ ms.prod: windows-client
ms.collection:
- highpri
- tier3
+ - must-keep
ms.topic: conceptual
ms.date: 09/07/2021
---
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
index 874e99e9c0..49aee564d3 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
@@ -5,6 +5,7 @@ ms.prod: windows-client
ms.collection:
- highpri
- tier3
+ - must-keep
ms.topic: conceptual
ms.date: 09/08/2021
---
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md
index 83418c0d85..af1b573655 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md
@@ -5,6 +5,7 @@ ms.prod: windows-client
ms.collection:
- highpri
- tier3
+ - must-keep
ms.topic: conceptual
ms.date: 09/08/2021
---
diff --git a/windows/security/security-foundations/certification/fips-140-validation.md b/windows/security/security-foundations/certification/fips-140-validation.md
index d34c1295ff..1cb3c7c91f 100644
--- a/windows/security/security-foundations/certification/fips-140-validation.md
+++ b/windows/security/security-foundations/certification/fips-140-validation.md
@@ -2,14 +2,14 @@
title: Federal Information Processing Standard (FIPS) 140 Validation
description: Learn how Microsoft products and cryptographic modules follow the U.S. Federal government standard FIPS 140.
ms.prod: windows-client
-ms.date: 11/03/2022
+ms.date: 08/18/2023
manager: aaroncz
ms.author: paoloma
author: paolomatarazzo
ms.collection:
- highpri
- tier3
-ms.topic: article
+ms.topic: reference
ms.localizationpriority: medium
ms.reviewer:
ms.technology: itpro-security
diff --git a/windows/security/security-foundations/certification/windows-platform-common-criteria.md b/windows/security/security-foundations/certification/windows-platform-common-criteria.md
index c79a189b61..0f426874c2 100644
--- a/windows/security/security-foundations/certification/windows-platform-common-criteria.md
+++ b/windows/security/security-foundations/certification/windows-platform-common-criteria.md
@@ -5,7 +5,7 @@ ms.prod: windows-client
ms.author: sushmanemali
author: s4sush
manager: aaroncz
-ms.topic: article
+ms.topic: reference
ms.localizationpriority: medium
ms.date: 11/4/2022
ms.reviewer: paoloma
@@ -278,10 +278,6 @@ Certified against the Protection Profile for General Purpose Operating Systems.
### Windows Server 2003 Certificate Server
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf)
-- [Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d)
-- [Configuration Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2)
-- [User's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e)
-- [Evaluation Technical Report](https://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf)
### Windows Rights Management Services
diff --git a/windows/security/security-foundations/index.md b/windows/security/security-foundations/index.md
index 52c893e6cb..0f47d591b2 100644
--- a/windows/security/security-foundations/index.md
+++ b/windows/security/security-foundations/index.md
@@ -1,7 +1,7 @@
---
title: Windows security foundations
description: Get an overview of security foundations, including the security development lifecycle, common criteria, and the bug bounty program.
-ms.topic: conceptual
+ms.topic: overview
ms.date: 06/15/2023
author: paolomatarazzo
ms.author: paoloma
diff --git a/windows/security/security-foundations/msft-security-dev-lifecycle.md b/windows/security/security-foundations/msft-security-dev-lifecycle.md
index 4f96b191e4..99fc260eb9 100644
--- a/windows/security/security-foundations/msft-security-dev-lifecycle.md
+++ b/windows/security/security-foundations/msft-security-dev-lifecycle.md
@@ -4,13 +4,13 @@ description: Download the Microsoft Security Development Lifecycle white paper t
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
-ms.topic: article
+ms.topic: conceptual
ms.date: 07/31/2023
---
# Microsoft Security Development Lifecycle
-The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. As a Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.
+The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. As a Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.
[:::image type="content" source="images/simplified-sdl.png" alt-text="Simplified secure development lifecycle":::](https://www.microsoft.com/en-us/securityengineering/sdl)
diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
index fd5538b2a7..5c246fea41 100644
--- a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
+++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
@@ -1,8 +1,8 @@
---
-title: Allow log on locally - security policy setting
+title: Allow log on locally - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on locally security policy setting.
ms.assetid: d9e5e1f3-3bff-4da7-a9a2-4bb3e0c79055
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security
This policy setting determines which users can start an interactive session on the device. Users must have this user right to log on over a Remote Desktop Services session that is running on a Windows-based member device or domain controller.
> **Note:** Users who do not have this right are still able to start a remote interactive session on the device if they have the **Allow logon through Remote Desktop Services** right.
-
+
Constant: SeInteractiveLogonRight
### Possible values
@@ -48,6 +48,7 @@ By default, the members of the following groups have this right on domain contro
- Account Operators
- Administrators
- Backup Operators
+- Enterprise Domain Controllers
- Print Operators
- Server Operators
@@ -62,17 +63,17 @@ Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Pol
### Default values
-The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.
+The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy's property page.
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy| Not Defined |
-| Default Domain Controller Policy | Account Operators
Administrators
Backup Operators
Print Operators
Server Operators |
+| Default Domain Controller Policy | Account Operators
Administrators
Backup Operators
Enterprise Domain Controllers
Print Operators
Server Operators |
| Stand-Alone Server Default Settings| Administrators
Backup Operators
Users |
-| Domain Controller Effective Default Settings | Account Operators
Administrators
Backup Operators
Print Operators
Server Operators |
+| Domain Controller Effective Default Settings | Account Operators
Administrators
Backup Operators
Enterprise Domain Controllers
Print Operators
Server Operators |
| Member Server Effective Default Settings | Administrators
Backup Operators
Users |
| Client Computer Effective Default Settings | Administrators
Backup Operators
Users |
-
+
## Policy management
Restarting the device is not required to implement this change.
@@ -112,5 +113,5 @@ If you remove these default groups, you could limit the abilities of users who a
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
index 63272a0b01..03d85f19cb 100644
--- a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
+++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
@@ -42,7 +42,7 @@ This policy setting allows you to specify an ACL in two different ways. You can
- Blank
- This value represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it as Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK.
+ This value represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it as Not defined. To set a blank value, select "Define this policy setting" and leave the Security descriptor empty, and then select OK.
### Location
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index 5d0649468d..e13121f3d9 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
-description: Review the list of features that Microsoft is no longer developing in Windows 10 and Windows 11.
-ms.date: 08/01/2023
+description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
+ms.date: 09/01/2023
ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
@@ -36,6 +36,8 @@ The features in this article are no longer being actively developed, and might b
|Feature | Details and mitigation | Deprecation announced |
| ----------- | --------------------- | ---- |
+| WordPad | WordPad is no longer being updated and will be removed in a future release of Windows. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt. | September 1, 2023 |
+| AllJoyn | Microsoft's implementation of AllJoyn which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) has been deprecated. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | August 17, 2023 |
| TLS 1.0 and 1.1 | Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 will be disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | August 1, 2023|
| Cortana in Windows | Cortana in Windows as a standalone app is deprecated. This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms. | June 2023 |
| Microsoft Support Diagnostic Tool (MSDT) | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 |
@@ -49,6 +51,7 @@ The features in this article are no longer being actively developed, and might b
| Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 |
| Companion Device Framework | The [Companion Device Framework](/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 |
| Dynamic Disks | The [Dynamic Disks](/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](/windows-server/storage/storage-spaces/overview) in a future release.| 2004 |
+| Microsoft BitLocker Administration and Monitoring (MBAM)| [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/), part of the [Microsoft Desktop Optimization Pack (MDOP)](/lifecycle/announcements/mdop-extended) is no longer being developed. | September, 2019 |
| Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
| My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 |
| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web.
PSR was removed in Windows 11.| 1909 |
@@ -59,7 +62,6 @@ The features in this article are no longer being actively developed, and might b
| Print 3D app | 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| 1903 |
|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this reason, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 |
|OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| 1809 |
-|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97). It provides the same screen snipping abilities plus other features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the "Screen snip" button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.| 1809 |
|[Software Restriction Policies](/windows-server/identity/software-restriction-policies/software-restriction-policies) in Group Policy|Instead of using the Software Restriction Policies through Group Policy, you can use [AppLocker](/windows/security/threat-protection/applocker/applocker-overview) or [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control) to control which apps users can access and what code can run in the kernel.| 1803 |
|[Offline symbol packages](/windows-hardware/drivers/debugger/debugger-download-symbols) (Debug symbol MSIs)|We're no longer making the symbol packages available as a downloadable MSI. Instead, the [Microsoft Symbol Server is moving to be an Azure-based symbol store](/archive/blogs/windbg/update-on-microsofts-symbol-server). If you need the Windows symbols, connect to the Microsoft Symbol Server to cache your symbols locally or use a manifest file with SymChk.exe on a computer with internet access.| 1803 |
|Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. For more information, see [Error opening Help in Windows-based programs: "Feature not included" or "Help not supported"](https://support.microsoft.com/topic/error-opening-help-in-windows-based-programs-feature-not-included-or-help-not-supported-3c841463-d67c-6062-0ee7-1a149da3973b).| 1803 |
@@ -89,3 +91,4 @@ The features in this article are no longer being actively developed, and might b
|`wusa.exe /uninstall /kb:####### /quiet`|The `wusa` tool usage to quietly uninstall an update has been deprecated. The uninstall command with `/quiet` switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
Applies to Windows Server 2016 and Windows Server 2019.|
+
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index b2c710d264..99cf0f87aa 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -208,14 +208,14 @@ Windows Hello for Business now supports FIDO 2.0 authentication for Azure AD Joi
For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97)
-#### Windows Defender Credential Guard
+#### Credential Guard
-Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
+Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
-Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns on this functionality by default when the machine has been Azure Active Directory-joined. This feature provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode.
+Credential Guard has always been an optional feature, but Windows 10 in S mode turns on this functionality by default when the machine has been Azure Active Directory-joined. This feature provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode.
> [!NOTE]
-> Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions.
+> Credential Guard is available only to S mode devices or Enterprise and Education Editions.
For more information, see [Credential Guard Security Considerations](/windows/security/identity-protection/credential-guard/credential-guard-requirements#security-considerations).
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index 48b3e3b651..c07ad692ea 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -74,7 +74,7 @@ Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)](
### Virus and threat protection
-[Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) - IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URL's and IP addresses.
+[Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) - IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URLs and IP addresses.
[Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) - Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
- Integrity enforcement capabilities - Enable remote runtime attestation of Windows 10 platform.
- [Tamper-proofing](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) capabilities - Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
@@ -149,9 +149,9 @@ Windows Hello enhancements include:
### Credential protection
-#### Windows Defender Credential Guard
+#### Credential Guard
-[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
+[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
### Privacy controls
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
index 55b211215b..4f608c1dd6 100644
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@@ -80,7 +80,7 @@ The AssignedAccess CSP has been expanded to make it easy for administrators to c
## Security
>[!NOTE]
->Windows security features have been rebranded as Windows Defender security features, including Windows Defender Device Guard, Windows Defender Credential Guard, and Windows Defender Firewall.
+>Windows security features have been rebranded as Windows Defender security features, including Windows Defender Device Guard, Credential Guard, and Windows Defender Firewall.
**Windows security baselines** have been updated for Windows 10. A [security baseline](/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10).
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
index b617d899f5..ad971e7d6a 100644
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -141,11 +141,11 @@ You can add specific rules for a WSL process in Windows Defender Firewall, just
We introduced new group policies and Modern Device Management settings to manage Microsoft Edge. The new policies include enabling and disabling full-screen mode, printing, favorites bar, and saving history; preventing certificate error overrides; configuring the Home button and startup options; setting the New Tab page and Home button URL, and managing extensions. Learn more about the [new Microsoft Edge policies](/microsoft-edge/deploy/change-history-for-microsoft-edge).
-### Windows Defender Credential Guard is supported by default on 10S devices that are Azure Active Directory-joined
+### Credential Guard is supported by default on 10S devices that are Azure Active Directory-joined
-Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
+Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
-Windows Defender Credential Guard has always been an optional feature, but Windows 10-S turns on this functionality by default when the machine has been Azure Active Directory-joined. This functionality provides an added level of security when connecting to domain resources not normally present on 10-S devices. Windows Defender Credential Guard is available only to S-Mode devices or Enterprise and Education Editions.
+Credential Guard has always been an optional feature, but Windows 10-S turns on this functionality by default when the machine has been Azure Active Directory-joined. This functionality provides an added level of security when connecting to domain resources not normally present on 10-S devices. Credential Guard is available only to S-Mode devices or Enterprise and Education Editions.
### Windows 10 Pro S Mode requires a network connection
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index c0202f98fe..d40de13c9d 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -41,9 +41,9 @@ If you're using Windows Update for Business, you'll receive the Windows 10, vers
## Security
-### Windows Defender Credential Guard
+### Credential Guard
-[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
+[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
### Microsoft BitLocker
diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md
index 37a10475d2..a433405b4e 100644
--- a/windows/whats-new/whats-new-windows-10-version-20H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-20H2.md
@@ -25,7 +25,7 @@ This article lists new and updated features and content that is of interest to I
As with previous fall releases, Windows 10, version 20H2 is a scoped set of features for select performance improvements, enterprise features, and quality enhancements. As an [H2-targeted release](/lifecycle/faq/windows), 20H2 is serviced for 30 months from the release date for devices running Windows 10 Enterprise or Windows 10 Education editions.
-To download and install Windows 10, version 20H2, use Windows Update (**Settings > Update & Security > Windows Update**). For more information, including a video, see [How to get the Windows 10 October 2020 Update](https://community.windows.com/videos/how-to-get-the-windows-10-october-2020-update/7c7_mWN0wi8).
+To download and install Windows 10, version 20H2, use Windows Update (**Settings > Update & Security > Windows Update**).
## Microsoft Edge
diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md
index 4e91dc9a19..b09c1ab588 100644
--- a/windows/whats-new/whats-new-windows-11-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-11-version-22H2.md
@@ -50,9 +50,9 @@ For more information, see [Smart App Control](/windows/security/threat-protectio
## Credential Guard
-Compatible Windows 11 Enterprise version 22H2 devices will have **Windows Defender Credential Guard** turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state.
+Compatible Windows 11 Enterprise version 22H2 devices will have **Credential Guard** turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state.
-For more information, see [Manage Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard-manage).
+For more information, see [Manage Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard-manage).
## Malicious and vulnerable driver blocking
diff --git a/windows/whats-new/windows-11-overview.md b/windows/whats-new/windows-11-overview.md
index 90928f5742..2bab9205d6 100644
--- a/windows/whats-new/windows-11-overview.md
+++ b/windows/whats-new/windows-11-overview.md
@@ -152,7 +152,7 @@ For more information on the security features you can configure, manage, and enf
- Your Windows 10 apps will also work on Windows 11. **[App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure)** is also available if there are some issues.
- You can continue to use **MSIX packages** for your UWP, Win32, WPF, and WinForm desktop application files. Continue to use **Windows Package Manager** to install Windows apps. You can create **Azure virtual desktops** that run Windows 11. Use **Azure Virtual desktop with MSIX app attach** to virtualize desktops and apps. For more information on these features, see [Overview of apps on Windows client devices](/windows/application-management/apps-in-windows-10).
+ You can continue to use **MSIX packages** for your UWP, Win32, WPF, and WinForm desktop application files. Continue to use **Windows Package Manager** to install Windows apps. You can create **Azure virtual desktops** that run Windows 11. Use **Azure Virtual desktop with MSIX app attach** to virtualize desktops and apps. For more information on these features, see [Overview of apps on Windows client devices](/windows/application-management/overview-windows-apps).
In the **Settings** app > **Apps**, users can manage some of the app settings. For example, they can get apps anywhere, but let the user know if there's a comparable app in the Microsoft Store. They can also choose which apps start when they sign in.
diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md
index 346990f31f..fa33976e89 100644
--- a/windows/whats-new/windows-11-plan.md
+++ b/windows/whats-new/windows-11-plan.md
@@ -11,7 +11,7 @@ ms.collection:
- highpri
- tier1
ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
+ms.date: 08/11/2023
appliesto:
- ✅ Windows 11
---
@@ -103,9 +103,9 @@ Microsoft's compatibility promise for Windows 10 is maintained for Windows 11. D
If you run into compatibility issues or want to ensure that your organization's applications are compatible from day one, App Assure and Test Base for Microsoft 365 can help.
-**App Assure**: With enrollment in the [App Assure](/windows/compatibility/app-assure) service, any app compatibility issues that you find with Windows 11 can be resolved. Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats.
+- **App Assure**: With enrollment in the [App Assure](/windows/compatibility/app-assure) service, any app compatibility issues that you find with Windows 11 can be resolved. Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats.
-**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://aka.ms/testbase) is a service that allows you to validate your apps across various Windows features and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form.
+- **Test Base for Microsoft 365**: [Test Base](https://portal.azure.com/?feature.Win11=true%2F#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/id/Microsoft.TestBase) is a cloud testing platform that can help you evaluate applications readiness for Windows 11 upgrade or migration. IT administrators, software publishers, and system integrators can find desired test cases throughout the entire Windows validation lifecycle. Tests include, but aren't limited to, in-place upgrade validation, monthly quality updates, and tests against Windows preview features.
You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows 11.
diff --git a/windows/whats-new/windows-licensing.md b/windows/whats-new/windows-licensing.md
index 3a56385d67..d6f384c4f5 100644
--- a/windows/whats-new/windows-licensing.md
+++ b/windows/whats-new/windows-licensing.md
@@ -7,7 +7,7 @@ ms.author: paoloma
manager: aaroncz
ms.collection:
- tier2
-ms.topic: conceptual
+ms.topic: overview
ms.date: 05/04/2023
appliesto:
- ✅ Windows 11
@@ -67,7 +67,7 @@ The following table describes the unique Windows Enterprise edition features:
| OS-based feature | Description |
|-|-|
-|**[Windows Defender Credential Guard][WIN-1]**|Protects against user credential harvesting and pass-the-hash attacks or pass the token attacks.|
+|**[Credential Guard][WIN-1]**|Protects against user credential harvesting and pass-the-hash attacks or pass the token attacks.|
|**[Managed Microsoft Defender Application Guard (MDAG) for Microsoft Edge][WIN-11]**| Isolates enterprise-defined untrusted sites with virtualization-based security from Windows, protecting your organization while users browse the Internet.|
|**[Modern BitLocker Management][WIN-2]** | Allows you to eliminate on-premises tools to monitor and support BitLocker recovery scenarios. |
|**[Personal Data Encryption][WIN-3]**|Encrypts individual's content using Windows Hello for Business to link the encryption keys to user credentials.|
@@ -135,13 +135,13 @@ In most cases, the Windows Pro edition comes pre-installed on a business-class d
- A developer that is developing applications that must be tested and certified on Pro, as that is how it will be delivered to customers
- A Windows Pro device that was pre-configured for a specific purpose and is certified on Pro only
-In these cases, you want the PC to be configured, secured, monitored, and updated with the enterprise management and security tools that come with the Windows Enterprise user subscription. Your Windows Enterprise E3 subscriptions does not block these scenarios.
+In these cases, you want the PC to be configured, secured, monitored, and updated with the enterprise management and security tools that come with the Windows Enterprise user subscription. Your Windows Enterprise E3 subscription doesn't block these scenarios.
The following table lists the Windows 11 Enterprise features and their Windows edition requirements:
| OS-based feature |Windows Pro|Windows Enterprise|
|-|-|-|
-|**[Windows Defender Credential Guard][WIN-1]**|❌|Yes|
+|**[Credential Guard][WIN-1]**|❌|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Microsoft Edge][WIN-11]**|Yes|Yes|
|**[Modern BitLocker Management][WIN-2]**|Yes|Yes|
|**[Personal data encryption (PDE)][WIN-3]**|❌|Yes|