Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into pm-6737992-shared-pc

store-for-business/acquire-apps-microsoft-store-for-business.md

@@ -11,6 +11,8 @@ manager: scotv
 ms.reviewer: 
 ms.topic: conceptual
 ms.localizationpriority: medium
+ms.collection:
+- scotvorg
 ms.date: 07/21/2021
 ---
 

store-for-business/add-unsigned-app-to-code-integrity-policy.md

@@ -12,6 +12,8 @@ author: cmcatee-MSFT
 manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
+ms.collection:
+- scotvorg
 ms.date: 07/21/2021
 ---
 

store-for-business/index.md

@@ -11,6 +11,8 @@ author: cmcatee-MSFT
 manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: high
+ms.collection:
+- scotvorg
 ms.date: 07/21/2021
 ---
 

store-for-business/microsoft-store-for-business-overview.md

@@ -12,6 +12,8 @@ author: cmcatee-MSFT
 manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
+ms.collection:
+- scotvorg
 ms.date: 07/21/2021
 ---
 

store-for-business/prerequisites-microsoft-store-for-business.md

@@ -12,6 +12,8 @@ author: cmcatee-MSFT
 manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
+ms.collection:
+- scotvorg
 ms.date: 07/21/2021
 ---
 

store-for-business/roles-and-permissions-microsoft-store-for-business.md

@@ -13,6 +13,8 @@ author: cmcatee-MSFT
 manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
+ms.collection:
+- scotvorg
 ms.date: 07/21/2021
 ---
 

store-for-business/sign-up-microsoft-store-for-business-overview.md

@@ -12,6 +12,8 @@ author: cmcatee-MSFT
 manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
+ms.collection:
+- scotvorg
 ms.date: 07/21/2021
 ---
 

windows/deployment/update/media-dynamic-update.md

@@ -192,21 +192,28 @@ Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destinatio
 Write-Output "$(Get-TS): Mounting WinRE"
 Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
 
-# Add servicing stack update
+# Add servicing stack update (Step 1 from the table)
 
-# Note: If you are using a combined cumulative update, there may be a prerequisite servicing stack update required
+# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
-# This is where you'd add the prerequisite SSU, before applying the latest combined cumulative update. 
+# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined 
+# cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and 
+# Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined 
+# cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined 
+# cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the 
+# combined cumulative update can be installed. 
 
-# Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month)
+# This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
-# There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
+# Write-Output "$(Get-TS): Adding package $SSU_PATH"
-# This error should be caught and ignored, as the last step will be to apply the cumulative update 
+# Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null  
-# (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
 
-Write-Output "$(Get-TS): Adding package $SSU_PATH"
+# Now, attempt the combined cumulative update.
+# There is a known issue where the servicing stack update is installed, but the cumulative update will fail. This error should 
+# be caught and ignored, as the last step will be to apply the Safe OS update and thus the image will be left with the correct 
+# packages installed.
 
 try
 {
-    Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null  
+    Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null  
 }
 Catch
 {
@@ -221,6 +228,13 @@ Catch
     }
 }
 
+# The second approach for Step 1 is for Windows releases that have not adopted the combined cumulative update
+# but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
+# update. This second approach is commented out below.
+
+# Write-Output "$(Get-TS): Adding package $SSU_PATH"
+# Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null  
+
 #
 # Optional: Add the language to recovery environment
 #
@@ -301,21 +315,28 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
     Write-Output "$(Get-TS): Mounting WinPE"
     Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null  
 
-    # Add SSU
+    # Add servicing stack update (Step 9 from the table)
 
-    # Note: If you are using a combined cumulative update, there may be a prerequisite servicing stack update required
+    # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
-    # This is where you'd add the prerequisite SSU, before applying the latest combined cumulative update. 
+    # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined 
+    # cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and 
+    # Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined 
+    # cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined 
+    # cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the 
+    # combined cumulative update can be installed. 
 
-    # Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month)
+    # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
+    # Write-Output "$(Get-TS): Adding package $SSU_PATH"
+    # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null  
+
+    # Now, attempt the combined cumulative update.
     # There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
     # This error should be caught and ignored, as the last step will be to apply the cumulative update 
     # (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
 
-    Write-Output "$(Get-TS): Adding package $SSU_PATH"
-    
     try
     {
-        Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
+        Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH | Out-Null  
     }
     Catch
     {
@@ -330,6 +351,13 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
         }
     }
 
+    # The second approach for Step 9 is for Windows releases that have not adopted the combined cumulative update
+    # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
+    # update. This second approach is commented out below.
+
+    # Write-Output "$(Get-TS): Adding package $SSU_PATH"
+    # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null 
+
     # Install lp.cab cab
     Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
     Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null  
@@ -412,9 +440,29 @@ You can install Optional Components, along with the .NET feature, offline, but t
 # update Main OS
 #
 
-# Add servicing stack update
+# Add servicing stack update (Step 18 from the table)
-Write-Output "$(Get-TS): Adding package $SSU_PATH"
+
-Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
+# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
+# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that
+# includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these
+# cases, the servicing stack update is not published seperately; the combined cumulative update should be used for this step. However, in hopefully
+# rare cases, there may breaking change in the combined cumulative update format, that requires a standalone servicing stack update to be published, 
+# and installed first before the combined cumulative update can be installed. 
+
+# This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
+# Write-Output "$(Get-TS): Adding package $SSU_PATH"
+# Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null  
+
+# Now, attempt the combined cumulative update. Unlike WinRE and WinPE, we don't need to check for error 0x8007007e
+Write-Output "$(Get-TS): Adding package $LCU_PATH"
+Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null  
+
+# The second approach for Step 18 is for Windows releases that have not adopted the combined cumulative update
+# but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
+# update. This second approach is commented out below.
+
+# Write-Output "$(Get-TS): Adding package $SSU_PATH"
+# Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null  
 
 # Optional: Add language to main OS
 Write-Output "$(Get-TS): Adding package $OS_LP_PATH"

windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md

@@ -14,7 +14,7 @@ author: jgeurten
 ms.reviewer: aaroncz
 ms.author: dansimp
 manager: dansimp
-ms.date: 10/06/2022
+ms.date: 10/07/2022
 ---
 
 # Microsoft recommended driver block rules
@@ -2173,11 +2173,6 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
         <String>10.0.25210.0</String>
       </Value>
     </Setting>
-    <Setting Provider="PolicyInfo" Key="NoRevalidationUponRefresh" ValueName="NoRevalidationUponRefreshValue">
-      <Value>
-        <Boolean>true</Boolean>
-      </Value>
-    </Setting>
   </Settings>
   <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
 </SiPolicy>
@@ -2198,6 +2193,14 @@ If you prefer to apply the vulnerable driver blocklist exactly as shown above, f
 4. Copy SiPolicy.p7b to %windir%\system32\CodeIntegrity
 5. Run the WDAC policy refresh tool you downloaded in Step 1 above to activate and refresh all WDAC policies on your computer
 
+To check that the policy was successfully applied on your computer:
+
+1. Open Event Viewer
+2. Browse to **Applications and Services Logs - Microsoft - Windows - CodeIntegrity - Operational**
+3. Select **Filter Current Log...**
+4. Replace "&lt;All Event IDs&gt;" with "3099" and select OK
+5. Look for a 3099 event where the PolicyNameBuffer and PolicyIdBuffer match the Name and Id PolicyInfo settings found at the bottom of the blocklist WDAC Policy XML in this article. NOTE: Your computer may have more than one 3099 event if other WDAC policies are also present.
+
 > [!NOTE]
 > If any vulnerable drivers are already running that would be blocked by the policy, you must reboot your computer for those drivers to be blocked. Running processes aren't shutdown when activating a new WDAC policy without reboot.