This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.
Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| -| Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.
The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.
| -| Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in a software update deployment.| -| Last | **zero** | The Last ring is intended to be used for either specialized devices or devices that belong to VIP/executives in an organization. Windows Autopatch doesn't automatically add devices to this deployment ring. | +| Service-based deployment ring | Default Autopatch group deployment ring | Default device balancing percentage | Description | +| ----- | ----- | ----- | ----- | +| Test | Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.
Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| +| Fast | Ring 2 | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.
The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.
| +| Broad | Ring 3 | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in a software update deployment.| +| N/A | Last | **zero** | The Last ring is intended to be used for either specialized devices or devices that belong to VIP/executives in an organization. Windows Autopatch doesn't automatically add devices to this deployment ring. | ## Software update-based to service-based deployment ring mapping diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md index 9831d4850d..c059889d51 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -1,7 +1,7 @@ --- title: Manage Windows Autopatch groups description: This article explains how to manage Autopatch groups -ms.date: 05/11/2023 +ms.date: 06/05/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to @@ -99,6 +99,10 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr ## Edit the Default or a Custom Autopatch group +> [!TIP] +> You can't edit an Autopatch group when there's one or more Windows feature update releases targeted to it. If you try to edit an Autopatch group with one or more ongoing Windows feature update releases targeted to it, you get the following informational banner message: "**Some settings are not allowed to be modified as there’s one or more on-going Windows feature update release targeted to this Autopatch group.**" +> See [Manage Windows feature update releases](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md) for more information on release and phase statuses. + **To edit either the Default or a Custom Autopatch group:** 1. Select the **horizontal ellipses (…)** > **Edit** for the Autopatch group you want to edit. @@ -111,6 +115,18 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr > [!IMPORTANT] > Windows Autopatch creates the device-based Azure AD assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience. +## Rename a Custom Autopatch group + +You **can’t** rename the Default Autopatch group. However, you can rename a Custom Autopatch group. + +**To rename a Custom Autopatch group:** + +1. Select the **horizontal ellipses (…)** > **Rename** for the Custom Autopatch group you want to rename. The **Rename Autopatch group** fly-in opens. +1. In the **New Autopatch group name**, enter the new Autopatch group name of your choice, then click **Rename group**. + +> [!IMPORTANT] +> Autopatch supports up to 64 characters for the custom Autopatch group name. Additionally, when you rename a custom Autopatch group all [update rings for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-update-rings) and [feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) associated with the custom Autopatch group are renamed to include the new Autopatch group name you define in its name string. Also, when renaming a custom Autopatch group all Azure AD groups representing the custom Autopatch group's deployment rings are renamed to include the new Autopatch group name you define in its name string. + ## Delete a Custom Autopatch group You **can’t** delete the Default Autopatch group. However, you can delete a Custom Autopatch group. @@ -125,10 +141,6 @@ You **can’t** delete the Default Autopatch group. However, you can delete a Cu ## Manage device conflict scenarios when using Autopatch groups -> [!IMPORTANT] -> The Windows Autopatch groups functionaliy is in **public preview**. This feature is being actively developed and not all device conflict detection and resolution scenarios are working as expected. -> For more information on what to expect for this scenario during public preview, see [Known issues](#known-issues). - Overlap in device membership is a common scenario when working with device-based Azure AD groups since sometimes dynamic queries can be large in scope or the same assigned device membership can be used across different Azure AD groups. Since Autopatch groups allow you to use your existing Azure AD groups to create your own deployment ring composition, the service takes on the responsibility of monitoring and automatically solving some of the device conflict scenarios that may occur. @@ -180,22 +192,6 @@ Autopatch groups will keep monitoring for all device conflict scenarios listed i This section lists known issues with Autopatch groups during its public preview. -### Device conflict scenarios when using Autopatch groups - -- **Status: Active** - -The Windows Autopatch team is aware that all device conflict scenarios listed below are currently being evaluated during the device registration process to make sure devices are properly registered with the service, and not evaluated post-device registration. The Windows Autopatch team is currently developing detection and resolution for the followin device conflict scenarios, and plan to make them available during public preview. - -- Default to Custom Autopatch device conflict detection and resolution. -- Device conflict detection and resolution within an Autopatch group. -- Custom to Custom Autopatch group device conflict detection. - -> [!TIP] -> Use the following two best practices to help minimize device conflict scenarios when using Autopatch groups during the public preview: -> -> - Review your software update deployment requirements thoroughly. If your deployment requirements allow, try using the Default Autopatch group as much as possible, instead of start creating Custom Autopatch groups. You can customize the Default Autopatch to have up to 15 deployment rings, and you can use your existing device-based Azure AD groups with custom update deployment cadences. -> - If creating Custom Autopatch groups, try to avoid using device-based Azure AD groups that have device membership overlaps with the devices that are already registered with Windows Autopatch, and already belong to the Default Autopatch group. - ### Autopatch group Azure AD group remediator - **Status: Active** @@ -219,12 +215,3 @@ The Windows Autopatch team is currently developing the Autopatch group Azure AD > - Modern Workplace Devices-Windows Autopatch-Broad > > Use the [Policy health feature](../operate/windows-autopatch-policy-health-and-remediation.md) to restore these groups, if needed. For more information, see [restore deployment groups](../operate/windows-autopatch-policy-health-and-remediation.md#restore-deployment-groups). - -### Rename an Autopatch group - -- **Status: Active** - -You can't rename an Autopatch group yet. The Autopatch group name is appended to all deployment ring names in the Autopatch group. Windows Autopatch is currently developing the rename feature. - -> [!IMPORTANT] -> During the public preview, if you try to rename either the [Update rings](/mem/intune/protect/windows-10-update-rings) or [feature updates](/mem/intune/protect/windows-10-feature-updates) for Windows 10 and later policies directly in the Microsoft Intune end-user experience, the policy names are reverted back to the name defined by the Autopatch group end-user experience interface. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md index fab7bbabbc..8323fdbc22 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md @@ -91,6 +91,7 @@ The release statuses are described in the following table: | Active | All phases in the release are active. This means all phases have reached their first deployment date, which created the Windows feature update policies. |A global Windows feature update policy is automatically assigned behind the scenes to the newly added deployment rings or when you assigned Azure AD groups to the deployment ring (Last) in the Default Autopatch group.
| | Scenario #2 | You create new [Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group).The global Windows feature policy is automatically assigned behind the scenes to all deployment rings as part of the Custom Autopatch groups you create.
| +> [!NOTE] +> Global releases don't show up in the Windows feature updates release management blade. + #### Policy configuration values See the following table on how Windows Autopatch configures the values for its global Windows feature update policy. If your tenant is enrolled with Windows Autopatch, you can see the following default policies created by the service in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431): diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 7eaead607a..49693cb754 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -34,7 +34,7 @@ sections: Windows Autopatch doesn't support local (on-premise) domain join. Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Azure AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid). - question: Will Windows Autopatch be available for state and local government customers? answer: | - Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. + Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. Although Windows 365 Enterprise is in the Azure Commercial cloud, when Windows 365 Enterprise is used with a GCC customer tenant, Autopatch is not suppported. - question: What if I enrolled into Windows Autopatch using the promo code? Will I still have access to the service? answer: | Yes. For those who used the promo code to access Windows Autopatch during public preview, you'll continue to have access to Windows Autopatch even when the promo code expires. There's no additional action you have to take to continue using Windows Autopatch. diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index b4fb65849a..5c1516e429 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -1,7 +1,7 @@ --- title: What's new 2023 description: This article lists the 2023 feature releases and any corresponding Message center post numbers. -ms.date: 05/15/2023 +ms.date: 06/12/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: whats-new @@ -51,6 +51,12 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md) | Add new Policy health and remediation feature. This feature is in public preview | | [Windows Autopatch groups public preview addendum](../references/windows-autopatch-groups-public-preview-addendum.md) | Added addendum for the Windows Autopatch groups public preview | +## May service release + +| Message center post number | Description | +| ----- | ----- | +| [MC559247](https://admin.microsoft.com/adminportal/home#/MessageCenter) | May 2023 Windows Autopatch baseline configuration update | + ## April 2023 ### April feature releases or updates @@ -59,7 +65,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | ----- | ----- | | [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated the [Deployment rings for Windows 10 and later](../references/windows-autopatch-changes-to-tenant.md#deployment-rings-for-windows-10-and-later) section | -### April 2023 service release +### April service release | Message center post number | Description | | ----- | ----- | diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 247eab8256..c4756bf8de 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -84,7 +84,7 @@ The following table lists the endpoints related to how you can manage the collec | [Windows Error Reporting](/windows/win32/wer/windows-error-reporting) | watson.telemetry.microsoft.comUser performs operation requiring privilege|
If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute.| +|
ShellExecute|
ShellExecute calls CreateProcess. ShellExecute looks for the ERROR_ELEVATION_REQUIRED error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt.| +|
CreateProcess|
If the application requires elevation, CreateProcess rejects the call with ERROR_ELEVATION_REQUIRED.| + +### System + +|Component|Description| +|--- |--- | +|
Application Information service|
A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required. Depending on the configured policies, the user may give consent.| +|
Elevating an ActiveX install|
If ActiveX isn't installed, the system checks the UAC slider level. If ActiveX is installed, the **User Account Control: Switch to the secure desktop when prompting for elevation** Group Policy setting is checked.| +|
Check UAC slider level|
UAC has a slider to select from four levels of notification.
**Always notify** will:
Recommended if you often install new software or visit unfamiliar websites.
**Notify me only when programs try to make changes to my computer** will:
Recommended if you don't often install apps or visit unfamiliar websites.
**Notify me only when programs try to make changes to my computer (do not dim my desktop)** will:
Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.
**Never notify (Disable UAC prompts)** will:
Not recommended due to security concerns.| +|
Secure desktop enabled|
The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is checked:
If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
If the secure desktop isn't enabled, all elevation requests go to the interactive user's desktop, and the per-user settings for administrators and standard users are used.| +|
CreateProcess|
CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation. The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file. CreateProcess fails if the requested execution level specified in the manifest doesn't match the access token and returns an error (ERROR_ELEVATION_REQUIRED) to ShellExecute.| +|
AppCompat|
The AppCompat database stores information in the application compatibility fix entries for an application.| +|
Fusion|
The Fusion database stores information from application manifests that describe the applications. The manifest schema is updated to add a new requested execution level field.| +|
Installer detection|
Installer detection detects setup files, which helps prevent installations from being run without the user's knowledge and consent.| + +### Kernel + +|Component|Description| +|--- |--- | +|
Virtualization|
Virtualization technology ensures that noncompliant apps don't silently fail to run or fail in a way that the cause can't be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas.| +|
File system and registry|
The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second.|
+
+The slider never turns off UAC completely. If you set it to **Never notify**, it will:
+
+- Keep the UAC service running
+- Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt
+- Automatically deny all elevation requests for standard users
+
+> [!IMPORTANT]
+> In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**.
+
+> [!WARNING]
+> Some Universal Windows Platform apps may not work when UAC is disabled.
+
+### Virtualization
+
+Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you don't need to replace most apps when UAC is turned on.
+
+Windows includes file and registry virtualization technology for apps that aren't UAC-compliant and that requires an administrator's access token to run correctly. When an administrative app that isn't UAC-compliant attempts to write to a protected folder, such as *Program Files*, UAC gives the app its own virtualized view of the resource it's attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the noncompliant app.
+
+Most app tasks operate properly by using virtualization features. Although virtualization allows most applications to run, it's a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization.
+
+Virtualization isn't an option in the following scenarios:
+
+- Virtualization doesn't apply to apps that are elevated and run with a full administrative access token
+- Virtualization supports only 32-bit apps. Non-elevated 64-bit apps receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations
+- Virtualization is disabled if the app includes an app manifest with a requested execution level attribute
+
+### Request execution levels
+
+An app manifest is an XML file that describes and identifies the shared and private side-by-side assemblies that an app should bind to at run time. The app manifest includes entries for UAC app compatibility purposes. Administrative apps that include an entry in the app manifest prompt the user for permission to access the user's access token. Although they lack an entry in the app manifest, most administrative app can run without modification by using app compatibility fixes. App compatibility fixes are database entries that enable applications that aren't UAC-compliant to work properly.
+
+All UAC-compliant apps should have a requested execution level added to the application manifest. If the application requires administrative access to the system, marking the app with a requested execution level of *require administrator* ensures that the system identifies this program as an administrative app, and performs the necessary elevation steps. Requested execution levels specify the privileges required for an app.
+
+### Installer detection technology
+
+Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users don't have sufficient access to install programs. Windows heuristically detects installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows also heuristically detects updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry.
+
+Installer detection only applies to:
+
+- 32-bit executable files
+- Applications without a requested execution level attribute
+- Interactive processes running as a standard user with UAC enabled
+
+Before a 32-bit process is created, the following attributes are checked to determine whether it's an installer:
+
+- The file name includes keywords such as "install," "setup," or "update."
+- Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name
+- Keywords in the side-by-side manifest are embedded in the executable file
+- Keywords in specific StringTable entries are linked in the executable file
+- Key attributes in the resource script data are linked in the executable file
+- There are targeted sequences of bytes within the executable file
+
+> [!NOTE]
+> The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.
+
+> [!NOTE]
+> The *User Account Control: Detect application installations and prompt for elevation* policy must be enabled for installer detection to detect installation programs. For more information, see [User Account Control settings list](settings-and-configuration.md#user-account-control-settings-list).
+
+## Next steps
+
+Learn more about [User Account Control settings and configuration](settings-and-configuration.md).
diff --git a/windows/security/identity-protection/user-account-control/images/uacarchitecture.gif b/windows/security/application-security/application-control/user-account-control/images/uac-architecture.gif
similarity index 100%
rename from windows/security/identity-protection/user-account-control/images/uacarchitecture.gif
rename to windows/security/application-security/application-control/user-account-control/images/uac-architecture.gif
diff --git a/windows/security/application-security/application-control/user-account-control/images/uac-consent-prompt-admin.png b/windows/security/application-security/application-control/user-account-control/images/uac-consent-prompt-admin.png
new file mode 100644
index 0000000000..3e5a5ae7bc
Binary files /dev/null and b/windows/security/application-security/application-control/user-account-control/images/uac-consent-prompt-admin.png differ
diff --git a/windows/security/application-security/application-control/user-account-control/images/uac-credential-prompt-signed.png b/windows/security/application-security/application-control/user-account-control/images/uac-credential-prompt-signed.png
new file mode 100644
index 0000000000..c66349ec11
Binary files /dev/null and b/windows/security/application-security/application-control/user-account-control/images/uac-credential-prompt-signed.png differ
diff --git a/windows/security/application-security/application-control/user-account-control/images/uac-credential-prompt-unsigned.png b/windows/security/application-security/application-control/user-account-control/images/uac-credential-prompt-unsigned.png
new file mode 100644
index 0000000000..1d8074889f
Binary files /dev/null and b/windows/security/application-security/application-control/user-account-control/images/uac-credential-prompt-unsigned.png differ
diff --git a/windows/security/application-security/application-control/user-account-control/images/uac-credential-prompt.png b/windows/security/application-security/application-control/user-account-control/images/uac-credential-prompt.png
new file mode 100644
index 0000000000..462b775fcb
Binary files /dev/null and b/windows/security/application-security/application-control/user-account-control/images/uac-credential-prompt.png differ
diff --git a/windows/security/application-security/application-control/user-account-control/images/uac-settings-catalog.png b/windows/security/application-security/application-control/user-account-control/images/uac-settings-catalog.png
new file mode 100644
index 0000000000..adbf9fb65e
Binary files /dev/null and b/windows/security/application-security/application-control/user-account-control/images/uac-settings-catalog.png differ
diff --git a/windows/security/application-security/application-control/user-account-control/images/uac-shield-icon.png b/windows/security/application-security/application-control/user-account-control/images/uac-shield-icon.png
new file mode 100644
index 0000000000..7336800e99
Binary files /dev/null and b/windows/security/application-security/application-control/user-account-control/images/uac-shield-icon.png differ
diff --git a/windows/security/identity-protection/user-account-control/images/uacwindowslogonprocess.gif b/windows/security/application-security/application-control/user-account-control/images/uac-windows-logon-process.gif
similarity index 100%
rename from windows/security/identity-protection/user-account-control/images/uacwindowslogonprocess.gif
rename to windows/security/application-security/application-control/user-account-control/images/uac-windows-logon-process.gif
diff --git a/windows/security/application-security/application-control/user-account-control/index.md b/windows/security/application-security/application-control/user-account-control/index.md
new file mode 100644
index 0000000000..d0f5b5db9d
--- /dev/null
+++ b/windows/security/application-security/application-control/user-account-control/index.md
@@ -0,0 +1,36 @@
+---
+title: User Account Control
+description: Learn how User Account Control (UAC) helps to prevent unauthorized changes to Windows devices.
+ms.collection:
+ - highpri
+ - tier2
+ms.topic: conceptual
+ms.date: 05/24/2023
+---
+
+# User Account Control overview
+
+User Account Control (UAC) is a Windows security feature designed to protect the operating system from unauthorized changes. When changes to the system require administrator-level permission, UAC notifies the user, giving the opportunity to approve or deny the change. UAC improves the security of Windows devices by limiting the access that malicious code has to execute with administrator privileges. UAC empowers users to make informed decisions about actions that may affect the stability and security of their device.
+
+Unless you disable UAC, malicious software is prevented from disabling or interfering with UAC settings. UAC is enabled by default, and you can configure it if you have administrative privileges.
+
+## Benefits of UAC
+
+UAC allows all users to sign in their devices using a *standard user account*. Processes launched using a *standard user token* may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Any applications that are started using Windows Explorer (for example, by opening a shortcut) also run with the standard set of user permissions. Most applications, including the ones included with the operating system, are designed to work properly this way.\
+Other applications, like ones that aren't designed with security settings in mind, may require more permissions to run successfully. These applications are referred to as *legacy apps*.
+
+When a user tries to perform an action that requires administrative privileges, UAC triggers a *consent prompt*. The prompt notifies the user that a change is about to occur, asking for their permission to proceed:
+
+- If the user approves the change, the action is performed with the highest available privilege
+- If the user doesn't approve the change, the action isn't performed and the application that requested the change is prevented from running
+
+:::image type="content" source="images/uac-consent-prompt-admin.png" alt-text="Screenshot showing the UAC consent prompt.":::
+
+When an app requires to run with more than standard user rights, UAC allows users to run apps with their *administrator token* (that is, with administrative rights and permissions) instead of their default, standard user token. Users continue to operate in the standard user security context, while enabling certain apps to run with elevated privileges, if needed.
+
+[!INCLUDE [user-account-control-uac](../../../../../includes/licensing/user-account-control-uac.md)]
+
+## Next steps
+
+- [How User Account Control works](how-it-works.md)
+- [User Account Control settings and configuration](settings-and-configuration.md)
diff --git a/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md b/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
new file mode 100644
index 0000000000..131622bbf4
--- /dev/null
+++ b/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
@@ -0,0 +1,102 @@
+---
+title: User Account Control settings and configuration
+description: Learn about the User Account Control settings and how to configure them via Intune, CSP, group policy and registry.
+ms.date: 05/26/2023
+ms.topic: how-to
+---
+
+# User Account Control settings and configuration
+
+## User Account Control settings list
+
+The following table lists the available settings to configure the UAC behavior, and their default values.
+
+|Setting name| Description|
+|-|-|
+|Run all administrators in Admin Approval Mode|Controls the behavior of all UAC policy settings. User performs operation requiring privilege| If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute.|
-| ShellExecute| ShellExecute calls CreateProcess. ShellExecute looks for the ERROR_ELEVATION_REQUIRED error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt.|
-| CreateProcess| If the application requires elevation, CreateProcess rejects the call with ERROR_ELEVATION_REQUIRED.|
-
-### System
-
-|Component|Description|
-|--- |--- |
-| Application Information service| A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required and (depending on Group Policy) consent is given by the user to do so.|
-| Elevating an ActiveX install| If ActiveX is not installed, the system checks the UAC slider level. If ActiveX is installed, the **User Account Control: Switch to the secure desktop when prompting for elevation** Group Policy setting is checked.|
-| Check UAC slider level| UAC has a slider to select from four levels of notification. **Always notify** will: Recommended if you often install new software or visit unfamiliar websites. **Notify me only when programs try to make changes to my computer** will: Recommended if you do not often install apps or visit unfamiliar websites. **Notify me only when programs try to make changes to my computer (do not dim my desktop)** will: Not recommended. Choose this only if it takes a long time to dim the desktop on your computer. **Never notify (Disable UAC prompts)** will: Not recommended due to security concerns.|
-| Secure desktop enabled| The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is checked: If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. If the secure desktop is not enabled, all elevation requests go to the interactive user's desktop, and the per-user settings for administrators and standard users are used.|
-| CreateProcess| CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation. The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file. CreateProcess fails if the requested execution level specified in the manifest does not match the access token and returns an error (ERROR_ELEVATION_REQUIRED) to ShellExecute.|
-| AppCompat| The AppCompat database stores information in the application compatibility fix entries for an application.|
-| Fusion| The Fusion database stores information from application manifests that describe the applications. The manifest schema is updated to add a new requested execution level field.|
-| Installer detection| Installer detection detects setup files, which helps prevent installations from being run without the user's knowledge and consent.|
-
-### Kernel
-
-|Component|Description|
-|--- |--- |
-| Virtualization| Virtualization technology ensures that non-compliant apps do not silently fail to run or fail in a way that the cause cannot be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas.|
-| File system and registry| The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second.|
-
-The slider will never turn UAC completely off. If you set it to **Never notify**, it will:
-
-- Keep the UAC service running.
-- Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt.
-- Automatically deny all elevation requests for standard users.
-
-> [!IMPORTANT]
-> In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**.
-
-> [!WARNING]
-> Some Universal Windows Platform apps may not work when UAC is disabled.
-
-### Virtualization
-
-Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you do not need to replace the majority of apps when UAC is turned on.
-
-Windows 10 and Windows 11 include file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative app that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app.
-
-Most app tasks operate properly by using virtualization features. Although virtualization allows a majority of applications to run, it is a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization.
-
-Virtualization is not an option in the following scenarios:
-
-- Virtualization does not apply to apps that are elevated and run with a full administrative access token.
-
-- Virtualization supports only 32-bit apps. Non-elevated 64-bit apps simply receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations.
-
-- Virtualization is disabled if the app includes an app manifest with a requested execution level attribute.
-
-### Request execution levels
-
-An app manifest is an XML file that describes and identifies the shared and private side-by-side assemblies that an app should bind to at run time. The app manifest includes entries for UAC app compatibility purposes. Administrative apps that include an entry in the app manifest prompt the user for permission to access the user's access token. Although they lack an entry in the app manifest, most administrative app can run without modification by using app compatibility fixes. App compatibility fixes are database entries that enable applications that are not UAC-compliant to work properly.
-
-All UAC-compliant apps should have a requested execution level added to the application manifest. If the application requires administrative access to the system, then marking the app with a requested execution level of "require administrator" ensures that the system identifies this program as an administrative app and performs the necessary elevation steps. Requested execution levels specify the privileges required for an app.
-
-### Installer detection technology
-
-Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 and Windows 11 heuristically detect installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 and Windows 11 also heuristically detect updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry.
-
-Installer detection only applies to:
-
-- 32-bit executable files.
-- Applications without a requested execution level attribute.
-- Interactive processes running as a standard user with UAC enabled.
-
-Before a 32-bit process is created, the following attributes are checked to determine whether it is an installer:
-
-- The file name includes keywords such as "install," "setup," or "update."
-- Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name.
-- Keywords in the side-by-side manifest are embedded in the executable file.
-- Keywords in specific StringTable entries are linked in the executable file.
-- Key attributes in the resource script data are linked in the executable file.
-- There are targeted sequences of bytes within the executable file.
-
-> [!NOTE]
-> The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.
-
-> [!NOTE]
-> The User Account Control: Detect application installations and prompt for elevation policy setting must be enabled for installer detection to detect installation programs. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).
diff --git a/windows/security/identity-protection/user-account-control/images/uacconsentprompt.png b/windows/security/identity-protection/user-account-control/images/uacconsentprompt.png
deleted file mode 100644
index 1a84a4cfd7..0000000000
Binary files a/windows/security/identity-protection/user-account-control/images/uacconsentprompt.png and /dev/null differ
diff --git a/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.png b/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.png
deleted file mode 100644
index df0077b91b..0000000000
Binary files a/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.png and /dev/null differ
diff --git a/windows/security/identity-protection/user-account-control/images/uacshieldicon.png b/windows/security/identity-protection/user-account-control/images/uacshieldicon.png
deleted file mode 100644
index 5c9e4de2f7..0000000000
Binary files a/windows/security/identity-protection/user-account-control/images/uacshieldicon.png and /dev/null differ
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
deleted file mode 100644
index acd299f115..0000000000
--- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
+++ /dev/null
@@ -1,191 +0,0 @@
----
-title: User Account Control Group Policy and registry key settings
-description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC.
-ms.collection:
- - highpri
- - tier2
-ms.topic: article
-ms.date: 04/19/2017
----
-
-# User Account Control Group Policy and registry key settings
-## Group Policy settings
-There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings).
-
-
-| Group Policy setting | Registry key | Default |
-| - | - | - | - |
-| [User Account Control: Admin Approval Mode for the built-in Administrator account](#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | FilterAdministratorToken | Disabled |
-| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | EnableUIADesktopToggle | Disabled |
-| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | ConsentPromptBehaviorAdmin | Prompt for consent for non-Windows binaries |
-| [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | ConsentPromptBehaviorUser | Prompt for credentials |
-| [User Account Control: Detect application installations and prompt for elevation](#user-account-control-detect-application-installations-and-prompt-for-elevation) | EnableInstallerDetection | Enabled (default for home) UEFI Secure Boot ensures that the device boots only authorized code. Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: "System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby"|
-|Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled|Required to support virtualization-based security. Direct Memory Access (DMA) protection can be enabled to provide extra memory protection but requires processors to include DMA protection technologies.|
+|UEFI 2.3.1 or later firmware with Secure Boot enabled|Required to support UEFI Secure Boot. UEFI Secure Boot ensures that the device boots only authorized code. Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: "System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby"|
+|Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled|Required to support virtualization-based security. **Note:** Device Guard can be enabled without using virtualization-based security.|
+|X64 processor|Required to support virtualization-based security that uses Windows Hypervisor. Hyper-V is supported only on x64 processor (and not on x86). Direct Memory Access (DMA) protection can be enabled to provide extra memory protection but requires processors to include DMA protection technologies.|
|IOMMU, such as Intel VT-d, AMD-Vi|Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.|
|Trusted Platform Module (TPM)|Required to support health attestation and necessary for other key protections for virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10, version 1607 (RS1)|
This section presented information about several closely related controls in Windows 10. The multi-layer defenses and in-depth approach help to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them.
-## Detect an unhealthy Windows 10-based device
+## Detect an unhealthy Windows 10-based device
As of today, many organizations only consider devices to be compliant with company policy after they've passed various checks that show, for example, that the operating system is in the correct state, properly configured, and has security protection enabled. Unfortunately, with today's systems, this form of reporting isn't entirely reliable because malware can spoof a software statement about system health. A rootkit, or a similar low-level exploit, can report a false healthy state to traditional compliance tools.
@@ -394,14 +384,14 @@ When you start a device equipped with TPM, a measurement of different components
The health attestation process works as follows:
-1. Hardware boot components are measured.
-2. Operating system boot components are measured.
-3. If Device Guard is enabled, current Device Guard policy is measured.
-4. Windows kernel is measured.
-5. Antivirus software is started as the first kernel mode driver.
-6. Boot start drivers are measured.
-7. MDM server through the MDM agent issues a health check command by using the Health Attestation CSP.
-8. Boot measurements are validated by the Health Attestation Service
+1. Hardware boot components are measured.
+2. Operating system boot components are measured.
+3. If Device Guard is enabled, current Device Guard policy is measured.
+4. Windows kernel is measured.
+5. Antivirus software is started as the first kernel mode driver.
+6. Boot start drivers are measured.
+7. MDM server through the MDM agent issues a health check command by using the Health Attestation CSP.
+8. Boot measurements are validated by the Health Attestation Service
> [!NOTE]
> By default, the last 100 system boot logs and all associated resume logs are archived in the %SystemRoot%\\logs\\measuredboot folder.
@@ -409,16 +399,16 @@ The number of retained logs may be set with the registry **REG\_DWORD** value **
The following process describes how health boot measurements are sent to the health attestation service:
-1. The client (a Windows 10-based device with TPM) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client.
-2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate information.
-3. The remote device heath attestation service then:
+1. The client (a Windows 10-based device with TPM) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client.
+2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate information.
+3. The remote device heath attestation service then:
- 1. Verifies that the AIK certificate is issued by a known and trusted CA and the certificate is valid and not revoked.
- 2. Verifies that the signature on the PCR quotes is correct and consistent with the TCG log value.
- 3. Parses the properties in the TCG log.
- 4. Issues the device health token that contains the health information, the AIK information, and the boot counter information. The health token also contains valid issuance time. The device health token is encrypted and signed, that means that the information is protected and only accessible to issuing health attestation service.
+ 1. Verifies that the AIK certificate is issued by a known and trusted CA and the certificate is valid and not revoked.
+ 2. Verifies that the signature on the PCR quotes is correct and consistent with the TCG log value.
+ 3. Parses the properties in the TCG log.
+ 4. Issues the device health token that contains the health information, the AIK information, and the boot counter information. The health token also contains valid issuance time. The device health token is encrypted and signed, that means that the information is protected and only accessible to issuing health attestation service.
-4. The client stores the health encrypted blob in its local store. The device health token contains device health status, a device ID (the Windows AIK), and the boot counter.
+4. The client stores the health encrypted blob in its local store. The device health token contains device health status, a device ID (the Windows AIK), and the boot counter.
:::image type="content" alt-text="figure 8." source="images/hva-fig8a-healthattest8a.png":::
@@ -426,7 +416,7 @@ The following process describes how health boot measurements are sent to the hea
The device health attestation solution involves different components that are TPM, Health Attestation CSP, and the Windows Health Attestation Service. Those components are described in this section.
-### Trusted Platform Module
+### Trusted Platform Module
This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting.
@@ -434,11 +424,11 @@ In a simplified manner, the TPM is a passive component with limited resources. I
A TPM incorporates in a single component:
-- An RSA 2048-bit key generator
-- A random number generator
-- Nonvolatile memory for storing EK, SRK, and AIK keys
-- A cryptographic engine to encrypt, decrypt, and sign
-- Volatile memory for storing the PCRs and RSA keys
+- An RSA 2048-bit key generator
+- A random number generator
+- Nonvolatile memory for storing EK, SRK, and AIK keys
+- A cryptographic engine to encrypt, decrypt, and sign
+- Volatile memory for storing the PCRs and RSA keys
### Endorsement key
@@ -450,15 +440,15 @@ The endorsement key acts as an identity card for the TPM. For more information,
The endorsement key is often accompanied by one or two digital certificates:
-- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
-- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
+- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
+- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10.
> [!NOTE]
> Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted Boot, Hyper-V Code Integrity and ELAM take over. A device that uses Intel TPM or Qualcomm TPM gets a signed certificate online from the manufacturer that has created the chip and then stores the signed certificate in TPM storage. For the operation to succeed, if you are filtering Internet access from your client devices, you must authorize the following URLs:
-- For Intel firmware TPM: **```https://ekop.intel.com/ekcertservice```**
-- For Qualcomm firmware TPM: **```https://ekcert.spserv.microsoft.com/```**
+- For Intel firmware TPM: **```https://ekop.intel.com/ekcertservice```**
+- For Qualcomm firmware TPM: **```https://ekcert.spserv.microsoft.com/```**
### Attestation Identity Keys
@@ -506,7 +496,7 @@ If the TPM ownership isn't known but the EK exists, the client library will prov
As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is performed, the resulting AIK public portion is stored in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\WindowsAIKPub**
> [!NOTE]
-> For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: https://\*.microsoftaik.azure.net
+> For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: `https://\*.microsoftaik.azure.net`
### Windows 10 Health Attestation CSP
@@ -514,10 +504,10 @@ Windows 10 contains a configuration service provider (CSP) specialized for inter
The following list is that of the functions performed by the Windows 10 Health Attestation CSP:
-- Collects data that is used to verify a device's health status
-- Forwards the data to the Health Attestation Service
-- Provisions the Health Attestation Certificate that it receives from the Health Attestation Service
-- Upon request, forwards the Health Attestation Certificate (received from the Health Attestation Service) and related runtime information to the MDM server for verification
+- Collects data that is used to verify a device's health status
+- Forwards the data to the Health Attestation Service
+- Provisions the Health Attestation Certificate that it receives from the Health Attestation Service
+- Upon request, forwards the Health Attestation Certificate (received from the Health Attestation Service) and related runtime information to the MDM server for verification
During a health attestation session, the Health Attestation CSP forwards the TCG logs and PCRs' values that are measured during the boot, by using a secure communication channel to the Health Attestation Service.
@@ -532,21 +522,21 @@ The role of Windows Health Attestation Service is essentially to evaluate a set
Checking that a TPM attestation and the associated log are valid takes several steps:
-1. First, the server must check that the reports are signed by **trustworthy AIKs**. This verification might be done by checking that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked.
-2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it's a **valid signature over PCR values**.
-3. Next the logs should be checked to ensure that they match the PCR values reported.
-4. Finally, the logs themselves should be examined by an MDM solution to see whether they represent **known or valid security configurations**. For example, a simple check might be to see whether the measured early OS components are known to be good, that the ELAM driver is as expected, and that the ELAM driver policy file is up to date. If all of these checks succeed, an attestation statement can be issued that later can be used to determine whether or not the client should be granted access to a resource.
+1. First, the server must check that the reports are signed by **trustworthy AIKs**. This verification might be done by checking that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked.
+2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it's a **valid signature over PCR values**.
+3. Next the logs should be checked to ensure that they match the PCR values reported.
+4. Finally, the logs themselves should be examined by an MDM solution to see whether they represent **known or valid security configurations**. For example, a simple check might be to see whether the measured early OS components are known to be good, that the ELAM driver is as expected, and that the ELAM driver policy file is up to date. If all of these checks succeed, an attestation statement can be issued that later can be used to determine whether or not the client should be granted access to a resource.
The Health Attestation Service provides the following information to an MDM solution about the health of the device:
-- Secure Boot enablement
-- Boot and kernel debug enablement
-- BitLocker enablement
-- VSM enabled
-- Signed or unsigned Device Guard Code Integrity policy measurement
-- ELAM loaded
-- Safe Mode boot, DEP enablement, test signing enablement
-- Device TPM has been provisioned with a trusted endorsement certificate
+- Secure Boot enablement
+- Boot and kernel debug enablement
+- BitLocker enablement
+- VSM enabled
+- Signed or unsigned Device Guard Code Integrity policy measurement
+- ELAM loaded
+- Safe Mode boot, DEP enablement, test signing enablement
+- Device TPM has been provisioned with a trusted endorsement certificate
For completeness of the measurements, see [Health Attestation CSP](/windows/client-management/mdm/healthattestation-csp).
@@ -562,29 +552,29 @@ To make device health relevant, the MDM solution evaluates the device health rep
A solution that uses MDM and the Health Attestation Service consists of three main parts:
-1. A device with health attestation enabled. This enablement will be done as a part of enrollment with an MDM provider (health attestation will be disabled by default).
-2. After this service is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return.
-3. At any point after this cycle, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it's been attested.
+1. A device with health attestation enabled. This enablement will be done as a part of enrollment with an MDM provider (health attestation will be disabled by default).
+2. After this service is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return.
+3. At any point after this cycle, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it's been attested.
:::image type="content" alt-text="figure 9." source="images/hva-fig8-evaldevicehealth8.png":::
Interaction between a Windows 10-based device, the Health Attestation Service, and MDM can be performed as follows:
-1. The client initiates a session with the MDM server. The URI for the MDM server would be part of the client app that initiates the request. The MDM server at this time could request the health attestation data by using the appropriate CSP URI.
-2. The MDM server specifies a nonce along with the request.
-3. The client then sends the AIK quoted nonce + the boot counter and the health blob information. This health blob is encrypted with a Health Attestation Service public key that only the Health Attestation Service can decrypt.
-4. The MDM server:
+1. The client initiates a session with the MDM server. The URI for the MDM server would be part of the client app that initiates the request. The MDM server at this time could request the health attestation data by using the appropriate CSP URI.
+2. The MDM server specifies a nonce along with the request.
+3. The client then sends the AIK quoted nonce + the boot counter and the health blob information. This health blob is encrypted with a Health Attestation Service public key that only the Health Attestation Service can decrypt.
+4. The MDM server:
- 1. Verifies that the nonce is as expected.
- 2. Passes the quoted data, the nonce and the encrypted health blob to the Health Attestation Service server.
+ 1. Verifies that the nonce is as expected.
+ 2. Passes the quoted data, the nonce and the encrypted health blob to the Health Attestation Service server.
-5. The Health Attestation Service:
+5. The Health Attestation Service:
- 1. Decrypts the health blob.
- 2. Verifies that the boot counter in the quote is correct using the AIK in the health blob and matches the value in the health blob.
- 3. Verifies that the nonce matches in the quote and the one that is passed from MDM.
- 4. Because the boot counter and the nonce are quoted with the AIK from the health blob, it also proves that the device is the same one as the one for which the health blob has been generated.
- 5. Sends data back to the MDM server including health parameters, freshness, and so on.
+ 1. Decrypts the health blob.
+ 2. Verifies that the boot counter in the quote is correct using the AIK in the health blob and matches the value in the health blob.
+ 3. Verifies that the nonce matches in the quote and the one that is passed from MDM.
+ 4. Because the boot counter and the nonce are quoted with the AIK from the health blob, it also proves that the device is the same one as the one for which the health blob has been generated.
+ 5. Sends data back to the MDM server including health parameters, freshness, and so on.
> [!NOTE]
> The MDM server (relying party) never performs the quote or boot counter validation itself. It gets the quoted data and the health blob (which is encrypted) and sends the data to the Health Attestation Service for validation. This way, the AIK is never visible to the MDM, which thereby addresses privacy concerns.
@@ -625,7 +615,7 @@ Third-party MDM servers can manage Windows 10 by using the MDM protocol. The bui
The third-party MDM server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users.
-### Management of Windows Defender by third-party MDM
+### Management of Windows Defender by third-party MDM
This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren't domain joined. IT pros will be able to manage and configure all of the actions and settings they're familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms.
@@ -641,7 +631,7 @@ If the device isn't registered, the user will get a message with instructions on
:::image type="content" alt-text="figure 11." source="images/hva-fig10-conditionalaccesscontrol.png":::
-### Office 365 conditional access control
+### Office 365 conditional access control
Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company's device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include more
target groups.
@@ -663,20 +653,20 @@ Depending on the type of email application that employees use to access Exchange
Clients that attempt to access Office 365 will be evaluated for the following properties:
-- Is the device managed by an MDM?
-- Is the device registered with Azure AD?
-- Is the device compliant?
+- Is the device managed by an MDM?
+- Is the device registered with Azure AD?
+- Is the device compliant?
To get to a compliant state, the Windows 10-based device needs to:
-- Enroll with an MDM solution.
-- Register with Azure AD.
-- Be compliant with the device policies set by the MDM solution.
+- Enroll with an MDM solution.
+- Register with Azure AD.
+- Be compliant with the device policies set by the MDM solution.
> [!NOTE]
> At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows 10 – Using the cloud to modernize enterprise mobility!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-microsoft-intune-and-windows-10-8211-using-the-cloud-to/ba-p/244012) blog post.
-### Cloud and on-premises apps conditional access control
+### Cloud and on-premises apps conditional access control
Conditional access control is a powerful policy evaluation engine built into Azure AD. It gives IT pros an easy way to create access rules beyond Office 365 that evaluate the context of a user's sign in to make real-time decisions about which applications they should be allowed to access.
@@ -689,22 +679,22 @@ For more information about conditional access, see [Azure Conditional Access Pre
For on-premises applications there are two options to enable conditional access control based on a device's compliance state:
-- For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more information, see [Using Azure AD Application Proxy to publish on-premises apps for remote users](/azure/active-directory/app-proxy/what-is-application-proxy).
-- Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
+- For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more information, see [Using Azure AD Application Proxy to publish on-premises apps for remote users](/azure/active-directory/app-proxy/what-is-application-proxy).
+- Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
:::image type="content" alt-text="figure 13." source="images/hva-fig12-conditionalaccess12.png":::
The following process describes how Azure AD conditional access works:
-1. User has already enrolled with MDM through Workplace Access/Azure AD join, which registers device with Azure AD.
-2. When the device boots or resumes from hibernate, a task "Tpm-HASCertRetr" is triggered to request in background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service.
-3. Health Attestation Service validates device state and issues an encrypted blob to the device based on the health state with details on failed checks (if any).
-4. User logs on and the MDM agent contacts the Intune/MDM server.
-5. MDM server pushes down new policies if available and queries health blob state and other inventory state.
-6. Device sends a health attestation blob previously acquired and also the value of the other state inventory requested by the Intune/MDM server.
-7. Intune/MDM server sends the health attestation blob to Health Attestation Service to be validated.
-8. Health Attestation Service validates that the device that sent the health attestation blob is healthy, and returns this result to Intune/MDM server.
-9. Intune/MDM server evaluates compliance based on the compliance and the queried inventory/health attestation state from device.
+1. User has already enrolled with MDM through Workplace Access/Azure AD join, which registers device with Azure AD.
+2. When the device boots or resumes from hibernate, a task "Tpm-HASCertRetr" is triggered to request in background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service.
+3. Health Attestation Service validates device state and issues an encrypted blob to the device based on the health state with details on failed checks (if any).
+4. User logs on and the MDM agent contacts the Intune/MDM server.
+5. MDM server pushes down new policies if available and queries health blob state and other inventory state.
+6. Device sends a health attestation blob previously acquired and also the value of the other state inventory requested by the Intune/MDM server.
+7. Intune/MDM server sends the health attestation blob to Health Attestation Service to be validated.
+8. Health Attestation Service validates that the device that sent the health attestation blob is healthy, and returns this result to Intune/MDM server.
+9. Intune/MDM server evaluates compliance based on the compliance and the queried inventory/health attestation state from device.
10. Intune/MDM server updates compliance state against device object in Azure AD.
11. User opens app, attempts to access a corporate managed asset.
12. Access gated by compliance claim in Azure AD.
@@ -719,43 +709,43 @@ Conditional access control is a topic that many organizations and IT pros may no
The following list contains high-level key takeaways to improve the security posture of any organization. However, the few takeaways presented in this section shouldn't be interpreted as an exhaustive list of security best practices.
-- **Understand that no solution is 100 percent secure**
+- **Understand that no solution is 100 percent secure**
If determined adversaries with malicious intent gain physical access to the device, they could eventually break through its security layers and control it.
-- **Use health attestation with an MDM solution**
+- **Use health attestation with an MDM solution**
Devices that attempt to connect to high-value assets must have their health evaluated so that unhealthy and noncompliant devices can be detected, reported, and eventually blocked.
-- **Use Credential Guard**
+- **Use Credential Guard**
Credential Guard is a feature that greatly helps protect corporate domain credentials from pass-the-hash attacks.
-- **Use Device Guard**
+- **Use Device Guard**
Device Guard is a real advance in security and an effective way to help protect against malware. The new Device Guard feature in Windows 10 blocks untrusted apps (apps not authorized by your organization).
-- **Sign Device Guard policy**
+- **Sign Device Guard policy**
Signed Device Guard policy helps protect against a user with administrator privileges trying to defeat the current policy. When a policy is signed, the only way to modify Device Guard later is to provide a new version of the policy signed by the same signer or from a signer specify as part of the Device Guard policy.
-- **Use virtualization-based security**
+- **Use virtualization-based security**
When you have Kernel Mode Code Integrity protected by virtualization-based security, the code integrity rules are still enforced even if a vulnerability allows unauthorized kernel mode memory access. Keep in mind that Device Guard devices that run Kernel Code Integrity with virtualization-based security must have compatible drivers.
-- **Start to deploy Device Guard with Audit mode**
+- **Start to deploy Device Guard with Audit mode**
Deploy Device Guard policy to targeted computers and devices in Audit mode. Monitor the Code Integrity event log that indicates a program or a driver would have been blocked if Device Guard was configured in Enforcement mode. Adjust Device Guard rules until a high level of confidence has been reached. After the testing phase has been completed, Device Guard policy can be switched to Enforcement mode.
-- **Build an isolated reference machine when deploying Device Guard**
+- **Build an isolated reference machine when deploying Device Guard**
Because the corporate network can contain malware, you should start to configure a reference environment that is isolated from your main corporate network. After that, you can create a code integrity policy that includes the trusted applications you want to run on your protected devices.
-- **Use AppLocker when it makes sense**
+- **Use AppLocker when it makes sense**
Although AppLocker isn't considered a new Device Guard feature, it complements Device Guard functionality for some scenarios like being able to deny a specific Universal Windows application for a specific user or a group of users.
-- **Lock down firmware and configuration**
+- **Lock down firmware and configuration**
After Windows 10 is installed, lock down firmware boot options access. This lockdown prevents a user with physical access from modifying UEFI settings, disabling Secure Boot, or booting other operating systems. Also, in order to protect against an administrator trying to disable Device Guard, add a rule in the current Device Guard policy that will deny and block execution of the **C:\\Windows\\System32\\SecConfig.efi** tool.
@@ -765,4 +755,4 @@ Health attestation is a key feature of Windows 10 that includes client and cloud
- [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard)
- [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide)
-- [Trusted Platform Module technology overview](../information-protection/tpm/trusted-platform-module-overview.md)
+- [Trusted Platform Module technology overview](../../information-protection/tpm/trusted-platform-module-overview.md)
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
similarity index 83%
rename from windows/security/information-protection/secure-the-windows-10-boot-process.md
rename to windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
index be0c4f800d..1383de920b 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
@@ -1,24 +1,16 @@
---
title: Secure the Windows boot process
description: This article describes how Windows security features help protect your PC from malware, including rootkits and other applications.
-ms.prod: windows-client
-ms.author: paoloma
-author: paolomatarazzo
-manager: aaroncz
+ms.topic: conceptual
+ms.date: 03/09/2023
ms.collection:
- highpri
- tier1
-ms.topic: conceptual
-ms.date: 03/09/2023
-ms.technology: itpro-security
-appliesto:
-- ✅ Windows 10 and later
---
# Secure the Windows boot process
-
-The Windows OS has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 OS includes a series of security features that can mitigate the effect. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
+Windows has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, Windows includes a series of security features that can mitigate the effect. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
Windows has multiple levels of protection for desktop apps and data, too. Windows Defender Antivirus uses cloud-powered real-time detection to identify and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it's recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
@@ -50,9 +42,9 @@ Windows supports four features to help prevent rootkits and bootkits from loadin
Figure 1 shows the Windows startup process.
-.png)
+
-*Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage*
+*Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage*:
Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 and Windows 11 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well.
@@ -82,27 +74,23 @@ These requirements help protect you from rootkits while allowing you to run any
To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software can't change the Secure Boot settings.
-The default state of Secure Boot has a wide circle of trust which can result in customers trusting boot components they may not need. Since the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for all Linux distributions, trusting the Microsoft 3rd Party UEFI CA signature in the UEFI database increase s the attack surface of systems. A customer who intended to only trust and boot a single Linux distribution will trust all distributions – much more than their desired configuration. A vulnerability in any of the bootloaders exposes the system and places the customer at risk of exploit for a bootloader they never intended to use, as seen in recent vulnerabilities, for example [with the GRUB bootloader](https://msrc.microsoft.com/security-guidance/advisory/ADV200011) or [firmware-level rootkit]( https://www.darkreading.com/threat-intelligence/researchers-uncover-dangerous-new-firmware-level-rootkit) affecting boot components. [Secured-core PCs](/windows-hardware/design/device-experiences/OEM-highly-secure-11) require Secure Boot to be enabled and configured to distrust the Microsoft 3rd Party UEFI CA signature, by default, to provide customers with the most secure configuration of their PCs possible.
+The default state of Secure Boot has a wide circle of trust which can result in customers trusting boot components they may not need. Since the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for all Linux distributions, trusting the Microsoft 3rd Party UEFI CA signature in the UEFI database increase s the attack surface of systems. A customer who intended to only trust and boot a single Linux distribution will trust all distributions – much more than their desired configuration. A vulnerability in any of the bootloaders exposes the system and places the customer at risk of exploit for a bootloader they never intended to use, as seen in recent vulnerabilities, for example [with the GRUB bootloader](https://msrc.microsoft.com/security-guidance/advisory/ADV200011) or [firmware-level rootkit]( https://www.darkreading.com/threat-intelligence/researchers-uncover-dangerous-new-firmware-level-rootkit) affecting boot components. [Secured-core PCs](/windows-hardware/design/device-experiences/OEM-highly-secure-11) require Secure Boot to be enabled and configured to distrust the Microsoft 3rd Party UEFI CA signature, by default, to provide customers with the most secure configuration of their PCs possible.
To trust and boot operating systems, like Linux, and components signed by the UEFI signature, Secured-core PCs can be configured in the BIOS menu to add the signature in the UEFI database by following these steps:
-1. Open the firmware menu, either:
-
- - Boot the PC, and press the manufacturer's key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there's often a screen that mentions the key. If there's not one, or if the screen goes by too fast to see it, check your manufacturer's site.
+1. Open the firmware menu, either:
+ - Boot the PC, and press the manufacturer's key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there's often a screen that mentions the key. If there's not one, or if the screen goes by too fast to see it, check your manufacturer's site.
+ - Or, if Windows is already installed, from either the Sign on screen or the Start menu, select Power ( ) > hold Shift while selecting Restart. Select Troubleshoot > Advanced options > UEFI Firmware settings.
+2. From the firmware menu navigate to Security > Secure Boot and select the option to trust the "3rd Party CA".
+3. Save changes and exit.
- - Or, if Windows is already installed, from either the Sign on screen or the Start menu, select Power ( ) > hold Shift while selecting Restart. Select Troubleshoot > Advanced options > UEFI Firmware settings.
-
-2. From the firmware menu navigate to Security > Secure Boot and select the option to trust the "3rd Party CA".
-
-3. Save changes and exit.
-
-Microsoft continues to collaborate with Linux and IHV ecosystem partners to design least privileged features to help you stay secure and opt-in trust for only the publishers and components you trust.
+Microsoft continues to collaborate with Linux and IHV ecosystem partners to design least privileged features to help you stay secure and opt-in trust for only the publishers and components you trust.
Like most mobile devices, Arm-based devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot can't be turned off, and you can't load a different OS. Fortunately, there's a large market of ARM processor devices designed to run other operating systems.
## Trusted Boot
-Trusted Boot takes over where Secure Boot ends. The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
+Trusted Boot takes over where Secure Boot ends. The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
## Early Launch Anti-Malware
@@ -129,13 +117,12 @@ Depending on the implementation and configuration, the server can now determine
Figure 2 illustrates the Measured Boot and remote attestation process.
+
-
-.png)
-
-*Figure 2. Measured Boot proves the PC's health to a remote server*
+*Figure 2. Measured Boot proves the PC's health to a remote server*:
Windows includes the application programming interfaces to support Measured Boot, but you'll need non-Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it. For example, see the following tools from Microsoft Research:
+
- [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487)
- [TSS.MSR](https://github.com/microsoft/TSS.MSR#tssmsr)
diff --git a/windows/security/operating-system-security/system-security/toc.yml b/windows/security/operating-system-security/system-security/toc.yml
index 86abf54e55..2945f5f884 100644
--- a/windows/security/operating-system-security/system-security/toc.yml
+++ b/windows/security/operating-system-security/system-security/toc.yml
@@ -1,28 +1,28 @@
items:
- name: Secure the Windows boot process
- href: ../../information-protection/secure-the-windows-10-boot-process.md
+ href: secure-the-windows-10-boot-process.md
- name: Secure Boot and Trusted Boot
- href: ../../trusted-boot.md
-- name: Measured Boot
+ href: trusted-boot.md
+- name: Measured Boot 🔗
href: /windows/compatibility/measured-boot
- name: Device health attestation service
- href: ../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+ href: protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
- name: Cryptography and certificate management
- href: ../../cryptography-certificate-mgmt.md
-- name: The Windows Security app
- href: ../../threat-protection/windows-defender-security-center/windows-defender-security-center.md
+ href: cryptography-certificate-mgmt.md
+- name: Windows Security app
+ href: windows-defender-security-center/windows-defender-security-center.md
items:
- name: Virus & threat protection
- href: ../../threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md
+ href: windows-defender-security-center\wdsc-virus-threat-protection.md
- name: Account protection
- href: ../../threat-protection\windows-defender-security-center\wdsc-account-protection.md
+ href: windows-defender-security-center\wdsc-account-protection.md
- name: Firewall & network protection
- href: ../../threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md
+ href: windows-defender-security-center\wdsc-firewall-network-protection.md
- name: App & browser control
- href: ../../threat-protection\windows-defender-security-center\wdsc-app-browser-control.md
+ href: windows-defender-security-center\wdsc-app-browser-control.md
- name: Device security
- href: ../../threat-protection\windows-defender-security-center\wdsc-device-security.md
+ href: windows-defender-security-center\wdsc-device-security.md
- name: Device performance & health
- href: ../../threat-protection\windows-defender-security-center\wdsc-device-performance-health.md
+ href: windows-defender-security-center\wdsc-device-performance-health.md
- name: Family options
- href: ../../threat-protection\windows-defender-security-center\wdsc-family-options.md
\ No newline at end of file
+ href: windows-defender-security-center\wdsc-family-options.md
\ No newline at end of file
diff --git a/windows/security/trusted-boot.md b/windows/security/operating-system-security/system-security/trusted-boot.md
similarity index 87%
rename from windows/security/trusted-boot.md
rename to windows/security/operating-system-security/system-security/trusted-boot.md
index 8790964196..a5b511cc48 100644
--- a/windows/security/trusted-boot.md
+++ b/windows/security/operating-system-security/system-security/trusted-boot.md
@@ -1,14 +1,11 @@
---
title: Secure Boot and Trusted Boot
description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11
-author: vinaypamnani-msft
-ms.author: vinpa
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2021
-ms.prod: windows-client
-ms.technology: itpro-security
ms.reviewer: jsuther
+appliesto:
+ - "✅ Windows 11"
---
# Secure Boot and Trusted Boot
@@ -21,7 +18,7 @@ Secure Boot and Trusted Boot help prevent malware and corrupted components from
The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.
-As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader's digital signature to ensure that it's trusted by the Secure Boot policy and hasn't been tampered with.
+As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader's digital signature to ensure that it's trusted by the Secure Boot policy and hasn't been tampered with.
## Trusted Boot
@@ -29,8 +26,8 @@ Trusted Boot picks up the process that started with Secure Boot. The Windows boo
Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally.
-[!INCLUDE [secure-boot-and-trusted-boot](../../includes/licensing/secure-boot-and-trusted-boot.md)]
+[!INCLUDE [secure-boot-and-trusted-boot](../../../../includes/licensing/secure-boot-and-trusted-boot.md)]
## See also
-[Secure the Windows boot process](information-protection/secure-the-windows-10-boot-process.md)
\ No newline at end of file
+[Secure the Windows boot process](secure-the-windows-10-boot-process.md)
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-custom-flyout.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-custom-flyout.png
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-home.png b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-home.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/security-center-home.png
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-home.png
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-start-menu.png b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-start-menu.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/security-center-start-menu.png
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-start-menu.png
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-taskbar.png b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-taskbar.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/security-center-taskbar.png
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-taskbar.png
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/settings-windows-defender-security-center-areas.PNG b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/settings-windows-defender-security-center-areas.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/settings-windows-defender-security-center-areas.PNG
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/settings-windows-defender-security-center-areas.png
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/wdsc-all-hide.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/wdsc-all-hide.png
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
new file mode 100644
index 0000000000..86a18cc532
--- /dev/null
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
@@ -0,0 +1,37 @@
+---
+title: Account protection in the Windows Security app
+description: Use the Account protection section to manage security for your account and sign in to Microsoft.
+ms.date: 12/31/2018
+ms.topic: article
+---
+
+
+# Account protection
+
+The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list:
+
+- [Microsoft Account](https://account.microsoft.com/account/faq)
+- [Windows Hello for Business](../../../identity-protection/hello-for-business/hello-identity-verification.md)
+- [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from)
+
+You can also choose to hide the section from users of the device. This is useful if you don't want your employees to access or view user-configured options for these features.
+
+## Hide the Account protection section
+
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
+
+You can only configure these settings by using Group Policy.
+
+> [!IMPORTANT]
+> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**.
+1. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Account protection**.
+1. Open the **Hide the Account protection area** setting and set it to **Enabled**. Select **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+>
+> 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md
index 817ff1949e..a4e6a2916e 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md
@@ -1,21 +1,12 @@
---
title: App & browser control in the Windows Security app
description: Use the App & browser control section to see and configure Windows Defender SmartScreen and Exploit protection settings.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
ms.date: 12/31/2018
-manager: aaroncz
-ms.technology: itpro-security
ms.topic: article
---
# App and browser control
-**Applies to**
-
-- Windows 10 and later
-
The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview).
In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection).
@@ -32,13 +23,9 @@ You can only prevent users from modifying Exploit protection settings by using G
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
2. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies** and then **Administrative templates**.
-
3. Expand the tree to **Windows components > Windows Security > App and browser protection**.
-
4. Open the **Prevent users from modifying settings** setting and set it to **Enabled**. Click **OK**.
-
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
## Hide the App & browser control section
@@ -51,13 +38,9 @@ This section can be hidden only by using Group Policy.
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
2. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies** and then **Administrative templates**.
-
3. Expand the tree to **Windows components > Windows Security > App and browser protection**.
-
4. Open the **Hide the App and browser protection area** setting and set it to **Enabled**. Click **OK**.
-
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
> [!NOTE]
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md
index 1aed92dc61..d792fabd4f 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md
@@ -1,20 +1,12 @@
---
title: Customize Windows Security contact information
description: Provide information to your employees on how to contact your IT department when a security issue occurs
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
ms.date: 12/31/2018
-ms.technology: itpro-security
ms.topic: article
---
# Customize the Windows Security app for your organization
-**Applies to**
-
-- Windows 10 and later
-
You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support.
@@ -36,11 +28,8 @@ You must have Windows 10, version 1709 or later. The ADMX/ADML template files fo
There are two stages to using the contact card and customized notifications. First, you have to enable the contact card or custom notifications (or both), and then you must specify at least a name for your organization and one piece of contact information.
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
3. Expand the tree to **Windows components > Windows Security > Enterprise Customization**.
-
4. Enable the contact card and the customized notifications by configuring two separate Group Policy settings. They will both use the same source of information (explained in Steps 5 and 6). You can enable both, or select one or the other:
1. To enable the contact card, open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**.
@@ -51,8 +40,8 @@ There are two stages to using the contact card and customized notifications. Fir
2. To enable the customized notifications, open the **Configure customized notifications** setting and set it to **Enabled**. Click **OK**.
5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**.
-
6. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings. Open the setting, select **Enabled**, and then add the contact information in the field under **Options**:
+
1. **Specify contact email address or Email ID**
2. **Specify contact phone number or Skype ID**
3. **Specify contact website**
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md
similarity index 58%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md
index bfc66838f7..f3c57f4410 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md
@@ -2,52 +2,34 @@
title: Device & performance health in the Windows Security app
description: Use the Device & performance health section to see the status of the machine and note any storage, update, battery, driver, or hardware configuration issues
ms.date: 12/31/2018
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.technology: itpro-security
ms.topic: article
---
# Device performance and health
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-
The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they're seeing, such as the [configure the Load and unload device drivers security policy setting](/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Configuration Manager](/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager).
The [Windows 10 IT pro troubleshooting topic](/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](/windows/windows-10/) can also be helpful for resolving issues.
-
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
-
## Hide the Device performance & health section
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
This section can be hidden only by using Group Policy.
->[!IMPORTANT]
->### Requirements
+> [!IMPORTANT]
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Device performance and health**.
+1. Open the **Hide the Device performance and health area** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
->You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Device performance and health**.
-
-6. Open the **Hide the Device performance and health area** setting and set it to **Enabled**. Click **OK**.
-
-7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-
->[!NOTE]
->If you hide all sections then the app will show a restricted interface, as in the following screenshot:
->
->
\ No newline at end of file
+> 
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md
new file mode 100644
index 0000000000..35915c9351
--- /dev/null
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md
@@ -0,0 +1,53 @@
+---
+title: Device security in the Windows Security app
+description: Use the Device security section to manage security built into your device, including virtualization-based security.
+ms.date: 12/31/2018
+ms.topic: article
+---
+
+# Device security
+
+The **Device security** section contains information and settings for built-in device security.
+
+You can choose to hide the section from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
+
+## Hide the Device security section
+
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. You can hide the device security section by using Group Policy only.
+
+> [!IMPORTANT]
+> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
+3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
+4. Open the **Hide the Device security area** setting and set it to **Enabled**. Select **OK**.
+5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+>
+> 
+
+## Disable the Clear TPM button
+
+If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it.
+
+> [!IMPORTANT]
+> You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
+3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
+4. Open the **Disable the Clear TPM button** setting and set it to **Enabled**. Select **OK**.
+5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+## Hide the TPM Firmware Update recommendation
+
+If you don't want users to see the recommendation to update TPM firmware, you can disable it.
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
+3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
+4. Open the **Hide the TPM Firmware Update recommendation** setting and set it to **Enabled**. Select **OK**.
+5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md
similarity index 50%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md
index f4a6bb11c6..df1907c2a3 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md
@@ -1,50 +1,35 @@
---
title: Family options in the Windows Security app
description: Learn how to hide the Family options section of Windows Security for enterprise environments. Family options aren't intended for business environments.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
ms.date: 12/31/2018
-ms.technology: itpro-security
ms.topic: article
---
# Family options
-**Applies to**
-
-- Windows 10 and later
-
The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It isn't intended for enterprise or business environments.
Home users can learn more at the [Help protection your family online in Windows Security topic at support.microsoft.com](https://support.microsoft.com/help/4013209/windows-10-protect-your-family-online-in-windows-defender)
In Windows 10, version 1709, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to this section.
-
## Hide the Family options section
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
This section can be hidden only by using Group Policy.
->[!IMPORTANT]
->### Requirements
+> [!IMPORTANT]
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Family options**.
+1. Open the **Hide the Family options area** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
->You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Family options**.
-
-6. Open the **Hide the Family options area** setting and set it to **Enabled**. Click **OK**.
-
-7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-
->[!NOTE]
->If you hide all sections then the app will show a restricted interface, as in the following screenshot:
->
->
\ No newline at end of file
+> 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
similarity index 50%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
index 1d0d162d10..0d538dcab3 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
@@ -1,49 +1,32 @@
---
title: Firewall and network protection in the Windows Security app
description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine.
-author: vinaypamnani-msft
-ms.author: vinpa
ms.date: 12/31/2018
-ms.technology: itpro-security
ms.topic: article
---
-
# Firewall and network protection
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../windows-firewall/windows-firewall-with-advanced-security.md).
+The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
-
## Hide the Firewall & network protection section
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
This section can be hidden only by using Group Policy.
->[!IMPORTANT]
->### Requirements
+> [!IMPORTANT]
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Firewall and network protection**.
+1. Open the **Hide the Firewall and network protection area** setting and set it to **Enabled**. Click **OK**.
+1. Deploy the updated GPO as you normally do.
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
->You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-
-1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Firewall and network protection**.
-
-6. Open the **Hide the Firewall and network protection area** setting and set it to **Enabled**. Click **OK**.
-
-7. Deploy the updated GPO as you normally do.
-
->[!NOTE]
->If you hide all sections then the app will show a restricted interface, as in the following screenshot:
->
->
-
+> 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md
similarity index 82%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md
index 8ca7f8d1c1..d21b237aae 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md
@@ -1,20 +1,12 @@
---
title: Hide notifications from the Windows Security app
description: Prevent Windows Security app notifications from appearing on user endpoints
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
ms.date: 12/31/2018
-ms.technology: itpro-security
ms.topic: article
---
# Hide Windows Security app notifications
-**Applies to**
-
-- Windows 10 and later
-
The Windows Security app is used by many Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others.
In some cases, it may not be appropriate to show these notifications, for example, if you want to hide regular status updates, or if you want to hide all notifications to the employees in your organization.
@@ -28,30 +20,21 @@ If you set **Hide all notifications** to **Enabled**, changing the **Hide non-cr
You can only use Group Policy to change these settings.
-
-
## Use Group Policy to hide non-critical notifications
You can hide notifications that describe regular events related to the health and security of the machine. These notifications are the ones that don't require an action from the machine's user. It can be useful to hide these notifications if you find they're too numerous or you have other status reporting on a larger scale (such as Windows Update for Business reports or Microsoft Configuration Manager reporting).
These notifications can be hidden only by using Group Policy.
->[!IMPORTANT]
->
-> Requirement: You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> [!IMPORTANT]
+> You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. Download the latest [Administrative Templates (.admx) for Windows 10, v2004](https://www.microsoft.com/download/101445).
-
-2. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**
-
-6. Open the **Hide non-critical notifications** setting and set it to **Enabled**. Click **OK**.
-
-7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**
+1. Open the **Hide non-critical notifications** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
## Use Group Policy to hide all notifications
@@ -59,22 +42,18 @@ You can hide all notifications that are sourced from the Windows Security app. T
These notifications can be hidden only by using Group Policy.
->[!IMPORTANT]
->
-> Requirement: You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> [!IMPORTANT]
+> You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**.
> [!NOTE]
> For Windows 10 version 2004 and above the path would be **Windows components > Windows Security > Notifications**.
-6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.
-
-7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+1. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
> [!NOTE]
> You can use the following registry key and DWORD value to **Hide all notifications**.
@@ -95,7 +74,7 @@ These notifications can be hidden only by using Group Policy.
| HVCI, driver compat check fails (upon trying to enable) | There may be an incompatibility on your device. | HVCI_ENABLE_FAILURE | Yes |Firewall and network protection notification|
| HVCI, reboot needed to enable | The recent change to your protection settings requires a restart of your device. | HVCI_ENABLE_SUCCESS | Yes |Firewall and network protection notification|
| Item skipped in scan, due to exclusion setting, or network scanning disabled by admin | The Microsoft Defender Antivirus scan skipped an item due to exclusion or network scanning settings. | ITEM_SKIPPED | Yes |Virus & threat protection notification|
-| Remediation failure | Microsoft Defender Antivirus couldn’t completely resolve potential threats. | CLEAN_FAILED | Yes |Virus & threat protection notification|
+| Remediation failure | Microsoft Defender Antivirus couldn't completely resolve potential threats. | CLEAN_FAILED | Yes |Virus & threat protection notification|
| Follow-up action (restart & scan) | Microsoft Defender Antivirus found _threat_ in _file name_. Restart and scan your device. Restart and scan | MANUALSTEPS_REQUIRED | Yes |Virus & threat protection notification|
| Follow-up action (restart) | Microsoft Defender Antivirus found _threat_ in _file_. Restart your device. | WDAV_REBOOT | Yes |Virus & threat protection notification|
| Follow-up action (Full scan) | Microsoft Defender Antivirus found _threat_ in _file_. Run a full scan of your device. | FULLSCAN_REQUIRED | Yes |Virus & threat protection notification|
@@ -109,7 +88,7 @@ These notifications can be hidden only by using Group Policy.
| Scan finished, manual, threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_, and took action against threats. | RECENT_SCAN_FOUND_THREATS | No |Virus & threat protection notification|
| Scan finished, manual, **no** threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_. No threats were found. | RECENT_SCAN_NO_THREATS | No |Virus & threat protection notification|
| Threat found | Microsoft Defender Antivirus found threats. Get details. | CRITICAL | No |Virus & threat protection notification|
-| LPS on notification | Microsoft Defender Antivirus is periodically scanning your device. You’re also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No |Virus & threat protection notification|
+| LPS on notification | Microsoft Defender Antivirus is periodically scanning your device. You're also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No |Virus & threat protection notification|
| Long running BaFS | Your IT administrator requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS | No |Firewall and network protection notification|
| Long running BaFS customized | _Company_ requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS_DETECTED_CUSTOM (body) | No |Firewall and network protection notification|
| Sense detection | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED | No |Firewall and network protection notification|
@@ -131,4 +110,4 @@ These notifications can be hidden only by using Group Policy.
| Dynamic lock on, bluetooth on, but device unpaired | | | No |Account protection notification|
| Dynamic lock on, bluetooth on, but unable to detect device | | | No |Account protection notification|
| NoPa or federated no hello | | | No |Account protection notification|
-| NoPa or federated hello broken | | | No |Account protection notification|
\ No newline at end of file
+| NoPa or federated hello broken | | | No |Account protection notification|
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md
new file mode 100644
index 0000000000..f17c9907ba
--- /dev/null
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md
@@ -0,0 +1,58 @@
+---
+title: Virus and threat protection in the Windows Security app
+description: Use the Virus & threat protection section to see and configure Microsoft Defender Antivirus, Controlled folder access, and 3rd-party AV products.
+ms.date: 12/31/2017
+ms.topic: article
+---
+
+# Virus and threat protection
+
+The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products.
+
+In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. These settings include Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions if there's a ransomware attack.
+
+IT administrators and IT pros can get more configuration information from these articles:
+
+- [Microsoft Defender Antivirus in the Windows Security app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus)
+- [Microsoft Defender Antivirus documentation library](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10)
+- [Protect important folders with Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)
+- [Defend yourself from cybercrime with new Office 365 capabilities](https://blogs.office.com/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/)
+- [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365)
+- [Ransomware detection and recovering your files](https://support.office.com/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US)
+
+You can hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for these features.
+
+## Hide the Virus & threat protection section
+
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
+
+This section can be hidden only by using Group Policy.
+
+> [!IMPORTANT]
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Virus and threat protection**.
+1. Open the **Hide the Virus and threat protection area** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+>
+> 
+
+## Hide the Ransomware protection area
+
+You can choose to hide the **Ransomware protection** area by using Group Policy. The area won't appear on the **Virus & threat protection** section of the Windows Security app.
+
+This area can be hidden only by using Group Policy.
+
+> [!IMPORTANT]
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Virus and threat protection**.
+1. Open the **Hide the Ransomware data recovery area** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
similarity index 91%
rename from windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
index 41b535c96b..039d7fc3a6 100644
--- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
@@ -1,32 +1,17 @@
---
-title: The Windows Security app
+title: Windows Security app
description: The Windows Security app brings together common Windows security features into one place.
-search.product: eADQiWindows 10XVcnh
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-security
-ms.collection:
- - highpri
- - tier2
ms.date: 12/31/2017
ms.topic: article
+ms.collection:
+ - highpri
+ - tier2
---
-# The Windows Security app
-
-**Applies to**
-
-- Windows 10
-- Windows 11
+# Windows Security app
This library describes the Windows Security app, and provides information on configuring certain features, including:
-
-
- [Showing and customizing contact information on the app and in notifications](wdsc-customize-contact-information.md)
- [Hiding notifications](wdsc-hide-notifications.md)
@@ -52,7 +37,7 @@ For more information about each section, options for configuring the sections, a
- [Firewall & network protection](wdsc-firewall-network-protection.md), which has information and access to firewall settings, including Windows Defender Firewall.
- [App & browser control](wdsc-app-browser-control.md), covering Windows Defender SmartScreen settings and Exploit protection mitigations.
- [Device security](wdsc-device-security.md), which provides access to built-in device security settings.
-- [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues.
+- [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues.
- [Family options](wdsc-family-options.md), which include access to parental controls along with tips and information for keeping kids safe online.
> [!NOTE]
@@ -65,9 +50,11 @@ For more information about each section, options for configuring the sections, a
- Select the icon in the notification area on the taskbar.
+
- Search the Start menu for **Windows Security**.
+
- Open an area from Windows **Settings**.
@@ -78,7 +65,7 @@ For more information about each section, options for configuring the sections, a
## How the Windows Security app works with Windows security features
> [!IMPORTANT]
-> Microsoft Defender Antivirus and the Windows Security app use similarly named services for specific purposes.
+> Microsoft Defender Antivirus and the Windows Security app use similarly named services for specific purposes.
>
> The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Service*), which in turn utilizes the Windows Security Center Service (*wscsvc*). This service makes sure that the app provides the most up-to-date information about the protection status on the endpoint. This information includes protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection.
>
@@ -86,7 +73,7 @@ For more information about each section, options for configuring the sections, a
>
> Microsoft Defender Antivirus will be [disabled automatically when a third-party antivirus product is installed and kept up to date](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility).
>
-> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md).
+> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).
> [!WARNING]
> If you disable the Windows Security Center Service, or configure its associated group policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
diff --git a/windows/security/operating-system-security/toc.yml b/windows/security/operating-system-security/toc.yml
index a0ee50c4bb..8df8195bdd 100644
--- a/windows/security/operating-system-security/toc.yml
+++ b/windows/security/operating-system-security/toc.yml
@@ -1,6 +1,6 @@
items:
- name: Overview
- href: ../operating-system.md
+ href: index.md
- name: System security
href: system-security/toc.yml
- name: Virus and threat protection
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md
similarity index 97%
rename from windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
rename to windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md
index 3c1ed6dcea..1b896b0738 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md
@@ -1,18 +1,8 @@
---
title: Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings
description: A list of all available settings for Microsoft Defender SmartScreen using Group Policy and mobile device management (MDM) settings.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/28/2020
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.technology: itpro-security
+ms.date: 05/31/2023
ms.topic: reference
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
---
# Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
similarity index 98%
rename from windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
rename to windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
index aebf090b15..f474a45688 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
@@ -1,18 +1,10 @@
---
title: Enhanced Phishing Protection in Microsoft Defender SmartScreen
description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
-ms.prod: windows-client
-ms.technology: itpro-security
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.reviewer: paoloma
-manager: aaroncz
-ms.localizationpriority: medium
-ms.date: 10/07/2022
-adobe-target: true
+ms.date: 05/31/2023
+ms.topic: conceptual
appliesto:
- ✅ Windows 11, version 22H2
-ms.topic: conceptual
---
# Enhanced Phishing Protection in Microsoft Defender SmartScreen
@@ -40,7 +32,7 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc
- **Easy management through Group Policy and Microsoft Intune:** Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios show users warning dialogs. For example, the Service Enabled setting determines whether the Enhanced Phishing Protection service is on or off. The feature is in audit mode if the other settings, which correspond to notification policies, aren't enabled.
-[!INCLUDE [enhanced-phishing-protection-with-smartscreen](../../../../includes/licensing/enhanced-phishing-protection-with-smartscreen.md)]
+[!INCLUDE [enhanced-phishing-protection-with-smartscreen](../../../../../includes/licensing/enhanced-phishing-protection-with-smartscreen.md)]
## Configure Enhanced Phishing Protection for your organization
@@ -73,7 +65,7 @@ Enhanced Phishing Protection can be configured using the following Administrativ
#### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp)
Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][WIN-1].
-
+
| Setting | OMA-URI | Data type |
|-------------------------|---------------------------------------------------------------------------|-----------|
| **ServiceEnabled** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled` | Integer |
@@ -90,7 +82,7 @@ By default, Enhanced Phishing Protection is deployed in audit mode, preventing n
To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings.
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
-
+
|Settings catalog element|Recommendation|
|---------|---------|
|Service Enabled|**Enable**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.|
@@ -122,7 +114,7 @@ To better help you protect your organization, we recommend turning on and using
- [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
- [WebThreatDefense CSP][WIN-1]
-- [Threat protection](../index.md)
+- [Threat protection](index.md)
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/Microsoft-Defender-Smartscreen-submission.png b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/Microsoft-Defender-Smartscreen-submission.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-smartscreen/images/Microsoft-Defender-Smartscreen-submission.png
rename to windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/Microsoft-Defender-Smartscreen-submission.png
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg
new file mode 100644
index 0000000000..ace95add6b
--- /dev/null
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/intune.svg b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/intune.svg
new file mode 100644
index 0000000000..6e0d938aed
--- /dev/null
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/intune.svg
@@ -0,0 +1,24 @@
+
\ No newline at end of file
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/windows-os.svg b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/windows-os.svg
new file mode 100644
index 0000000000..da64baf975
--- /dev/null
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/windows-os.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
similarity index 91%
rename from windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
rename to windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
index b58a2be3ac..3940c5070c 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
@@ -1,19 +1,12 @@
---
title: Microsoft Defender SmartScreen overview
description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
+ms.date: 05/31/2023
+ms.topic: article
ms.localizationpriority: high
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-security
-adobe-target: true
ms.collection:
- tier2
- highpri
-ms.date: 03/20/2023
-ms.topic: article
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -42,13 +35,13 @@ Microsoft Defender SmartScreen provide an early warning system against websites
- **Reputation-based URL and app protection:** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users don't see any warnings. If there's no reputation, the item is marked as a higher risk and presents a warning to the user.
- **Operating system integration:** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system. It checks any files an app (including 3rd-party browsers and email clients) that attempts to download and run.
- **Improved heuristics and diagnostic data:** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files.
-- **Management through group policy and Microsoft Intune:** Microsoft Defender SmartScreen supports using both group policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen group policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md).
+- **Management through group policy and Microsoft Intune:** Microsoft Defender SmartScreen supports using both group policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen group policy and mobile device management (MDM) settings](available-settings.md).
- **Blocking URLs associated with potentially unwanted applications:** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
> [!IMPORTANT]
> SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares.
-[!INCLUDE [microsoft-defender-smartscreen](../../../../includes/licensing/microsoft-defender-smartscreen.md)]
+[!INCLUDE [microsoft-defender-smartscreen](../../../../../includes/licensing/microsoft-defender-smartscreen.md)]
## Submit files to Microsoft Defender SmartScreen for review
@@ -61,5 +54,4 @@ When submitting a file for Microsoft Defender SmartScreen, make sure to select *
## Related articles
- [SmartScreen frequently asked questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
-- [Available Microsoft Defender SmartScreen group policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md)
- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference)
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml
index a8c5cdf1e5..8e86c254c7 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml
+++ b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml
@@ -1,21 +1,26 @@
items:
-- name: Overview
- href: ../../threat-protection/index.md
-- name: Microsoft Defender Antivirus
- href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows
-- name: Configuring LSA Protection
- href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json
-- name: Attack surface reduction (ASR)
- href: /microsoft-365/security/defender-endpoint/attack-surface-reduction
-- name: Tamper protection for MDE
- href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
-- name: Microsoft Vulnerable Driver Blocklist
- href: ../../threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
-- name: Controlled folder access
- href: /microsoft-365/security/defender-endpoint/controlled-folders
-- name: Exploit protection
- href: /microsoft-365/security/defender-endpoint/exploit-protection
-- name: Microsoft Defender SmartScreen
- href: ../../threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
-- name: Microsoft Defender for Endpoint
- href: /microsoft-365/security/defender-endpoint
\ No newline at end of file
+ - name: Microsoft Defender Antivirus 🔗
+ href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows
+ - name: Configuring LSA Protection
+ href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
+ preserveContext: true
+ - name: Attack surface reduction (ASR) 🔗
+ href: /microsoft-365/security/defender-endpoint/attack-surface-reduction
+ - name: Tamper protection for MDE 🔗
+ href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
+ - name: Microsoft Vulnerable Driver Blocklist 🔗
+ href: ../../threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+ - name: Controlled folder access 🔗
+ href: /microsoft-365/security/defender-endpoint/controlled-folders
+ - name: Exploit protection 🔗
+ href: /microsoft-365/security/defender-endpoint/exploit-protection
+ - name: Microsoft Defender SmartScreen
+ items:
+ - name: Overview
+ href: microsoft-defender-smartscreen/index.md
+ - name: Available settings
+ href: microsoft-defender-smartscreen/available-settings.md
+ - name: Enhanced Phishing Protection
+ href: microsoft-defender-smartscreen/enhanced-phishing-protection.md
+ - name: Microsoft Defender for Endpoint 🔗
+ href: /microsoft-365/security/defender-endpoint
diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md
deleted file mode 100644
index 5a71a44832..0000000000
--- a/windows/security/operating-system.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: Windows operating system security
-description: Securing the operating system includes system security, encryption, network security, and threat protection.
-ms.reviewer:
-ms.topic: article
-manager: aaroncz
-ms.author: paoloma
-author: paolomatarazzo
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.date: 09/21/2021
----
-
-# Windows operating system security
-
-Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats.
-
-Watch the latest [Microsoft Mechanics Windows 11 security](https://youtu.be/tg9QUrnVFho) video that shows off some of the latest Windows 11 security technology.
-
-Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11.
**Enabled (default)**: Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.
**Disabled**: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Windows Security app notifies you that the overall security of the operating system has been reduced.|
+|Admin Approval Mode for the Built-in Administrator account|Controls the behavior of Admin Approval Mode for the built-in Administrator account.
**Enabled**: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege prompts the user to approve the operation.
**Disabled (default)** : The built-in Administrator account runs all applications with full administrative privilege.|
+|Switch to the secure desktop when prompting for elevation|This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
**Enabled (default)**: All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
**Disabled**: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.|
+|Behavior of the elevation prompt for administrators in Admin Approval Mode|Controls the behavior of the elevation prompt for administrators.
**Elevate without prompting**: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. **Use this option only in the most constrained environments**.
**Prompt for credentials on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
**Prompt for consent on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
**Prompt for credentials**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
**Prompt for consent**: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
**Prompt for consent for non-Windows binaries (default)**: When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.|
+|Behavior of the elevation prompt for standard users|Controls the behavior of the elevation prompt for standard users.
**Prompt for credentials (default)**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
**Automatically deny elevation requests**: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
**Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.|
+|Detect application installations and prompt for elevation|Controls the behavior of application installation detection for the computer.
**Enabled (default)**: When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
**Disabled**: App installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Microsoft Intune, should disable this policy setting. In this case, installer detection is unnecessary. |
+|Only elevate executables that are signed and validated|Enforces signature checks for any interactive applications that request elevation of privilege. IT admins can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local devices.
**Enabled**: Enforces the certificate certification path validation for a given executable file before it's permitted to run.
**Disabled (default)**: Doesn't enforce the certificate certification path validation before a given executable file is permitted to run.|
+|Only elevate UIAccess applications that are installed in secure locations|Controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following folders:
- `%ProgramFiles%`, including subfolders
- `%SystemRoot%\system32\`
- `%ProgramFiles(x86)%`, including subfolders
**Enabled (default)**: If an app resides in a secure location in the file system, it runs only with UIAccess integrity.
**Disabled**: An app runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.
**Note:** Windows enforces a digital signature check on any interactive apps that requests to run with a UIAccess integrity level regardless of the state of this setting.|
+|Allow UIAccess applications to prompt for elevation without using the secure desktop|Controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
**Enabled**: UIA programs, including Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the **Switch to the secure desktop when prompting for elevation** policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. This setting allows the remote administrator to provide the appropriate credentials for elevation. This policy setting doesn't change the behavior of the UAC elevation prompt for administrators. If you plan to enable this policy setting, you should also review the effect of the **Behavior of the elevation prompt for standard users** policy setting: if it's' configured as **Automatically deny elevation requests**, elevation requests aren't presented to the user.
**Disabled (default)**: The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **Switch to the secure desktop when prompting for elevation** policy setting.|
+|Virtualize File And Registry Write Failures To Per User Locations|Controls whether application write failures are redirected to defined registry and file system locations. This setting mitigates applications that run as administrator and write run-time application data to `%ProgramFiles%`, `%Windir%`, `%Windir%\system32`, or `HKLM\Software`.
**Enabled (default)**: App write failures are redirected at run time to defined user locations for both the file system and registry.
**Disabled**: Apps that write data to protected locations fail.|
+
+## User Account Control configuration
+
+To configure UAC, you can use:
+
+- Microsoft Intune/MDM
+- Group policy
+- Registry
+
+The following instructions provide details how to configure your devices. Select the option that best suits your needs.
+
+
+#### [:::image type="icon" source="../../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune)
+
+### Configure UAC with a Settings catalog policy
+
+To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-2], and use the settings listed under the category **`Local Policies Security Options`**:
+
+:::image type="content" source="./images/uac-settings-catalog.png" alt-text="Screenshot that shows the UAC policies in the Intune settings catalog." lightbox="./images/uac-settings-catalog.png" border="True":::
+
+Assign the policy to a security group that contains as members the devices or users that you want to configure.
+
+Alternatively, you can configure devices using a [custom policy][MEM-1] with the [LocalPoliciesSecurityOptions Policy CSP][WIN-1].\
+The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions`.
+
+|Setting|
+| - |
+| **Setting name**: Run all administrators in Admin Approval Mode
**Policy CSP name**: `UserAccountControl_RunAllAdministratorsInAdminApprovalMode`|
+| **Setting name**: Admin Approval Mode for the built-in Administrator account
**Policy CSP name**: `UserAccountControl_UseAdminApprovalMode`|
+| **Setting name**: Switch to the secure desktop when prompting for elevation
**Policy CSP name**: `UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation`|
+| **Setting name**: Behavior of the elevation prompt for administrators in Admin Approval Mode
**Policy CSP name**: `UserAccountControl_BehaviorOfTheElevationPromptForAdministrators`|
+| **Setting name**: Behavior of the elevation prompt for standard users
**Policy CSP name**: `UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers`|
+| **Setting name**: Detect application installations and prompt for elevation
**Policy CSP name**: `UserAccountControl_DetectApplicationInstallationsAndPromptForElevation`|
+| **Setting name**: Only elevate executables that are signed and validated
**Policy CSP name**: `UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated`|
+| **Setting name**: Only elevate UIAccess applications that are installed in secure locations
**Policy CSP name**: `UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations`|
+| **Setting name**: Allow UIAccess applications to prompt for elevation without using the secure desktop
**Policy CSP name**: `UserAccountControl_AllowUIAccessApplicationsToPromptForElevation`|
+| **Setting name**: Virtualize file and registry write failures to per-user locations
**Policy CSP name**: `UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations`|
+
+#### [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+
+You can use security policies to configure how User Account Control works in your organization. The policies can be configured locally by using the Local Security Policy snap-in (`secpol.msc`) or configured for the domain, OU, or specific groups by group policy.
+
+The policy settings are located under: `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options`.
+
+| Group Policy setting |Default value|
+| - | - |
+|User Account Control: Run all administrators in Admin Approval Mode| Enabled |
+|User Account Control: Admin Approval Mode for the built-in Administrator account| Disabled |
+|User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
+|User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode| Prompt for consent for non-Windows binaries |
+|User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials |
+|User Account Control: Detect application installations and prompt for elevation| Enabled (default for home only)
Disabled (default) |
+|User Account Control: Only elevate executables that are signed and validated| Disabled |
+|User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
+|User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop| Disabled |
+|User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
+
+#### [:::image type="icon" source="../../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+
+The registry keys are found under the key: `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`.
+
+| Setting name | Registry key name | Value |
+| - | - | - |
+| Run all administrators in Admin Approval Mode | `EnableLUA` | 0 = Disabled
1 (Default) = Enabled |
+| Admin Approval Mode for the built-in Administrator account | `FilterAdministratorToken` | 0 (Default) = Disabled
1 = Enabled |
+| Switch to the secure desktop when prompting for elevation| `PromptOnSecureDesktop` | 0 = Disabled
1 (Default) = Enabled |
+| Behavior of the elevation prompt for administrators in Admin Approval Mode| `ConsentPromptBehaviorAdmin` | 0 = Elevate without prompting
1 = Prompt for credentials on the secure desktop
2 = Prompt for consent on the secure desktop
3 = Prompt for credentials
4 = Prompt for consent
5 (Default) = Prompt for consent for non-Windows binaries|
+| Behavior of the elevation prompt for standard users | `ConsentPromptBehaviorUser` | 0 = Automatically deny elevation requests
1 = Prompt for credentials on the secure desktop
3 (Default) = Prompt for credentials |
+| Detect application installations and prompt for elevation | `EnableInstallerDetection` | 1 = Enabled (default for home only)
0 = Disabled (default) |
+| Only elevate executables that are signed and validated | `ValidateAdminCodeSignatures` | 0 (Default) = Disabled
1 = Enabled |
+| Only elevate UIAccess applications that are installed in secure locations | `EnableSecureUIAPaths` | 0 = Disabled
1 (Default) = Enabled |
+| Allow UIAccess applications to prompt for elevation without using the secure desktop | `EnableUIADesktopToggle` | 0 (Default) = Disabled
1 = Enabled |
+| Virtualize file and registry write failures to per-user locations | `EnableVirtualization` | 0 = Disabled
1 (Default) = Enabled |
+
+[WIN-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions
+[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
+[MEM-2]: /mem/intune/configuration/settings-catalog
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index a0d3dc4bea..888bca39ce 100644
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -156,14 +156,16 @@ Supported values:
### Protected client
-Applies more security settings to the sandbox Remote Desktop client, decreasing its attack surface.
+When Protected Client mode is enabled, Sandbox adds a new layer of security boundary by running inside an [AppContainer Isolation](/windows/win32/secauthz/appcontainer-isolation) execution environment.
+
+AppContainer Isolation provides Credential, Device, File, Network, Process, and Window isolation.
`
-
-| Service type | Description |
-|:---|:---|
-| Mobile device management (MDM) and Microsoft Intune | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.
Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.
To learn more, see [Mobile device management](/windows/client-management/mdm/). |
-| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.
The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.
To learn more, see [Microsoft Accounts](/windows-server/identity/ad-ds/manage/understand-microsoft-accounts).|
-| OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.
The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4).
If there's a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). |
-| Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.
With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.
To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) |
-
-## Next steps
-
-- [Learn more about MDM and Windows 11](/windows/client-management/mdm/)
-- [Learn more about Windows security](index.yml)
\ No newline at end of file
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index e387747efd..fe41572eb6 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -53,6 +53,7 @@
"folder_relative_path_in_docset": "./"
}
},
+ "titleSuffix": "Windows Security",
"contributors_to_exclude": [
"rjagiewich",
"traya1",
@@ -71,19 +72,43 @@
]
},
"fileMetadata": {
- "author": {
+ "author":{
+ "application-security/application-control/user-account-control/*.md": "paolomatarazzo",
"application-security/application-isolation/windows-sandbox/**/*.md": "vinaypamnani-msft",
"identity-protection/**/*.md": "paolomatarazzo",
+ "identity-protection/**/*.yml": "paolomatarazzo",
+ "operating-system-security/**/*.md": "vinaypamnani-msft",
+ "operating-system-security/**/*.yml": "vinaypamnani-msft",
+ "operating-system-security/data-protection/**/*.md": "paolomatarazzo",
+ "operating-system-security/data-protection/**/*.yml": "paolomatarazzo",
"operating-system-security/network-security/**/*.md": "paolomatarazzo",
- "operating-system-security/network-security/windows-firewall/**/*.md": "ngangulyms"
+ "operating-system-security/network-security/**/*.yml": "paolomatarazzo",
+ "operating-system-security/network-security/windows-firewall/**/*.md": "ngangulyms",
+ "operating-system-security/network-security/windows-firewall/**/*.yml": "ngangulyms"
},
- "ms.author": {
+ "ms.author":{
+ "application-security/application-control/user-account-control/*.md": "paoloma",
+ "application-security/application-control/user-account-control/*.yml": "paoloma",
"application-security/application-isolation/windows-sandbox/**/*.md": "vinpa",
"identity-protection/**/*.md": "paoloma",
+ "identity-protection/**/*.yml": "paoloma",
+ "operating-system-security/**/*.md": "vinpa",
+ "operating-system-security/**/*.yml": "vinpa",
+ "operating-system-security/data-protection/**/*.md": "paoloma",
+ "operating-system-security/data-protection/**/*.yml": "paoloma",
"operating-system-security/network-security/**/*.md": "paoloma",
- "operating-system-security/network-security/windows-firewall/*.md": "nganguly"
+ "operating-system-security/network-security/**/*.yml": "paoloma",
+ "operating-system-security/network-security/windows-firewall/*.md": "nganguly",
+ "operating-system-security/network-security/windows-firewall/*.yml": "nganguly"
},
"appliesto": {
+ "threat-protection/windows-defender-application-control/applocker/*.md": [
+ "✅ Windows 11",
+ "✅ Windows 10",
+ "✅ Windows Server 2022",
+ "✅ Windows Server 2019",
+ "✅ Windows Server 2016"
+ ],
"application-security/application-isolation/windows-sandbox/**/*.md": [
"✅ Windows 11",
"✅ Windows 10"
@@ -120,6 +145,30 @@
"✅ Windows Server 2019",
"✅ Windows Server 2016"
],
+ "operating-system-security/**/*.md": [
+ "✅ Windows 11",
+ "✅ Windows 10"
+ ],
+ "operating-system-security/data-protection/**/*.md": [
+ "✅ Windows 11",
+ "✅ Windows 10",
+ "✅ Windows Server 2022",
+ "✅ Windows Server 2019",
+ "✅ Windows Server 2016"
+ ],
+ "operating-system-security/data-protection/**/*.yml": [
+ "✅ Windows 11",
+ "✅ Windows 10",
+ "✅ Windows Server 2022",
+ "✅ Windows Server 2019",
+ "✅ Windows Server 2016"
+ ],
+ "operating-system-security/data-protection/personal-data-encryption/*.md": [
+ "✅ Windows 11"
+ ],
+ "operating-system-security/data-protection/personal-data-encryption/*.yml": [
+ "✅ Windows 11"
+ ],
"operating-system-security/network-security/windows-firewall/**/*.md": [
"✅ Windows 11",
"✅ Windows 10",
@@ -133,16 +182,17 @@
"identity-protection/credential-guard/*.md": "zwhittington",
"identity-protection/access-control/*.md": "sulahiri",
"operating-system-security/network-security/windows-firewall/*.md": "paoloma",
- "operating-system-security/network-security/vpn/*.md": "pesmith"
+ "operating-system-security/network-security/vpn/*.md": "pesmith",
+ "operating-system-security/data-protection/personal-data-encryption/*.md":"rhonnegowda"
},
"ms.collection": {
"identity-protection/hello-for-business/*.md": "tier1",
- "information-protection/bitlocker/*.md": "tier1",
- "information-protection/personal-data-encryption/*.md": "tier1",
"information-protection/pluton/*.md": "tier1",
"information-protection/tpm/*.md": "tier1",
"threat-protection/auditing/*.md": "tier3",
"threat-protection/windows-defender-application-control/*.md": "tier3",
+ "operating-system-security/data-protection/bitlocker/*.md": "tier1",
+ "operating-system-security/data-protection/personal-data-encryption/*.md": "tier1",
"operating-system-security/network-security/windows-firewall/*.md": "tier3"
}
},
diff --git a/windows/security/hardware.md b/windows/security/hardware.md
index 0baa5e3748..0c5081037f 100644
--- a/windows/security/hardware.md
+++ b/windows/security/hardware.md
@@ -22,4 +22,5 @@ These new threats call for computing hardware that is secure down to the very co
| Hardware-based root of trust with Windows Defender System Guard | To protect critical resources such as Windows authentication, single sign-on tokens, Windows Hello, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
Windows Defender System Guard helps protect and maintain the integrity of the system as it starts up and validate that system integrity has truly been maintained through local and remote attestation.
Learn more about [How a hardware-based root of trust helps protect Windows](threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) and [System Guard Secure Launch and SMM protection](threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md). |
| Enable virtualization-based protection of code integrity | Hypervisor-protected Code Integrity (HVCI) is a virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity.
HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS uses the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system.
Learn more: [Enable virtualization-based protection of code integrity](threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md).
| Kernel Direct Memory Access (DMA) Protection | PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks. Memory access protection (also known as Kernel DMA Protection) protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC.
Learn more about [Kernel DMA Protection](information-protection/kernel-dma-protection-for-thunderbolt.md). |
-| Secured-core PCs | Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that feature deeply integrated hardware, firmware, and software to ensure enhanced security for devices, identities, and data.
Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data.
Learn more about [Secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).|
+| Secured-core PCs | Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that feature deeply integrated hardware, firmware, and software to ensure enhanced security for devices, identities, and data.
Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data.
Learn more about [Secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).|
+
diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
deleted file mode 100644
index 510e690593..0000000000
--- a/windows/security/identity-protection/configure-s-mime.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-title: Configure S/MIME for Windows
-description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them.
-ms.topic: article
-ms.date: 07/27/2017
----
-
-
-# Configure S/MIME for Windows
-
-S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with.
-
-## About message encryption
-
-Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys.
-
-Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipients whose encryption certificate is not available, the app will prompt you to remove these recipients before sending the email.
-
-## About digital signatures
-
-A digitally signed message reassures the recipient that the message hasn't been tampered with and verifies the identity of the sender. Recipients can only verify the digital signature if they're using an email client that supports S/MIME.
-
-[!INCLUDE [email-encryption-smime](../../../includes/licensing/email-encryption-smime.md)]
-
-## Prerequisites
-
-- [S/MIME is enabled for Exchange accounts](/microsoft-365/security/office-365-security/s-mime-for-message-signing-and-encryption) (on-premises and Office 365). Users can't use S/MIME signing and encryption with a personal account such as Outlook.com.
-- Valid Personal Information Exchange (PFX) certificates are installed on the device.
-
- - [How to Create PFX Certificate Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/mt131410(v=technet.10))
- - [Enable access to company resources using certificate profiles with Microsoft Intune](/mem/intune/protect/certificates-configure)
-
-## Choose S/MIME settings
-
-On the device, perform the following steps: (add select certificate)
-
-1. Open the Mail app.
-
-2. Open **Settings** by tapping the gear icon on a PC, or the ellipsis (...) and then the gear icon on a phone.
-
- :::image type="content" alt-text="settings icon in mail app." source="images/mailsettings.png":::
-
-3. Tap **Email security**.
-
- :::image type="content" alt-text="email security settings." source="images/emailsecurity.png":::
-
-4. In **Select an account**, select the account for which you want to configure S/MIME options.
-
-5. Make a certificate selection for digital signature and encryption.
-
- - Select **Automatically** to let the app choose the certificate.
- - Select **Manually** to specify the certificate yourself from the list of valid certificates on the device.
-6. (Optional) Select **Always sign with S/MIME**, **Always encrypt with S/MIME**, or both, to automatically digitally sign or encrypt all outgoing messages.
-
- > [!NOTE]
- > The option to sign or encrypt can be changed for individual messages, unless EAS policies prevent it.
-
-7. Tap the back arrow.
-
-## Encrypt or sign individual messages
-
-1. While composing a message, choose **Options** from the ribbon. On phone, **Options** can be accessed by tapping the ellipsis (...).
-
-2. Use **Sign** and **Encrypt** icons to turn on digital signature and encryption for this message.
-
- :::image type="content" alt-text="sign or encrypt message." source="images/signencrypt.png":::
-
-## Read signed or encrypted messages
-
-When you receive an encrypted message, the mail app will check whether there is a certificate available on your computer. If there is a certificate available, the message will be decrypted when you open it. If your certificate is stored on a smartcard, you will be prompted to insert the smartcard to read the message. Your smartcard may also require a PIN to access the certificate.
-
-## Install certificates from a received message
-
-When you receive a signed email, the app provides a feature to install corresponding encryption certificate on your device if the certificate is available. This certificate can then be used to send encrypted email to this person.
-
-1. Open a signed email.
-
-2. Tap or click the digital signature icon in the reading pane.
-
-3. Tap **Install.**
-
- :::image type="content" alt-text="message security information." source="images/installcert.png":::
-
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index d4f8cceb8d..47f0d59394 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@@ -1,24 +1,24 @@
---
-title: Enterprise Certificate Pinning
-description: Enterprise certificate pinning is a Windows feature for remembering; or pinning a root issuing certificate authority, or end entity certificate to a given domain name.
+title: Enterprise certificate pinning
+description: Enterprise certificate pinning is a Windows feature for remembering, or pinning, a root issuing certificate authority, or end-entity certificate to a domain name.
ms.topic: conceptual
-ms.date: 07/27/2017
+ms.date: 05/24/2023
---
-# Enterprise Certificate Pinning
+# Enterprise certificate pinning overview
-Enterprise certificate pinning is a Windows feature for remembering, or pinning a root issuing certificate authority or end entity certificate to a given domain name.
-Enterprise certificate pinning helps reduce man-in-the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates.
+Enterprise certificate pinning is a Windows feature for remembering (pinning), a root issuing certificate authority, or end-entity certificate, to a domain name.\
+The feature helps to reduce man-in-the-middle attacks by protecting internal domain names from chaining to unwanted or fraudulently issued certificates.
> [!NOTE]
> External domain names, where the certificate issued to these domains is issued by a public certificate authority, are not ideal for enterprise certificate pinning.
-Windows Certificate APIs (CertVerifyCertificateChainPolicy and WinVerifyTrust) are updated to check if the site's chain that authenticates servers matches a restricted set of certificates.
-These restrictions are encapsulated in a Pin Rules Certificate Trust List (CTL) that is configured and deployed to Windows 10 computers.
-Any site certificate that triggers a name mismatch causes Windows to write an event to the CAPI2 event log and prevents the user from navigating to the web site using Microsoft Edge or Internet Explorer.
+Windows Certificate APIs (*CertVerifyCertificateChainPolicy* and *WinVerifyTrust*) are updated to check if the site's chain that authenticates servers matches a restricted set of certificates.\
+The restrictions are encapsulated in a *Pin Rules Certificate Trust List (CTL)* that is configured and deployed to Windows devices.\
+Any site certificates that trigger a name mismatch causes Windows to write an event to the *CAPI2 event log*, and prevents the user from browsing the web site.
> [!NOTE]
-> Enterprise Certificate Pinning feature triggering doesn't cause clients other than Microsoft Edge or Internet Explorer to block the connection.
+> Enterprise Certificate Pinning feature triggering doesn't cause clients other than Microsoft Edge to block the connection.
## Deployment
@@ -27,14 +27,14 @@ To deploy enterprise certificate pinning, you need to:
- Create a well-formatted certificate pinning rule XML file
- Create a pin rules certificate trust list file from the XML file
- Apply the pin rules certificate trust list file to a reference administrative computer
-- Deploy the registry configuration on the reference computer using Group Policy Management Console (GPMC), which is included in the [Remote Server Administration Tools (RSAT)](https://www.microsoft.com/download/details.aspx?id=45520).
+- Deploy the registry configuration on the reference computer via group policy
-### Create a Pin Rules XML file
+### Create a pin rules XML file
-The XML-based pin rules file consists of a sequence of PinRule elements.
+The XML-based pin rules file consists of a sequence of PinRule elements.
Each PinRule element contains a sequence of one or more Site elements and a sequence of zero or more Certificate elements.
-```code
+```xml
**Duration**, represented as an XML TimeSpan data type, doesn't allow years and months. You represent the **NextUpdate** attribute as an XML DateTime data type in UTC. | **Required?** Yes. At least one is required. |
+| **Duration** or **NextUpdate** | Specifies when the Pin Rules expires. Either is required. **NextUpdate** takes precedence if both are specified.
**Duration**, represented as an XML TimeSpan data type, doesn't allow years and months. You represent the **NextUpdate** attribute as an XML DateTime data type in UTC. | **Required?** Yes. At least one is required. |
| **LogDuration** or **LogEndDate** | Configures auditing only to extend beyond the expiration of enforcing the Pin Rules.
**LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified.
You represent **LogDuration** as an XML TimeSpan data type, which doesn't allow years and months.
If `none of the attributes are specified, auditing expiration uses **Duration** or **NextUpdate** attributes. | No. |
| **ListIdentifier** | Provides a friendly name for the list of pin rules. Windows doesn't use this attribute for certificate pinning enforcement; however, it's included when the pin rules are converted to a certificate trust list (CTL). | No. |
-#### PinRule Element
+#### PinRule element
-The **PinRule** element can have the following attributes.
+The **PinRule** element can have the following attributes.
| Attribute | Description | Required |
|-----------|-------------|----------|
-| **Name** | Uniquely identifies the **PinRule**. Windows uses this attribute to identify the element for a parsing error or for verbose output. The attribute isn't included in the generated certificate trust list (CTL). | Yes.|
-| **Error** | Describes the action Windows performs when it encounters a PIN mismatch. You can choose from the following string values:
- **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site.
- **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate doesn't match the name of the site. This typically results in prompting the user before accessing the site.
- **None** - The default value. No error is returned. You can use this setting to audit the pin rules without introducing any user friction. | No. |
+| **Name** | Uniquely identifies the **PinRule**. Windows uses the attribute to identify the element for a parsing error or for verbose output. The attribute isn't included in the generated certificate trust list (CTL). | Yes.|
+| **Error** | Describes the action Windows performs when it encounters a PIN mismatch. You can choose from the following string values:
- **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site.
- **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate doesn't match the name of the site. This typically results in prompting the user before accessing the site.
- **None** - The default value. No error is returned. You can use the setting to audit the pin rules without introducing any user friction. | No. |
| **Log** | A Boolean value represents a string that equals **true** or **false**. By default, logging is enabled (**true**). | No. |
-#### Certificate element
+#### Certificate element
The **Certificate** element can have the following attributes.
@@ -88,7 +88,7 @@ The **Certificate** element can have the following attributes.
| **File** | Path to a file containing one or more certificates. Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst
These files can also be Base64 formatted. All **Site** elements included in the same **PinRule** element can match any of these certificates. | Yes (File, Directory, or Base64 must be present). |
| **Directory** | Path to a directory containing one or more of the above certificate files. Skips any files not containing any certificates. | Yes (File, Directory, or Base64 must be present). |
| **Base64** | Base64 encoded certificate(s). Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst
This allows the certificates to be included in the XML file without a file directory dependency.
Note:
You can use **certutil -encode** to convert a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. | Yes (File, Directory, or Base64 must be present). |
-| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element's certificates.
If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and excludes the certificate(s) from the Pin Rule in the generated CTL.
For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).| No.|
+| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element's certificates.
If the current time is past the **EndDate**, when creating the certificate trust list (CTL) the parser outputs a warning message and excludes the certificate(s) from the Pin Rule in the generated CTL.
For help with formatting Pin Rules, see [Represent a date in XML](#represent-a-date-in-xml).| No.|
#### Site element
@@ -96,15 +96,15 @@ The **Site** element can have the following attributes.
| Attribute | Description | Required |
|-----------|-------------|----------|
-| **Domain** | Contains the DNS name to be matched for this pin rule. When creating the certificate trust list, the parser normalizes the input name string value as follows:
- If the DNS name has a leading "*", it's removed.
- Non-ASCII DNS name is converted to ASCII Puny Code.
- Upper case ASCII characters are converted to lower case.
If the normalized name has a leading ".", then wildcard left-hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.|
+| **Domain** | Contains the DNS name to be matched for this pin rule. When you create the certificate trust list, the parser normalizes the input name string value as follows:
- If the DNS name has a leading "*", it's removed.
- Non-ASCII DNS name is converted to ASCII Puny Code.
- Upper case ASCII characters are converted to lower case.
If the normalized name has a leading ".", then wildcard left-hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.|
| **AllSubdomains** | By default, wildcard left-hand label matching is restricted to a single left-hand label. This attribute can be set to "true" to enable wildcard matching of all of the left-hand labels.
For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value.| No.|
-### Create a Pin Rules Certificate Trust List
+### Create a pin rules certificate trust list
-The command line utility, **Certutil.exe**, includes the **generatePinRulesCTL** argument to parse the XML file and generate the encoded certificate trust list (CTL) that you add to your reference Windows 10 version 1703 computer and subsequently deploy.
-The usage syntax is:
+The *Certutil.exe* command includes the *generatePinRulesCTL* argument. The argument parses the XML file and generates the encoded certificate trust list (CTL) that you add to your reference Windows device and then deploy.
+The syntax is:
-```code
+```cmd
CertUtil [Options] -generatePinRulesCTL XMLFile CTLFile [SSTFile]
Generate Pin Rules CTL
XMLFile -- input XML file to be parsed.
@@ -118,40 +118,42 @@ Options:
-v -- Verbose operation
```
-The same certificate(s) can occur in multiple **PinRule** elements.
-The same domain can occur in multiple **PinRule** elements.
-Certutil coalesces these in the resultant pin rules certificate trust list.
+- The same certificate(s) can occur in multiple **PinRule** elements
+- The same domain can occur in multiple **PinRule** elements
+- Certutil coalesces these in the resultant pin rules certificate trust list
+- Certutil.exe doesn't strictly enforce the XML schema definition
-Certutil.exe doesn't strictly enforce the XML schema definition.
-It does perform the following to enable other tools to add/consume their own specific elements and attributes:
+Certutil performs the following to enable other tools to add/consume their own specific elements and attributes:
-- Skips elements before and after the **PinRules** element.
-- Skips any element not matching **Certificate** or **Site** within the **PinRules** element.
-- Skips any attributes not matching the above names for each element type.
+- Skips elements before and after the **PinRules** element
+- Skips any element not matching **Certificate** or **Site** within the **PinRules** element
+- Skips any attributes not matching the above names for each element type
-Use the **certutil** command with the **generatePinRulesCTL** argument along with your XML file that contains your certificate pinning rules.
+Use the *certutil* command with the *generatePinRulesCTL* argument along with your XML file that contains your certificate pinning rules.
Lastly, provide the name of an output file that will include your certificate pinning rules in the form of a certificate trust list.
-```code
+```cmd
certutil -generatePinRulesCTL certPinRules.xml pinrules.stl
```
-### Applying Certificate Pinning Rules to a Reference Computer
+### Apply certificate pinning rules to a reference computer
Now that your certificate pinning rules are in the certificate trust list format, you need to apply the settings to a reference computer as a prerequisite to deploying the setting to your enterprise.
To simplify the deployment configuration, it's best to apply your certificate pinning rules to a computer that has the Group Policy Management Console (GPMC) included in the Remote Server Administration Tools (RSAT).
-Use **certutil.exe** to apply your certificate pinning rules to your reference computer using the **setreg** argument.
-The **setreg** argument takes a secondary argument that determines the location of where certutil writes the certificate pining rules.
-This secondary argument is **chain\PinRules**.
-The last argument you provide is the name of file that contains your certificate pinning rules in certificate trust list format (.stl).
-You'll pass the name of the file as the last argument; however, you need to prefix the file name with the '@' symbol as shown in the following example.
-You need to perform this command from an elevated command prompt.
+Use *certutil.exe* to apply your certificate pinning rules to your reference computer using the *setreg* argument.\
+The *setreg* argument takes a secondary argument that determines the location of where certutil writes the certificate pining rules.\
+The secondary argument is *chain\PinRules*.\
+The last argument you provide is the name of file that contains your certificate pinning rules in certificate trust list format (`.stl`).\
+You pass the name of the file as the last argument. You must prefix the file name with the `@` symbol as in the following example:
-```code
+```cmd
Certutil -setreg chain\PinRules @pinrules.stl
```
+> [!NOTE]
+> You must execute the command from an elevated command prompt.
+
Certutil writes the binary information to the following registration location:
| Name | Value |
@@ -163,39 +165,39 @@ Certutil writes the binary information to the following registration location:
-### Deploying Enterprise Pin Rule Settings using Group Policy
+### Deploy enterprise pin rule settings using group policy
-You've successfully created a certificate pinning rules XML file.
-From the XML file you've created a certificate pinning trust list file, and you've applied the contents of that file to your reference computer from which you can run the Group Policy Management Console.
-Now you need to configure a Group Policy object to include the applied certificate pin rule settings and deploy it to your environment.
+From the XML file, you've created a certificate pinning trust list file. Then, you've applied the content of the file to your reference device from which you can run the Group Policy Management Console.
+
+The next step consists of configuring a group policy object that includes the applied certificate pin rule settings, and deploy it in your environment.
Sign-in to the reference computer using domain administrator equivalent credentials.
-1. Start the **Group Policy Management Console** (gpmc.msc)
-2. In the navigation pane, expand the forest node and then expand the domain node.
-3. Expand the node that contains your Active Directory's domain name
-4. Select the **Group Policy objects** node. Right-click the **Group Policy objects** node and click **New**.
-5. In the **New GPO** dialog box, type _Enterprise Certificate Pinning Rules_ in the **Name** text box and click **OK**.
-6. In the content pane, right-click the **Enterprise Certificate Pinning Rules** Group Policy object and click **Edit**.
-7. In the **Group Policy Management Editor**, in the navigation pane, expand the **Preferences** node under **Computer Configuration**. Expand **Windows Settings**.
-8. Right-click the **Registry** node and click **New**.
-9. In the **New Registry Properties** dialog box, select **Update** from the **Action** list. Select **HKEY_LOCAL_MACHINE** from the **Hive** list.
-10. For the **Key Path**, click **…** to launch the **Registry Item Browser**. Navigate to the following registry key and select the **PinRules** registry value name:
+1. Start the **Group Policy Management Console** (gpmc.msc)
+1. In the navigation pane, expand the forest node and then expand the domain node
+1. Expand the node that contains your Active Directory's domain name
+1. Select the **Group Policy objects** node. Right-click the **Group Policy objects** node and select **New**
+1. In the **New GPO** dialog box, type _Enterprise Certificate Pinning Rules_ in the **Name** text box and select **OK**
+1. In the content pane, right-click the **Enterprise Certificate Pinning Rules** Group Policy object and select **Edit**
+1. In the **Group Policy Management Editor**, in the navigation pane, expand the **Preferences** node under **Computer Configuration**. Expand **Windows Settings**
+1. Right-click the **Registry** node and select **New**
+1. In the **New Registry Properties** dialog box, select **Update** from the **Action** list. Select **HKEY_LOCAL_MACHINE** from the **Hive** list
+1. For the **Key Path**, select **…** to launch the **Registry Item Browser**. Navigate to the following registry key and select the **PinRules** registry value name:
- HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config
+ `HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config`
- Click **Select** to close the **Registry Item Browser**.
+ Select **Select** to close the **Registry Item Browser**
-11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REG\_BINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box.
+1. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REG\_BINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Select **OK** to save your settings and close the dialog box
- 
+ 
-12. Close the **Group Policy Management Editor** to save your settings.
-13. Link the **Enterprise Certificate Pinning Rules** Group Policy object to apply to computers that run Windows 10, version 1703 in your enterprise. When these domain-joined computers apply Group Policy, the registry information configured in the Group Policy object is applied to the computer.
+1. Close the **Group Policy Management Editor** to save your settings
+1. Link the **Enterprise Certificate Pinning Rules** GPO to the OU containing the devices that you want to configure
-## Additional Pin Rules Logging
+## Additional pin rules logging
-To assist in constructing certificate pinning rules, you can configure the **PinRulesLogDir** setting under the certificate chain configuration registry key to include a parent directory to log pin rules.
+To help constructing certificate pinning rules, you can configure the **PinRulesLogDir** setting under the certificate chain configuration registry key to include a parent directory to log pin rules.
| Name | Value |
|------|-------|
@@ -204,12 +206,12 @@ To assist in constructing certificate pinning rules, you can configure the **Pin
| Value | The Parent directory where Windows should write the additional pin rule logs |
| Data type | REG_SZ |
-### Permission for the Pin Rule Log Folder
+### Permission for the pin rule log folder
-The folder in which Windows writes the additional pin rule logs must have permissions so that all users and applications have full access.
-You can run the following commands from an elevated command prompt to achieve the proper permissions.
+The folder in which Windows writes the additional pin rule logs must have permissions so that all users and applications have full access.
+You can run the following commands from an elevated command prompt to achieve the proper permissions.
-```code
+```cmd
set PinRulesLogDir=c:\PinRulesLog
mkdir %PinRulesLogDir%
icacls %PinRulesLogDir% /grant *S-1-15-2-1:(OI)(CI)(F)
@@ -218,64 +220,61 @@ icacls %PinRulesLogDir% /grant *S-1-5-12:(OI)(CI)(F)
icacls %PinRulesLogDir% /inheritance:e /setintegritylevel (OI)(CI)L
```
-Whenever an application verifies a TLS/SSL certificate chain that contains a server name matching a DNS name in the server certificate, Windows writes a .p7b file consisting of all the certificates in the server's chain to one of three child folders:
+When an application verifies a TLS/SSL certificate chain that contains a server name matching a DNS name in the server certificate, Windows writes a .p7b file consisting of all the certificates in the server's chain to one of three child folders:
-- AdminPinRules
- Matched a site in the enterprise certificate pinning rules.
-- AutoUpdatePinRules
- Matched a site in the certificate pinning rules managed by Microsoft.
-- NoPinRules
- Didn't match any site in the certificate pin rules.
+- `AdminPinRules`: Matched a site in the enterprise certificate pinning rules
+- `AutoUpdatePinRules`: Matched a site in the certificate pinning rules managed by Microsoft
+- `NoPinRules`: Didn't match any site in the certificate pin rules
-The output file name consists of the leading eight ASCII hex digits of the root's SHA1 thumbprint followed by the server name.
+The output file name consists of the leading eight ASCII hex digits of the root's SHA1 thumbprint followed by the server name.
For example:
- `D4DE20D0_xsi.outlook.com.p7b`
- `DE28F4A4_www.yammer.com.p7b`
-If there's either an enterprise certificate pin rule or a Microsoft certificate pin rule mismatch, then Windows writes the .p7b file to the **MismatchPinRules** child folder.
+If there's either an enterprise certificate pin rule or a Microsoft certificate pin rule mismatch, then Windows writes the .p7b file to the **MismatchPinRules** child folder.
If the pin rules have expired, then Windows writes the .p7b to the **ExpiredPinRules** child folder.
-## Representing a Date in XML
+## Represent a date in XML
-Many attributes within the pin rules xml file are dates.
-These dates must be properly formatted and represented in UTC.
-You can use Windows PowerShell to format these dates.
-You can then copy and paste the output of the cmdlet into the XML file.
+Many attributes within the pin rules xml file are dates.\
+These dates must be properly formatted and represented in UTC.\
+You can use Windows PowerShell to format these dates.\
+You can then copy and paste the output of the cmdlet into the XML file.
For simplicity, you can truncate decimal point (.) and the numbers after it.
However, be certain to append the uppercase "Z" to the end of the XML date string.
-```code
+```cmd
2015-05-11T07:00:00.2655691Z
2015-05-11T07:00:00Z
```
-## Converting an XML Date
+## Convert an XML date
You can also use Windows PowerShell to validate and convert an XML date into a human readable date to validate it's the correct date.
-## Representing a Duration in XML
+## Represent a duration in XML
-Some elements may be configured to use a duration rather than a date.
-You must represent the duration as an XML timespan data type.
+Some elements may be configured to use a duration rather than a date.
+You must represent the duration as an XML timespan data type.
You can use Windows PowerShell to properly format and validate durations (timespans) and copy and paste them into your XML file.
-## Converting an XML Duration
+## Convert an XML duration
You can convert an XML formatted timespan into a timespan variable that you can read.
-## Certificate Trust List XML Schema Definition (XSD)
+## Certificate trust list XML schema definition (XSD)
-```code
+```xml
%1 = Windows error code
%2 = Smart card reader name
%3 = IOCTL being canceled
%4 = First 4 bytes of the command that was sent to the smart card |
+| 620 | Smart Card Resource Manager was unable to cancel IOCTL %3 for reader '%2': %1. The reader may no longer be responding. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs if the Resource Manager attempts to cancel a command to the smart card reader when the smart card service is shutting down or after a smart card is removed from the smart card reader and the command couldn't be canceled. This can leave the smart card reader in an unusable state until it's removed from the computer or the computer is restarted.
%1 = Windows error code
%2 = Smart card reader name
%3 = IOCTL being canceled
%4 = First 4 bytes of the command that was sent to the smart card |
| 619 | Smart Card Reader '%2' hasn't responded to IOCTL %3 in %1 seconds. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs when a reader hasn't responded to an IOCTL after an unusually long period of time. Currently, this error is sent after a reader doesn't respond for 150 seconds. This can leave the smart card reader in an unusable state until it's removed from the computer or the computer is restarted.
%1 = Number of seconds the IOCTL has been waiting
%2 = Smart card reader name
%3 = IOCTL sent
%4 = First 4 bytes of the command that was sent to the smart card |
## Smart card error events
| **Event ID** | **Error Message** | **Description** |
|--------------|--------------------------------------------|-------------------------------------------------------------------------------|
-| 202 | Failed to initialize Server Application | An error occurred, and the service cannot initialize properly. Restarting the computer may resolve the issue. |
-| 203 | Server Control has no memory for reader reference object. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
-| 204 | Server Control failed to create shutdown event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 202 | Failed to initialize Server Application | An error occurred, and the service can't initialize properly. Restarting the computer may resolve the issue. |
+| 203 | Server Control has no memory for reader reference object. | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
+| 204 | Server Control failed to create shutdown event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
| 205 | Reader object has duplicate name: %1 | There are two smart card readers that have the same name. Remove the smart card reader that is causing this error message.
%1 = Name of the smart card reader that is duplicated |
-| 206 | Failed to create global reader change event. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
-| 401 | Reader shutdown exception from eject smart card command | A smart card reader could not eject a smart card while the smart card reader was shutting down. |
-| 406 | Reader object cannot Identify Device | A smart card reader did not properly respond to a request for information about the device, which is required for constructing the smart card reader name. The smart card reader will not be recognized by the service until it's removed from the computer and reinserted or until the computer is restarted. |
-| 502 | Initialization of Service Status Critical Section failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
-| 504 | Resource Manager cannot create shutdown event flag: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
-| 506 | Smart Card Resource Manager failed to register service: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 206 | Failed to create global reader change event. | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
+| 401 | Reader shutdown exception from eject smart card command | A smart card reader couldn't eject a smart card while the smart card reader was shutting down. |
+| 406 | Reader object can't Identify Device | A smart card reader didn't properly respond to a request for information about the device, which is required for constructing the smart card reader name. The smart card reader won't be recognized by the service until it's removed from the computer and reinserted or until the computer is restarted. |
+| 502 | Initialization of Service Status Critical Section failed | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
+| 504 | Resource Manager can't create shutdown event flag: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 506 | Smart Card Resource Manager failed to register service: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
| 506 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
-| 507 | No memory available for Service Status Critical Section | There is not enough system memory available. This prevents the service from managing the status. Restarting the computer may resolve the issue. |
+| 507 | No memory available for Service Status Critical Section | There isn't enough system memory available. This prevents the service from managing the status. Restarting the computer may resolve the issue. |
| 508 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
| 509 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
| 510 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
| 511 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
| 512 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
| 513 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
-| 514 | Smart Card Resource Manager failed to add reader %2: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code
%2 = Smart card reader name |
-| 515 | Smart Card Resource Manager failed to declare state: %1 | This is an internal unrecoverable error that indicates a failure in the smart card service. The smart card service may not operate properly. Restarting the service or computer may resolve this issue.
%1 = Windows error code |
-| 516 | Smart Card Resource Manager Failed to declare shutdown: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The smart card service may not be able to stop. Restarting the computer may resolve this issue.
%1 = Windows error code |
-| 517 | Smart Card Resource Manager received unexpected exception attempting to add reader %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Smart card reader name |
+| 514 | Smart Card Resource Manager failed to add reader %2: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code
%2 = Smart card reader name |
+| 515 | Smart Card Resource Manager failed to declare state: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The smart card service may not operate properly. Restarting the service or computer may resolve this issue.
%1 = Windows error code |
+| 516 | Smart Card Resource Manager Failed to declare shutdown: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The smart card service may not be able to stop. Restarting the computer may resolve this issue.
%1 = Windows error code |
+| 517 | Smart Card Resource Manager received unexpected exception attempting to add reader %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Smart card reader name |
| 521 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
| 523 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
-| 602 | WDM Reader driver initialization cannot open reader device: %1 | The service cannot open a communication channel with the smart card reader. You cannot use the smart card reader until the issue is resolved.
%1 = Windows error code |
-| 603 | WDM Reader driver initialization has no memory available to control device %1 | There is not enough system memory available. This prevents the service from managing the smart card reader that was added. Restarting the computer may resolve the issue.
%1 = Name of affected reader |
-| 604 | Server control cannot set reader removal event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
-| 605 | Reader object failed to create overlapped event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
-| 606 | Reader object failed to create removal event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
-| 607 | Reader object failed to start monitor thread: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
-| 608 | Reader monitor failed to create power down timer: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
-| 609 | Reader monitor failed to create overlapped event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
-| 610 | Smart Card Reader '%2' rejected IOCTL %3: %1 If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader cannot successfully transmit the indicated IOCTL to the smart card. This can indicate hardware failure, but this error can also occur if a smart card or smart card reader is removed from the system while an operation is in progress.
%1 = Windows error code
%2 = Name of the smart card reader
%3 = IOCTL that was sent
%4 = First 4 bytes of the command sent to the smart card
These events are caused by legacy functionality in the smart card stack. It can be ignored if there is no noticeable failure in the smart card usage scenarios. You might also see this error if your eSIM is recognized as a smartcard controller.|
-| 611 | Smart Card Reader initialization failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve this issue. |
-| 612 | Reader insertion monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code |
-| 615 | Reader removal monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code |
-| 616 | Reader monitor '%2' received uncaught error code: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code
%2 = Reader name |
-| 617 | Reader monitor '%1' exception -- exiting thread | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Smart card reader name |
-| 618 | Smart Card Resource Manager encountered an unrecoverable internal error. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
-| 621 | Server Control failed to access start event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code
These events are caused by legacy functionality in the smart card stack. It can be ignored if there is no noticeable failure in the smart card usage scenarios. |
-| 622 | Server Control failed to access stop event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 602 | WDM Reader driver initialization can't open reader device: %1 | The service can't open a communication channel with the smart card reader. You can't use the smart card reader until the issue is resolved.
%1 = Windows error code |
+| 603 | WDM Reader driver initialization has no memory available to control device %1 | There isn't enough system memory available. This prevents the service from managing the smart card reader that was added. Restarting the computer may resolve the issue.
%1 = Name of affected reader |
+| 604 | Server control can't set reader removal event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 605 | Reader object failed to create overlapped event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 606 | Reader object failed to create removal event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 607 | Reader object failed to start monitor thread: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 608 | Reader monitor failed to create power down timer: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 609 | Reader monitor failed to create overlapped event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 610 | Smart Card Reader '%2' rejected IOCTL %3: %1 If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader can't successfully transmit the indicated IOCTL to the smart card. This can indicate hardware failure, but this error can also occur if a smart card or smart card reader is removed from the system while an operation is in progress.
%1 = Windows error code
%2 = Name of the smart card reader
%3 = IOCTL that was sent
%4 = First 4 bytes of the command sent to the smart card
These events are caused by legacy functionality in the smart card stack. It can be ignored if there's no noticeable failure in the smart card usage scenarios. You might also see this error if your eSIM is recognized as a smartcard controller.|
+| 611 | Smart Card Reader initialization failed | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve this issue. |
+| 612 | Reader insertion monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it isn't recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code |
+| 615 | Reader removal monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it isn't recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code |
+| 616 | Reader monitor '%2' received uncaught error code: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it isn't recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code
%2 = Reader name |
+| 617 | Reader monitor '%1' exception -- exiting thread | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it isn't recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Smart card reader name |
+| 618 | Smart Card Resource Manager encountered an unrecoverable internal error. | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
+| 621 | Server Control failed to access start event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code
These events are caused by legacy functionality in the smart card stack. It can be ignored if there's no noticeable failure in the smart card usage scenarios. |
+| 622 | Server Control failed to access stop event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
## Smart card Plug and Play events
| **Event ID** | **Event type** | **Event Message** | **Description** |
|--------------|----------------|-----------------------------------------------------------------------------------------|----------------|
-| 1000 | Error | Could not get device ID for smart card in reader %1. The return code is %2. | Smart card Plug and Play could not obtain the device ID for the smart card. This information is required to determine the correct driver. The smart card may be defective.
%1 = Smart card reader name
%2 = Windows error code |
+| 1000 | Error | Couldn't get device ID for smart card in reader %1. The return code is %2. | Smart card Plug and Play couldn't obtain the device ID for the smart card. This information is required to determine the correct driver. The smart card may be defective.
%1 = Smart card reader name
%2 = Windows error code |
| 1001 | Information | Software successfully installed for smart card in reader %1. The smart card name is %2. | Smart card Plug and Play successfully installed a minidriver for the inserted card.
%1 = Smart card reader name
%2 = Name of new smart card device |
## See also
diff --git a/windows/security/identity-protection/toc.yml b/windows/security/identity-protection/toc.yml
index c90f5b2316..f1d265b8cb 100644
--- a/windows/security/identity-protection/toc.yml
+++ b/windows/security/identity-protection/toc.yml
@@ -22,28 +22,28 @@ items:
displayName: VSC
- name: Enterprise Certificate Pinning
href: enterprise-certificate-pinning.md
+ - name: Account Lockout Policy 🔗
+ href: ../threat-protection/security-policy-settings/account-lockout-policy.md
+ - name: Technical support policy for lost or forgotten passwords
+ href: password-support-policy.md
+ - name: Windows LAPS (Local Administrator Password Solution) 🔗
+ displayName: LAPS
+ href: /windows-server/identity/laps/laps-overview
+ - name: Enhanced Phishing Protection in Microsoft Defender SmartScreen
+ href: ../operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
+ displayName: EPP
+ - name: Access Control
+ items:
+ - name: Overview
+ href: access-control/access-control.md
+ displayName: ACL
+ - name: Local Accounts
+ href: access-control/local-accounts.md
+ - name: Security policy settings 🔗
+ href: ../threat-protection/security-policy-settings/security-policy-settings.md
- name: Advanced credential protection
items:
- - name: Account Lockout Policy 🔗
- href: ../threat-protection/security-policy-settings/account-lockout-policy.md
- - name: Technical support policy for lost or forgotten passwords
- href: password-support-policy.md
- - name: Windows LAPS (Local Administrator Password Solution) 🔗
- displayName: LAPS
- href: /windows-server/identity/laps/laps-overview
- - name: Enhanced Phishing Protection in Microsoft Defender SmartScreen
- href: ../threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
- displayName: EPP
- - name: Access Control
- items:
- - name: Overview
- href: access-control/access-control.md
- displayName: ACL
- - name: Local Accounts
- href: access-control/local-accounts.md
- - name: Security policy settings 🔗
- href: ../threat-protection/security-policy-settings/security-policy-settings.md
- name: Windows Defender Credential Guard
href: credential-guard/toc.yml
- - name: Windows Defender Remote Credential Guard
- href: remote-credential-guard.md
\ No newline at end of file
+ - name: Windows Defender Remote Credential Guard
+ href: remote-credential-guard.md
\ No newline at end of file
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
deleted file mode 100644
index 97c4196886..0000000000
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ /dev/null
@@ -1,179 +0,0 @@
----
-title: How User Account Control works
-description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
-ms.collection:
- - highpri
- - tier2
-ms.topic: article
-ms.date: 09/23/2021
----
-
-# How User Account Control works
-
-User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
-
-## UAC process and interactions
-
-Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.
-
-To better understand how this process happens, let's look at the Windows logon process.
-
-### Logon process
-
-The following shows how the logon process for an administrator differs from the logon process for a standard user.
-
-
-
-By default, standard users and administrators access resources and run apps in the security context of standard users. When a user logs on to a computer, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges.
-
-When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed. The standard user access token is used to start apps that do not perform administrative tasks (standard user apps). The standard user access token is then used to display the desktop (explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token.
-
-A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).
-
-### The UAC User Experience
-
-When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows, is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt.
-
-The alternative to running as a standard user is to run as an administrator in Admin Approval Mode. With the built-in UAC elevation component, members of the local Administrators group can easily perform an administrative task by providing approval. The default, built-in UAC elevation component for an administrator account in Admin Approval Mode is called the consent prompt.
-
-**The consent and credential prompts**
-
-With UAC enabled, Windows prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed.
-
-**The consent prompt**
-
-The consent prompt is presented when a user attempts to perform a task that requires a user's administrative access token. The following is an example of the UAC consent prompt.
-
-:::image type="content" source="images/uacconsentprompt.png" alt-text="UAC consent prompt.":::
-
-**The credential prompt**
-
-The credential prompt is presented when a standard user attempts to perform a task that requires a user's administrative access token. Administrators can also be required to provide their credentials by setting the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting value to **Prompt for credentials**.
-
-The following is an example of the UAC credential prompt.
-
-:::image type="content" source="images/uaccredentialprompt.png" alt-text="UAC credential prompt.":::
-
-**UAC elevation prompts**
-
-The UAC elevation prompts are color-coded to be app-specific, enabling for immediate identification of an application's potential security risk. When an app attempts to run with an administrator's full access token, Windows first analyzes the executable file to determine its publisher. Apps are first separated into three categories based on the file's publisher: Windows 10 or Windows 11, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows determines which color elevation prompt to present to the user.
-
-The elevation prompt color-coding is as follows:
-
-- Red background with a red shield icon: The app is blocked by Group Policy or is from a publisher that is blocked.
-- Blue background with a blue and gold shield icon: The application is a Windows 10 and Windows 11 administrative app, such as a Control Panel item.
-- Blue background with a blue shield icon: The application is signed by using Authenticode and is trusted by the local computer.
-- Yellow background with a yellow shield icon: The application is unsigned or signed but is not yet trusted by the local computer.
-
-**Shield icon**
-
-Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screenshot of the **Date and Time Properties** Control Panel item.
-
-:::image type="content" source="images/uacshieldicon.png" alt-text="UAC Shield Icon in Date and Time Properties":::
-
-The shield icon on the **Change date and time** button indicates that the process requires a full administrator access token and will display a UAC elevation prompt.
-
-**Securing the elevation prompt**
-
-The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows 10 and Windows 11. Only Windows processes can access the secure desktop. For higher levels of security, we recommend keeping the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting enabled.
-
-When an executable file requests elevation, the interactive desktop, also called the user desktop, is switched to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be responded to before continuing. When the user clicks **Yes** or **No**, the desktop switches back to the user desktop.
-
-Malware can present an imitation of the secure desktop, but when the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting is set to **Prompt for consent**, the malware does not gain elevation if the user clicks **Yes** on the imitation. If the policy setting is set to **Prompt for credentials**, malware imitating the credential prompt may be able to gather the credentials from the user. However, the malware does not gain elevated privilege and the system has other protections that mitigate malware from taking control of the user interface even with a harvested password.
-
-While malware could present an imitation of the secure desktop, this issue cannot occur unless a user previously installed the malware on the PC. Because processes requiring an administrator access token cannot silently install when UAC is enabled, the user must explicitly provide consent by clicking **Yes** or by providing administrator credentials. The specific behavior of the UAC elevation prompt is dependent upon Group Policy.
-
-## UAC Architecture
-
-The following diagram details the UAC architecture.
-
-
-
-To better understand each component, review the table below:
-
-### User
-
-|Component|Description|
-|--- |--- |
-|
Disabled (default for enterprise) |
-| [User Account Control: Only elevate executables that are signed and validated](#user-account-control-only-elevate-executables-that-are-signed-and-validated) | ValidateAdminCodeSignatures | Disabled |
-| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | EnableSecureUIAPaths | Enabled |
-| [User Account Control: Run all administrators in Admin Approval Mode](#user-account-control-run-all-administrators-in-admin-approval-mode) | EnableLUA | Enabled |
-| [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | PromptOnSecureDesktop | Enabled |
-| [User Account Control: Virtualize file and registry write failures to per-user locations](#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | EnableVirtualization | Enabled |
-
-### User Account Control: Admin Approval Mode for the built-in Administrator account
-
-The **User Account Control: Admin Approval Mode for the built-in Administrator account** policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.
-
-The options are:
-
-- **Enabled.** The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
-- **Disabled.** (Default) The built-in Administrator account runs all applications with full administrative privilege.
-
-
-### User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
-
-The **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
-
-The options are:
-
-- **Enabled.** UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
-- **Disabled.** (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting.
-
-UIA programs are designed to interact with Windows and application programs on behalf of a user. This policy setting allows UIA programs to bypass the secure desktop to increase usability in certain cases; however, allowing elevation requests to appear on the interactive desktop instead of the secure desktop can increase your security risk.
-
-UIA programs must be digitally signed because they must be able to respond to prompts regarding security issues, such as the UAC elevation prompt. By default, UIA programs are run only from the following protected paths:
-
-- ...\\Program Files, including subfolders
-- ...\\Program Files (x86), including subfolders for 64-bit versions of Windows
-- ...\\Windows\\System32
-
-The **User Account Control: Only elevate UIAccess applications that are installed in secure locations** policy setting disables the requirement to be run from a protected path.
-
-While this policy setting applies to any UIA program, it is primarily used in certain remote assistance scenarios, including the Windows Remote Assistance program in Windows 7.
-
-If a user requests remote assistance from an administrator and the remote assistance session is established, any elevation prompts appear on the interactive user's secure desktop and the administrator's remote session is paused. To avoid pausing the remote administrator's session during elevation requests, the user may select the **Allow IT Expert to respond to User Account Control prompts** check box when setting up the remote assistance session. However, selecting this check box requires that the interactive user respond to an elevation prompt on the secure desktop. If the interactive user is a standard user, the user does not have the required credentials to allow elevation.
-
-If you enable this policy setting, requests for elevation are automatically sent to the interactive desktop (not the secure desktop) and also appear on the remote administrator's view of the desktop during a remote assistance session. This allows the remote administrator to provide the appropriate credentials for elevation.
-
-This policy setting does not change the behavior of the UAC elevation prompt for administrators.
-
-If you plan to enable this policy setting, you should also review the effect of the **User Account Control: Behavior of the elevation prompt for standard users** policy setting. If it is configured as **Automatically deny elevation requests**, elevation requests are not presented to the user.
-
-
-### User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
-
-The **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting controls the behavior of the elevation prompt for administrators.
-
-The options are:
-
-- **Elevate without prompting.** Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials.
-
- **Note** Use this option only in the most constrained environments.
-
-- **Prompt for credentials on the secure desktop.** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
-- **Prompt for consent on the secure desktop.** When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.
-- **Prompt for credentials.** When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-- **Prompt for consent.** When an operation requires elevation of privilege, the user is prompted to select either **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.
-- **Prompt for consent for non-Windows binaries.** (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.
-
-
-### User Account Control: Behavior of the elevation prompt for standard users
-
-The **User Account Control: Behavior of the elevation prompt for standard users** policy setting controls the behavior of the elevation prompt for standard users.
-
-The options are:
-
-- **Automatically deny elevation requests.** When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
-- **Prompt for credentials on the secure desktop.** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-- **Prompt for credentials.** (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-
-### User Account Control: Detect application installations and prompt for elevation
-
-The **User Account Control: Detect application installations and prompt for elevation** policy setting controls the behavior of application installation detection for the computer.
-
-The options are:
-
-- **Enabled.** (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-- **Disabled.** (Default for enterprise) Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
-
-### User Account Control: Only elevate executables that are signed and validated
-
-The **User Account Control: Only elevate executables that are signed and validated** policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
-
-The options are:
-
-- **Enabled.** Enforces the PKI certification path validation for a given executable file before it is permitted to run.
-- **Disabled.** (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.
-
-### User Account Control: Only elevate UIAccess applications that are installed in secure locations
-
-The **User Account Control: Only elevate UIAccess applications that are installed in secure locations** policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
-
-- ...\\Program Files, including subfolders
-- ...\\Windows\\system32
-- ...\\Program Files (x86), including subfolders for 64-bit versions of Windows
-
-**Note** Windows enforces a PKI signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
-
-The options are:
-
-- **Enabled.** (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
-- **Disabled.** An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
-
-### User Account Control: Run all administrators in Admin Approval Mode
-
-The **User Account Control: Run all administrators Admin Approval Mode** policy setting controls the behavior of all UAC policy settings for the computer. If you change this policy setting, you must restart your computer.
-
-The options are:
-
-- **Enabled.** (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the **Administrators** group to run in Admin Approval Mode.
-- **Disabled.** Admin Approval Mode and all related UAC policy settings are disabled.
-
-**Note** If this policy setting is disabled, the Windows Security app notifies you that the overall security of the operating system has been reduced.
-
-### User Account Control: Switch to the secure desktop when prompting for elevation
-
-The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
-
-The options are:
-
-- **Enabled.** (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
-- **Disabled.** All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
-
-When this policy setting is enabled, it overrides the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting. The following table describes the behavior of the elevation prompt for each of the administrator policy settings when the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is enabled or disabled.
-
-| Administrator policy setting | Enabled | Disabled |
-| - | - | - |
-| **Prompt for credentials on the secure desktop** | The prompt appears on the secure desktop. | The prompt appears on the secure desktop. |
-| **Prompt for consent on the secure desktop** | The prompt appears on the secure desktop. | The prompt appears on the secure desktop. |
-| **Prompt for credentials** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
-| **Prompt for consent** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
-| **Prompt for consent for non-Windows binaries** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
-
-When this policy setting is enabled, it overrides the **User Account Control: Behavior of the elevation prompt for standard users** policy setting. The following table describes the behavior of the elevation prompt for each of the standard user policy settings when the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is enabled or disabled.
-
-| Standard policy setting | Enabled | Disabled |
-| - | - | - |
-| **Automatically deny elevation requests** | No prompt. The request is automatically denied. | No prompt. The request is automatically denied. |
-| **Prompt for credentials on the secure desktop** | The prompt appears on the secure desktop. | The prompt appears on the secure desktop. |
-| **Prompt for credentials** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
-
-### User Account Control: Virtualize file and registry write failures to per-user locations
-
-The **User Account Control: Virtualize file and registry write failures to per-user locations** policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software.
-
-The options are:
-
-- **Enabled.** (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.
-- **Disabled.** Applications that write data to protected locations fail.
-
-## Registry key settings
-
-The registry keys are found in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System**. For information about each of the registry keys, see the associated Group Policy description.
-
-| Registry key | Group Policy setting | Registry setting |
-| - | - | - |
-| FilterAdministratorToken | [User Account Control: Admin Approval Mode for the built-in Administrator account](#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | 0 (Default) = Disabled
1 = Enabled |
-| EnableUIADesktopToggle | [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | 0 (Default) = Disabled
1 = Enabled |
-| ConsentPromptBehaviorAdmin | [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | 0 = Elevate without prompting
1 = Prompt for credentials on the secure desktop
2 = Prompt for consent on the secure desktop
3 = Prompt for credentials
4 = Prompt for consent
5 (Default) = Prompt for consent for non-Windows binaries
|
-| ConsentPromptBehaviorUser | [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | 0 = Automatically deny elevation requests
1 = Prompt for credentials on the secure desktop
3 (Default) = Prompt for credentials |
-| EnableInstallerDetection | [User Account Control: Detect application installations and prompt for elevation](#user-account-control-detect-application-installations-and-prompt-for-elevation) | 1 = Enabled (default for home)
0 = Disabled (default for enterprise) |
-| ValidateAdminCodeSignatures | [User Account Control: Only elevate executables that are signed and validated](#user-account-control-only-elevate-executables-that-are-signed-and-validated) | 0 (Default) = Disabled
1 = Enabled |
-| EnableSecureUIAPaths | [User Account Control: Only elevate UIAccess applications that are installed in secure locations](#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | 0 = Disabled
1 (Default) = Enabled |
-| EnableLUA | [User Account Control: Run all administrators in Admin Approval Mode](#user-account-control-run-all-administrators-in-admin-approval-mode) | 0 = Disabled
1 (Default) = Enabled |
-| PromptOnSecureDesktop | [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | 0 = Disabled
1 (Default) = Enabled |
-| EnableVirtualization | [User Account Control: Virtualize file and registry write failures to per-user locations](#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | 0 = Disabled
1 (Default) = Enabled |
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
deleted file mode 100644
index b3db8ed5ef..0000000000
--- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md
+++ /dev/null
@@ -1,36 +0,0 @@
----
-title: User Account Control overview
-description: Learn about User Account Control (UAC) and how it helps preventing malware from damaging a device and helps organizations deploy a better-managed desktop.
-ms.collection:
- - highpri
- - tier2
-ms.topic: conceptual
-ms.date: 05/18/2023
----
-
-# User Account Control overview
-
-User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
-
-UAC allows all users to log on to their computers using a standard user account. Processes launched using a standard user token may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user permissions. Many apps, including those that are included with the operating system itself, are designed to work properly in this way.
-
-Other apps, especially those that were not specifically designed with security settings in mind, often require additional permissions to run successfully. These types of apps are referred to as legacy apps. Additionally, actions such as installing new software and making configuration changes to the Windows Firewall, require more permissions than what is available to a standard user account.
-
-When an app needs to run with more than standard user rights, UAC allows users to run apps with their administrator token (with administrative groups and privileges) instead of their default, standard user access token. Users continue to operate in the standard user security context, while enabling certain apps to run with elevated privileges, if needed.
-
-[!INCLUDE [user-account-control-uac](../../../../includes/licensing/user-account-control-uac.md)]
-
-## Practical applications
-
-Admin Approval Mode in UAC helps prevent malware from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process.
-
-## Next steps
-
-Learn more about UAC and how to configure it for your organization.
-
-| Topic | Description |
-| - | - |
-| [How User Account Control works](how-user-account-control-works.md) | User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. |
-| [User Account Control security policy settings](user-account-control-security-policy-settings.md) | You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. |
-| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. |
-
\ No newline at end of file
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
deleted file mode 100644
index c2f4f1019a..0000000000
--- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
+++ /dev/null
@@ -1,94 +0,0 @@
----
-title: User Account Control security policy settings
-description: You can use security policies to configure how User Account Control works in your organization.
-ms.topic: article
-ms.date: 09/24/2021
----
-
-# User Account Control security policy settings
-
-You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy.
-
-## User Account Control: Admin Approval Mode for the Built-in Administrator account
-
-This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.
-
-- **Enabled** The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
-- **Disabled** (Default) The built-in Administrator account runs all applications with full administrative privilege.
-
-## User Account Control: Allow UIAccess application to prompt for elevation without using the secure desktop
-
-This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
-
-- **Enabled** UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
-- **Disabled** (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.
-
-## User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
-
-This policy setting controls the behavior of the elevation prompt for administrators.
-
-- **Elevate without prompting** Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials.
-
- >**Note:** Use this option only in the most constrained environments.
-
-- **Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
-- **Prompt for consent on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
-- **Prompt for credentials** When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-- **Prompt for consent** When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
-- **Prompt for consent for non-Windows binaries** (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
-
-## User Account Control: Behavior of the elevation prompt for standard users
-
-This policy setting controls the behavior of the elevation prompt for standard users.
-
-- **Prompt for credentials** (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-- **Automatically deny elevation requests** When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
-- **Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-
-## User Account Control: Detect application installations and prompt for elevation
-
-This policy setting controls the behavior of application installation detection for the computer.
-
-- **Enabled** (Default) When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-- **Disabled** App installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Group Policy or Microsoft Intune should disable this policy setting. In this case, installer detection is unnecessary.
-
-## User Account Control: Only elevate executable files that are signed and validated
-
-This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
-
-- **Enabled** Enforces the certificate certification path validation for a given executable file before it's permitted to run.
-- **Disabled** (Default) Doesn't enforce the certificate certification path validation before a given executable file is permitted to run.
-
-## User Account Control: Only elevate UIAccess applications that are installed in secure locations
-
-This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following folders:
-
-- …\\Program Files\\, including subfolders
-- …\\Windows\\system32\\
-- …\\Program Files (x86)\\, including subfolders for 64-bit versions of Windows
-
->**Note:** Windows enforces a digital signature check on any interactive app that requests to run with a UIAccess integrity level regardless of the state of this security setting.
-
-- **Enabled** (Default) If an app resides in a secure location in the file system, it runs only with UIAccess integrity.
-- **Disabled** An app runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.
-
-## User Account Control: Turn on Admin Approval Mode
-
-This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
-
-- **Enabled** (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately. They'll allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
-- **Disabled** Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Windows Security app notifies you that the overall security of the operating system has been reduced.
-
-## User Account Control: Switch to the secure desktop when prompting for elevation
-
-This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
-
-- **Enabled** (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
-- **Disabled** All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
-
-## User Account Control: Virtualize file and registry write failures to per-user locations
-
-This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software.
-
-- **Enabled** (Default) App write failures are redirected at run time to defined user locations for both the file system and registry.
-- **Disabled** Apps that write data to protected locations fail.
diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
index 5cbde2e21f..c90399660a 100644
--- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
+++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
@@ -7,7 +7,7 @@ ms.date: 03/31/2023
# Windows Credential Theft Mitigation Guide Abstract
-This topic provides a summary of the Windows credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx).
+This article provides a summary of the Windows credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx).
This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages:
- Identify high-value assets
@@ -51,7 +51,7 @@ Many other countermeasures are also covered, such as using Microsoft Passport an
## Detecting credential attacks
-This sections covers how to detect the use of stolen credentials and how to collect computer events to help you detect credential theft.
+This section covers how to detect the use of stolen credentials and how to collect computer events to help you detect credential theft.
## Responding to suspicious activity
diff --git a/windows/security/includes/sections/application-application-control-overview.md b/windows/security/includes/sections/application-application-control-overview.md
new file mode 100644
index 0000000000..00b89b3535
--- /dev/null
+++ b/windows/security/includes/sections/application-application-control-overview.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Application Control features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)|Yes|Yes|Yes|Yes|
+|[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|
+|[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Application Control features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)|Yes|Yes|Yes|Yes|Yes|
+|[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|Yes|
+|[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/application-application-isolation-overview.md b/windows/security/includes/sections/application-application-isolation-overview.md
new file mode 100644
index 0000000000..ff7f030ea9
--- /dev/null
+++ b/windows/security/includes/sections/application-application-isolation-overview.md
@@ -0,0 +1,30 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Application Isolation features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)|Yes|Yes|Yes|Yes|
+|[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)|❌|Yes|❌|Yes|
+|Microsoft Defender Application Guard (MDAG) public APIs|❌|Yes|❌|Yes|
+|[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)|❌|Yes|❌|Yes|
+|[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)|❌|Yes|❌|Yes|
+|[Windows containers](/virtualization/windowscontainers/about/)|Yes|Yes|Yes|Yes|
+|[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Application Isolation features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)|❌|Yes|Yes|Yes|Yes|
+|Microsoft Defender Application Guard (MDAG) public APIs|❌|Yes|Yes|Yes|Yes|
+|[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)|❌|❌|❌|❌|❌|
+|[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)|❌|Yes|Yes|Yes|Yes|
+|[Windows containers](/virtualization/windowscontainers/about/)|Yes|Yes|Yes|Yes|Yes|
+|[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/application.md b/windows/security/includes/sections/application.md
new file mode 100644
index 0000000000..3f730cfd2e
--- /dev/null
+++ b/windows/security/includes/sections/application.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/06/2023
+ms.topic: include
+---
+
+## Application Control
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)** | User Account Control (UAC) helps prevent malware from damaging a device. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevents inadvertent changes to system settings. Enabling UAC helps to prevent malware from altering device settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. |
+| **[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means for addressing the threat of executable file-based malware.
Windows 10 and above include Windows Defender Application Control (WDAC) and AppLocker. WDAC is the next generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to WDAC for the stronger protection. |
+| **[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections, by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run that are predicted to be safe based on existing and new intelligence processed daily. Smart App Control builds on top of the same cloud-based AI used in Windows Defender Application Control (WDAC) to predict the safety of an application, so people can be confident they're using safe and reliable applications on their new Windows 11 devices, or Windows 11 devices that have been reset. |
+
+## Application Isolation
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites. |
+| **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)** | Microsoft Defender Application Guard protects users' desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigation in an anonymous and isolated Hyper-V based container, which is separate from the host operating system. With Enterprise mode, you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. |
+| **Microsoft Defender Application Guard (MDAG) public APIs** | Enable applications using them to be isolated Hyper-V based container, which is separate from the host operating system. |
+| **[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)** | Application Guard protects Office files including Word, PowerPoint, and Excel. Application icons have a small shield if Application Guard has been enabled and they are under protection. |
+| **[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)** | The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. |
+| **[Windows containers](/virtualization/windowscontainers/about/)** | Universal Windows Platform (UWP) applications run in Windows containers known as app containers. Processes that run in app containers operate with low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the filesystem, registry, and other resources. The app container also enforces restrictions on network connectivity; for example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape. |
+| **[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)** | Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based Hyper-V virtualization technology to isolate apps without fear of lasting impact to your PC. |
diff --git a/windows/security/includes/sections/cloud-services-protecting-your-work-information-overview.md b/windows/security/includes/sections/cloud-services-protecting-your-work-information-overview.md
new file mode 100644
index 0000000000..ecd8d4c9c6
--- /dev/null
+++ b/windows/security/includes/sections/cloud-services-protecting-your-work-information-overview.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Protecting Your Work Information features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)|Yes|Yes|Yes|Yes|
+|[Security baselines](/mem/intune/protect/security-baselines)|Yes|Yes|Yes|Yes|
+|[Remote wipe](/windows/client-management/mdm/remotewipe-csp)|Yes|Yes|Yes|Yes|
+|[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)|Yes|Yes|Yes|Yes|
+|[Universal Print](/universal-print/)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Protecting Your Work Information features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)|Yes|Yes|Yes|Yes|Yes|
+|[Security baselines](/mem/intune/protect/security-baselines)|Yes|Yes|Yes|Yes|Yes|
+|[Remote wipe](/windows/client-management/mdm/remotewipe-csp)|Yes|Yes|Yes|Yes|Yes|
+|[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)|Yes|Yes|Yes|Yes|Yes|
+|[Universal Print](/universal-print/)|❌|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/cloud-services-update-overview.md b/windows/security/includes/sections/cloud-services-update-overview.md
new file mode 100644
index 0000000000..b20a97756d
--- /dev/null
+++ b/windows/security/includes/sections/cloud-services-update-overview.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Update features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Windows Autopatch](/windows/deployment/windows-autopatch/)|❌|Yes|❌|Yes|
+|[Windows Autopilot](/windows/deployment/windows-autopilot)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Update features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Windows Autopatch](/windows/deployment/windows-autopatch/)|❌|Yes|Yes|❌|❌|
+|[Windows Autopilot](/windows/deployment/windows-autopilot)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/cloud-services.md b/windows/security/includes/sections/cloud-services.md
new file mode 100644
index 0000000000..defd2bea71
--- /dev/null
+++ b/windows/security/includes/sections/cloud-services.md
@@ -0,0 +1,23 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/06/2023
+ms.topic: include
+---
+
+## Protecting Your Work Information
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)** | Microsoft Azure Active Directory is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. |
+| **[Security baselines](/mem/intune/protect/security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.
Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. |
+| **[Remote wipe](/windows/client-management/mdm/remotewipe-csp)** | When a device is lost or stolen, IT administrators may want to remotely wipe data stored on the device. A helpdesk agent may also want to reset devices to fix issues encountered by remote workers.
With the Remote Wipe configuration service provider (CSP), an MDM solution can remotely initiate any of the following operations on a Windows device: reset the device and remove user accounts and data, reset the device and clean the drive, reset the device but persist user accounts and data. |
+| **[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. |
+| **[Universal Print](/universal-print/)** | Unlike traditional print solutions that rely on Windows print servers, Universal Print is a
Microsoft hosted cloud subscription service that supports a zero-trust security model by
enabling network isolation of printers, including the Universal Print connector software, from
the rest of the organization's resources. |
+
+## Update
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Windows Autopatch](/windows/deployment/windows-autopatch/)** | With the Autopatch service, IT teams can delegate management of updates to Windows 10/11, Microsoft Edge, and Microsoft 365 apps to Microsoft. Under the hood, Autopatch takes over configuration of the policies and deployment service of Windows Update for Business. What the customer gets are endpoints that are up to date, thanks to dynamically generated rings for progressive deployment that will pause and/or roll back updates (where possible) when issues arise.
The goal is to provide peace of mind to IT pros, encourage rapid adoption of updates, and to reduce bandwidth required to deploy them successfully, thereby closing gaps in protection that may have been open to exploitation by malicious actors. |
+| **[Windows Autopilot](/windows/deployment/windows-autopilot)** | Windows Autopilot simplifies the way devices get deployed, reset, and repurposed, with an experience that is zero touch for IT. |
diff --git a/windows/security/includes/sections/hardware-hardware-root-of-trust-overview.md b/windows/security/includes/sections/hardware-hardware-root-of-trust-overview.md
new file mode 100644
index 0000000000..f1f16ade3e
--- /dev/null
+++ b/windows/security/includes/sections/hardware-hardware-root-of-trust-overview.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Hardware Root-Of-Trust features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)|Yes|Yes|Yes|Yes|
+|[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)|Yes|Yes|Yes|Yes|
+|[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Hardware Root-Of-Trust features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)|Yes|Yes|Yes|Yes|Yes|
+|[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/hardware-silicon-assisted-security-secured-kernel-overview.md b/windows/security/includes/sections/hardware-silicon-assisted-security-secured-kernel-overview.md
new file mode 100644
index 0000000000..b6c18f1b62
--- /dev/null
+++ b/windows/security/includes/sections/hardware-silicon-assisted-security-secured-kernel-overview.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Silicon Assisted Security (Secured Kernel) features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)|Yes|Yes|Yes|Yes|
+|[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)|Yes|Yes|Yes|Yes|
+|[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)|Yes|Yes|Yes|Yes|
+|[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)|Yes|Yes|Yes|Yes|
+|[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Silicon Assisted Security (Secured Kernel) features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)|Yes|Yes|Yes|Yes|Yes|
+|[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)|Yes|Yes|Yes|Yes|Yes|
+|[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)|Yes|Yes|Yes|Yes|Yes|
+|[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)|Yes|Yes|Yes|Yes|Yes|
+|[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/hardware.md b/windows/security/includes/sections/hardware.md
new file mode 100644
index 0000000000..7488c5606c
--- /dev/null
+++ b/windows/security/includes/sections/hardware.md
@@ -0,0 +1,24 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/06/2023
+ms.topic: include
+---
+
+## Hardware Root-Of-Trust
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)** | In Secured-core PCs, Windows Defender System Guard Secure Launch protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit/bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. Firmware Attack Surface Reduction technology can be used instead of DRTM on supporting devices such as Microsoft Surface. |
+| **[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)** | TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, Windows Defender System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. The 2.0 version of the specification includes support for newer algorithms, which can improve driver signing and key generation performance.
Starting with Windows 10, Microsoft's hardware certification requires all new Windows PCs to include TPM 2.0 built in and enabled by default. With Windows 11, both new and upgraded devices must have TPM 2.0. |
+| **[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)** | Microsoft Pluton security processors are designed by Microsoft in partnership with silicon partners. Pluton enhances the protection of Windows devices with a hardware root-of-trust that provides additional protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface as it integrates the security chip directly into the processor. It can be used with a discreet TPM 2.0, or as a standalone security processor. When root of trust is located on a separate, discrete chip on the motherboard, the communication path between the root-of-trust and the CPU can be vulnerable to physical attack. Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPMs including BitLocker, Windows Hello, and Windows Defender System Guard.
In addition to providing root-of trust, Pluton also supports other security functionality beyond what is possible with the TPM 2.0 specification, and this extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. Pluton-enabled Windows 11 devices are available and the selection of options with Pluton is growing. |
+
+## Silicon Assisted Security (Secured Kernel)
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)** | In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest chips that harden the operating system against threats, such as by protecting the boot process, safeguarding the integrity of memory, isolating security sensitive compute logic, and more. Two examples include Virtualization-based security (VBS) and Hypervisor-protected code integrity (HVCI). Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel remains protected.
Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.
With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
+| **[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)** | Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps to prevent attacks that attempt to modify kernel mode code, such as drivers. The KMCI role is to check that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI helps to ensure that only validated code can be executed in kernel-mode.
Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.
With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
+| **[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)** | Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats such as memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack. |
+| **[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)** | Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs. The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows. Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root of trust. Virtualization-based security comes enabled by default. And with built-in hypervisor protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all executables are signed by known and approved authorities only. Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks. |
+| **[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. |
diff --git a/windows/security/includes/sections/identity-advanced-credential-protection-overview.md b/windows/security/includes/sections/identity-advanced-credential-protection-overview.md
new file mode 100644
index 0000000000..c8f646fb31
--- /dev/null
+++ b/windows/security/includes/sections/identity-advanced-credential-protection-overview.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Advanced Credential Protection features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Windows LAPS](/windows-server/identity/laps/laps-overview)|Yes|Yes|Yes|Yes|
+|[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)|Yes|Yes|Yes|Yes|
+|[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)|Yes|Yes|Yes|Yes|
+|[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)|Yes|Yes|Yes|Yes|
+|[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)|❌|Yes|❌|Yes|
+|[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Advanced Credential Protection features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Windows LAPS](/windows-server/identity/laps/laps-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)|Yes|Yes|Yes|Yes|Yes|
+|[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)|Yes|Yes|Yes|Yes|Yes|
+|[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)|Yes|Yes|Yes|Yes|Yes|
+|[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)|❌|Yes|Yes|Yes|Yes|
+|[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/identity-passwordless-sign-in-overview.md b/windows/security/includes/sections/identity-passwordless-sign-in-overview.md
new file mode 100644
index 0000000000..c2666f968d
--- /dev/null
+++ b/windows/security/includes/sections/identity-passwordless-sign-in-overview.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Passwordless Sign In features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)|Yes|Yes|Yes|Yes|
+|[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)|Yes|Yes|Yes|Yes|
+|[Windows Hello for Business Enhanced Security Sign-in (ESS) ](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)|Yes|Yes|Yes|Yes|
+|[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)|Yes|Yes|Yes|Yes|
+|[Federated sign-in](/education/windows/federated-sign-in)|❌|❌|Yes|Yes|
+|[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Passwordless Sign In features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)|Yes|Yes|Yes|Yes|Yes|
+|[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)|Yes|Yes|Yes|Yes|Yes|
+|[Windows Hello for Business Enhanced Security Sign-in (ESS) ](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)|Yes|Yes|Yes|Yes|Yes|
+|[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)|Yes|Yes|Yes|Yes|Yes|
+|[Federated sign-in](/education/windows/federated-sign-in)|❌|❌|❌|Yes|Yes|
+|[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/identity.md b/windows/security/includes/sections/identity.md
new file mode 100644
index 0000000000..b31aaf1ca9
--- /dev/null
+++ b/windows/security/includes/sections/identity.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/06/2023
+ms.topic: include
+---
+
+## Passwordless Sign In
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)** | Windows 11 devices can protect user identities by removing the need to use passwords from day one. It's easy to get started with the method that's right for your organization. A password may only need to be used once during the provisioning process, after which people use a PIN, face, or fingerprint to unlock credentials and sign into the device.
Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometrics data, and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business, depending on your organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers. |
+| **[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)** | Windows presence sensing provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to your presence to help you stay secure and productive, whether you're working at home, the office, or a public environment. Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to automatically lock your device when you leave, and then unlock your device and sign you in using Windows Hello facial recognition when you return. Requires OEM supporting hardware. |
+| **[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)** | Windows Hello biometrics also supports enhanced sign-in security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign in.
Enhanced sign-in security biometrics uses VBS and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated. These specialized components protect against a class of attacks that include biometric sample injection, replay, tampering, and more.
For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional class of attacks. |
+| **[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)** | Fast Identity Online (FIDO) defined CTAP and WebAuthN specifications are becoming the open standard for providing strong authentication that is non-phishable, user-friendly, and privacy-respecting with implementations from major platform providers and relying parties. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.
Windows 11 can use external FIDO2 security keys for authentication alongside or in addition to Windows Hello which is also a FIDO2 certified passwordless solution. Windows 11 can be used as a FIDO authenticator for many popular identity management services. |
+| **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with third-party identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. |
+| **[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)** | Organizations also have the option of using smart cards, an authentication method that pre-dates biometric sign in. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Smart cards can only be used to sign into domain accounts, not local accounts. When a password is used to sign into a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. |
+
+## Advanced Credential Protection
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Windows LAPS](/windows-server/identity/laps/laps-overview)** | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it. |
+| **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** | |
+| **[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. |
+| **[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)** | Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.
Access Control Lists (ACL) describe the permissions for a specific object and can also contain System Access Control Lists (SACL). SACLs provide a way to audit specific system level events, such as when a user attempt to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. |
+| **[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)** | Enabled by default in Windows 11 Enterprise, Windows Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Windows Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
By protecting the LSA process with Virtualization-based security, Windows Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. |
+| **[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Window Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
Administrator credentials are highly privileged and must be protected. When you use Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. |
diff --git a/windows/security/includes/sections/operating-system-data-protection-overview.md b/windows/security/includes/sections/operating-system-data-protection-overview.md
new file mode 100644
index 0000000000..68b64731f3
--- /dev/null
+++ b/windows/security/includes/sections/operating-system-data-protection-overview.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Data Protection features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)|Yes|Yes|Yes|Yes|
+|[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)|Yes|Yes|Yes|Yes|
+|[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)|Yes|Yes|Yes|Yes|
+|[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)|❌|Yes|❌|Yes|
+|[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Data Protection features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)|❌|Yes|Yes|Yes|Yes|
+|[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)|Yes|Yes|Yes|Yes|Yes|
+|[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)|❌|Yes|Yes|Yes|Yes|
+|[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/operating-system-modern-device-management-overview.md b/windows/security/includes/sections/operating-system-modern-device-management-overview.md
new file mode 100644
index 0000000000..b43f14f6ef
--- /dev/null
+++ b/windows/security/includes/sections/operating-system-modern-device-management-overview.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Modern Device Management features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)|Yes|Yes|Yes|Yes|
+|[Secured-core configuration lock](/windows/client-management/config-lock)|Yes|Yes|Yes|Yes|
+|[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Modern Device Management features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)|Yes|Yes|Yes|Yes|Yes|
+|[Secured-core configuration lock](/windows/client-management/config-lock)|Yes|Yes|Yes|Yes|Yes|
+|[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/operating-system-network-security-overview.md b/windows/security/includes/sections/operating-system-network-security-overview.md
new file mode 100644
index 0000000000..95b71a85f8
--- /dev/null
+++ b/windows/security/includes/sections/operating-system-network-security-overview.md
@@ -0,0 +1,36 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Network Security features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)|Yes|Yes|Yes|Yes|
+|Bluetooth pairing and connection protection|Yes|Yes|Yes|Yes|
+|[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)|Yes|Yes|Yes|Yes|
+|Opportunistic Wireless Encryption (OWE)|Yes|Yes|Yes|Yes|
+|[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)|Yes|Yes|Yes|Yes|
+|[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)|Yes|Yes|Yes|Yes|
+|[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)|❌|Yes|❌|Yes|
+|[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)|❌|Yes|❌|Yes|
+|[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)|Yes|Yes|Yes|Yes|
+|[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Network Security features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)|Yes|Yes|Yes|Yes|Yes|
+|Bluetooth pairing and connection protection|Yes|Yes|Yes|Yes|Yes|
+|[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)|Yes|Yes|Yes|Yes|Yes|
+|Opportunistic Wireless Encryption (OWE)|Yes|Yes|Yes|Yes|Yes|
+|[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)|Yes|Yes|Yes|Yes|Yes|
+|[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)|Yes|Yes|Yes|Yes|Yes|
+|[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)|❌|Yes|Yes|Yes|Yes|
+|[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)|❌|Yes|Yes|Yes|Yes|
+|[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/operating-system-system-security-overview.md b/windows/security/includes/sections/operating-system-system-security-overview.md
new file mode 100644
index 0000000000..426c265aca
--- /dev/null
+++ b/windows/security/includes/sections/operating-system-system-security-overview.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all System Security features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Secure Boot and Trusted Boot](/windows/security/trusted-boot)|Yes|Yes|Yes|Yes|
+|[Measured boot](/windows/compatibility/measured-boot)|Yes|Yes|Yes|Yes|
+|[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all System Security features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Secure Boot and Trusted Boot](/windows/security/trusted-boot)|Yes|Yes|Yes|Yes|Yes|
+|[Measured boot](/windows/compatibility/measured-boot)|Yes|Yes|Yes|Yes|Yes|
+|[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/operating-system-virus-and-threat-protection-overview.md b/windows/security/includes/sections/operating-system-virus-and-threat-protection-overview.md
new file mode 100644
index 0000000000..4853fdc620
--- /dev/null
+++ b/windows/security/includes/sections/operating-system-virus-and-threat-protection-overview.md
@@ -0,0 +1,34 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Virus And Threat Protection features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)|Yes|Yes|Yes|Yes|
+|Local Security Authority (LSA) Protection|Yes|Yes|Yes|Yes|
+|[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)|Yes|Yes|Yes|Yes|
+|[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)|Yes|Yes|Yes|Yes|
+|[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)|Yes|Yes|Yes|Yes|
+|[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)|Yes|Yes|Yes|Yes|
+|[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)|Yes|Yes|Yes|Yes|
+|[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)|Yes|Yes|Yes|Yes|
+|[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Virus And Threat Protection features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)|Yes|Yes|Yes|Yes|Yes|
+|Local Security Authority (LSA) Protection|Yes|Yes|Yes|Yes|Yes|
+|[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)|Yes|Yes|Yes|Yes|Yes|
+|[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)|Yes|Yes|Yes|Yes|Yes|
+|[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)|Yes|Yes|Yes|Yes|Yes|
+|[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)|Yes|Yes|Yes|Yes|Yes|
+|[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)|Yes|Yes|Yes|Yes|Yes|
+|[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)|❌|❌|Yes|❌|Yes|
diff --git a/windows/security/includes/sections/operating-system.md b/windows/security/includes/sections/operating-system.md
new file mode 100644
index 0000000000..9cc73a7b96
--- /dev/null
+++ b/windows/security/includes/sections/operating-system.md
@@ -0,0 +1,61 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/06/2023
+ms.topic: include
+---
+
+## System Security
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Secure Boot and Trusted Boot](/windows/security/trusted-boot)** | Secure Boot and Trusted Boot help to prevent malware and corrupted components from loading when a device starts.
Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure the system boots up safely and securely. |
+| **[Measured boot](/windows/compatibility/measured-boot)** | Measured Boot measures all important code and configuration settings during the boot of Windows. This includes: the firmware, boot manager, hypervisor, kernel, secure kernel and operating system. Measured Boot stores the measurements in the TPM on the machine, and makes them available in a log that can be tested remotely to verify the boot state of the client.
The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components that started before it. The antimalware software can use the log to determine whether components that ran before it are trustworthy, or if they are infected with malware. The antimalware software on the local machine can send the log to a remote server for evaluation. The remote server may initiate remediation actions, either by interacting with software on the client, or through out-of-band mechanisms, as appropriate. |
+| **[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and have not been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Azure Active Directory for conditional access. |
+
+## Virus And Threat Protection
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)** | Microsoft Defender Antivirus is a protection solution included in all versions of Windows. From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help keep your device safe and protect it from threats. Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection.
The combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA) which are applications that are deemed to negatively impact your device but are not considered malware. |
+| **Local Security Authority (LSA) Protection** | Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows logins. LSA handles tokens and credentials such as passwords that are used for single sign-on to a Microsoft account and Azure services. To help protect these credentials, additional LSA protection only allows loading of trusted, signed code and provides significant protection against Credential theft.
LSA protection is enabled by default on new, enterprise joined Windows 11 devices with added support for non-UEFI lock and policy management controls via MDM and group policy. |
+| **[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)** | Attack surface reduction (ASR) rules help to prevent software behaviors that are often abused to compromise your device or network. By reducing the number of attack surfaces, you can reduce the overall vulnerability of your organization.
Administrators can configure specific ASR rules to help block certain behaviors, such as launching executable files and scripts that attempt to download or run files, running obfuscated or otherwise suspicious scripts, performing behaviors that apps don't usually initiate during normal day-to-day work. |
+| **[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities. |
+| **[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.
Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt-in to enforce the policy from the Windows Security app. |
+| **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders.
Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware. |
+| **[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use MDM or group policy to distribute the configuration file to multiple devices. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. |
+| **[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |
+| **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)** | Microsoft Defender for Endpoint is an enterprise endpoint detection and response solution that helps security teams to detect, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents: endpoint behavioral sensors, cloud security analytics, threat intelligence and rich response capabilities. |
+
+## Network Security
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a network. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average, and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. |
+| **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. |
+| **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | Wi-Fi Protected Access (WPA) is a security certification programs designed to secure wireless networks. WPA3 is the latest version of the certification and provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes: WPA3 personal with the Hash-to-Element (H2E) protocol, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.
Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication. |
+| **Opportunistic Wireless Encryption (OWE)** | Opportunistic Wireless Encryption (OWE) is a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots. |
+| **[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Securityprovides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
+| **[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.
In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls. |
+| **[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)** | |
+| **[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)** | DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections.
With DirectAccess connections, remote devices are always connected to the organization and there's no need for remote users to start and stop connections. |
+| **[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)** | SMB Encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. In Windows 11, the SMB protocol has significant security updates, including AES-256 bits encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of more advanced security or continue to use the more compatible, and still-safe, AES-128 encryption. |
+| **[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)** | SMB Direct (SMB over remote direct memory access) is a storage protocol that enables direct memory-to-memory data transfers between device and storage, with minimal CPU usage, while using standard RDMA-capable network adapters.
SMB Direct supports encryption, and now you can operate with the same safety as traditional TCP and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Now data is encrypted before placement, leading to relatively minor performance degradation while adding AES-128 and AES-256 protected packet privacy. |
+
+## Data Protection
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)** | The BitLocker CSP allows an MDM solution, like Microsoft Intune, to manage the BitLocker encryption features on Windows devices. This includes OS volumes, fixed drives and removeable storage, and recovery key management into Azure AD. |
+| **[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune, using a configuration service provider (CSP).
BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. |
+| **[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.
By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. |
+| **[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow.
Windows Hello for Business is used to protect the container which houses the encryption keys used by PDE. When the user signs in, the container gets authenticated to release the keys in the container to decrypt user content. |
+| **[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital ID (certificate) can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message has not been tampered with. The encrypted messages can be sent by a user to other users within their organization or external contacts if they have proper encryption certificates. |
+
+## Modern Device Management
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Microsoft provides a robust set of security settings policies that IT administrators can use to protect Windows devices and other resources in their organization. |
+| **[Secured-core configuration lock](/windows/client-management/config-lock)** | In an enterprise organization, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Secured-core configuration lock (config lock) is a Secured-core PC feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds. |
+| **[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)** | Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: A single-app kiosk that runs a single Universal Windows Platform (UWP) app in full screen above the lock screen, or A multi-app kiosk that runs one or more apps from the desktop.
Kiosk configurations are based on Assigned Access, a feature in Windows that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. |
diff --git a/windows/security/includes/sections/privacy.md b/windows/security/includes/sections/privacy.md
new file mode 100644
index 0000000000..cb5118754a
--- /dev/null
+++ b/windows/security/includes/sections/privacy.md
@@ -0,0 +1,6 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
diff --git a/windows/security/includes/sections/security-foundations-certification-overview.md b/windows/security/includes/sections/security-foundations-certification-overview.md
new file mode 100644
index 0000000000..78601c07dd
--- /dev/null
+++ b/windows/security/includes/sections/security-foundations-certification-overview.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Certification features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)|Yes|Yes|Yes|Yes|
+|[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Certification features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)|Yes|Yes|Yes|Yes|Yes|
+|[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/security-foundations.md b/windows/security/includes/sections/security-foundations.md
new file mode 100644
index 0000000000..8c3cd14c92
--- /dev/null
+++ b/windows/security/includes/sections/security-foundations.md
@@ -0,0 +1,13 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/06/2023
+ms.topic: include
+---
+
+## Certification
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)** | Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. CC defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements. Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products. |
+| **[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)** | The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140 standard, having validated cryptographic modules against FIPS 140-2 since it was first established in 2001. Multiple Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules. |
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 535f5f269a..b2bf33a31a 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -57,13 +57,13 @@ landingContent:
- linkListType: overview
links:
- text: Overview
- url: operating-system.md
+ url: operating-system-security/index.md
- linkListType: concept
links:
- - text: System security
- url: trusted-boot.md
+ - text: Trusted boot
+ url: operating-system-security\system-security\trusted-boot.md
- text: Encryption and data protection
- url: encryption-data-protection.md
+ url: operating-system-security/data-protection/index.md
- text: Windows security baselines
url: threat-protection/windows-security-configuration-framework/windows-security-baselines.md
- text: Virtual private network guide
@@ -80,7 +80,7 @@ landingContent:
- linkListType: overview
links:
- text: Overview
- url: apps.md
+ url: application-security/index.md
- linkListType: concept
links:
- text: Application Control and virtualization-based protection
@@ -92,7 +92,7 @@ landingContent:
- text: Windows Sandbox
url: application-security\application-isolation\windows-sandbox\windows-sandbox-overview.md
- text: Microsoft Defender SmartScreen
- url: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+ url: operating-system-security\virus-and-threat-protection\microsoft-defender-smartscreen\index.md
- text: S/MIME for Windows
url: identity-protection/configure-s-mime.md
# Cards and links should be based on top customer tasks or top subjects
@@ -125,10 +125,6 @@ landingContent:
# Card (optional)
- title: Cloud services
linkLists:
- - linkListType: overview
- links:
- - text: Overview
- url: cloud.md
- linkListType: concept
links:
- text: Mobile device management
@@ -140,7 +136,7 @@ landingContent:
- text: OneDrive
url: /onedrive/onedrive
- text: Family safety
- url: threat-protection/windows-defender-security-center/wdsc-family-options.md
+ url: operating-system-security\system-security\windows-defender-security-center\wdsc-family-options.md
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
diff --git a/windows/security/introduction/index.md b/windows/security/introduction/index.md
index f051acac9f..2389e3b4da 100644
--- a/windows/security/introduction/index.md
+++ b/windows/security/introduction/index.md
@@ -34,7 +34,7 @@ Windows 11 is a natural evolution of its predecessor, Windows 10. We have collab
With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind other barriers separated from the operating system. As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering.
-In Windows 11, hardware and software work together to protect the operating system. For example, new devices come with [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) and [Secure Boot](../trusted-boot.md) built-in and enabled by default to contain and limit malware exploits.
+In Windows 11, hardware and software work together to protect the operating system. For example, new devices come with [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) and [Secure Boot](../operating-system-security/system-security/trusted-boot.md) built-in and enabled by default to contain and limit malware exploits.
### Robust application security and privacy controls
@@ -54,4 +54,4 @@ Microsoft offers comprehensive cloud services for identity, storage, and access
To learn more about the security features included in Windows 11, download the [Windows 11 Security Book: Powerful security from chip to cloud](https://aka.ms/Windows11SecurityBook).
-[!INCLUDE [ai-disclaimer-generic](../../../includes/ai-disclaimer-generic.md)]
\ No newline at end of file
+[!INCLUDE [ai-disclaimer-generic](../../../includes/ai-disclaimer-generic.md)]
diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
similarity index 98%
rename from windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
index 9ed2b2769e..423a4e624a 100644
--- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
@@ -1,16 +1,8 @@
---
title: BCD settings and BitLocker
description: This article for IT professionals describes the BCD settings that are used by BitLocker.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# Boot Configuration Data settings and BitLocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-and-adds-faq.yml
similarity index 96%
rename from windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-and-adds-faq.yml
index daa9cba013..cbaff88935 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-and-adds-faq.yml
@@ -1,26 +1,14 @@
### YamlMime:FAQ
metadata:
- title: BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10)
+ title: BitLocker and Active Directory Domain Services (AD DS) FAQ
description: Learn more about how BitLocker and Active Directory Domain Services (AD DS) can work together to keep devices secure.
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- audience: ITPro
ms.collection:
- highpri
- tier1
ms.topic: faq
ms.date: 11/08/2022
- ms.custom: bitlocker
title: BitLocker and Active Directory Domain Services (AD DS) FAQ
summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
-
sections:
- name: Ignored
@@ -53,7 +41,7 @@ sections:
> [!IMPORTANT]
> Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).
-
+
- question: |
Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup?
answer: |
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md
similarity index 99%
rename from windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md
index 3518062515..52cc2816b8 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md
@@ -1,26 +1,12 @@
---
title: BitLocker basic deployment
description: This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# BitLocker basic deployment
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
This article for the IT professional explains how BitLocker features can be used to protect data through drive encryption.
## Using BitLocker to encrypt volumes
@@ -466,4 +452,4 @@ Disable-BitLocker -MountPoint E:,F:,G:
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker recovery guide](bitlocker-recovery-guide-plan.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
-- [BitLocker overview](bitlocker-overview.md)
+- [BitLocker overview](index.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md
similarity index 95%
rename from windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md
index df0af1d002..98b5a376c9 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md
@@ -1,26 +1,12 @@
---
-title: BitLocker Countermeasures
+title: BitLocker Countermeasures
description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Anti-malware (ELAM) to protect against attacks on the BitLocker encryption key.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# BitLocker Countermeasures
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
Windows uses technologies including trusted platform module (TPM), secure boot, and measured boot to help protect BitLocker encryption keys against attacks. BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology. Data on a lost or stolen computer is vulnerable. For example, there could be unauthorized access, either by running a software attack tool against the computer or by transferring the computer's hard disk to a different computer.
BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started. This mitigation is done by:
@@ -45,7 +31,7 @@ A trusted platform module (TPM) is a microchip designed to provide basic securit
Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system's bootloader.
-The UEFI specification defines a firmware execution authentication process called [Secure Boot](../secure-the-windows-10-boot-process.md). Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
+The UEFI specification defines a firmware execution authentication process called [Secure Boot](../../system-security/secure-the-windows-10-boot-process.md). Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key.
@@ -62,7 +48,7 @@ The next sections cover pre-boot authentication and DMA policies that can provid
### Pre-boot authentication
-Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. The Group Policy setting is [Require additional authentication at startup](./bitlocker-group-policy-settings.md) and the corresponding setting in the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication.
+Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. The Group Policy setting is [Require additional authentication at startup](bitlocker-group-policy-settings.md) and the corresponding setting in the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication.
BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed. If Windows can't access the encryption keys, the device can't read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key.
@@ -70,11 +56,11 @@ Pre-boot authentication is designed to prevent the encryption keys from being lo
On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways:
-- **TPM-only.** Using TPM-only validation doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor.
+- **TPM-only.** Using TPM-only validation doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor.
- **TPM with startup key.** In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume can't be accessed without the startup key.
-- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN.
+- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN.
- **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the correct PIN is also required.
@@ -86,11 +72,11 @@ Pre-boot authentication with a PIN can mitigate an attack vector for devices tha
On the other hand, Pre-boot authentication-prompts can be inconvenient to users. In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization's support team to obtain a recovery key. Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation.
-To address these issues, [BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md) can be deployed. Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server.
+To address these issues, [BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md) can be deployed. Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server.
### Protecting Thunderbolt and other DMA ports
-There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.
+There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.
You can use the System Information desktop app `MSINFO32.exe` to check if a device has kernel DMA protection enabled:
@@ -112,7 +98,7 @@ For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the **Thunderbolt Mi
## Attack countermeasures
-This section covers countermeasures for specific types of attacks.
+This section covers countermeasures for specific types of attacks.
### Bootkits and rootkits
@@ -142,7 +128,7 @@ Enable secure boot and mandatorily prompt a password to change BIOS settings. Fo
### Tricking BitLocker to pass the key to a rogue operating system
An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don't recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5.
-
+
An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This will not succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0, and to successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key.
## Attacker countermeasures
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
similarity index 96%
rename from windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
index dbea4c718a..ccabad03a1 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
@@ -1,22 +1,11 @@
### YamlMime:FAQ
metadata:
- title: BitLocker deployment and administration FAQ (Windows 10)
+ title: BitLocker deployment and administration FAQ
description: Browse frequently asked questions about BitLocker deployment and administration, such as, "Can BitLocker deployment be automated in an enterprise environment?"
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
ms.topic: faq
ms.date: 11/08/2022
- ms.custom: bitlocker
title: BitLocker frequently asked questions (FAQ)
summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
-
sections:
- name: Ignored
questions:
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md
similarity index 97%
rename from windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md
index 99d7101e23..3521e9e447 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md
@@ -1,25 +1,12 @@
---
title: BitLocker deployment comparison
description: This article shows the BitLocker deployment comparison chart.
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# BitLocker deployment comparison
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
This article depicts the BitLocker deployment comparison chart.
## BitLocker deployment comparison chart
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
similarity index 97%
rename from windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index c0f495b8a6..4b8a48c1a0 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -1,29 +1,16 @@
---
title: Overview of BitLocker Device Encryption in Windows
description: This article provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows.
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
-# Overview of BitLocker Device Encryption in Windows
+# Overview of BitLocker device encryption
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
-This article explains how BitLocker Device Encryption can help protect data on devices running Windows. See [BitLocker](bitlocker-overview.md) for a general overview and list of articles.
+This article explains how BitLocker Device Encryption can help protect data on devices running Windows. See [BitLocker](index.md) for a general overview and list of articles.
When users travel, their organization's confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies.
@@ -31,7 +18,6 @@ When users travel, their organization's confidential data goes with them. Wherev
The below table lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7.
-
| Windows 7 | Windows 11 and Windows 10 |
|---|---|
| When BitLocker is used with a PIN to protect startup, PCs such as kiosks can't be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.
Network Unlock allows PCs to start automatically when connected to the internal network. |
diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-questions.yml
similarity index 75%
rename from windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-questions.yml
index 4f7256eadb..04759a9566 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-questions.yml
@@ -2,25 +2,13 @@
metadata:
title: BitLocker FAQ (Windows 10)
description: Find the answers you need by exploring this brief hub page listing FAQ pages for various aspects of BitLocker.
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- audience: ITPro
ms.collection:
- highpri
- tier1
ms.topic: faq
ms.date: 11/08/2022
- ms.custom: bitlocker
title: BitLocker frequently asked questions (FAQ) resources
-summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
- This article links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on computers to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they're decommissioned because it's much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
+summary: This article links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on computers to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they're decommissioned because it's much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
- [Overview and requirements](bitlocker-overview-and-requirements-faq.yml)
- [Upgrading](bitlocker-upgrading-faq.yml)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md
similarity index 99%
rename from windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md
index b14f859b9a..6045481279 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -1,35 +1,21 @@
---
title: BitLocker Group Policy settings
description: This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# BitLocker group policy settings
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
Group Policy administrative templates or local computer policy settings can be used to control what BitLocker drive encryption tasks and configurations can be performed by users, for example through the **BitLocker Drive Encryption** control panel. Which of these policies are configured and how they're configured depends on how BitLocker is implemented and what level of interaction is desired for end users.
> [!NOTE]
-> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md).
+> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [TPM Group Policy settings](../../../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md).
BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**.
@@ -233,7 +219,7 @@ This policy setting is applied when BitLocker is turned on. The startup PIN must
Originally, BitLocker allowed a length from 4 to 20 characters for a PIN. Windows Hello has its own PIN for sign-in, length of which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
-The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../tpm/trusted-platform-module-services-group-policy-settings.md)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
+The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../../../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This number of attempts totals to a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years.
@@ -452,7 +438,7 @@ When set to **Do not allow complexity**, no password complexity validation is do
> [!NOTE]
> Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** specifies whether FIPS compliance is enabled.
-For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
+For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](../../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
### Validate smart card certificate usage rule compliance
@@ -1306,7 +1292,7 @@ The optional recovery key can be saved to a USB drive. Because recovery password
The FIPS setting can be edited by using the Security Policy Editor (`Secpol.msc`) or by editing the Windows registry. Only administrators can perform these procedures.
-For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
+For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](../../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
## Power management group policy settings: Sleep and Hibernate
@@ -1338,5 +1324,5 @@ PCR 7 measurements are a mandatory logo requirement for systems that support Mod
- [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
- [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
-- [BitLocker overview](bitlocker-overview.md)
+- [BitLocker overview](index.md)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
similarity index 65%
rename from windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
index 9d743637c9..fd3c652f3a 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
@@ -1,57 +1,32 @@
---
-title: BitLocker How to deploy on Windows Server 2012 and later
-description: This article for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
+title: BitLocker How to deploy on Windows Server
+description: This article for the IT professional explains how to deploy BitLocker and Windows Server
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
-# BitLocker: How to deploy on Windows Server 2012 and later
+# BitLocker: How to deploy on Windows Server
-**Applies to:**
-
-- Windows Server 2012
-- Windows Server 2012 R2
-- Windows Server 2016 and above
-
-This article explains how to deploy BitLocker on Windows Server 2012 and later versions. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server on which it's to be installed.
+This article explains how to deploy BitLocker on Windows Server. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server on which it's to be installed.
## Installing BitLocker
### To install BitLocker using server manager
-1. Open server manager by selecting the server manager icon or running servermanager.exe.
-
-2. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.**
-
-3. With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown).
-
-4. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue.
-
-5. Select the **Select a server from the server pool** option in the **Server Selection** pane and confirm the server on which the BitLocker feature is to be installed.
-
-6. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane.
-
+1. Open server manager by selecting the server manager icon or running `servermanager.exe`.
+1. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.**
+1. With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown).
+1. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue.
+1. Select the **Select a server from the server pool** option in the **Server Selection** pane and confirm the server on which the BitLocker feature is to be installed.
+1. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane.
> [!NOTE]
> Server roles and features are installed by using the same wizard in Server Manager.
-
-7. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If the extra management features are not needed and/or don't need to be installed, deselect the **Include management tools**.
-
+1. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If the extra management features aren't needed and/or don't need to be installed, deselect the **Include management tools**.
> [!NOTE]
> The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for encrypted hard drives on capable systems.
-
-8. Select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard.
-
-9. Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete.
-
-10. If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.
+1. Select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard.
+1. Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete.
+1. If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.
### To install BitLocker using Windows PowerShell
@@ -64,7 +39,7 @@ Windows PowerShell offers administrators another option for BitLocker feature in
The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`.
-By default, installation of features in Windows PowerShell doesn't include optional sub-features or management tools as part of the installation process. What is installed as part of the installation process can be seen using the `-WhatIf` option in Windows PowerShell.
+By default, installation of features in Windows PowerShell doesn't include optional subfeatures or management tools as part of the installation process. What is installed as part of the installation process can be seen using the `-WhatIf` option in Windows PowerShell.
```powershell
Install-WindowsFeature BitLocker -WhatIf
@@ -72,7 +47,7 @@ Install-WindowsFeature BitLocker -WhatIf
The results of this command show that only the BitLocker Drive Encryption feature is installed using this command.
-To see what would be installed with the BitLocker feature, including all available management tools and sub-features, use the following command:
+To see what would be installed with the BitLocker feature, including all available management tools and subfeatures, use the following command:
```powershell
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl
@@ -88,7 +63,7 @@ The result of this command displays the following list of all the administration
- AD DS Tools
- AD DS and AD LDS Tools
-The command to complete a full installation of the BitLocker feature with all available sub-features and then to reboot the server at completion is:
+The command to complete a full installation of the BitLocker feature with all available subfeatures and then to reboot the server at completion is:
```powershell
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
@@ -99,13 +74,13 @@ Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -
### Using the dism module to install BitLocker
-The `dism.exe` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism.exe` module doesn't support wildcards when searching for feature names. To list feature names for the `dism.exe` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system.
+The `dism.exe` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism.exe` module doesn't support wildcards when searching for feature names. To list feature names for the `dism.exe` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command lists all of the optional features in an online (running) operating system.
```powershell
Get-WindowsOptionalFeature -Online | ft
```
-From this output, it can be seen that there are three BitLocker-related optional feature names: **BitLocker**, **BitLocker-Utilities** and **BitLocker-NetworkUnlock**. To install the BitLocker feature, the **BitLocker** and **BitLocker-Utilities** features are the only required items.
+From this output, there are three BitLocker-related optional feature names: **BitLocker**, **BitLocker-Utilities** and **BitLocker-NetworkUnlock**. To install the BitLocker feature, the **BitLocker** and **BitLocker-Utilities** features are the only required items.
To install BitLocker using the `dism.exe` module, use the following command:
@@ -121,7 +96,7 @@ Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilitie
## Related articles
-- [BitLocker overview](bitlocker-overview.md)
+- [BitLocker overview](index.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
similarity index 99%
rename from windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index 442be0541b..921c5ebcfa 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -1,26 +1,12 @@
---
title: BitLocker - How to enable Network Unlock
description: This article for the IT professional describes how BitLocker Network Unlock works and how to configure it.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# BitLocker: How to enable Network Unlock
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
This article describes how BitLocker Network Unlock works and how to configure it.
Network Unlock is a BitLocker protector option for operating system volumes. Network Unlock enables easier management for BitLocker-enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). Requiring a PIN after a reboot can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers.
@@ -462,6 +448,6 @@ Follow these steps to configure Network Unlock on these older systems.
## Related articles
-- [BitLocker overview](bitlocker-overview.md)
+- [BitLocker overview](index.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-key-management-faq.yml
similarity index 97%
rename from windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-key-management-faq.yml
index ad23cc6714..848e842daf 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-key-management-faq.yml
@@ -2,21 +2,10 @@
metadata:
title: BitLocker Key Management FAQ (Windows 10)
description: Browse frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- audience: ITPro
ms.topic: faq
ms.date: 11/08/2022
- ms.custom: bitlocker
title: BitLocker Key Management FAQ
-summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
+summary: |
sections:
- name: Ignored
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md
similarity index 93%
rename from windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md
index 8f46db3e99..491df0d342 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -1,24 +1,17 @@
---
title: BitLocker management
description: Refer to relevant documentation, products, and services to learn about managing BitLocker and see recommendations for different computers.
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# BitLocker management
The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on help desks and a decrease in support-call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1.
-Though much Windows [BitLocker documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers.
+Though much Windows [BitLocker documentation](index.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers.
-[!INCLUDE [bitlocker](../../../../includes/licensing/bitlocker-management.md)]
+[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-management.md)]
## Managing domain-joined computers and moving to cloud
diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-network-unlock-faq.yml
similarity index 87%
rename from windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-network-unlock-faq.yml
index 9683743787..5a67c2a310 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-network-unlock-faq.yml
@@ -2,22 +2,10 @@
metadata:
title: BitLocker Network Unlock FAQ (Windows 10)
description: Familiarize yourself with BitLocker Network Unlock. Learn how it can make desktop and server management easier within domain environments.
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- audience: ITPro
ms.topic: faq
ms.date: 11/08/2022
- ms.reviewer:
- ms.custom: bitlocker
title: BitLocker Network Unlock FAQ
summary: |
- **Applies to:**
- - Windows 10
- - Windows 11
- - Windows Server 2016 and above
sections:
- name: Ignored
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
similarity index 94%
rename from windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
index 3243fdb178..732e5e9c03 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
@@ -2,24 +2,13 @@
metadata:
title: BitLocker overview and requirements FAQ (Windows 10)
description: This article for IT professionals answers frequently asked questions concerning the requirements to use BitLocker.
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- audience: ITPro
ms.collection:
- highpri
- tier1
ms.topic: faq
ms.date: 11/08/2022
- ms.custom: bitlocker
title: BitLocker Overview and Requirements FAQ
-summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
+summary: |
sections:
- name: Ignored
@@ -39,7 +28,7 @@ sections:
- question: What are the BitLocker hardware and software requirements?
answer: |
- For requirements, see [System requirements](bitlocker-overview.md#system-requirements).
+ For requirements, see [System requirements](index.md#system-requirements).
> [!NOTE]
> Dynamic disks aren't supported by BitLocker. Dynamic data volumes won't be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it's a Dynamic disk, if it's a dynamic disk it can't be protected by BitLocker.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md
similarity index 99%
rename from windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md
index 39eb80e0aa..d5eb6c6c36 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -1,29 +1,15 @@
---
title: BitLocker recovery guide
description: This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS).
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-ms.reviewer: rafals
-manager: aaroncz
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
---
# BitLocker recovery guide
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
This article describes how to recover BitLocker keys from AD DS.
Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while planning for BitLocker deployment.
@@ -990,4 +976,4 @@ End Function
## Related articles
-- [BitLocker overview](bitlocker-overview.md)
+- [BitLocker overview](index.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-security-faq.yml
similarity index 92%
rename from windows/security/information-protection/bitlocker/bitlocker-security-faq.yml
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-security-faq.yml
index 8b53e2e639..90f7723f1e 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-security-faq.yml
@@ -2,23 +2,10 @@
metadata:
title: BitLocker Security FAQ
description: Learn more about how BitLocker security works. Browse frequently asked questions, such as, "What form of encryption does BitLocker use?"
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- audience: ITPro
ms.topic: faq
ms.date: 11/08/2022
- ms.custom: bitlocker
title: BitLocker Security FAQ
summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
-
-
sections:
- name: Ignored
questions:
diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-to-go-faq.yml
similarity index 82%
rename from windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-to-go-faq.yml
index c780b6ee5a..2b386d9937 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-to-go-faq.yml
@@ -2,20 +2,10 @@
metadata:
title: BitLocker To Go FAQ
description: "Learn more about BitLocker To Go"
- ms.prod: windows-client
- ms.technology: itpro-security
- ms.author: frankroj
- author: frankroj
- manager: aaroncz
- audience: ITPro
ms.topic: faq
ms.date: 11/08/2022
- ms.custom: bitlocker
title: BitLocker To Go FAQ
-summary: |
- **Applies to:**
- - Windows 10
-
+summary: |
sections:
- name: Ignored
@@ -28,7 +18,7 @@ sections:
- SD cards
- External hard disk drives
- Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.
-
+
Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements).
As with BitLocker, drives that are encrypted by BitLocker To Go can be opened by using a password or smart card on another computer. In Control Panel, use **BitLocker Drive Encryption**.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-upgrading-faq.yml
similarity index 93%
rename from windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-upgrading-faq.yml
index 13441d1f58..fba3beff7f 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-upgrading-faq.yml
@@ -2,21 +2,10 @@
metadata:
title: BitLocker Upgrading FAQ
description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?"
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
ms.topic: faq
ms.date: 11/08/2022
- ms.reviewer:
- ms.custom: bitlocker
title: BitLocker Upgrading FAQ
-summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
+summary: |
sections:
- name: Ignored
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
similarity index 98%
rename from windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index 9e538c4fef..393549ec10 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -1,29 +1,15 @@
---
title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker
description: This article for the IT professional describes how to use tools to manage BitLocker.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
This article for the IT professional describes how to use tools to manage BitLocker.
BitLocker Drive Encryption Tools include the command-line tools manage-bde and repair-bde and the BitLocker cmdlets for Windows PowerShell.
@@ -246,7 +232,7 @@ Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-
## Related articles
-- [BitLocker overview](bitlocker-overview.md)
+- [BitLocker overview](index.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
similarity index 94%
rename from windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
index e96cf15557..9698ad0735 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
@@ -1,19 +1,11 @@
---
title: BitLocker Use BitLocker Recovery Password Viewer
description: This article for the IT professional describes how to use the BitLocker Recovery Password Viewer.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# BitLocker: Use BitLocker Recovery Password Viewer
@@ -66,7 +58,7 @@ By completing the procedures in this scenario, the recovery passwords for a comp
## Related articles
-- [BitLocker Overview](bitlocker-overview.md)
+- [BitLocker Overview](index.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
similarity index 97%
rename from windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
index 4d0267a25a..92834f11e6 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
@@ -2,19 +2,10 @@
metadata:
title: Using BitLocker with other programs FAQ
description: Learn how to integrate BitLocker with other software on a device.
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
ms.topic: faq
ms.date: 11/08/2022
title: Using BitLocker with other programs FAQ
summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
sections:
- name: Ignored
diff --git a/windows/security/information-protection/bitlocker/images/bitlockernetworkunlocksequence.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bitlockernetworkunlocksequence.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/bitlockernetworkunlocksequence.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/bitlockernetworkunlocksequence.png
diff --git a/windows/security/information-protection/bitlocker/images/bl-intune-custom-url.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bl-intune-custom-url.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/bl-intune-custom-url.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/bl-intune-custom-url.png
diff --git a/windows/security/information-protection/bitlocker/images/bl-narrator.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bl-narrator.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/bl-narrator.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/bl-narrator.png
diff --git a/windows/security/information-protection/bitlocker/images/bl-password-hint1.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bl-password-hint1.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/bl-password-hint1.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/bl-password-hint1.png
diff --git a/windows/security/information-protection/bitlocker/images/bl-password-hint2.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bl-password-hint2.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/bl-password-hint2.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/bl-password-hint2.png
diff --git a/windows/security/information-protection/bitlocker/images/kernel-dma-protection.png b/windows/security/operating-system-security/data-protection/bitlocker/images/kernel-dma-protection.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/kernel-dma-protection.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/kernel-dma-protection.png
diff --git a/windows/security/information-protection/bitlocker/images/manage-bde-status.png b/windows/security/operating-system-security/data-protection/bitlocker/images/manage-bde-status.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/manage-bde-status.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/manage-bde-status.png
diff --git a/windows/security/information-protection/bitlocker/images/pre-boot-authentication-group-policy.png b/windows/security/operating-system-security/data-protection/bitlocker/images/pre-boot-authentication-group-policy.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/pre-boot-authentication-group-policy.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/pre-boot-authentication-group-policy.png
diff --git a/windows/security/information-protection/bitlocker/images/rp-example1.png b/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example1.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/rp-example1.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/rp-example1.png
diff --git a/windows/security/information-protection/bitlocker/images/rp-example2.png b/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example2.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/rp-example2.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/rp-example2.png
diff --git a/windows/security/information-protection/bitlocker/images/rp-example3.png b/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example3.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/rp-example3.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/rp-example3.png
diff --git a/windows/security/information-protection/bitlocker/images/rp-example4.png b/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example4.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/rp-example4.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/rp-example4.png
diff --git a/windows/security/information-protection/bitlocker/images/rp-example5.png b/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example5.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/rp-example5.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/rp-example5.png
diff --git a/windows/security/information-protection/bitlocker/images/yes-icon.png b/windows/security/operating-system-security/data-protection/bitlocker/images/yes-icon.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/yes-icon.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/yes-icon.png
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/operating-system-security/data-protection/bitlocker/index.md
similarity index 96%
rename from windows/security/information-protection/bitlocker/bitlocker-overview.md
rename to windows/security/operating-system-security/data-protection/bitlocker/index.md
index 9f04e173a3..31b4e00f59 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/index.md
@@ -1,32 +1,17 @@
---
-title: BitLocker
+title: BitLocker overview
description: This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
-ms.author: frankroj
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-manager: aaroncz
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
-# BitLocker
-
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+# BitLocker overview
This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
-## BitLocker overview
-
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system was offline.
@@ -48,7 +33,7 @@ There are two additional tools in the Remote Server Administration Tools that ca
- **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the
BitLocker control panel, and they're appropriate to be used for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive can't be unlocked normally or by using the recovery console.
-[!INCLUDE [bitlocker](../../../../includes/licensing/bitlocker-enablement.md)]
+[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-enablement.md)]
## System requirements
diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
similarity index 97%
rename from windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
rename to windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
index 415ebdab44..49e91e44d0 100644
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -1,26 +1,12 @@
---
title: Prepare the organization for BitLocker Planning and policies
description: This article for the IT professional explains how can to plan for a BitLocker deployment.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# Prepare an organization for BitLocker: Planning and policies
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
This article for the IT professional explains how to plan BitLocker deployment.
When BitLocker deployment strategy is defined, define the appropriate policies and configuration requirements based on the business requirements of the organization. The following sections will help with collecting information. Use this information to help with the decision-making process about deploying and managing BitLocker systems.
@@ -199,9 +185,7 @@ On Windows Server 2012 R2 and Windows 8.1 and older, recovery passwords generate
## Related articles
-- [Trusted Platform Module](../tpm/trusted-platform-module-top-node.md)
-- [TPM Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
-- [BitLocker](bitlocker-overview.md)
+- [BitLocker](index.md)
- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
- [BitLocker basic deployment](bitlocker-basic-deployment.md)
diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
similarity index 98%
rename from windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
rename to windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
index 14934b6ab3..fd2168f6bb 100644
--- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
@@ -1,16 +1,8 @@
---
title: Protecting cluster shared volumes and storage area networks with BitLocker
description: This article for IT pros describes how to protect CSVs and SANs with BitLocker.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# Protecting cluster shared volumes and storage area networks with BitLocker
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/toc.yml b/windows/security/operating-system-security/data-protection/bitlocker/toc.yml
new file mode 100644
index 0000000000..1e5a30d744
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/toc.yml
@@ -0,0 +1,74 @@
+items:
+- name: Overview
+ href: index.md
+- name: BitLocker device encryption
+ href: bitlocker-device-encryption-overview-windows-10.md
+- name: BitLocker frequently asked questions (FAQ)
+ href: bitlocker-frequently-asked-questions.yml
+ items:
+ - name: Overview and requirements
+ href: bitlocker-overview-and-requirements-faq.yml
+ - name: Upgrading
+ href: bitlocker-upgrading-faq.yml
+ - name: Deployment and administration
+ href: bitlocker-deployment-and-administration-faq.yml
+ - name: Key management
+ href: bitlocker-key-management-faq.yml
+ - name: BitLocker To Go
+ href: bitlocker-to-go-faq.yml
+ - name: Active Directory Domain Services
+ href: bitlocker-and-adds-faq.yml
+ - name: Security
+ href: bitlocker-security-faq.yml
+ - name: BitLocker Network Unlock
+ href: bitlocker-network-unlock-faq.yml
+ - name: General
+ href: bitlocker-using-with-other-programs-faq.yml
+- name: "Prepare your organization for BitLocker: Planning and policies"
+ href: prepare-your-organization-for-bitlocker-planning-and-policies.md
+- name: BitLocker deployment comparison
+ href: bitlocker-deployment-comparison.md
+- name: BitLocker basic deployment
+ href: bitlocker-basic-deployment.md
+- name: Deploy BitLocker on Windows Server 2012 and later
+ href: bitlocker-how-to-deploy-on-windows-server.md
+- name: BitLocker management
+ href: bitlocker-management-for-enterprises.md
+- name: Enable Network Unlock with BitLocker
+ href: bitlocker-how-to-enable-network-unlock.md
+- name: Use BitLocker Drive Encryption Tools to manage BitLocker
+ href: bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+- name: Use BitLocker Recovery Password Viewer
+ href: bitlocker-use-bitlocker-recovery-password-viewer.md
+- name: BitLocker Group Policy settings
+ href: bitlocker-group-policy-settings.md
+- name: BCD settings and BitLocker
+ href: bcd-settings-and-bitlocker.md
+- name: BitLocker Recovery Guide
+ href: bitlocker-recovery-guide-plan.md
+- name: BitLocker Countermeasures
+ href: bitlocker-countermeasures.md
+- name: Protecting cluster shared volumes and storage area networks with BitLocker
+ href: protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+- name: Troubleshoot BitLocker
+ items:
+ - name: Troubleshoot BitLocker 🔗
+ href: /troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting
+ - name: "BitLocker cannot encrypt a drive: known issues 🔗"
+ href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues
+ - name: "Enforcing BitLocker policies by using Intune: known issues 🔗"
+ href: /troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues
+ - name: "BitLocker Network Unlock: known issues 🔗"
+ href: /troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues
+ - name: "BitLocker recovery: known issues 🔗"
+ href: /troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues
+ - name: "BitLocker configuration: known issues 🔗"
+ href: /troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues
+ - name: Troubleshoot BitLocker and TPM issues
+ items:
+ - name: "BitLocker cannot encrypt a drive: known TPM issues 🔗"
+ href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues
+ - name: "BitLocker and TPM: other known issues 🔗"
+ href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues
+ - name: Decode Measured Boot logs to track PCR changes 🔗
+ href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes
\ No newline at end of file
diff --git a/windows/security/operating-system-security/data-protection/configure-s-mime.md b/windows/security/operating-system-security/data-protection/configure-s-mime.md
new file mode 100644
index 0000000000..4d5e976fde
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/configure-s-mime.md
@@ -0,0 +1,71 @@
+---
+title: Configure S/MIME for Windows
+description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them. Learn how to configure S/MIME for Windows.
+ms.topic: how-to
+ms.date: 05/31/2023
+---
+
+
+# Configure S/MIME for Windows
+
+Secure/Multipurpose Internet Mail Extensions (S/MIME) provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. S/MIME enables users to encrypt outgoing messages and attachments so that only intended recipients can read them. To read the messages, recipients must have a digital identification (ID), also known as a certificate.\
+Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with.
+
+## Message encryption
+
+Users can send encrypted message to recipients that have an encryption certificate.\
+Users can only read encrypted messages if the message is received on their Exchange account, and they have corresponding decryption keys.
+
+Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipients whose encryption certificate isn't available, the app prompts you to remove these recipients before sending the email.
+
+## Digital signatures
+
+A digitally signed message reassures the recipient that the message hasn't been tampered with, and verifies the identity of the sender. Recipients can only verify the digital signature if they're using an email client that supports S/MIME.
+
+[!INCLUDE [email-encryption-smime](../../../../includes/licensing/email-encryption-smime.md)]
+
+## Prerequisites
+
+- [S/MIME is enabled for Exchange accounts](/exchange/security-and-compliance/smime-exo/smime-exo) (on-premises and Exchange Online). Users can't use S/MIME signing and encryption with a personal account such as Outlook.com
+- Valid Personal Information Exchange (PFX) certificates are installed on the device
+ - [How to Create PFX Certificate Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/mt131410(v=technet.10))
+ - [Use certificates for authentication in Microsoft Intune](/mem/intune/protect/certificates-configure)
+
+## Choose S/MIME settings
+
+On the device, perform the following steps: (add select certificate)
+
+1. Open the Mail app
+1. Open **Settings > Email security**
+ :::image type="content" alt-text="Screenshot of the Windows Mail app, security settings." source="images/email-security.png":::
+1. In **Select an account**, select the account for which you want to configure S/MIME options
+1. Make a certificate selection for digital signature and encryption
+ - Select **Automatically** to let the app choose the certificate
+ - Select **Manually** to specify the certificate yourself from the list of valid certificates on the device
+1. (Optional) Select **Always sign with S/MIME**, **Always encrypt with S/MIME**, or both, to automatically digitally sign or encrypt all outgoing messages
+
+ > [!NOTE]
+ > The option to sign or encrypt can be changed for individual messages, unless EAS policies prevent it.
+
+1. Select the back arrow
+
+## Encrypt or sign individual messages
+
+1. While composing a message, select **Options** from the ribbon
+1. Use **Sign** and **Encrypt** icons to turn on digital signature and encryption for this message
+
+ :::image type="content" alt-text="Screenshot of the Windows Mail app, showing the options to sign or encrypt message." source="images/sign-encrypt.png":::
+
+## Read signed or encrypted messages
+
+When you receive an encrypted message, the mail app checks whether there's a certificate available on your computer. If there's a certificate available, the message is decrypted when you open it. If your certificate is stored on a smartcard, you'll be prompted to insert the smartcard to read the message. Your smartcard may also require a PIN to access the certificate.
+
+## Install certificates from a received message
+
+When you receive a signed email, the app provides a feature to install corresponding encryption certificate on your device if the certificate is available. This certificate can then be used to send encrypted email to this person.
+
+1. Open a signed email
+1. Select the digital signature icon in the reading pane
+1. Select **Install.**
+
+ :::image type="content" alt-text="Screenshot of the Windows Mail app, showing a message to install the sender's encryption certificate." source="images/install-cert.png":::
diff --git a/windows/security/information-protection/encrypted-hard-drive.md b/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md
similarity index 96%
rename from windows/security/information-protection/encrypted-hard-drive.md
rename to windows/security/operating-system-security/data-protection/encrypted-hard-drive.md
index bb2fc98a8e..42e381d999 100644
--- a/windows/security/information-protection/encrypted-hard-drive.md
+++ b/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md
@@ -1,27 +1,12 @@
---
title: Encrypted Hard Drive
description: Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
-ms.reviewer:
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-author: frankroj
ms.date: 11/08/2022
-ms.technology: itpro-security
ms.topic: conceptual
---
# Encrypted Hard Drive
-*Applies to:*
-
-- Windows 10
-- Windows 11
-- Windows Server 2022
-- Windows Server 2019
-- Windows Server 2016
-- Azure Stack HCI
-
Encrypted hard drive uses the rapid encryption that is provided by BitLocker drive encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
@@ -48,7 +33,7 @@ Encrypted hard drives are supported natively in the operating system through the
If you're a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](/previous-versions/windows/hardware/design/dn653989(v=vs.85)).
-[!INCLUDE [encrypted-hard-drive](../../../includes/licensing/encrypted-hard-drive.md)]
+[!INCLUDE [encrypted-hard-drive](../../../../includes/licensing/encrypted-hard-drive.md)]
## System Requirements
diff --git a/windows/security/operating-system-security/data-protection/images/email-security.png b/windows/security/operating-system-security/data-protection/images/email-security.png
new file mode 100644
index 0000000000..f8157ef180
Binary files /dev/null and b/windows/security/operating-system-security/data-protection/images/email-security.png differ
diff --git a/windows/security/identity-protection/images/installcert.png b/windows/security/operating-system-security/data-protection/images/install-cert.png
similarity index 100%
rename from windows/security/identity-protection/images/installcert.png
rename to windows/security/operating-system-security/data-protection/images/install-cert.png
diff --git a/windows/security/identity-protection/images/signencrypt.png b/windows/security/operating-system-security/data-protection/images/sign-encrypt.png
similarity index 100%
rename from windows/security/identity-protection/images/signencrypt.png
rename to windows/security/operating-system-security/data-protection/images/sign-encrypt.png
diff --git a/windows/security/encryption-data-protection.md b/windows/security/operating-system-security/data-protection/index.md
similarity index 85%
rename from windows/security/encryption-data-protection.md
rename to windows/security/operating-system-security/data-protection/index.md
index 781c1f164d..b180e2ff7a 100644
--- a/windows/security/encryption-data-protection.md
+++ b/windows/security/operating-system-security/data-protection/index.md
@@ -1,13 +1,8 @@
---
title: Encryption and data protection in Windows
description: Get an overview encryption and data protection in Windows 11 and Windows 10
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.topic: overview
ms.date: 09/22/2022
-ms.prod: windows-client
-ms.technology: itpro-security
ms.reviewer: rafals
---
@@ -45,10 +40,10 @@ Windows consistently improves data protection by improving existing options and
(*Applies to: Windows 11, version 22H2 and later*)
-[!INCLUDE [Personal Data Encryption (PDE) description](information-protection/personal-data-encryption/includes/pde-description.md)]
+[!INCLUDE [Personal Data Encryption (PDE) description](personal-data-encryption/includes/pde-description.md)]
## See also
-- [Encrypted Hard Drive](information-protection/encrypted-hard-drive.md)
-- [BitLocker](information-protection/bitlocker/bitlocker-overview.md)
-- [Personal Data Encryption (PDE)](information-protection/personal-data-encryption/overview-pde.md)
+- [Encrypted Hard Drive](encrypted-hard-drive.md)
+- [BitLocker](bitlocker/index.md)
+- [Personal Data Encryption (PDE)](personal-data-encryption/index.md)
diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md
similarity index 55%
rename from windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md
index 3aa684f0c2..fe2fb5b3e9 100644
--- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md
@@ -1,14 +1,7 @@
---
title: Configure Personal Data Encryption (PDE) in Intune
description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune
-author: frankroj
-ms.author: frankroj
-ms.reviewer: rhonnegowda
-manager: aaroncz
ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
ms.date: 03/13/2023
---
@@ -21,21 +14,17 @@ The various required and recommended policies needed for Personal Data Encryptio
## Required prerequisites
-1. [Enable Personal Data Encryption (PDE)](pde-in-intune/intune-enable-pde.md)
-
-1. [Disable Winlogon automatic restart sign-on (ARSO)](pde-in-intune/intune-disable-arso.md)
+1. [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
+1. [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
## Security hardening recommendations
-1. [Disable kernel-mode crash dumps and live dumps](pde-in-intune/intune-disable-memory-dumps.md)
-
-1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](pde-in-intune/intune-disable-wer.md)
-
-1. [Disable hibernation](pde-in-intune/intune-disable-hibernation.md)
-
-1. [Disable allowing users to select when a password is required when resuming from connected standby](pde-in-intune/intune-disable-password-connected-standby.md)
+1. [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
+1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
+1. [Disable hibernation](intune-disable-hibernation.md)
+1. [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## See also
-- [Personal Data Encryption (PDE)](overview-pde.md)
+- [Personal Data Encryption (PDE)](index.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml
similarity index 91%
rename from windows/security/information-protection/personal-data-encryption/faq-pde.yml
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml
index 01ba4b7b8e..0429e74204 100644
--- a/windows/security/information-protection/personal-data-encryption/faq-pde.yml
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml
@@ -3,19 +3,9 @@
metadata:
title: Frequently asked questions for Personal Data Encryption (PDE)
description: Answers to common questions regarding Personal Data Encryption (PDE).
- author: frankroj
- ms.author: frankroj
- ms.reviewer: rhonnegowda
- manager: aaroncz
ms.topic: faq
- ms.prod: windows-client
- ms.technology: itpro-security
- ms.localizationpriority: medium
ms.date: 03/13/2023
-# Max 5963468 OS 32516487
-# Max 6946251
-
title: Frequently asked questions for Personal Data Encryption (PDE)
summary: |
Here are some answers to common questions regarding Personal Data Encryption (PDE)
@@ -65,7 +55,7 @@ sections:
- question: Can users manually encrypt and decrypt files with PDE?
answer: |
- Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](overview-pde.md).
+ Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](index.md).
- question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected content?
answer: |
@@ -77,6 +67,6 @@ sections:
additionalContent: |
## See also
- - [Personal Data Encryption (PDE)](overview-pde.md)
+ - [Personal Data Encryption (PDE)](index.md)
- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
diff --git a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md
similarity index 70%
rename from windows/security/information-protection/personal-data-encryption/includes/pde-description.md
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md
index 1d6d83ff6c..b34908147d 100644
--- a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md
@@ -1,22 +1,14 @@
---
-title: Personal Data Encryption (PDE) description
-description: Personal Data Encryption (PDE) description include file
-
-author: frankroj
-ms.author: frankroj
-ms.reviewer: rhonnegowda
-manager: aaroncz
ms.topic: include
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
ms.date: 03/13/2023
---
-Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
+Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides more encryption capabilities to Windows.
+
+PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to content. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
similarity index 90%
rename from windows/security/information-protection/personal-data-encryption/overview-pde.md
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
index c7efa3d342..6538f524ec 100644
--- a/windows/security/information-protection/personal-data-encryption/overview-pde.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
@@ -1,44 +1,30 @@
---
title: Personal Data Encryption (PDE)
description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
-author: frankroj
-ms.author: frankroj
-ms.reviewer: rhonnegowda
-manager: aaroncz
ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
ms.date: 03/13/2023
---
-
-
-
# Personal Data Encryption (PDE)
-**Applies to:**
-
-- Windows 11, version 22H2 and later Enterprise and Education editions
-
[!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)]
-[!INCLUDE [personal-data-encryption-pde](../../../../includes/licensing/personal-data-encryption-pde.md)]
+[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)]
## Prerequisites
### Required
- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join)
-- [Windows Hello for Business](../../identity-protection/hello-for-business/hello-overview.md)
+- [Windows Hello for Business Overview](../../../identity-protection/hello-for-business/hello-overview.md)
- Windows 11, version 22H2 and later Enterprise and Education editions
### Not supported with PDE
- [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
- - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](pde-in-intune/intune-disable-arso.md).
-- [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md)
+ - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md).
+- [Protect your enterprise data using Windows Information Protection (WIP)](../../../information-protection/windows-information-protection/protect-enterprise-data-using-wip.md)
- [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
- Remote Desktop connections
@@ -46,15 +32,15 @@ ms.date: 03/13/2023
- [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies)
- Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](pde-in-intune/intune-disable-memory-dumps.md).
+ Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md).
- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting)
- Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](pde-in-intune/intune-disable-wer.md).
+ Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md).
- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
- Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](pde-in-intune/intune-disable-hibernation.md).
+ Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](intune-disable-hibernation.md).
- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock)
@@ -76,11 +62,11 @@ ms.date: 03/13/2023
Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
- For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](pde-in-intune/intune-disable-password-connected-standby.md).
+ For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md).
### Highly recommended
-- [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled
+- [BitLocker Drive Encryption](../bitlocker/index.md) enabled
Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker.
@@ -88,7 +74,7 @@ ms.date: 03/13/2023
In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost. In such scenarios, any content protected with PDE will no longer be accessible. The only way to recover such content would be from backup.
-- [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
+- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
Destructive PIN resets will cause keys used by PDE to protect content to be lost. A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
@@ -137,7 +123,7 @@ There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-c
> [!NOTE]
> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
-For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](pde-in-intune/intune-enable-pde.md).
+For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](intune-enable-pde.md).
## Differences between PDE and BitLocker
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md
similarity index 65%
rename from windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md
index 9781fb82d7..9fda445c43 100644
--- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md
@@ -1,15 +1,8 @@
---
title: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune
description: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune
-author: frankroj
-ms.author: frankroj
-ms.reviewer: rhonnegowda
-manager: aaroncz
ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
-ms.date: 03/13/2023
+ms.date: 06/01/2023
---
# Disable Winlogon automatic restart sign-on (ARSO) for PDE
@@ -20,81 +13,51 @@ Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal
To disable ARSO using Intune, follow the below steps:
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-1. In the **Home** screen, select **Devices** in the left pane.
-
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
-
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
-
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
+1. In the **Home** screen, select **Devices** in the left pane
+1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
+1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
-
- 1. Under **Platform**, select **Windows 10 and later**.
-
- 1. Under **Profile type**, select **Templates**.
-
- 1. When the templates appear, under **Template name**, select **Administrative templates**.
-
+ 1. Under **Platform**, select **Windows 10 and later**
+ 1. Under **Profile type**, select **Templates**
+ 1. When the templates appear, under **Template name**, select **Administrative templates**
1. Select **Create** to close the **Create profile** window.
-
1. The **Create profile** screen will open. In the **Basics** page:
-
- 1. Next to **Name**, enter **Disable ARSO**.
-
- 1. Next to **Description**, enter a description.
-
- 1. Select **Next**.
-
+ 1. Next to **Name**, enter **Disable ARSO**
+ 1. Next to **Description**, enter a description
+ 1. Select **Next**
1. In the **Configuration settings** page:
-
- 1. On the left pane of the page, make sure **Computer Configuration** is selected.
-
- 1. Under **Setting name**, scroll down and select **Windows Components**.
-
- 1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option.
-
- 1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart**.
-
- 1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**.
-
- 1. Select **Next**.
-
-1. In the **Scope tags** page, configure if necessary and then select **Next**.
-
+ 1. On the left pane of the page, make sure **Computer Configuration** is selected
+ 1. Under **Setting name**, scroll down and select **Windows Components**
+ 1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option
+ 1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart**
+ 1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**
+ 1. Select **Next**
+1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
-
- 1. Under **Included groups**, select **Add groups**.
-
+ 1. Under **Included groups**, select **Add groups**
> [!NOTE]
- >
> Make sure to select **Add groups** under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
-
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
-
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
-
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
+ 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
+ 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
+1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
-### Required prerequisites
+### Prerequisites
-- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
+- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
### Security hardening recommendations
-- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
-
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
-
-- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
-
-- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
+- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
+- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
+- [Disable hibernation](intune-disable-hibernation.md)
+- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
-- [Personal Data Encryption (PDE)](../overview-pde.md)
-- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
+- [Personal Data Encryption (PDE)](index.md)
+- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md
similarity index 60%
rename from windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md
index 19a5b9498e..ef18936b1b 100644
--- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md
@@ -1,14 +1,7 @@
---
title: Disable hibernation for PDE in Intune
description: Disable hibernation for PDE in Intune
-author: frankroj
-ms.author: frankroj
-ms.reviewer: rhonnegowda
-manager: aaroncz
ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
ms.date: 03/13/2023
---
@@ -20,79 +13,50 @@ Hibernation files can potentially cause the keys used by Personal Data Encryptio
To disable hibernation using Intune, follow the below steps:
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-1. In the **Home** screen, select **Devices** in the left pane.
-
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
-
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
-
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
+1. In the **Home** screen, select **Devices** in the left pane
+1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
+1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
-
- 1. Under **Platform**, select **Windows 10 and later**.
-
- 1. Under **Profile type**, select **Settings catalog**.
-
- 1. Select **Create** to close the **Create profile** window.
-
+ 1. Under **Platform**, select **Windows 10 and later**
+ 1. Under **Profile type**, select **Settings catalog**
+ 1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
-
- 1. Next to **Name**, enter **Disable Hibernation**.
-
- 1. Next to **Description**, enter a description.
-
- 1. Select **Next**.
-
+ 1. Next to **Name**, enter **Disable Hibernation**
+ 1. Next to **Description**, enter a description
+ 1. Select **Next**
1. In the **Configuration settings** page:
-
- 1. select **Add settings**.
-
+ 1. select **Add settings**
1. In the **Settings picker** window that opens:
-
- 1. Under **Browse by category**, scroll down and select **Power**.
-
- 1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window.
-
- 1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option.
-
- 1. Select **Next**.
-
-1. In the **Scope tags** page, configure if necessary and then select **Next**.
-
+ 1. Under **Browse by category**, scroll down and select **Power**
+ 1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
+ 1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option
+ 1. Select **Next**
+1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
-
- 1. Under **Included groups**, select **Add groups**.
-
+ 1. Under **Included groups**, select **Add groups**
> [!NOTE]
- >
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
-
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
-
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
-
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
+ 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
+ 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
+1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
-### Required prerequisites
+### Prerequisites
-- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
-
-- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
+- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
+- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
-- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
-
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
-
-- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
+- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
+- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
+- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
-- [Personal Data Encryption (PDE)](../overview-pde.md)
-- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
+- [Personal Data Encryption (PDE)](index.md)
+- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md
similarity index 67%
rename from windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md
index b9ab18802e..66a238e3c9 100644
--- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md
@@ -1,14 +1,7 @@
---
title: Disable kernel-mode crash dumps and live dumps for PDE in Intune
description: Disable kernel-mode crash dumps and live dumps for PDE in Intune
-author: frankroj
-ms.author: frankroj
-ms.reviewer: rhonnegowda
-manager: aaroncz
ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
ms.date: 03/13/2023
---
@@ -20,77 +13,49 @@ Kernel-mode crash dumps and live dumps can potentially cause the keys used by Pe
To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps:
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-1. In the **Home** screen, select **Devices** in the left pane.
-
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
-
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
-
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
+1. In the **Home** screen, select **Devices** in the left pane
+1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
+1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
-
- 1. Under **Platform**, select **Windows 10 and later**.
-
- 1. Under **Profile type**, select **Settings catalog**.
-
- 1. Select **Create** to close the **Create profile** window.
-
+ 1. Under **Platform**, select **Windows 10 and later**
+ 1. Under **Profile type**, select **Settings catalog**
+ 1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
-
- 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**.
-
+ 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**
1. Next to **Description**, enter a description.
-
- 1. Select **Next**.
-
+ 1. Select **Next**
1. In the **Configuration settings** page:
-
- 1. Select **Add settings**.
-
+ 1. Select **Add settings**
1. In the **Settings picker** window that opens:
-
- 1. Under **Browse by category**, scroll down and select **Memory Dump**.
-
- 1. When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window.
-
- 1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next**.
-
-1. In the **Scope tags** page, configure if necessary and then select **Next**.
-
+ 1. Under **Browse by category**, scroll down and select **Memory Dump**
+ 1. When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
+ 1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next**
+1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
-
- 1. Under **Included groups**, select **Add groups**.
-
+ 1. Under **Included groups**, select **Add groups**
> [!NOTE]
- >
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
-
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
-
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
-
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
+ 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
+ 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
+1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
-### Required prerequisites
+### Prerequisites
-- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
-
-- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
+- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
+- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
-
-- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
-
-- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
+- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
+- [Disable hibernation](intune-disable-hibernation.md)
+- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
-- [Personal Data Encryption (PDE)](../overview-pde.md)
-- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
+- [Personal Data Encryption (PDE)](index.md)
+- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md
similarity index 68%
rename from windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md
index d61d11a19c..4cf442e308 100644
--- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md
@@ -1,14 +1,7 @@
---
title: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune
description: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune
-author: frankroj
-ms.author: frankroj
-ms.reviewer: rhonnegowda
-manager: aaroncz
ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
ms.date: 03/13/2023
---
@@ -17,18 +10,12 @@ ms.date: 03/13/2023
When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different:
- On-premises Active Directory joined devices:
-
- - A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device.
-
- - A password is required immediately after the screen turns off.
-
- The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices.
-
+ - A user can't change the amount of time after the device's screen turns off before a password is required when waking the device
+ - A password is required immediately after the screen turns off
+ The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices
- Workgroup devices, including Azure AD joined devices:
-
- - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device.
-
- - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome.
+ - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device
+ - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome
Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
@@ -36,83 +23,54 @@ Because of this undesired outcome, it's recommended to explicitly disable this p
To disable the policy **Disable allowing users to select when a password is required when resuming from connected standby** using Intune, follow the below steps:
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-1. In the **Home** screen, select **Devices** in the left pane.
-
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
-
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
-
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
+1. In the **Home** screen, select **Devices** in the left pane
+1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
+1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
-
- 1. Under **Platform**, select **Windows 10 and later**.
-
- 1. Under **Profile type**, select **Settings catalog**.
-
- 1. Select **Create** to close the **Create profile** window.
-
+ 1. Under **Platform**, select **Windows 10 and later**
+ 1. Under **Profile type**, select **Settings catalog**
+ 1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
-
- 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**.
-
- 1. Next to **Description**, enter a description.
-
+ 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**
+ 1. Next to **Description**, enter a description
1. Select **Next**.
1. In the **Configuration settings** page:
-
- 1. Select **Add settings**.
-
+ 1. Select **Add settings**
1. In the **Settings picker** window that opens:
+ 1. Under **Browse by category**, expand **Administrative Templates**
+ 1. Under **Administrative Templates**, scroll down and expand **System**
+ 1. Under **System**, scroll down and select **Logon**
+ 1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
+ 1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**
+ 1. select **Next**
- 1. Under **Browse by category**, expand **Administrative Templates**.
-
- 1. Under **Administrative Templates**, scroll down and expand **System**.
-
- 1. Under **System**, scroll down and select **Logon**.
-
- 1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window.
-
- 1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**.
-
- 1. select **Next**.
-
-1. In the **Scope tags** page, configure if necessary and then select **Next**.
-
+1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
-
- 1. Under **Included groups**, select **Add groups**.
-
+ 1. Under **Included groups**, select **Add groups**
> [!NOTE]
- >
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
-
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
-
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
-
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
+ 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
+ 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
+1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
-### Required prerequisites
+### Prerequisites
-- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
-
-- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
+- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
+- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
-- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
-
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
-
-- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
+- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
+- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
+- [Disable hibernation](intune-disable-hibernation.md)
## More information
-- [Personal Data Encryption (PDE)](../overview-pde.md)
-- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
+- [Personal Data Encryption (PDE)](index.md)
+- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md
similarity index 64%
rename from windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md
index f4a795887a..39fe957317 100644
--- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md
@@ -1,14 +1,7 @@
---
title: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune
description: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune
-author: frankroj
-ms.author: frankroj
-ms.reviewer: rhonnegowda
-manager: aaroncz
ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
ms.date: 03/13/2023
---
@@ -20,83 +13,52 @@ Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode cras
To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps:
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-1. In the **Home** screen, select **Devices** in the left pane.
-
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
-
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
-
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
+1. In the **Home** screen, select **Devices** in the left pane
+1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
+1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
-
- 1. Under **Platform**, select **Windows 10 and later**.
-
- 1. Under **Profile type**, select **Settings catalog**.
-
- 1. Select **Create** to close the **Create profile** window.
-
+ 1. Under **Platform**, select **Windows 10 and later**
+ 1. Under **Profile type**, select **Settings catalog**
+ 1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
-
- 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**.
-
- 1. Next to **Description**, enter a description.
-
- 1. Select **Next**.
-
+ 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**
+ 1. Next to **Description**, enter a description
+ 1. Select **Next**
1. In the **Configuration settings** page:
-
- 1. Select **Add settings**.
-
+ 1. Select **Add settings**
1. In the **Settings picker** window that opens:
-
- 1. Under **Browse by category**, expand **Administrative Templates**.
-
- 1. Under **Administrative Templates**, scroll down and expand **Windows Components**.
-
- 1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it.
-
- 1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window.
-
- 1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option.
-
- 1. Select **Next**.
-
-1. In the **Scope tags** page, configure if necessary and then select **Next**.
-
+ 1. Under **Browse by category**, expand **Administrative Templates**
+ 1. Under **Administrative Templates**, scroll down and expand **Windows Components**
+ 1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it
+ 1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
+ 1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option
+ 1. Select **Next**
+1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
-
- 1. Under **Included groups**, select **Add groups**.
-
+ 1. Under **Included groups**, select **Add groups**
> [!NOTE]
- >
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
-
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
-
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
-
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
+ 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
+ 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
+1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
-### Required prerequisites
+### Prerequisites
-- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
-
-- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
+- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
+- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
-- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
-
-- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
-
-- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
+- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
+- [Disable hibernation](intune-disable-hibernation.md)
+- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
-- [Personal Data Encryption (PDE)](../overview-pde.md)
-- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
+- [Personal Data Encryption (PDE)](index.md)
+- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md
similarity index 62%
rename from windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md
index ac064684ca..795504237c 100644
--- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md
@@ -1,14 +1,7 @@
---
title: Enable Personal Data Encryption (PDE) in Intune
description: Enable Personal Data Encryption (PDE) in Intune
-author: frankroj
-ms.author: frankroj
-ms.reviewer: rhonnegowda
-manager: aaroncz
ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
ms.date: 03/13/2023
---
@@ -24,89 +17,54 @@ By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE
To enable Personal Data Encryption (PDE) using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-1. In the **Home** screen, select **Devices** in the left pane.
-
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
-
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
-
+1. In the **Home** screen, select **Devices** in the left pane
+1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
+1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
-
- 1. Under **Platform**, select **Windows 10 and later**.
-
- 1. Under **Profile type**, select **Templates**.
-
- 1. When the templates appears, under **Template name**, select **Custom**.
-
- 1. Select **Create** to close the **Create profile** window.
-
+ 1. Under **Platform**, select **Windows 10 and later**
+ 1. Under **Profile type**, select **Templates**
+ 1. When the templates appears, under **Template name**, select **Custom**
+ 1. Select **Create** to close the **Create profile** window
1. The **Custom** screen will open. In the **Basics** page:
-
- 1. Next to **Name**, enter **Personal Data Encryption**.
-
- 1. Next to **Description**, enter a description.
-
- 1. Select **Next**.
-
+ 1. Next to **Name**, enter **Personal Data Encryption**
+ 1. Next to **Description**, enter a description
+ 1. Select **Next**
1. In **Configuration settings** page:
-
- 1. Next to **OMA-URI Settings**, select **Add**.
-
+ 1. Next to **OMA-URI Settings**, select **Add**
1. In the **Add Row** window that opens:
-
- 1. Next to **Name**, enter **Personal Data Encryption**.
-
- 1. Next to **Description**, enter a description.
-
+ 1. Next to **Name**, enter **Personal Data Encryption**
+ 1. Next to **Description**, enter a description
1. Next to **OMA-URI**, enter in:
-
**`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`**
-
- 1. Next to **Data type**, select **Integer**.
-
- 1. Next to **Value**, enter in **1**.
-
- 1. Select **Save** to close the **Add Row** window.
-
- 1. Select **Next**.
-
+ 1. Next to **Data type**, select **Integer**
+ 1. Next to **Value**, enter in **1**
+ 1. Select **Save** to close the **Add Row** window
+ 1. Select **Next**
1. In the **Assignments** page:
-
- 1. Under **Included groups**, select **Add groups**.
-
+ 1. Under **Included groups**, select **Add groups**
> [!NOTE]
- >
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
-
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
-
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
-
-1. In **Applicability Rules**, configure if necessary and then select **Next**.
-
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
+ 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
+ 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
+1. In **Applicability Rules**, configure if necessary and then select **Next**
+1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
-### Required prerequisites
+### Prerequisites
-- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
+- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
-- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
-
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
-
-- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
-
-- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
+- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
+- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
+- [Disable hibernation](intune-disable-hibernation.md)
+- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
-- [Personal Data Encryption (PDE)](../overview-pde.md)
-- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
-
+- [Personal Data Encryption (PDE)](index.md)
+- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
new file mode 100644
index 0000000000..0bb7c66820
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
@@ -0,0 +1,19 @@
+items:
+- name: Overview
+ href: index.md
+- name: Configure PDE with Intune
+ href: configure-pde-in-intune.md
+- name: Enable Personal Data Encryption (PDE)
+ href: intune-enable-pde.md
+- name: Disable Winlogon automatic restart sign-on (ARSO) for PDE
+ href: intune-disable-arso.md
+- name: Disable kernel-mode crash dumps and live dumps for PDE
+ href: intune-disable-memory-dumps.md
+- name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
+ href: intune-disable-wer.md
+- name: Disable hibernation for PDE
+ href: intune-disable-hibernation.md
+- name: Disable allowing users to select when a password is required when resuming from connected standby for PDE
+ href: intune-disable-password-connected-standby.md
+- name: PDE frequently asked questions (FAQ)
+ href: faq-pde.yml
\ No newline at end of file
diff --git a/windows/security/operating-system-security/data-protection/toc.yml b/windows/security/operating-system-security/data-protection/toc.yml
index 89647a44e4..18c78e5665 100644
--- a/windows/security/operating-system-security/data-protection/toc.yml
+++ b/windows/security/operating-system-security/data-protection/toc.yml
@@ -1,106 +1,14 @@
items:
- name: Overview
- href: ../../encryption-data-protection.md
+ href: index.md
- name: BitLocker
- href: ../../information-protection/bitlocker/bitlocker-overview.md
- items:
- - name: Overview of BitLocker Device Encryption in Windows
- href: ../../information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
- - name: BitLocker frequently asked questions (FAQ)
- href: ../../information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
- items:
- - name: Overview and requirements
- href: ../../information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
- - name: Upgrading
- href: ../../information-protection/bitlocker/bitlocker-upgrading-faq.yml
- - name: Deployment and administration
- href: ../../information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
- - name: Key management
- href: ../../information-protection/bitlocker/bitlocker-key-management-faq.yml
- - name: BitLocker To Go
- href: ../../information-protection/bitlocker/bitlocker-to-go-faq.yml
- - name: Active Directory Domain Services
- href: ../../information-protection/bitlocker/bitlocker-and-adds-faq.yml
- - name: Security
- href: ../../information-protection/bitlocker/bitlocker-security-faq.yml
- - name: BitLocker Network Unlock
- href: ../../information-protection/bitlocker/bitlocker-network-unlock-faq.yml
- - name: General
- href: ../../information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
- - name: "Prepare your organization for BitLocker: Planning and policies"
- href: ../../information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
- - name: BitLocker deployment comparison
- href: ../../information-protection/bitlocker/bitlocker-deployment-comparison.md
- - name: BitLocker basic deployment
- href: ../../information-protection/bitlocker/bitlocker-basic-deployment.md
- - name: Deploy BitLocker on Windows Server 2012 and later
- href: ../../information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
- - name: BitLocker management
- href: ../../information-protection/bitlocker/bitlocker-management-for-enterprises.md
- - name: Enable Network Unlock with BitLocker
- href: ../../information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
- - name: Use BitLocker Drive Encryption Tools to manage BitLocker
- href: ../../information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
- - name: Use BitLocker Recovery Password Viewer
- href: ../../information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
- - name: BitLocker Group Policy settings
- href: ../../information-protection/bitlocker/bitlocker-group-policy-settings.md
- - name: BCD settings and BitLocker
- href: ../../information-protection/bitlocker/bcd-settings-and-bitlocker.md
- - name: BitLocker Recovery Guide
- href: ../../information-protection/bitlocker/bitlocker-recovery-guide-plan.md
- - name: BitLocker Countermeasures
- href: ../../information-protection/bitlocker/bitlocker-countermeasures.md
- - name: Protecting cluster shared volumes and storage area networks with BitLocker
- href: ../../information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
- - name: Troubleshoot BitLocker
- items:
- - name: Troubleshoot BitLocker
- href: /troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting
- - name: "BitLocker cannot encrypt a drive: known issues"
- href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues
- - name: "Enforcing BitLocker policies by using Intune: known issues"
- href: /troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues
- - name: "BitLocker Network Unlock: known issues"
- href: /troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues
- - name: "BitLocker recovery: known issues"
- href: /troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues
- - name: "BitLocker configuration: known issues"
- href: /troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues
- - name: Troubleshoot BitLocker and TPM issues
- items:
- - name: "BitLocker cannot encrypt a drive: known TPM issues"
- href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues
- - name: "BitLocker and TPM: other known issues"
- href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues
- - name: Decode Measured Boot logs to track PCR changes
- href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes
+ href: bitlocker/toc.yml
- name: Encrypted Hard Drive
- href: ../../information-protection/encrypted-hard-drive.md
+ href: encrypted-hard-drive.md
- name: Personal Data Encryption (PDE)
- items:
- - name: Personal Data Encryption (PDE) overview
- href: ../../information-protection/personal-data-encryption/overview-pde.md
- - name: Personal Data Encryption (PDE) frequently asked questions (FAQ)
- href: ../../information-protection/personal-data-encryption/faq-pde.yml
- - name: Configure Personal Data Encryption (PDE) in Intune
- items:
- - name: Configure Personal Data Encryption (PDE) in Intune
- href: ../../information-protection/personal-data-encryption/configure-pde-in-intune.md
- - name: Enable Personal Data Encryption (PDE)
- href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md
- - name: Disable Winlogon automatic restart sign-on (ARSO) for PDE
- href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md
- - name: Disable kernel-mode crash dumps and live dumps for PDE
- href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md
- - name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
- href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md
- - name: Disable hibernation for PDE
- href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md
- - name: Disable allowing users to select when a password is required when resuming from connected standby for PDE
- href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md
+ href: personal-data-encryption/toc.yml
- name: Configure S/MIME for Windows
- href: ../../identity-protection/configure-s-mime.md
+ href: configure-s-mime.md
- name: Windows Information Protection (WIP)
href: ../../information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
items:
diff --git a/windows/security/operating-system-security/index.md b/windows/security/operating-system-security/index.md
new file mode 100644
index 0000000000..7787d87aa3
--- /dev/null
+++ b/windows/security/operating-system-security/index.md
@@ -0,0 +1,16 @@
+---
+title: Windows operating system security
+description: Securing the operating system includes system security, encryption, network security, and threat protection.
+ms.date: 09/21/2021
+ms.topic: article
+---
+
+# Windows operating system security
+
+Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats.
+
+Watch the latest [Microsoft Mechanics Windows 11 security](https://youtu.be/tg9QUrnVFho) video that shows off some of the latest Windows 11 security technology.
+
+Use the links in the following sections to learn more about the operating system security features and capabilities in Windows.
+
+[!INCLUDE [operating-system-security](../includes/sections/operating-system.md)]
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
index 3dca76e27e..85ac1b4e02 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
@@ -7,7 +7,7 @@ ms.topic: conceptual
# VPN and conditional access
-The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.
+The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.
>[!NOTE]
>Conditional Access is an Azure AD Premium feature.
@@ -16,8 +16,8 @@ Conditional Access Platform components used for Device Compliance include the fo
- [Conditional Access Framework](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
- [Azure AD Connect Health](/azure/active-directory/connect-health/active-directory-aadconnect-health)
-- [Windows Health Attestation Service](../../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md#device-health-attestation) (optional)
-- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA.
+- [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional)
+- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA.
See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Azure AD for health validation before a new certificate is issued.
- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
@@ -79,19 +79,20 @@ When a VPNv2 Profile is configured with \
-
-| Security Measures | Features & Capabilities |
-|:---|:---|
-| Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows system boots up safely and securely.
Learn more [Secure Boot and Trusted Boot](trusted-boot.md). |
-Cryptography and certificate management|Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure.
Learn more about [Cryptography and certificate management](cryptography-certificate-mgmt.md).
|
-Windows Security app | The Windows built-in security application found in settings provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you’re protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.
Learn more about the [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md).|
-| Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers.
Learn more about [Encryption](encryption-data-protection.md).
-| BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later.
Learn more about [BitLocker](information-protection/bitlocker/bitlocker-overview.md). |
-| Encrypted Hard Drive | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).
|
-| Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
Security baselines are included in the [Security Compliance Toolkit](threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.
Learn more about [security baselines](threat-protection/windows-security-configuration-framework/windows-security-baselines.md). |
-| Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.
Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md).
|
-| Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.
Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).
-| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.
From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (applications that can negatively impact your device even though they are not considered malware).
Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus), which helps ensure near-instant detection and blocking of new and emerging threats.
Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).|
-| Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server to prevent and block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure your attack surface reduction rules to protect against these risky behaviors.
Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) |
-| Anti-tampering protection | During cyber attacks (like ransomware attempts), bad actors attempt to disable security features, such as antivirus protection on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.
With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates
Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). |
-| Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an extra layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.
In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/), which provides detailed reporting into protection events as part of larger investigation scenarios.
Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). |
-| Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware.
Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). |
-| Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.
You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.
Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). |
-| Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.
Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) and [Microsoft 365 Defender](/microsoft-365/security/defender/). |
-
diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md
index eb76f1d581..14cccd81d4 100644
--- a/windows/security/threat-protection/auditing/audit-security-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-security-group-management.md
@@ -83,7 +83,7 @@ This subcategory allows you to audit events generated by changes to security gro
> [!IMPORTANT]
> Event 4754(S) generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
-- 4755(S): A security-enabled universal group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4737 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
+- 4755(S): A security-enabled universal group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4755 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
> [!IMPORTANT]
> Event 4755(S) generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
diff --git a/windows/security/threat-protection/images/community.png b/windows/security/threat-protection/images/community.png
deleted file mode 100644
index 8d99720c6e..0000000000
Binary files a/windows/security/threat-protection/images/community.png and /dev/null differ
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index dfaa642ba7..83cd0757b5 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -12,13 +12,7 @@ ms.date: 12/31/2017
# Windows threat protection
-**Applies to:**
-- Windows 10
-- Windows 11
-
-In Windows client, hardware and software work together to help protect you from new and emerging threats. Expanded security protections in Windows 11 help boost security from the chip, to the cloud.
-
-## Windows threat protection
+In Windows client, hardware and software work together to help protect you from new and emerging threats. Expanded security protections in Windows 11 help boost security from the chip, to the cloud.
See the following articles to learn more about the different areas of Windows threat protection:
@@ -28,15 +22,16 @@ See the following articles to learn more about the different areas of Windows th
- [Exploit Protection](/microsoft-365/security/defender-endpoint/exploit-protection)
- [Microsoft Defender Application Guard](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)
- [Microsoft Defender Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-- [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)
+- [Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)
- [Network Protection](/microsoft-365/security/defender-endpoint/network-protection)
- [Virtualization-Based Protection of Code Integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)
- [Web Protection](/microsoft-365/security/defender-endpoint/web-protection-overview)
- [Windows Firewall](windows-firewall/windows-firewall-with-advanced-security.md)
- [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)
-### Next-generation protection
-Next-generation protection is designed to identify and block new and emerging threats. Powered by the cloud and machine learning, Microsoft Defender Antivirus can help stop attacks in real-time.
+## Next-generation protection
+
+Next-generation protection is designed to identify and block new and emerging threats. Powered by the cloud and machine learning, Microsoft Defender Antivirus can help stop attacks in real-time.
- [Automated sandbox service](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus)
- [Behavior monitoring](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus)
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index c72345df1e..29afee340a 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -1,5 +1,5 @@
---
-title: Mitigate threats by using Windows 10 security features
+title: Mitigate threats by using Windows 10 security features
description: An overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats.
ms.prod: windows-client
ms.localizationpriority: medium
@@ -84,7 +84,7 @@ Windows Defender SmartScreen notifies users if they click on reported phishing a
For Windows 10, Microsoft improved SmartScreen (now called Windows Defender SmartScreen) protection capability by integrating its app reputation abilities into the operating system itself, which allows Windows Defender SmartScreen to check the reputation of files downloaded from the Internet and warn users when they're about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, Windows Defender SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, Windows Defender SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings.
-For more information, see [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md).
+For more information, see [Microsoft Defender SmartScreen overview](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/).
### Microsoft Defender Antivirus
@@ -124,7 +124,7 @@ Data Execution Prevention (DEP) does exactly that, by substantially reducing the
5. Click **OK**.
-You can now see which processes have DEP enabled.
+You can now see which processes have DEP enabled.
@@ -296,7 +296,7 @@ Some of the protections available in Windows 10 are provided through functions t
| Extension point disable to block the use of certain third-party extension points | [UpdateProcThreadAttribute function](/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_EXTENSION\_POINT\_DISABLE\_ALWAYS\_ON\] |
| Heap terminate on corruption to protect the system against a corrupted heap | [UpdateProcThreadAttribute function](/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_HEAP\_TERMINATE\_ALWAYS\_ON\] |
-## Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit
+## Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit
You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/topic/emet-mitigations-guidelines-b529d543-2a81-7b5a-d529-84b30e1ecee0), which has since 2009 offered various exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those mitigations in Windows 10. Many of EMET's mitigations have been built into Windows 10, some with extra improvements. However, some EMET mitigations carry high-performance cost, or appear to be relatively ineffective against modern threats, and therefore haven't been brought into Windows 10.
@@ -322,7 +322,7 @@ One of EMET's strengths is that it allows you to import and export configuration
Install-Module -Name ProcessMitigations
```
-The Get-ProcessMitigation cmdlet gets the current mitigation settings from the registry or from a running process, or it can save all settings to an XML file.
+The Get-ProcessMitigation cmdlet gets the current mitigation settings from the registry or from a running process, or it can save all settings to an XML file.
To get the current settings on all running instances of notepad.exe:
@@ -377,7 +377,7 @@ ConvertTo-ProcessMitigationPolicy -EMETFilePath
AppLocker permits customization of error messages to direct users to a Web page for help.|
|Policy maintenance|SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).|AppLocker policies can be updated by using the Local Security Policy snap-in, if the policies are created locally, or the GPMC, or the Windows PowerShell AppLocker cmdlets.|
|Policy application|SRP policies are distributed through Group Policy.|AppLocker policies are distributed through Group Policy.|
-|Enforcement mode|SRP works in the “blocklist mode” where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default.
SRP can also be configured in the “allowlist mode” such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|By default, AppLocker works in allowlist mode. Only those files are allowed to run for which there's a matching allow rule.|
+|Enforcement mode|SRP works in the "blocklist mode" where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default.
SRP can also be configured in the "allowlist mode" such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|By default, AppLocker works in allowlist mode. Only those files are allowed to run for which there's a matching allow rule.|
|File types that can be controlled|SRP can control the following file types:
SRP can't control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:
AppLocker maintains a separate rule collection for each of the five file types.|
|Designated file types|SRP supports an extensible list of file types that are considered executable. You can add extensions for files that should be considered executable.|AppLocker doesn't support this addition of extension. AppLocker currently supports the following file extensions:
Internet zone|AppLocker supports three types of rules:
SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker doesn't support security levels.|
|Manage Packaged apps and Packaged app installers.|Unable|.appx is a valid file type which AppLocker can manage.|
|Targeting a rule to a user or a group of users|SRP rules apply to all users on a particular computer.|AppLocker rules can be targeted to a specific user or a group of users.|
-|Support for rule exceptions|SRP doesn't support rule exceptions|AppLocker rules can have exceptions that allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.|
+|Support for rule exceptions|SRP doesn't support rule exceptions|AppLocker rules can have exceptions that allow administrators to create rules such as "Allow everything from Windows except for Regedit.exe".|
|Support for audit mode|SRP doesn't support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.|AppLocker supports audit mode that allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you're satisfied with the results, you can start enforcing the policy.|
|Support for exporting and importing policies|SRP doesn't support policy import/export.|AppLocker supports the importing and exporting of policies. This support by AppLocker allows you to create AppLocker policy on a sample computer, test it out and then export that policy and import it back into the desired GPO.|
|Rule enforcement|Internally, SRP rules enforcement happens in user-mode, which is less secure.|Internally, AppLocker rules for exes and dlls are enforced in kernel-mode, which is more secure than enforcing them in the user-mode.|
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
index a06323374d..050d675248 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
@@ -1,17 +1,12 @@
---
-title: Display a custom URL message when users try to run a blocked app
+title: Display a custom URL message when users try to run a blocked app
description: This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.
-ms.assetid: 9a2534a5-d1fa-48a9-93c6-989d4857cf85
ms.reviewer:
ms.author: vinpa
-ms.pagetype: security
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Display a custom URL message when users try to run a blocked app
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -32,7 +21,7 @@ This topic for IT professionals describes the steps for displaying a customized
With the help of Group Policy, AppLocker can be configured to display a message with a custom URL. You can use this URL to redirect users to a support site that contains info about why the user received the error and which apps are allowed. If you don't display a custom message when an app is blocked, the default access denied message is displayed.
-To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
+To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
**To display a custom URL message when users try to run a blocked app**
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
index 46473d9aea..641ee98a64 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
@@ -1,17 +1,12 @@
---
-title: DLL rules in AppLocker
+title: DLL rules in AppLocker
description: This topic describes the file formats and available default rules for the DLL rule collection.
-ms.assetid: a083fd08-c07e-4534-b0e7-1e15d932ce8f
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# DLL rules in AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
index 23268ed540..a99df09d89 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
@@ -1,30 +1,19 @@
---
-title: Document Group Policy structure & AppLocker rule enforcement
+title: Document Group Policy structure & AppLocker rule enforcement
description: This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.
-ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
-ms.pagetype: security
ms.date: 09/21/2017
ms.technology: itpro-security
---
# Document the Group Policy structure and AppLocker rule enforcement
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -49,13 +38,10 @@ The following table includes the sample data that was collected when you determi
||||Windows files|C:\Windows|Create a path exception to the default rule to exclude \Windows\Temp|Allow||
|Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|File is signed; create a publisher condition|Allow|HR-AppLockerHRRules|
||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File isn't signed; create a file hash condition|Allow||
-||||Internet Explorer 7|C:\Program Files\Internet Explorer
Emergency: Request through help desk|Through business office triage
30-day notice required|General policy: Keep past versions for 12 months
List policies for each application|Coordinated through business office
30-day notice required| |Human Resources|Planned: Monthly through HR triage
Emergency: Request through help desk|Through HR triage
30-day notice required|General policy: Keep past versions for 60 months
List policies for each application|Coordinated through HR
30-day notice required|
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
index 5aa365b37a..06168d1e9a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
@@ -1,17 +1,12 @@
---
-title: Refresh an AppLocker policy
+title: Refresh an AppLocker policy
description: This topic for IT professionals describes the steps to force an update for an AppLocker policy.
-ms.assetid: 3f24fcbc-3926-46b9-a1a2-dd036edab8a9
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Refresh an AppLocker policy
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -36,7 +25,7 @@ To use Group Policy to distribute the AppLocker policy change, you need to retri
[Edit an AppLocker policy](edit-an-applocker-policy.md) and [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md).
-To complete this procedure, you must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
+To complete this procedure, you must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
**To manually refresh the AppLocker policy by using Group Policy**
@@ -65,6 +54,6 @@ To make the same change on another device, you can use any of the following meth
- From the device that you made the change on, export the AppLocker policy, and then import the policy onto the other device. To do these tasks, use the AppLocker **Export Policy** and **Import Policy** features to copy the rules from the changed computer.
- >**Caution:** When importing rules from another computer, all the rules will be applied, not just the one that was updated. Merging policies allows both existing and updated (or new) rules to be applied.
-
+ >**Caution:** When importing rules from another computer, all the rules will be applied, not just the one that was updated. Merging policies allows both existing and updated (or new) rules to be applied.
+
- Merge AppLocker policies. For information on the procedures to do this merging, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) and [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
index 5df2060dbd..40579e3963 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
@@ -1,17 +1,12 @@
---
-title: Requirements for deploying AppLocker policies
+title: Requirements for deploying AppLocker policies
description: This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.
-ms.assetid: 3e55bda2-3cd7-42c7-bad3-c7dfbe193d48
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Requirements for deploying AppLocker policies
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
index 23c6363413..47b2d12aba 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
@@ -1,17 +1,12 @@
---
-title: Requirements to use AppLocker
+title: Requirements to use AppLocker
description: This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
-ms.assetid: dc380535-071e-4794-8f9d-e5d1858156f0
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Requirements to use AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -47,21 +36,21 @@ The following table shows the Windows versions on which AppLocker features are s
| Version | Can be configured | Can be enforced | Available rules | Notes |
| - | - | - | - | - |
-| Windows 10 and Windows 11| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| Policies are supported on all editions Windows 10 version 2004 and newer with [KB 5024351](https://support.microsoft.com/help/5024351).
Windows versions older than version 2004, including Windows Server 2019: