The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.
Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| -| Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.
The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.
| -| Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in a software update deployment.| -| Last | **zero** | The Last ring is intended to be used for either specialized devices or devices that belong to VIP/executives in an organization. Windows Autopatch doesn't automatically add devices to this deployment ring. | +| Service-based deployment ring | Default Autopatch group deployment ring | Default device balancing percentage | Description | +| ----- | ----- | ----- | ----- | +| Test | Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.
Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| +| Fast | Ring 2 | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.
The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.
| +| Broad | Ring 3 | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in a software update deployment.| +| N/A | Last | **zero** | The Last ring is intended to be used for either specialized devices or devices that belong to VIP/executives in an organization. Windows Autopatch doesn't automatically add devices to this deployment ring. | ## Software update-based to service-based deployment ring mapping diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md index 71ba52fc37..cb52061c41 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -1,7 +1,7 @@ --- title: Manage Windows Autopatch groups description: This article explains how to manage Autopatch groups -ms.date: 05/05/2023 +ms.date: 07/25/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to @@ -10,12 +10,12 @@ author: tiaraquan ms.author: tiaraquan manager: dougeby ms.reviewer: andredm7 +ms.collection: + - highpri + - tier1 --- -# Manage Windows Autopatch groups (public preview) - -> [!IMPORTANT] -> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
Your organization currently operates its update management by using five deployment rings, but there’s an opportunity to have flexible deployment cadences if it’s pre-communicated to your end-users.
| If you don’t have thousands of devices to manage, use the Default Autopatch group for your organization. You can edit the Default Autopatch group to include additional deployment rings and/or slightly modify some of its default deployment cadences.The Default Autopatch group is pre-configured and doesn’t require extra configurations when registering devices with the Windows Autopatch service.
The following is a visual representation of a gradual rollout for the Default Autopatch group pre-configured and fully managed by the Windows Autopatch service.
| +| You’re working as the IT admin at Contoso Ltd. And manage several Microsoft and non-Microsoft cloud services. You don’t have extra time to spend setting up and managing several Autopatch groups.Your organization currently operates its update management by using five deployment rings, but there’s an opportunity to have flexible deployment cadences if it’s precommunicated to your end-users.
| If you don’t have thousands of devices to manage, use the Default Autopatch group for your organization. You can edit the Default Autopatch group to include additional deployment rings and/or slightly modify some of its default deployment cadences.The Default Autopatch group is preconfigured and doesn’t require extra configurations when registering devices with the Windows Autopatch service.
The following is a visual representation of a gradual rollout for the Default Autopatch group preconfigured and fully managed by the Windows Autopatch service.
| :::image type="content" source="../media/autopatch-groups-default-autopatch-group.png" alt-text="Default Autopatch group" lightbox="../media/autopatch-groups-default-autopatch-group.png"::: @@ -211,7 +211,7 @@ The following are three common uses for using Autopatch groups. | Scenario | Solution | | ----- | ----- | -| You’re working as the IT admin at Contoso Ltd. Your organization needs to plan a gradual rollout of software updates within specific critical business units or departments to help mitigate the risk of end-user disruption. | You can create a Custom Autopatch group for each of your business units, for example, the finance department and breakdown the deployment ring composition per the different user personas or based on how critical certain user groups can be for the department and subsequently for the business.The following is a visual representation of a gradual rollout for Contoso’s Finance department.
| +| You’re working as the IT admin at Contoso Ltd. Your organization needs to plan a gradual rollout of software updates within specific critical business units or departments to help mitigate the risk of end-user disruption. | You can create a Custom Autopatch group for each of your business units. For example, you can create a Custom Autopatch group for the finance department and breakdown the deployment ring composition per the different user personas or based on how critical certain user groups can be for the department and then for the business.The following is a visual representation of a gradual rollout for Contoso’s Finance department.
| :::image type="content" source="../media/autopatch-groups-finance-department-example.png" alt-text="Finance department example" lightbox="../media/autopatch-groups-finance-department-example.png"::: @@ -240,12 +240,9 @@ Autopatch groups works with the following software update workloads: - [Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md) - [Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md) -> [!IMPORTANT] -> [Microsoft Edge](../operate/windows-autopatch-edge.md) and [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) are supported through the (classic) service-based deployment rings. Other software update workloads aren’t currently supported. - ### Maximum number of Autopatch groups -Windows Autopatch will support up to 50 Autopatch groups in your tenant. You can create up to 49 [Custom Autopatch groups](#about-custom-autopatch-groups) in addition to the [Default Autopatch group](#about-the-default-autopatch-group). Each Autopatch group supports up to 15 deployment rings. +Windows Autopatch supports up to 50 Autopatch groups in your tenant. You can create up to 49 [Custom Autopatch groups](#about-custom-autopatch-groups) in addition to the [Default Autopatch group](#about-the-default-autopatch-group). Each Autopatch group supports up to 15 deployment rings. > [!TIP] > If you reach the maximum number of Autopatch groups supported (50), and try to create more Custom Autopatch groups, the "**Create**" option in the Autopatch groups blade will be greyed out. diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md index 076f04ca7b..eb2f5d26d5 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md @@ -10,6 +10,9 @@ author: tiaraquan ms.author: tiaraquan manager: dougeby ms.reviewer: andredm7 +ms.collection: + - highpri + - tier1 --- # Post-device registration readiness checks (public preview) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 55ddc49938..a2734bb584 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -1,7 +1,7 @@ --- title: Register your devices description: This article details how to register devices in Autopatch -ms.date: 05/01/2023 +ms.date: 07/25/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to @@ -10,6 +10,9 @@ author: tiaraquan ms.author: tiaraquan manager: dougeby ms.reviewer: andredm7 +ms.collection: + - highpri + - tier1 --- # Register your devices @@ -20,49 +23,21 @@ Before Microsoft can manage your devices in Windows Autopatch, you must have dev Windows Autopatch can take over software update management control of devices that meet software-based prerequisites as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes the following software update workloads: -- Windows quality updates - - [Autopatch groups experience](../operate/windows-autopatch-groups-windows-quality-update-overview.md) - - [Classic experience](../operate/windows-autopatch-windows-quality-update-overview.md) -- Windows feature updates - - [Autopatch groups experience](../operate/windows-autopatch-groups-windows-feature-update-overview.md) - - [Classic experience](../operate/windows-autopatch-windows-feature-update-overview.md) -- The following software update workloads use the Classic experience: - - [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) - - [Microsoft Edge updates](../operate/windows-autopatch-edge.md) - - [Microsoft Teams updates](../operate/windows-autopatch-teams.md) +- [Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md) +- [Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md) +- [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) +- [Microsoft Edge updates](../operate/windows-autopatch-edge.md) +- [Microsoft Teams updates](../operate/windows-autopatch-teams.md) -### About the use of an Azure AD group to register devices +### Windows Autopatch groups device registration -Windows Autopatch provides two methods of registering devices with its service, the [Classic](#classic-device-registration-method) and the Autopatch groups device registration method. - -#### Classic device registration method - -This method is intended to help organizations that don’t require the use of [Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups) or additional customizations to the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) to register devices. - -You must choose what devices to manage with Windows Autopatch by adding them to the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can be added using the following methods: - -- Direct membership -- Nesting other Azure AD dynamic/assigned groups -- [Bulk add/import group members](/azure/active-directory/enterprise-users/groups-bulk-import-members) - -Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. - -You can also use the **Discover devices** button in either the Registered or Not ready tab to register devices on demand. The **Discover devices** button scans for devices to be registered in the **Windows Autopatch Device Registration** or any other Azure AD group used with either the Default or Custom Autopatch groups. - -#### Windows Autopatch groups device registration method - -> [!IMPORTANT] -> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
A global Windows feature update policy is automatically assigned behind the scenes to the newly added deployment rings or when you assigned Azure AD groups to the deployment ring (Last) in the Default Autopatch group.
| | Scenario #2 | You create new [Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group).The global Windows feature policy is automatically assigned behind the scenes to all deployment rings as part of the Custom Autopatch groups you create.
| +> [!NOTE] +> Global releases don't show up in the Windows feature updates release management blade. + #### Policy configuration values See the following table on how Windows Autopatch configures the values for its global Windows feature update policy. If your tenant is enrolled with Windows Autopatch, you can see the following default policies created by the service in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431): diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md index fc177682b7..da80289277 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md @@ -1,7 +1,7 @@ --- title: Feature update status report description: Provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch. -ms.date: 05/01/2023 +ms.date: 07/25/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to @@ -10,12 +10,12 @@ author: tiaraquan ms.author: tiaraquan manager: dougeby ms.reviewer: andredm7 +ms.collection: + - highpri + - tier1 --- -# Feature update status report (public preview) - -> [!IMPORTANT] -> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
Windows Autopatch will also have created some update ring policies. all of which The policies will have "**Modern Workplace**" in the name. For example:
When you update your own policies, ensure that you don't exclude the **Modern Workplace Devices - All** Azure AD group from the policies that Windows Autopatch created.
**To resolve the Not ready result:**
After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
**To resolve the Advisory result:**
For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
| +| Deployment rings for Windows 10 or later | For any deployment rings for Windows 10 or later policies you've created, exclude the **Modern Workplace Devices - All** Azure AD group from each policy. For more information, see [Create and assign deployment rings](/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings).Windows Autopatch creates some update ring policies. These policies have "**Modern Workplace**" in the name. For example:
When you update your own policies, ensure that you don't exclude the **Modern Workplace Devices - All** Azure AD group from the policies that Windows Autopatch created.
**To resolve the Not ready result:**
After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group. For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
**To resolve the Advisory result:**
For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
| ## Windows Autopatch configurations Windows Autopatch deploys, manages and maintains all configurations related to the operation of the service, as described in [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). Don't make any changes to any of the Windows Autopatch configurations. -## Windows Autopatch tenant actions +## Windows Autopatch tenant management -The **Tenant management** blade can be found by navigating to Tenant administration > Windows Autopatch > **Tenant management**. +### Windows Autopatch tenant actions + +The Tenant management blade presents IT admins with any actions that are required to maintain Windows Autopatch service health. The **Tenant management** blade can be found by navigating to **Tenant administration** > **Windows Autopatch** > **Tenant management**. > [!IMPORTANT] -> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [enterprise applications](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](../overview/windows-autopatch-privacy.md#service-accounts), your Global admin must go to the Tenant management blade to approve the configuration change. +> If you have any critical actions in your tenant, you must take action as soon as possible as the Windows Autopatch service might not be able to manage your tenant. When a critical action is active on your tenant, Windows Autopatch will consider your tenant as **[inactive](#inactive-status)**. The type of banner that appears depends on the severity of the action. Currently, only critical actions are listed. @@ -45,4 +50,30 @@ The type of banner that appears depends on the severity of the action. Currently | Severity | Description | | ----- | ----- | -| Critical | You must take action as soon as possible. If no action is taken, the Windows Autopatch service may be affected. | +| Critical | You must take action as soon as possible to avoid disruption to the Windows Autopatch service.If no action is taken, Windows Autopatch might not be able to manage devices in your tenant, and the Windows Autopatch service may be marked as **inactive**.
To restore service health and return to an active status, all critical pending actions must be resolved.
| + +### Critical actions + +| Action type | Severity | Description | +| ----- | ----- | ----- | +| Maintain tenant access | Critical | Required licenses have expired. The licenses include:To take action on missing licenses, you can visit the Microsoft 365 admin center or contact your Microsoft account manager. Until you have renewed the required licenses to run the service, Windows Autopatch marks your tenant as **inactive**. For more information, see [Microsoft 365 - What happens after my subscription expires?](/microsoft-365/commerce/subscriptions/what-if-my-subscription-expires)
| +| Maintain tenant access | Critical | Address tenant access issues. Windows Autopatch currently can’t manage your tenant. Until you take action, your tenant is marked as **inactive**, and you have only limited access to the Windows Autopatch portal.Reasons for tenant access issues:
Take action by consenting to allow Windows Autopatch to make the appropriate changes on your behalf. You must be a Global Administrator to consent to this action. Once you provide consent, Windows Autopatch remediates this critical action for you.
For more information, see [Windows Autopatch enterprise applications](../overview/windows-autopatch-privacy.md#tenant-access).
| + +### Inactive status + +> [!NOTE] +> Only the Windows Autopatch sections of your tenant will be marked as **inactive**. + +When Windows Autopatch is **inactive**, you're alerted with banners on all Windows Autopatch blades. You only have access to the Tenant management and Support requests blades. All other blades return an error message and redirect you to Tenant management blade. + +To be taken out of the **inactive** status, you must [resolve any critical actions shown in the Tenant management blade](#critical-actions). + +> [!NOTE] +> Once critical actions are resolved, it can take up to two hours for Windows Autopatch to return to an **active** state. + +#### Impact to your tenant + +| Impact area | Description | +| ----- | ----- | +| Management | Windows Autopatch isn’t able to manage your tenant and perform non-interactive actions we use to run the service. Non-interactive actions include:For more information, see [Windows Autopatch enterprise applications](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications).
| +| Device updates | Changes to Windows Autopatch policies aren't pushed to your devices. The existing configurations on these devices remain unchanged, and they continue receiving updates. | diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md new file mode 100644 index 0000000000..e0298e93f1 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md @@ -0,0 +1,65 @@ +--- +title: Manage driver and firmware updates +description: This article explains how you can manage driver and firmware updates with Windows Autopatch +ms.date: 07/04/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: andredm7 +ms.collection: + - highpri + - tier1 +--- + +# Manage driver and firmware updates (public preview) + +> [!IMPORTANT] +> This feature is in **public preview**. The feature is being actively developed, and might not be complete. You can test and use these features in production environments and provide feedback. + +You can manage and control your driver and firmware updates with Windows Autopatch. You can choose to receive driver and firmware updates automatically, or self-manage the deployment. + +> [!TIP] +> Windows Autopatch's driver and firmware update management is based on [Intune’s driver and firmware update management](/mem/intune/protect/windows-driver-updates-overview). You can use **both** Intune and Windows Autopatch to manage your driver and firmware updates. + +## Automatic and Self-managed modes + +Switching the toggle between Automatic and Self-managed modes creates driver profiles on a per-ring basis within your tenant. + +| Modes | Description | +| ----- | -----| +| Automatic | We recommend using **Automatic** mode.Automatic mode (default) is recommended for organizations with standard Original Equipment Manufacturer (OEM) devices where no recent driver or hardware issues have occurred due to Windows Updates. Automatic mode ensures the most secure drivers are installed using Autopatch deployment ring rollout.
| +| Self-managed | When you use the the **Self-managed** mode for drivers and firmware, no drivers are installed in your environment without your explicit approval. You can still use Intune to choose specific drivers and deploy them on a ring-by-ring basis.Self-managed mode turns off Windows Autopatch’s automatic driver deployment. Instead, the Administrator controls the driver deployment.
The Administrator selects the individual driver within an Intune driver update profile. Then, Autopatch creates an Intune driver update profile per deployment ring. Drivers can vary between deployment rings.
The drivers listed for selection represent only the drivers needed for the targeted clients, which are the Autopatch rings. Therefore, the drivers offered may vary between rings depending on the variety of device hardware in an organization.
| + +## Set driver and firmware updates to Automatic or Self-managed mode + +**To set driver and firmware updates to Automatic or Self-managed mode:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Devices** > **Windows Autopatch** > **Release management** > **Release settings**. +1. In the **Windows Driver Updates** section, read and accept the agreement. +1. Select either **Automatic** or **Self-managed**. + +## View driver and firmware policies created by Windows Autopatch + +**To view driver and firmware policies created by Windows Autopatch:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Devices** > **Driver updates for Windows 10 and later**. +1. Windows Autopatch creates four policies. The policy names begin with **Windows Autopatch – Driver Update Policy** and end with the name of the ring to which they're targeted in brackets. For example, **Windows Autopatch – Driver Update Policy [Test]**. + +The `CreateDriverUpdatePolicy` is created for the Test, First, Fast, and Broad deployment rings. The policy settings are defined in the following table: + +| Policy name | DisplayName | Description | Approval Type | DeploymentDeferralInDays | +| ----- | ----- | ----- | ----- | ----- | +| `CreateDriverUpdatePolicy` | Windows Autopatch – Driver Update Policy [Test/First/Fast/Broad] | Driver Update Policy for device Test/First/Fast/Broad group | Automatic | `0` | + +> [!NOTE] +> In public preview, the DeploymentDeferralInDays setting is set to `0` for all deployment rings. + +## Feedback and support + +If you need support with this feature, and have enrolled your tenant into Windows Autopatch, [submit a support request](../operate/windows-autopatch-support-request.md). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md index 43d2a3e596..06e2e12c09 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md @@ -1,7 +1,7 @@ --- title: Microsoft 365 Apps for enterprise description: This article explains how Windows Autopatch manages Microsoft 365 Apps for enterprise updates -ms.date: 03/10/2023 +ms.date: 06/23/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to @@ -10,6 +10,9 @@ author: tiaraquan ms.author: tiaraquan manager: dougeby ms.reviewer: hathind +ms.collection: + - highpri + - tier1 --- # Microsoft 365 Apps for enterprise @@ -38,9 +41,9 @@ For a device to be eligible for Microsoft 365 Apps for enterprise updates (both ## Update release schedule -All devices registered for Windows Autopatch will receive updates from the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). This practice provides your users with new features each month, and they'll receive just one update per month on a predictable release schedule. Updates are released on the second Tuesday of the month; these updates can include feature, security, and quality updates. These updates occur automatically and pulled directly from the Office Content Delivery Network (CDN). +All devices registered for Windows Autopatch receive updates from the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). This practice provides your users with new features each month, and they receive just one update per month on a predictable release schedule. Updates are released on the second Tuesday of the month; these updates can include feature, security, and quality updates. These updates occur automatically and pulled directly from the Office Content Delivery Network (CDN). -Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update downloads, there's a seven day [update deadline](/deployoffice/configure-update-settings-microsoft-365-apps) that specifies how long the user has until the user must apply the update. +Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update downloads, there's a seven day [update deadline](../references/windows-autopatch-microsoft-365-policies.md) that specifies how long the user has until the user must apply the update. ## Deployment rings @@ -78,7 +81,7 @@ Windows Autopatch doesn't allow you to pause or roll back an update in the Micro ## Allow or block Microsoft 365 App updates -For organizations seeking greater control, you can allow or block Microsoft 365 App updates for Windows Autopatch-enrolled devices. When the Microsoft 365 App update setting is set to **Block**, Windows Autopatch won't provide Microsoft 365 App updates on your behalf, and your organizations will have full control over these updates. For example, you can continue to receive updates from [channels](/deployoffice/overview-update-channels) other than the default [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). +For organizations seeking greater control, you can allow or block Microsoft 365 App updates for Windows Autopatch-enrolled devices. When the Microsoft 365 App update setting is set to **Block**, Windows Autopatch doesn't provide Microsoft 365 App updates on your behalf, and your organizations have full control over these updates. For example, you can continue to receive updates from [channels](/deployoffice/overview-update-channels) other than the default [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). **To allow or block Microsoft 365 App updates:** @@ -117,12 +120,12 @@ For organizations seeking greater control, you can allow or block Microsoft 365 [Servicing profiles](/deployoffice/admincenter/servicing-profile) is a feature in the [Microsoft 365 Apps admin center](https://config.office.com/) that provides controlled update management of monthly Office updates, including controls for user and device targeting, scheduling, rollback, and reporting. -A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-with-other-management-tools) takes precedence over other policies, such as a Microsoft Intune policy or the Office Deployment Tool. The servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management. +A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-with-other-management-tools) takes precedence over other policies, such as a Microsoft Intune policy or the Office Deployment Tool. The servicing profile affects all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it's ineligible for Microsoft 365 App update management. However, the device may still be eligible for other managed updates. For more information about a device's eligibility for a given [software update workload](windows-autopatch-update-management.md#software-update-workloads), see the Device eligibility section of each respective software update workload. ## Incidents and outages -If devices in your tenant aren't meeting the [service level objective](#service-level-objective) for Microsoft 365 Apps for enterprise updates, an incident will be raised. The Windows Autopatch Service Engineering Team will work to bring the devices back into compliance. +If devices in your tenant aren't meeting the [service level objective](#service-level-objective) for Microsoft 365 Apps for enterprise updates, an incident is raised. The Windows Autopatch Service Engineering Team will work to bring the devices back into compliance. If you're experiencing issues related to Microsoft 365 Apps for enterprise updates, [submit a support request](../operate/windows-autopatch-support-request.md). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md index 8e4b4794f4..d998b1df2c 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md @@ -1,7 +1,7 @@ --- title: policy health and remediation description: Describes what Autopatch does it detects policies in the tenant are either missing or modified to states that affect the service -ms.date: 05/01/2023 +ms.date: 07/25/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to @@ -10,12 +10,12 @@ author: tiaraquan ms.author: tiaraquan manager: dougeby ms.reviewer: rekhanr +ms.collection: + - highpri + - tier1 --- -# Policy health and remediation (public preview) - -> [!IMPORTANT] -> This feature is in **public preview**. This feature is being actively developed and may not be complete. You can test and use these features in production environments and provide feedback. +# Policy health and remediation Windows Autopatch uses Microsoft Intune policies to set configurations and deliver the service. Windows Autopatch continuously monitors the policies and maintains all configurations related to the operation of the service. @@ -58,7 +58,7 @@ The minimum role required to restore configurations is **Intune Service Administ There will be an alert for each policy that is missing or has deviated from the service defined values. -## Restore Windows update policies +## Restore Windows Update policies **To initiate remediation actions for Windows quality update policies:** @@ -80,19 +80,14 @@ There will be an alert for each policy that is missing or has deviated from the ## Restore deployment groups -**To initiate remediation action for missing groups:** +Windows Autopatch will automatically restore any missing groups that are required by the service. When a missing deployment group is restored, and the policies are also missing, the policies be restored to the deployment groups. -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Navigate to **Tenant administration** > **Tenant management** > **Actions**. -1. Select **Restore missing group** to launch the workflow. -1. Review the message and select **Restore group**. +If policies are misconfigured or unassigned, admins must restore them. In the Release management blade, the service will raise a Policy error workflow that you must complete to repair Windows Update policies. All other policies must be restored from the Tenant administration blade. -When a missing deployment group is restored, the policies will be reassigned back to the deployment groups. In the Release management blade, the service will raise a Policy Error that you'll need to complete to repair Windows Update policies. Due to the asynchronous run of service detectors, it may take up to four (4) hours for this error to be displayed. +Due to the asynchronous run of service detectors, it might take up to four (4) hours for this error to be displayed. > [!NOTE] -> While Windows Autopatch continuously monitors the policies, all policy alerts are raised within four (4) hours of detection.Alerts will remain active until an IT admin completes the action to restore them to a healthy state.
- -There are no Autopatch reports for policy alerts and actions at this time. +> While Windows Autopatch continuously monitors the policies, all policy alerts are raised within four (4) hours of detection.Alerts will remain active until an IT admin completes the action to restore them to a healthy state.
There are no Autopatch reports for policy alerts and actions at this time.
## Use audit logs to track actions in Microsoft Intune diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md index 29e95ec21f..690e61a507 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md @@ -10,6 +10,9 @@ author: tiaraquan ms.author: tiaraquan manager: dougeby ms.reviewer: hathind +ms.collection: + - highpri + - tier1 --- # Submit a support request diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md index b348eca592..5c0649bc8e 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md @@ -10,6 +10,9 @@ author: tiaraquan ms.author: tiaraquan manager: dougeby ms.reviewer: hathind +ms.collection: + - highpri + - tier1 --- # Microsoft Teams diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md index 8a69ef3f78..1269f66d0f 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md @@ -10,6 +10,9 @@ author: tiaraquan ms.author: tiaraquan manager: dougeby ms.reviewer: hathind +ms.collection: + - highpri + - tier1 --- # Unenroll your tenant diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md deleted file mode 100644 index 3c850cf312..0000000000 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ /dev/null @@ -1,104 +0,0 @@ ---- -title: Software update management -description: This article provides an overview of how updates are handled in Autopatch -ms.date: 08/08/2022 -ms.prod: windows-client -ms.technology: itpro-updates -ms.topic: overview -ms.localizationpriority: medium -author: tiaraquan -ms.author: tiaraquan -manager: dougeby -ms.reviewer: andredm7 ---- - -# Software update management - -Keeping your devices up to date is a balance of speed and stability. Windows Autopatch connects all devices to a modern cloud-based infrastructure to manage updates on your behalf. - -## Software update workloads - -| Software update workload | Description | -| ----- | ----- | -| Windows quality update | Windows Autopatch uses four deployment rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md). | -| Windows feature update | Windows Autopatch uses four deployment rings to manage Windows feature updates. For more detailed information, see [Windows feature updates](windows-autopatch-windows-feature-update-overview.md). -| Anti-virus definition | Updated with each scan. | -| Microsoft 365 Apps for enterprise | For more information, see [Microsoft 365 Apps for enterprise](windows-autopatch-microsoft-365-apps-enterprise.md). | -| Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). | -| Microsoft Teams | For more information, see [Microsoft Teams](../operate/windows-autopatch-teams.md). | - -## Windows Autopatch deployment rings - -During the [tenant enrollment process](../prepare/windows-autopatch-enroll-tenant.md), Windows Autopatch creates four Azure AD assigned groups that are used to segment devices into its deployment rings: - -| Ring | Description | -| ----- | ----- | -| **Modern Workplace Devices-Windows Autopatch-Test** | Deployment ring for testing update deployments prior production rollout.| -| **Modern Workplace Devices-Windows Autopatch-First** | First production deployment ring for early adopters.| -| **Modern Workplace Devices-Windows Autopatch-Fast** | Fast deployment ring for quick rollout and adoption. | -| **Modern Workplace Devices-Windows Autopatch-Broad** | Final deployment ring for broad rollout into the organization. | - -Each deployment ring has a different set of update deployment policies to control the updates rollout. - -> [!WARNING] -> Adding or importing devices into any of these groups directly is not supported and doing so might cause an unexpected impact on the Windows Autopatch service. To move devices between these groups, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). - -> [!IMPORTANT] -> Windows Autopatch device registration doesn't assign devices to its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments. - -Also, during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md), Windows Autopatch assigns each device being registered to one of its deployment rings so that the service has the proper representation of the device diversity across the organization in each deployment ring. The deployment ring distribution is designed to release software update deployments to as few devices as possible to get the signals needed to make a quality evaluation of a given update deployment. - -> [!NOTE] -> You can't create additional deployment rings or use your own for devices managed by the Windows Autopatch service. - -### Deployment ring calculation logic - -The Windows Autopatch deployment ring calculation happens during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md) and it works as follows: - -- If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is First **(5%)**, Fast **(15%)**, remaining devices go to the Broad ring **(80%)**. -- If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**. - -| Deployment ring | Default device balancing percentage | Description | -| ----- | ----- | ----- | -| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.
Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| -| Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.
The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.
| -| Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in a software update deployment.| - -## Moving devices in between deployment rings - -If you want to move separate devices to different deployment rings, after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices from the **Ready** tab. - -**To move devices in between deployment rings:** - -1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** in the left pane. -2. In the **Windows Autopatch** section, select **Devices**. -3. In the **Ready** tab, select one or more devices you want to assign. All selected devices will be assigned to the deployment ring you specify. -4. Select **Device actions** from the menu. -5. Select **Assign device to ring**. A fly-in opens. -6. Use the dropdown menu to select the deployment ring to move devices to, and then select **Save**. The **Ring assigned by** column will change to **Pending**. - -When the assignment is complete, the **Ring assigned by** column changes to **Admin** (which indicates that you made the change) and the **Ring** column shows the new deployment ring assignment. - -> [!NOTE] -> You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). - -> [!WARNING] -> Moving devices between deployment rings through directly changing Azure AD group membership isn't supported and may cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings. - -## Automated deployment ring remediation functions - -Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either: - -- Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or -- An issue occurred which prevented devices from getting a deployment ring assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md). - -There are two automated deployment ring remediation functions: - -| Function | Description | -| ----- | ----- | -| **Check Device Deployment Ring Membership** | Every hour, Windows Autopatch checks to see if any of its managed devices aren't part of one of the deployment rings. If, for some reason, a device isn't part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test** ring). | -| **Multi-deployment ring device remediator:**| Every hour, Windows Autopatch checks to see if any of its managed devices are part of multiple deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test** ring). If, for some reason, a device is part of multiple deployment rings, Windows Autopatch randomly removes device of one or more deployment rings until the device is only part of one deployment ring.| - -> [!IMPORTANT] -> Windows Autopatch automated deployment ring functions doesn't assign or remove devices to or from the **Modern Workplace Devices-Windows Autopatch-Test** ring. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp.md deleted file mode 100644 index cdbcde747d..0000000000 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp.md +++ /dev/null @@ -1,82 +0,0 @@ ---- -title: Windows feature update end user experience -description: This article explains the Windows feature update end user experience -ms.date: 07/11/2022 -ms.prod: windows-client -ms.technology: itpro-updates -ms.topic: conceptual -ms.localizationpriority: medium -author: tiaraquan -ms.author: tiaraquan -manager: dougeby -ms.reviewer: hathind ---- - -# Windows feature update end user experience - -Windows Autopatch aims to deploy updates predictably while minimizing the effect to end users by preventing restarts during business hours. - -## User notifications - -In this section we'll review what an end user would see in the following three scenarios: - -1. Typical update experience -2. Feature update deadline forces an update -3. Feature update grace period - -> [!NOTE] -> Windows Autopatch doesn't yet support feature updates without notifying end users.
The "It's almost time to restart" and "Your organization requires your device to restart" notifications won't disappear until the user interacts with the notification.
- -### Typical update experience - -In this example, we'll be discussing a device in the First ring. When the policy is applied to the device, the device will download the update, and notify end users that the new version of Windows is ready to install. The end user can either: - -1. Restart immediately to install the updates. -2. Schedule the installation. -3. Snooze (the device will attempt to install outside of active hours). - -In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline. - -:::image type="content" source="../media/windows-feature-typical-update-experience.png" alt-text="Typical Windows feature update experience" lightbox="../media/windows-feature-typical-update-experience.png"::: - -### Feature update deadline forces an update - -The following example builds on the scenario outlined in the typical user experience, but the user ignores the notification and selects snooze. Further notifications are received, which the user ignores. The device is also unable to install the updates outside of active hours. - -The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the active hours and force a restart to complete the installation. The user will receive a 15-minute warning, after which, the device will install the update and restart. - -:::image type="content" source="../media/windows-feature-force-update.png" alt-text="Force Windows feature update" lightbox="../media/windows-feature-force-update.png"::: - -### Feature update grace period - -In the following example, the user is on holiday and the device is offline beyond the feature update deadline. The user then returns to work and the device is turned back on. - -The grace period to install the update and restart depends on the deployment ring the device is assigned to: - -| Deployment ring | Grace period (in days) | -| ----- | ----- | -| Test | Zero days | -| First | Two days | -| Fast | Two days | -| Broad | Two days | - -The user will be notified of a pending installation and given options to choose from. Once the grace period has expired, the user is forced to restart with a 15-minute warning notification. - -:::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Windows feature update grace period" lightbox="../media/windows-feature-update-grace-period.png"::: - -## Servicing window - -Windows Autopatch understands the importance of not disrupting end users but also updating the devices quickly. To achieve this goal, updates are automatically downloaded and installed at an optimal time determined by the device. Device restarts occur outside of active hours until the deadline is reached. By default, active hours are configured dynamically based on device usage patterns. If you wish to specify active hours for your organization, you can do so by deploying both the following policies: - -| Policy | Description | -| ----- | ----- | -| [Active hours start](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) | This policy controls the start of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. | -| [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | This policy controls the end of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. | - -> [!IMPORTANT] -> Both policies must be deployed for them to work as expected. - -A device won't restart during active hours unless it has passed the date specified by the update deadline policy. Once the device has passed the deadline policy, the device will update as soon as possible. - -> [!IMPORTANT] -> If your devices must be updated at a specific date or time, they aren't suitable for Windows Autopatch. Allowing you to choose specific dates to update devices would disrupt the rollout schedule and prevent us from delivering the service level objective. The use of any of the following CSPs on a managed device will render it ineligible for management:Since the new Windows feature update policies that set the minimum Windows 10 OS version are already in place, the Modern Workplace DSS policies can be safely removed from your tenant.
- -## Test Windows 11 feature updates - -You can test Windows 11 deployments by adding devices either through direct membership or by bulk importing them into the **Modern Workplace - Windows 11 Pre-Release Test Devices** Azure AD group. There’s a separate Windows feature update policy (**Modern Workplace DSS Policy [Windows 11]**) targeted to this Azure AD group, and its configuration is set as follows: - -| Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date | -| ----- | ----- | ----- | ----- | ----- | ----- | ----- | -| Modern Workplace DSS Policy [Windows 11] | Windows 11 22H2 | Make update available as soon as possible | N/A | N/A | N/A | 10/13/2025, 7:00PM | - -> [!IMPORTANT] -> Windows Autopatch neither applies its deployment ring distribution, nor configures the [Windows Update for Business gradual rollout settings](/mem/intune/protect/windows-update-rollout-options) in the **Modern Workplace DSS Policy [Windows 11]** policy.Once devices are added to the **Modern Workplace - Windows 11 Pre-Release Test Devices** Azure AD group, the devices can be offered the Windows 11 22H2 feature update at the same time.
- -## Manage Windows feature update deployments - -Windows Autopatch uses Microsoft Intune’s built-in solution, which uses configuration service providers (CSPs), for pausing and resuming both [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). - -Windows Autopatch provides a permanent pause of a Windows feature update deployment. The Windows Autopatch service automatically extends the 35-day pause limit (permanent pause) established by Microsoft Intune on your behalf. The deployment remains permanently paused until you decide to resume it. - -## Release management - -> [!NOTE] -> To access the Release management blade, you must have the correct [role-based access control](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration). - -### Pausing and resuming a release - -> [!CAUTION] -> You should only pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices. If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md). - -> [!IMPORTANT] -> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
- -**To pause or resume a Windows feature update:** - -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Select **Devices** from the left navigation menu. -3. Under the **Windows Autopatch** section, select **Release management**. -4. In the **Release management** blade, select either: **Pause** or **Resume**. -5. Select the update type you would like to pause or resume. -6. Select a reason from the dropdown menu. -7. Optional. Enter details about why you're pausing or resuming the selected update. -8. If you're resuming an update, you can select one or more deployment rings. -9. Select **Okay**. - -If you've paused an update, the specified release will have the **Customer Pause** status. The Windows Autopatch service can't overwrite IT admin's pause. You must select **Resume** to resume the update. - -> [!NOTE] -> The **Service Pause** status only applies to [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). Windows Autopatch doesn't pause Windows feature updates on your behalf. - -## Rollback - -Windows Autopatch doesn’t support the rollback of Windows feature updates. - -> [!CAUTION] -> You should only pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices. If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md). - -## Contact support - -If you’re experiencing issues related to Windows feature updates, you can [submit a support request](../operate/windows-autopatch-support-request.md). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md deleted file mode 100644 index f48428da15..0000000000 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md +++ /dev/null @@ -1,40 +0,0 @@ ---- -title: All devices report—historical -description: Provides a visual representation of the update status trend for all devices over the last 90 days. -ms.date: 12/01/2022 -ms.prod: windows-client -ms.technology: itpro-updates -ms.topic: how-to -ms.localizationpriority: medium -author: tiaraquan -ms.author: tiaraquan -manager: dougeby -ms.reviewer: adnich ---- - -# All devices report—historical - -The historical All devices report provides a visual representation of the update status trend for all devices over the last 90 days. - -**To view the historical All devices report:** - -1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**. -1. Select the **Reports** tab. -1. Select **All devices report—historical**. - -:::image type="content" source="../media/windows-autopatch-all-devices-historical-report.png" alt-text="All devices—historical report" lightbox="../media/windows-autopatch-all-devices-historical-report.png"::: - -> [!NOTE] -> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page. - -## Report options - -The following options are available: - -| Option | Description | -| ----- | ----- | -| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. | -| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. | - -For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md deleted file mode 100644 index a89b5943b8..0000000000 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md +++ /dev/null @@ -1,56 +0,0 @@ ---- -title: All devices report -description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices. -ms.date: 12/01/2022 -ms.prod: windows-client -ms.technology: itpro-updates -ms.topic: how-to -ms.localizationpriority: medium -author: tiaraquan -ms.author: tiaraquan -manager: dougeby -ms.reviewer: adnich ---- - -# All devices report - -The All devices report provides a per device view of the current update status for all Windows Autopatch enrolled devices. - -**To view the All devices report:** - -1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**. -1. Select the **Reports** tab. -1. Select **All devices report**. - -:::image type="content" source="../media/windows-autopatch-all-devices-report.png" alt-text="All devices report" lightbox="../media/windows-autopatch-all-devices-report.png"::: - -> [!NOTE] -> The data in this report is refreshed every 24 hours. The last refreshed on date/time can be seen at the top of the page. - -## Report information - -The following information is available in the All devices report: - -| Column name | Description | -| ----- | ----- | -| Device name | The name of the device. | -| Azure Active Directory (AD) device ID | The current Azure AD recorded device ID for the device. | -| Serial number | The current Intune recorded serial number for the device. | -| Deployment ring | The currently assigned Windows Autopatch deployment ring for the device. | -| Update status | The current update status for the device (see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses)). | -| Update sub status | The current update sub status for the device (see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses)) | -| OS version | The current version of Windows installed on the device. | -| OS revision | The current revision of Windows installed on the device. | -| Intune last check in time | The last time the device checked in to Intune. | - -## Report options - -The following options are available: - -| Option | Description | -| ----- | ----- | -| Search | Use to search by device name, Azure AD device ID or serial number | -| Sort | Select the **column headings** to sort the report data in ascending and descending order. | -| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. | -| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate report**. | diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md deleted file mode 100644 index f715f1bba8..0000000000 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md +++ /dev/null @@ -1,65 +0,0 @@ ---- -title: Windows quality update communications -description: This article explains Windows quality update communications -ms.date: 03/30/2023 -ms.prod: windows-client -ms.technology: itpro-updates -ms.topic: conceptual -ms.localizationpriority: medium -author: tiaraquan -ms.author: tiaraquan -manager: dougeby -ms.reviewer: hathind ---- - -# Windows quality update communications - -There are three categories of communication that are sent out during a Windows quality and feature update: - -- [Standard communications](#standard-communications) -- [Communications during release](#communications-during-release) -- [Incident communications](#incident-communications) - -Communications are posted to, as appropriate for the type of communication, to the: - -- Message center -- Service health dashboard -- Windows Autopatch messages section of the Microsoft Intune admin center - -:::image type="content" source="../media/update-communications.png" alt-text="Update communications timeline" lightbox="../media/update-communications.png"::: - -## Standard communications - -| Communication | Location | Timing | Description | -| ----- | ----- | ----- | ----- | -| Release schedule |First
Fast
Broad | 0
1
6
9 | 0
2
2
5 | 0
2
2
2 | -| Expedited release | All devices | 0 | 1 | 1 | - -> [!IMPORTANT] -> Expedited updates **don't** work with devices under the [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/). For more information, see [expedite Windows quality updates in Microsoft Intune](/mem/intune/protect/windows-10-expedite-updates). - -#### Turn off service-driven expedited quality update releases - -Windows Autopatch provides the option to turn off of service-driven expedited quality updates. - -By default, the service expedites quality updates as needed. For those organizations seeking greater control, you can disable expedited quality updates for Windows Autopatch-enrolled devices using Microsoft Intune. - -**To turn off service-driven expedited quality updates:** - -1. Go to **[Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**. -2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited quality updates** setting. - -> [!NOTE] -> Windows Autopatch doesn't allow customers to request expedited releases. - -### Out of Band releases - -Windows Autopatch schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule. - -**To view deployed Out of Band quality updates:** - -1. Go to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**. -2. Under the **Release Announcements** tab, you can view the knowledge base (KB) articles corresponding to deployed OOB and regular Windows quality updates. - -> [!NOTE] -> Announcements will be **removed** from the Release announcements tab when the next quality update is released. Further, if quality updates are paused for a deployment ring, the OOB updates will also be paused. - -### Pausing and resuming a release - -> [!CAUTION] -> You should only pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices. If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md). - -The service-level pause of updates is driven by the various software update deployment-related signals Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft. - -If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-windows-quality-update-signals.md), we may decide to pause that release. - -> [!IMPORTANT] -> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.
For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
- -**To pause or resume a Windows quality update:** - -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Select **Devices** from the left navigation menu. -3. Under the **Windows Autopatch** section, select **Release management**. -4. In the **Release management** blade, select either: **Pause** or **Resume**. -5. Select the update type you would like to pause or resume. -6. Select a reason from the dropdown menu. -7. Optional. Enter details about why you're pausing or resuming the selected update. -8. If you're resuming an update, you can select one or more deployment rings. -9. Select **Okay**. - -The three following statuses are associated with paused quality updates: - -| Status | Description | -| ----- | ------ | -| Service Pause | If the Windows Autopatch service has paused an update, the release will have the **Service Pause** status. You must [submit a support request](../operate/windows-autopatch-support-request.md) to resume the update. | -| Customer Pause | If you've paused an update, the release will have the **Customer Pause** status. The Windows Autopatch service can't overwrite an IT admin's pause. You must select **Resume** to resume the update. | -| Customer & Service Pause | If you and Windows Autopatch have both paused an update, the release will have the **Customer & Service Pause** status. If you resume the update, and the **Service Pause** status still remains, you must [submit a support request](../operate/windows-autopatch-support-request.md) for Windows Autopatch to resume the update deployment on your behalf. | - -## Remediating Ineligible and/or Not up to Date devices - -To ensure your devices receive Windows quality updates, Windows Autopatch provides information on how you can remediate [Ineligible Devices (Customer Actions)](../operate/windows-autopatch-windows-quality-update-reports-overview.md#ineligible-devices-customer-action). In addition, the Windows Autopatch service may remediate [Not up to Date devices](../operate/windows-autopatch-windows-quality-update-reports-overview.md#not-up-to-date-microsoft-action) to bring them back into compliance. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md deleted file mode 100644 index c3ea51727d..0000000000 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md +++ /dev/null @@ -1,110 +0,0 @@ ---- -title: Windows quality update reports -description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch -ms.date: 12/01/2022 -ms.prod: windows-client -ms.technology: itpro-updates -ms.topic: how-to -ms.localizationpriority: medium -author: tiaraquan -ms.author: tiaraquan -manager: dougeby -ms.reviewer: adnich ---- - -# Windows quality update reports - -The Windows quality update reports provide you information about: - -- Quality update device eligibility -- Device update health -- Device update trends - -Together, these reports provide insight into the quality update state and compliance of Windows devices that are enrolled into Windows Autopatch. - -The report types are organized into the following focus areas: - -| Focus area | Description | -| ----- | ----- | -| Operational detail |For Windows 10 devices, Windows Update can start 30 minutes prior to the specified install time. If the installation start time is specified at 2:00 AM, some of the devices may start the installation 30 mins prior.
- -The Scheduled install cadence has two options: - -| Option | Description | -| ----- | ----- | -| Active hours | The period (daily) that the user normally does their work, or the device is busy performing business critical actions.The time outside of active hours is when the device is available for Windows to perform an update and restart the device (daily). The max range for Active hours is 18 hours. The six-hour period outside of the active hours is the deployment period, when Windows Update for Business will scan, install and restart the device.
-| Schedule install and restart | Use this option to prevent the service from installing Windows Updates except during the specified start time. You can specify the following occurrence options:Select a time when the device has low activity for the updates to complete. Ensure that the Windows Update has three to four hours to complete the installation and restart the device.
| - -> [!NOTE] -> Changes made in one deployment ring won't impact other rings in your tenant.Configured **Active hours** and **Scheduled install and restart** options will apply to both Windows quality updates and Windows feature updates.
- -### User notifications - -In addition to the cadence type, you can also manage the end user notification settings. End users will receive all update notifications by default. For critical devices or devices where notifications need to be hidden, use the **Manage notifications** option to configure notifications. For each tenant, at the deployment ring level, there are four options for you to configure end user update notification settings: - -- Not configured -- Use the default Windows Update notifications -- Turn off all notifications excluding restart warnings -- Turn off all notifications including restart warnings - -For more information, see [Windows Update settings you can manage with Intune update ring policies for Windows 10/11 devices](/mem/intune/protect/windows-update-settings). - -## Customize the Windows Update deployment cadence - -> [!IMPORTANT] -> The Windows update setting customizations can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to apply new software update settings.For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
- -**To customize the Windows Update deployment cadence:** - -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Navigate to **Devices** > **Windows Autopatch** > **Release management** > **Release settings** select **Customize Windows Update cadence (preview)**. The page lists the existing settings for each of the rings in the tenant. -3. Select the **horizontal ellipses (…)** across each ring to manage the deployment cadence or notification settings. -4. Select [**Manage deployment cadence**](#cadence-types) to customize Windows Update settings. - 1. Select one of the cadence types for the ring: - 1. Select **Deadline-driven** to configure the deferral, deadline, and grace periods. This option will enforce forced restarts based on the selected deadline and grace period. In the event you want to switch back to the service recommended defaults, for each of the settings, select the option tagged as "default". - 1. Select **Scheduled install** to opt-out of deadline-based forced restart. - 1. Select either **Active hours** or **Schedule install and restart time**. - 2. Select **Save**. -5. Select **Manage notifications**. A fly-in pane opens. - 1. Select one of following [Windows Update restart notifications](#user-notifications) for your devices that are part of the selected deployment ring. By default, Windows Autopatch recommends that you enable all notifications. - 1. Not configured - 1. Use the default Windows Update notifications - 1. Turn off all notifications excluding restart warnings - 1. Turn off all notifications included restart warnings - 1. Select **Save** once you select the preferred setting. -6. Repeat the same process to customize each of the rings. Once done, select **Next**. -7. In **Review + apply**, you’ll be able to review the selected settings for each of the rings. -8. Select **Apply** to apply the changes to the ring policy. Once the settings are applied, the saved changes can be verified in the **Release schedule** tab. The Windows quality update schedule on the **Release schedule** tab will be updated as per the customized settings. diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 7eaead607a..66e6fd2e1d 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -4,7 +4,7 @@ metadata: description: Answers to frequently asked questions about Windows Autopatch. ms.prod: windows-client ms.topic: faq - ms.date: 05/04/2023 + ms.date: 07/19/2023 audience: itpro ms.localizationpriority: medium manager: dougeby @@ -31,10 +31,10 @@ sections: Autopatch isn't available for 'A' or 'F' series licensing. - question: Will Windows Autopatch support local domain join Windows 10? answer: | - Windows Autopatch doesn't support local (on-premise) domain join. Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Azure AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid). + Windows Autopatch doesn't support local (on-premises) domain join. Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Azure AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid). - question: Will Windows Autopatch be available for state and local government customers? answer: | - Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. + Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. Although Windows 365 Enterprise is in the Azure Commercial cloud, when Windows 365 Enterprise is used with a GCC customer tenant, Autopatch is not suppported. - question: What if I enrolled into Windows Autopatch using the promo code? Will I still have access to the service? answer: | Yes. For those who used the promo code to access Windows Autopatch during public preview, you'll continue to have access to Windows Autopatch even when the promo code expires. There's no additional action you have to take to continue using Windows Autopatch. diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md index c515617ae7..a071f7e68d 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md @@ -1,7 +1,7 @@ --- title: What is Windows Autopatch? description: Details what the service is and shortcuts to articles. -ms.date: 07/11/2022 +ms.date: 07/11/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -11,7 +11,7 @@ ms.author: tiaraquan manager: dougeby ms.collection: - highpri - - tier2 + - tier1 ms.reviewer: hathind --- @@ -23,14 +23,14 @@ Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps Rather than maintaining complex digital infrastructure, businesses want to focus on what makes them unique and successful. Windows Autopatch offers a solution to some of the challenges facing businesses and their people today: -- **Close the security gap**: By keeping software current, there are fewer vulnerabilities and threats to your devices. -- **Close the productivity gap**: By adopting features as they're made available, users get the latest tools to enhance creation and collaboration. -- **Optimize your IT admin resources**: By automating routine endpoint updates, IT pros have more time to create value. +- **Close the security gap**: Windows Autopatch keeps software current, there are fewer vulnerabilities and threats to your devices. +- **Close the productivity gap**: Windows Autopatch adopts features as they're made available. End users get the latest tools to amplify their collaboration and work. +- **Optimize your IT admin resources**: Windows Autopatch automates routine endpoint updates. IT pros have more time to create value. - **On-premises infrastructure**: Transitioning to the world of software as a service (SaaS) allows you to minimize your investment in on-premises hardware since updates are delivered from the cloud. -- **Onboard new services**: Windows Autopatch is scoped to make it easy to enroll and minimizes the time investment from your IT Admins to get started. -- **Minimize end user disruption**: By releasing in sequential deployment rings, and responding to reliability and compatibility signals, user disruptions due to updates are minimized. +- **Onboard new services**: Windows Autopatch makes it easy to enroll and minimizes the time required from your IT Admins to get started. +- **Minimize end user disruption**: Windows Autopatch releases updates in sequential deployment rings, and responding to reliability and compatibility signals, user disruptions due to updates are minimized. -Windows Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates for Windows, Microsoft 365 Apps, Microsoft Edge or Teams. By crafting careful rollout sequences and communicating with you throughout the release, your IT Admins can focus on other activities and tasks. +Windows Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates for Windows, Microsoft 365 Apps, Microsoft Edge or Teams. Windows Autopatch uses careful rollout sequences and communicates with you throughout the release, allowing your IT Admins can focus on other activities and tasks. ## Update management @@ -44,11 +44,11 @@ The goal of Windows Autopatch is to deliver software updates to registered devic | [Microsoft Edge](../operate/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. | | [Microsoft Teams](../operate/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. | -For each management area, there's a set of eligibility requirements that determine if the device will receive that specific update. An example of an eligibility criteria is that the device must have access to the required network endpoints for the Windows update. It's your responsibility to ensure that devices are meeting eligibility requirements for each management area. +For each management area, there's a set of eligibility requirements that determine if the device receives that specific update. An example of an eligibility criteria is that the device must have access to the required network endpoints for the Windows update. It's your responsibility to ensure that devices are meeting eligibility requirements for each management area. To determine if we're meeting our service level objectives, all eligible devices are labeled as either "Healthy" or "Unhealthy". Healthy devices are meeting the eligibility requirements for that management area and unhealthy devices aren't. If Windows Autopatch falls below any service level objective for a management area, an incident is raised. Then, we bring the service back into compliance. -While an update is in progress, it's monitored by Windows Autopatch. Depending on the criticality of the update, the service may decide to expedite the update. If we detect an issue during release, we may pause or roll back the update. Since each management area has a different monitoring and update control capabilities, you review the documentation for each area to familiarize yourself with the service. +Windows Autopatch monitors in-progress updates. Depending on the criticality of the update, the service may decide to expedite the update. If we detect an issue during release, we may pause or roll back the update. Since each management area has a different monitoring and update control capabilities, you review the documentation for each area to familiarize yourself with the service. ## Messages @@ -62,10 +62,10 @@ Microsoft remains committed to the security of your data and the [accessibility] | Area | Description | | ----- | ----- | -| Prepare | The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch:You can complete enrollment, but you must fix these issues before you deploy your first device. | -| Not ready | You must fix these issues before enrollment. You won’t be able to enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | +| Not ready | You must fix these issues before enrollment. You can't enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | | Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check. | ## Step 3: Fix issues with your tenant @@ -86,11 +89,11 @@ Once the Readiness assessment tool provides you with a "Ready" result, you're re **To enroll your tenant:** -Within the Readiness assessment tool, you'll now see the **Enroll** button. By selecting **Enroll**, you'll kick off the enrollment of your tenant to the Windows Autopatch service. During the enrollment workflow, you'll see the following: +Within the Readiness assessment tool, you can see the **Enroll** button. By selecting **Enroll**, you start the enrollment process of your tenant into the Windows Autopatch service. During the enrollment workflow, you see the following: - Consent workflow to manage your tenant. - Provide Windows Autopatch with IT admin contacts. -- Setup of the Windows Autopatch service on your tenant. This step is where we'll create the policies, groups and accounts necessary to run the service. +- Setup of the Windows Autopatch service on your tenant. This step is where we create the policies, groups and accounts necessary to run the service. Once these actions are complete, you've now successfully enrolled your tenant. @@ -101,7 +104,7 @@ Once these actions are complete, you've now successfully enrolled your tenant. You can choose to delete the data we collect directly within the Readiness assessment tool. -Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Azure Active Directory organization (tenant). After 12 months, we retain the data in a de-identified form. +Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Azure Active Directory organization (tenant). After 12 months, we retain the data in a deidentified form. > [!NOTE] > Windows Autopatch will only delete the results we collect within the Readiness assessment tool; Autopatch won't delete any other tenant-level data. diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md index c36d207090..6588ea5a13 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md @@ -10,6 +10,8 @@ author: tiaraquan ms.author: tiaraquan manager: dougeby ms.reviewer: hathind +ms.collection: + - tier2 --- # Submit a tenant enrollment support request diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md index 413d997112..39f30591e9 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md @@ -10,6 +10,9 @@ author: tiaraquan ms.author: tiaraquan manager: dougeby ms.reviewer: hathind +ms.collection: + - highpri + - tier1 --- # Fix issues found by the Readiness assessment tool @@ -21,13 +24,13 @@ Seeing issues with your tenant? This article details how to remediate issues fou ## Check results -For each check, the tool will report one of four possible results: +For each check, the tool reports one of four possible results: | Result | Meaning | | ----- | ----- | | Ready | No action is required before completing enrollment. | | Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.
You can complete enrollment, but you must fix these issues before you deploy your first device. | -| Not ready | You must fix these issues before enrollment. You won’t be able to enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | +| Not ready | You must fix these issues before enrollment. You can't enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | | Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permission to run this check or your tenant isn't properly licensed for Microsoft Intune. | > [!NOTE] @@ -43,7 +46,7 @@ Your "Update rings for Windows 10 or later" policy in Intune must not target any | Result | Meaning | | ----- | ----- | -| Advisory | You have an "update ring" policy that targets all devices, all users, or both. Windows Autopatch will also create our own update ring policies during enrollment. To avoid conflicts with Windows Autopatch devices, we'll exclude our devices group from your existing update ring policies that target all devices, all users, or both. You must consent to this change when you go to enroll your tenant.
| +| Advisory | You have an "update ring" policy that targets all devices, all users, or both. Windows Autopatch creates our own update ring policies during enrollment. To avoid conflicts with Windows Autopatch devices, we exclude our devices group from your existing update ring policies that target all devices, all users, or both. You must consent to this change when you go to enroll your tenant.| ## Azure Active Directory settings diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index 1808dd285c..90e7324a39 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -10,6 +10,9 @@ author: tiaraquan ms.author: tiaraquan manager: dougeby ms.reviewer: hathind +ms.collection: + - highpri + - tier1 --- # Prerequisites diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index a1fd2c87e2..f0c9059f9c 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -1,7 +1,7 @@ --- title: Changes made at tenant enrollment description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch -ms.date: 01/24/2023 +ms.date: 06/23/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: reference @@ -10,6 +10,9 @@ author: tiaraquan ms.author: tiaraquan manager: dougeby ms.reviewer: hathind +ms.collection: + - highpri + - tier1 --- # Changes made at tenant enrollment @@ -63,7 +66,7 @@ The following groups target Windows Autopatch configurations to devices and mana | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | | Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPOAssigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Added the [Inactive status](../operate/windows-autopatch-maintain-environment.md#inactive-status) section
User performs operation requiring privilege|
If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute.| +|
ShellExecute|
ShellExecute calls CreateProcess. ShellExecute looks for the ERROR_ELEVATION_REQUIRED error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt.| +|
CreateProcess|
If the application requires elevation, CreateProcess rejects the call with ERROR_ELEVATION_REQUIRED.| + +### System + +|Component|Description| +|--- |--- | +|
Application Information service|
A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required. Depending on the configured policies, the user may give consent.| +|
Elevating an ActiveX install|
If ActiveX isn't installed, the system checks the UAC slider level. If ActiveX is installed, the **User Account Control: Switch to the secure desktop when prompting for elevation** Group Policy setting is checked.| +|
Check UAC slider level|
UAC has a slider to select from four levels of notification.
**Always notify** will:
Recommended if you often install new software or visit unfamiliar websites.
**Notify me only when programs try to make changes to my computer** will:
Recommended if you don't often install apps or visit unfamiliar websites.
**Notify me only when programs try to make changes to my computer (do not dim my desktop)** will:
Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.
**Never notify (Disable UAC prompts)** will:
Not recommended due to security concerns.| +|
Secure desktop enabled|
The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is checked:
If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
If the secure desktop isn't enabled, all elevation requests go to the interactive user's desktop, and the per-user settings for administrators and standard users are used.| +|
CreateProcess|
CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation. The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file. CreateProcess fails if the requested execution level specified in the manifest doesn't match the access token and returns an error (ERROR_ELEVATION_REQUIRED) to ShellExecute.| +|
AppCompat|
The AppCompat database stores information in the application compatibility fix entries for an application.| +|
Fusion|
The Fusion database stores information from application manifests that describe the applications. The manifest schema is updated to add a new requested execution level field.| +|
Installer detection|
Installer detection detects setup files, which helps prevent installations from being run without the user's knowledge and consent.| + +### Kernel + +|Component|Description| +|--- |--- | +|
Virtualization|
Virtualization technology ensures that noncompliant apps don't silently fail to run or fail in a way that the cause can't be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas.| +|
File system and registry|
The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second.|
+
+The slider never turns off UAC completely. If you set it to **Never notify**, it will:
+
+- Keep the UAC service running
+- Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt
+- Automatically deny all elevation requests for standard users
+
+> [!IMPORTANT]
+> In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**.
+
+> [!WARNING]
+> Some Universal Windows Platform apps may not work when UAC is disabled.
+
+### Virtualization
+
+Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you don't need to replace most apps when UAC is turned on.
+
+Windows includes file and registry virtualization technology for apps that aren't UAC-compliant and that requires an administrator's access token to run correctly. When an administrative app that isn't UAC-compliant attempts to write to a protected folder, such as *Program Files*, UAC gives the app its own virtualized view of the resource it's attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the noncompliant app.
+
+Most app tasks operate properly by using virtualization features. Although virtualization allows most applications to run, it's a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization.
+
+Virtualization isn't an option in the following scenarios:
+
+- Virtualization doesn't apply to apps that are elevated and run with a full administrative access token
+- Virtualization supports only 32-bit apps. Non-elevated 64-bit apps receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations
+- Virtualization is disabled if the app includes an app manifest with a requested execution level attribute
+
+### Request execution levels
+
+An app manifest is an XML file that describes and identifies the shared and private side-by-side assemblies that an app should bind to at run time. The app manifest includes entries for UAC app compatibility purposes. Administrative apps that include an entry in the app manifest prompt the user for permission to access the user's access token. Although they lack an entry in the app manifest, most administrative app can run without modification by using app compatibility fixes. App compatibility fixes are database entries that enable applications that aren't UAC-compliant to work properly.
+
+All UAC-compliant apps should have a requested execution level added to the application manifest. If the application requires administrative access to the system, marking the app with a requested execution level of *require administrator* ensures that the system identifies this program as an administrative app, and performs the necessary elevation steps. Requested execution levels specify the privileges required for an app.
+
+### Installer detection technology
+
+Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users don't have sufficient access to install programs. Windows heuristically detects installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows also heuristically detects updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry.
+
+Installer detection only applies to:
+
+- 32-bit executable files
+- Applications without a requested execution level attribute
+- Interactive processes running as a standard user with UAC enabled
+
+Before a 32-bit process is created, the following attributes are checked to determine whether it's an installer:
+
+- The file name includes keywords such as "install," "setup," or "update."
+- Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name
+- Keywords in the side-by-side manifest are embedded in the executable file
+- Keywords in specific StringTable entries are linked in the executable file
+- Key attributes in the resource script data are linked in the executable file
+- There are targeted sequences of bytes within the executable file
+
+> [!NOTE]
+> The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.
+
+> [!NOTE]
+> The *User Account Control: Detect application installations and prompt for elevation* policy must be enabled for installer detection to detect installation programs. For more information, see [User Account Control settings list](settings-and-configuration.md#user-account-control-settings-list).
+
+## Next steps
+
+Learn more about [User Account Control settings and configuration](settings-and-configuration.md).
diff --git a/windows/security/identity-protection/user-account-control/images/uacarchitecture.gif b/windows/security/application-security/application-control/user-account-control/images/uac-architecture.gif
similarity index 100%
rename from windows/security/identity-protection/user-account-control/images/uacarchitecture.gif
rename to windows/security/application-security/application-control/user-account-control/images/uac-architecture.gif
diff --git a/windows/security/application-security/application-control/user-account-control/images/uac-consent-prompt-admin.png b/windows/security/application-security/application-control/user-account-control/images/uac-consent-prompt-admin.png
new file mode 100644
index 0000000000..3e5a5ae7bc
Binary files /dev/null and b/windows/security/application-security/application-control/user-account-control/images/uac-consent-prompt-admin.png differ
diff --git a/windows/security/application-security/application-control/user-account-control/images/uac-credential-prompt-signed.png b/windows/security/application-security/application-control/user-account-control/images/uac-credential-prompt-signed.png
new file mode 100644
index 0000000000..c66349ec11
Binary files /dev/null and b/windows/security/application-security/application-control/user-account-control/images/uac-credential-prompt-signed.png differ
diff --git a/windows/security/application-security/application-control/user-account-control/images/uac-credential-prompt-unsigned.png b/windows/security/application-security/application-control/user-account-control/images/uac-credential-prompt-unsigned.png
new file mode 100644
index 0000000000..1d8074889f
Binary files /dev/null and b/windows/security/application-security/application-control/user-account-control/images/uac-credential-prompt-unsigned.png differ
diff --git a/windows/security/application-security/application-control/user-account-control/images/uac-credential-prompt.png b/windows/security/application-security/application-control/user-account-control/images/uac-credential-prompt.png
new file mode 100644
index 0000000000..462b775fcb
Binary files /dev/null and b/windows/security/application-security/application-control/user-account-control/images/uac-credential-prompt.png differ
diff --git a/windows/security/application-security/application-control/user-account-control/images/uac-settings-catalog.png b/windows/security/application-security/application-control/user-account-control/images/uac-settings-catalog.png
new file mode 100644
index 0000000000..adbf9fb65e
Binary files /dev/null and b/windows/security/application-security/application-control/user-account-control/images/uac-settings-catalog.png differ
diff --git a/windows/security/application-security/application-control/user-account-control/images/uac-shield-icon.png b/windows/security/application-security/application-control/user-account-control/images/uac-shield-icon.png
new file mode 100644
index 0000000000..7336800e99
Binary files /dev/null and b/windows/security/application-security/application-control/user-account-control/images/uac-shield-icon.png differ
diff --git a/windows/security/identity-protection/user-account-control/images/uacwindowslogonprocess.gif b/windows/security/application-security/application-control/user-account-control/images/uac-windows-logon-process.gif
similarity index 100%
rename from windows/security/identity-protection/user-account-control/images/uacwindowslogonprocess.gif
rename to windows/security/application-security/application-control/user-account-control/images/uac-windows-logon-process.gif
diff --git a/windows/security/application-security/application-control/user-account-control/index.md b/windows/security/application-security/application-control/user-account-control/index.md
new file mode 100644
index 0000000000..d0f5b5db9d
--- /dev/null
+++ b/windows/security/application-security/application-control/user-account-control/index.md
@@ -0,0 +1,36 @@
+---
+title: User Account Control
+description: Learn how User Account Control (UAC) helps to prevent unauthorized changes to Windows devices.
+ms.collection:
+ - highpri
+ - tier2
+ms.topic: conceptual
+ms.date: 05/24/2023
+---
+
+# User Account Control overview
+
+User Account Control (UAC) is a Windows security feature designed to protect the operating system from unauthorized changes. When changes to the system require administrator-level permission, UAC notifies the user, giving the opportunity to approve or deny the change. UAC improves the security of Windows devices by limiting the access that malicious code has to execute with administrator privileges. UAC empowers users to make informed decisions about actions that may affect the stability and security of their device.
+
+Unless you disable UAC, malicious software is prevented from disabling or interfering with UAC settings. UAC is enabled by default, and you can configure it if you have administrative privileges.
+
+## Benefits of UAC
+
+UAC allows all users to sign in their devices using a *standard user account*. Processes launched using a *standard user token* may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Any applications that are started using Windows Explorer (for example, by opening a shortcut) also run with the standard set of user permissions. Most applications, including the ones included with the operating system, are designed to work properly this way.\
+Other applications, like ones that aren't designed with security settings in mind, may require more permissions to run successfully. These applications are referred to as *legacy apps*.
+
+When a user tries to perform an action that requires administrative privileges, UAC triggers a *consent prompt*. The prompt notifies the user that a change is about to occur, asking for their permission to proceed:
+
+- If the user approves the change, the action is performed with the highest available privilege
+- If the user doesn't approve the change, the action isn't performed and the application that requested the change is prevented from running
+
+:::image type="content" source="images/uac-consent-prompt-admin.png" alt-text="Screenshot showing the UAC consent prompt.":::
+
+When an app requires to run with more than standard user rights, UAC allows users to run apps with their *administrator token* (that is, with administrative rights and permissions) instead of their default, standard user token. Users continue to operate in the standard user security context, while enabling certain apps to run with elevated privileges, if needed.
+
+[!INCLUDE [user-account-control-uac](../../../../../includes/licensing/user-account-control-uac.md)]
+
+## Next steps
+
+- [How User Account Control works](how-it-works.md)
+- [User Account Control settings and configuration](settings-and-configuration.md)
diff --git a/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md b/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
new file mode 100644
index 0000000000..9fd23384ff
--- /dev/null
+++ b/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
@@ -0,0 +1,102 @@
+---
+title: User Account Control settings and configuration
+description: Learn about the User Account Control settings and how to configure them via Intune, CSP, group policy and registry.
+ms.date: 05/26/2023
+ms.topic: how-to
+---
+
+# User Account Control settings and configuration
+
+## User Account Control settings list
+
+The following table lists the available settings to configure the UAC behavior, and their default values.
+
+|Setting name| Description|
+|-|-|
+|Run all administrators in Admin Approval Mode|Controls the behavior of all UAC policy settings.
**Enabled (default)**: Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.
**Disabled**: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Windows Security app notifies you that the overall security of the operating system has been reduced.|
+|Admin Approval Mode for the Built-in Administrator account|Controls the behavior of Admin Approval Mode for the built-in Administrator account.
**Enabled**: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege prompts the user to approve the operation.
**Disabled (default)** : The built-in Administrator account runs all applications with full administrative privilege.|
+|Switch to the secure desktop when prompting for elevation|This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
**Enabled (default)**: All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
**Disabled**: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.|
+|Behavior of the elevation prompt for administrators in Admin Approval Mode|Controls the behavior of the elevation prompt for administrators.
**Elevate without prompting**: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. **Use this option only in the most constrained environments**.
**Prompt for credentials on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
**Prompt for consent on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
**Prompt for credentials**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
**Prompt for consent**: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
**Prompt for consent for non-Windows binaries (default)**: When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.|
+|Behavior of the elevation prompt for standard users|Controls the behavior of the elevation prompt for standard users.
**Prompt for credentials (default)**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
**Automatically deny elevation requests**: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
**Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.|
+|Detect application installations and prompt for elevation|Controls the behavior of application installation detection for the computer.
**Enabled (default)**: When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
**Disabled**: App installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Microsoft Intune, should disable this policy setting. In this case, installer detection is unnecessary. |
+|Only elevate executables that are signed and validated|Enforces signature checks for any interactive applications that request elevation of privilege. IT admins can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local devices.
**Enabled**: Enforces the certificate certification path validation for a given executable file before it's permitted to run.
**Disabled (default)**: Doesn't enforce the certificate certification path validation before a given executable file is permitted to run.|
+|Only elevate UIAccess applications that are installed in secure locations|Controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following folders:
- `%ProgramFiles%`, including subfolders
- `%SystemRoot%\system32\`
- `%ProgramFiles(x86)%`, including subfolders
**Enabled (default)**: If an app resides in a secure location in the file system, it runs only with UIAccess integrity.
**Disabled**: An app runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.
**Note:** Windows enforces a digital signature check on any interactive apps that requests to run with a UIAccess integrity level regardless of the state of this setting.|
+|Allow UIAccess applications to prompt for elevation without using the secure desktop|Controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
**Enabled**: UIA programs, including Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the **Switch to the secure desktop when prompting for elevation** policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. This setting allows the remote administrator to provide the appropriate credentials for elevation. This policy setting doesn't change the behavior of the UAC elevation prompt for administrators. If you plan to enable this policy setting, you should also review the effect of the **Behavior of the elevation prompt for standard users** policy setting: if it's' configured as **Automatically deny elevation requests**, elevation requests aren't presented to the user.
**Disabled (default)**: The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **Switch to the secure desktop when prompting for elevation** policy setting.|
+|Virtualize File And Registry Write Failures To Per User Locations|Controls whether application write failures are redirected to defined registry and file system locations. This setting mitigates applications that run as administrator and write run-time application data to `%ProgramFiles%`, `%Windir%`, `%Windir%\system32`, or `HKLM\Software`.
**Enabled (default)**: App write failures are redirected at run time to defined user locations for both the file system and registry.
**Disabled**: Apps that write data to protected locations fail.|
+
+## User Account Control configuration
+
+To configure UAC, you can use:
+
+- Microsoft Intune/MDM
+- Group policy
+- Registry
+
+The following instructions provide details how to configure your devices. Select the option that best suits your needs.
+
+
+#### [:::image type="icon" source="../../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune)
+
+### Configure UAC with a Settings catalog policy
+
+To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-2], and use the settings listed under the category **`Local Policies Security Options`**:
+
+:::image type="content" source="images/uac-settings-catalog.png" alt-text="Screenshot that shows the UAC policies in the Intune settings catalog." lightbox="images/uac-settings-catalog.png" border="True":::
+
+Assign the policy to a security group that contains as members the devices or users that you want to configure.
+
+Alternatively, you can configure devices using a [custom policy][MEM-1] with the [LocalPoliciesSecurityOptions Policy CSP][WIN-1].\
+The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions`.
+
+|Setting|
+| - |
+| **Setting name**: Run all administrators in Admin Approval Mode
**Policy CSP name**: `UserAccountControl_RunAllAdministratorsInAdminApprovalMode`|
+| **Setting name**: Admin Approval Mode for the built-in Administrator account
**Policy CSP name**: `UserAccountControl_UseAdminApprovalMode`|
+| **Setting name**: Switch to the secure desktop when prompting for elevation
**Policy CSP name**: `UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation`|
+| **Setting name**: Behavior of the elevation prompt for administrators in Admin Approval Mode
**Policy CSP name**: `UserAccountControl_BehaviorOfTheElevationPromptForAdministrators`|
+| **Setting name**: Behavior of the elevation prompt for standard users
**Policy CSP name**: `UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers`|
+| **Setting name**: Detect application installations and prompt for elevation
**Policy CSP name**: `UserAccountControl_DetectApplicationInstallationsAndPromptForElevation`|
+| **Setting name**: Only elevate executables that are signed and validated
**Policy CSP name**: `UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated`|
+| **Setting name**: Only elevate UIAccess applications that are installed in secure locations
**Policy CSP name**: `UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations`|
+| **Setting name**: Allow UIAccess applications to prompt for elevation without using the secure desktop
**Policy CSP name**: `UserAccountControl_AllowUIAccessApplicationsToPromptForElevation`|
+| **Setting name**: Virtualize file and registry write failures to per-user locations
**Policy CSP name**: `UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations`|
+
+#### [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+
+You can use security policies to configure how User Account Control works in your organization. The policies can be configured locally by using the Local Security Policy snap-in (`secpol.msc`) or configured for the domain, OU, or specific groups by group policy.
+
+The policy settings are located under: `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options`.
+
+| Group Policy setting |Default value|
+| - | - |
+|User Account Control: Run all administrators in Admin Approval Mode| Enabled |
+|User Account Control: Admin Approval Mode for the built-in Administrator account| Disabled |
+|User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
+|User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode| Prompt for consent for non-Windows binaries |
+|User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials |
+|User Account Control: Detect application installations and prompt for elevation| Enabled (default for home only)
Disabled (default) |
+|User Account Control: Only elevate executables that are signed and validated| Disabled |
+|User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
+|User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop| Disabled |
+|User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
+
+#### [:::image type="icon" source="../../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+
+The registry keys are found under the key: `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`.
+
+| Setting name | Registry key name | Value |
+| - | - | - |
+| Run all administrators in Admin Approval Mode | `EnableLUA` | 0 = Disabled
1 (Default) = Enabled |
+| Admin Approval Mode for the built-in Administrator account | `FilterAdministratorToken` | 0 (Default) = Disabled
1 = Enabled |
+| Switch to the secure desktop when prompting for elevation| `PromptOnSecureDesktop` | 0 = Disabled
1 (Default) = Enabled |
+| Behavior of the elevation prompt for administrators in Admin Approval Mode| `ConsentPromptBehaviorAdmin` | 0 = Elevate without prompting
1 = Prompt for credentials on the secure desktop
2 = Prompt for consent on the secure desktop
3 = Prompt for credentials
4 = Prompt for consent
5 (Default) = Prompt for consent for non-Windows binaries|
+| Behavior of the elevation prompt for standard users | `ConsentPromptBehaviorUser` | 0 = Automatically deny elevation requests
1 = Prompt for credentials on the secure desktop
3 (Default) = Prompt for credentials |
+| Detect application installations and prompt for elevation | `EnableInstallerDetection` | 1 = Enabled (default for home only)
0 = Disabled (default) |
+| Only elevate executables that are signed and validated | `ValidateAdminCodeSignatures` | 0 (Default) = Disabled
1 = Enabled |
+| Only elevate UIAccess applications that are installed in secure locations | `EnableSecureUIAPaths` | 0 = Disabled
1 (Default) = Enabled |
+| Allow UIAccess applications to prompt for elevation without using the secure desktop | `EnableUIADesktopToggle` | 0 (Default) = Disabled
1 = Enabled |
+| Virtualize file and registry write failures to per-user locations | `EnableVirtualization` | 0 = Disabled
1 (Default) = Enabled |
+
+[WIN-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions
+[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
+[MEM-2]: /mem/intune/configuration/settings-catalog
diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
similarity index 78%
rename from windows/security/threat-protection/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
rename to windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
index ab8014b9a5..b8552a63ca 100644
--- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
@@ -1,35 +1,17 @@
---
title: Testing and Debugging AppId Tagging Policies
description: Testing and Debugging AppId Tagging Policies to ensure your policies are deployed successfully.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
-author: jgeurten
-ms.reviewer: jsuther1974
-ms.author: vinpa
-manager: aaroncz
ms.date: 04/29/2022
-ms.technology: itpro-security
ms.topic: article
---
# Testing and Debugging AppId Tagging Policies
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
-After deployment of the WDAC AppId Tagging policy, WDAC will log a 3099 policy deployed event in the [Event Viewer logs](../event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event.
+After deployment of the WDAC AppId Tagging policy, WDAC will log a 3099 policy deployed event in the [Event Viewer logs](../operations/event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event.
## Verifying Tags on Running Processes
@@ -53,4 +35,4 @@ After verifying the policy has been deployed, the next step is to verify that th
Lastly, in the textbox, type `!token` and then press the Enter key to dump the security attributes on the process, including the _POLICYAPPID://_ followed by the key you set in the policy, and its corresponding value in the Value[0] field.
- 
\ No newline at end of file
+ 
diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
similarity index 90%
rename from windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
rename to windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
index bf48be5b8d..e8af7434cc 100644
--- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
@@ -1,25 +1,13 @@
---
title: Deploying Windows Defender Application Control AppId tagging policies
description: How to deploy your WDAC AppId tagging policies locally and globally within your managed environment.
-ms.prod: windows-client
ms.localizationpriority: medium
-author: jgeurten
-ms.reviewer: jsuther1974
-ms.author: vinpa
-manager: aaroncz
ms.date: 04/29/2022
-ms.technology: itpro-security
ms.topic: article
---
# Deploying Windows Defender Application Control AppId tagging policies
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and later
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](../feature-availability.md).
@@ -32,7 +20,7 @@ Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId tagg
## Deploy AppId tagging policies with MDM
-Custom AppId tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
+Custom AppId tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-wdac-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
## Deploy AppId tagging policies with Configuration Manager
diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md
similarity index 70%
rename from windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md
rename to windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md
index 9bce0c01fd..9407cacded 100644
--- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md
@@ -1,43 +1,29 @@
---
title: Create your Windows Defender Application Control AppId Tagging Policies
description: Create your Windows Defender Application Control AppId tagging policies for Windows devices.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
-author: jgeurten
-ms.reviewer: jsuther1974
-ms.author: vinpa
-manager: aaroncz
ms.date: 04/29/2022
-ms.technology: itpro-security
ms.topic: article
---
# Creating your WDAC AppId Tagging Policies
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
## Create the policy using the WDAC Wizard
-You can use the Windows Defender Application Control (WDAC) Wizard and the PowerShell commands to create an application control policy and convert it to an AppIdTagging policy. The WDAC Wizard is available for download at the [WDAC Wizard Installer site](https://aka.ms/wdacwizard). These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](./windows-defender-application-control-appid-tagging-guide.md).
+You can use the Windows Defender Application Control (WDAC) Wizard and the PowerShell commands to create an application control policy and convert it to an AppIdTagging policy. The WDAC Wizard is available for download at the [WDAC Wizard Installer site](https://aka.ms/wdacwizard). These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](wdac-appid-tagging-guide.md).
1. Create a new base policy using the templates:
- Start with the Policy Creator task and select Multiple Policy Format and Base Policy. Select the Base Template to use for the policy. The example below shows beginning with the [Default Windows Mode](../wdac-wizard-create-base-policy.md#template-base-policies) template and build on top of these rules.
+ Start with the Policy Creator task and select Multiple Policy Format and Base Policy. Select the Base Template to use for the policy. The following example shows beginning with the [Default Windows Mode](../design/wdac-wizard-create-base-policy.md#template-base-policies) template and build on top of these rules.
+
+ > [!NOTE]
+ > If your AppId Tagging Policy does build off the base templates or does not allow Windows in-box processes, you will notice significant performance regressions, especially during boot. For this reason, it is strongly recommended to build off the base templates.
+ For more information on the issue, see the [AppId Tagging Known Issue](../operations/known-issues.md#slow-boot-and-performance-with-custom-policies).
2. Set the following rule-options using the Wizard toggles:
@@ -45,7 +31,7 @@ You can use the Windows Defender Application Control (WDAC) Wizard and the Power
3. Create custom rules:
- Selecting the `+ Custom Rules` button will open the Custom Rules panel. The Wizard supports five types of file rules:
+ Selecting the `+ Custom Rules` button opens the Custom Rules panel. The Wizard supports five types of file rules:
- Publisher rules: Create a rule based off the signing certificate hierarchy. Additionally, the original filename and version can be combined with the signing certificate for added security.
- Path rules: Create a rule based off the path to a file or a parent folder path. Path rules support wildcards.
@@ -53,23 +39,22 @@ You can use the Windows Defender Application Control (WDAC) Wizard and the Power
- Package app name rules: Create a rule based off the package family name of an appx/msix.
- Hash rules: Create a rule based off the PE Authenticode hash of a file.
-
- For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](../wdac-wizard-create-base-policy.md#creating-custom-file-rules).
+ For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](../design/wdac-wizard-create-base-policy.md#creating-custom-file-rules).
4. Convert to AppId Tagging Policy:
- After the Wizard builds the policy file, open the file in a text editor and remove the entire "Value=131" SigningScenario text block. The only remaining signing scenario should be "Value=12" which is the usermode application section. Next, open PowerShell in an elevated prompt and run the following command. Replace the AppIdTagging Key-Value pair for your scenario:
+ After the Wizard builds the policy file, open the file in a text editor and remove the entire "Value=131" SigningScenario text block. The only remaining signing scenario should be "Value=12" which is the user mode application section. Next, open PowerShell in an elevated prompt and run the following command. Replace the AppIdTagging Key-Value pair for your scenario:
```powershell
Set-CIPolicyIdInfo -ResetPolicyID -FilePath .\AppIdPolicy.xml -AppIdTaggingPolicy -AppIdTaggingKey "MyKey" -AppIdTaggingValue "MyValue"
```
- The policyID GUID will be returned by PowerShell if successful.
+ The policyID GUID is returned by the PowerShell command if successful.
## Create the policy using PowerShell
-Using this method, you'll create an AppId Tagging policy directly using the WDAC PowerShell commands. These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](./windows-defender-application-control-appid-tagging-guide.md). In an elevate PowerShell instance:
+Using this method, you create an AppId Tagging policy directly using the WDAC PowerShell commands. These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](wdac-appid-tagging-guide.md). In an elevate PowerShell instance:
-1. Create an AppId rule for the policy based on a combination of the signing certificate chain and version of the application. In the example below, the level has been set to SignedVersion. Any of the [WDAC File Rule Levels](../select-types-of-rules-to-create.md#table-2-windows-defender-application-control-policy---file-rule-levels) can be used in AppId rules:
+1. Create an AppId rule for the policy based on a combination of the signing certificate chain and version of the application. In the example below, the level has been set to SignedVersion. Any of the [WDAC File Rule Levels](../design/select-types-of-rules-to-create.md#table-2-windows-defender-application-control-policy---file-rule-levels) can be used in AppId rules:
```powershell
$rule = New-CiPolicyRule -Level SignedVersion -DriverFilePath
AppLocker permits customization of error messages to direct users to a Web page for help.|
|Policy maintenance|SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).|AppLocker policies can be updated by using the Local Security Policy snap-in, if the policies are created locally, or the GPMC, or the Windows PowerShell AppLocker cmdlets.|
|Policy application|SRP policies are distributed through Group Policy.|AppLocker policies are distributed through Group Policy.|
-|Enforcement mode|SRP works in the “blocklist mode” where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default.
SRP can also be configured in the “allowlist mode” such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|By default, AppLocker works in allowlist mode. Only those files are allowed to run for which there's a matching allow rule.|
+|Enforcement mode|SRP works in the "blocklist mode" where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default.
SRP can also be configured in the "allowlist mode" such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|By default, AppLocker works in allowlist mode. Only those files are allowed to run for which there's a matching allow rule.|
|File types that can be controlled|SRP can control the following file types:
SRP can't control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:
AppLocker maintains a separate rule collection for each of the five file types.|
|Designated file types|SRP supports an extensible list of file types that are considered executable. You can add extensions for files that should be considered executable.|AppLocker doesn't support this addition of extension. AppLocker currently supports the following file extensions:
Internet zone|AppLocker supports three types of rules:
SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker doesn't support security levels.|
|Manage Packaged apps and Packaged app installers.|Unable|.appx is a valid file type which AppLocker can manage.|
|Targeting a rule to a user or a group of users|SRP rules apply to all users on a particular computer.|AppLocker rules can be targeted to a specific user or a group of users.|
-|Support for rule exceptions|SRP doesn't support rule exceptions|AppLocker rules can have exceptions that allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.|
+|Support for rule exceptions|SRP doesn't support rule exceptions|AppLocker rules can have exceptions that allow administrators to create rules such as "Allow everything from Windows except for Regedit.exe".|
|Support for audit mode|SRP doesn't support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.|AppLocker supports audit mode that allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you're satisfied with the results, you can start enforcing the policy.|
|Support for exporting and importing policies|SRP doesn't support policy import/export.|AppLocker supports the importing and exporting of policies. This support by AppLocker allows you to create AppLocker policy on a sample computer, test it out and then export that policy and import it back into the desired GPO.|
|Rule enforcement|Internally, SRP rules enforcement happens in user-mode, which is less secure.|Internally, AppLocker rules for exes and dlls are enforced in kernel-mode, which is more secure than enforcing them in the user-mode.|
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
similarity index 75%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
index 8b93a5a341..4f50e071a2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
@@ -1,30 +1,13 @@
---
-title: Display a custom URL message when users try to run a blocked app (Windows)
+title: Display a custom URL message when users try to run a blocked app
description: This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.
-ms.assetid: 9a2534a5-d1fa-48a9-93c6-989d4857cf85
-ms.reviewer:
-ms.author: vinpa
-ms.pagetype: security
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Display a custom URL message when users try to run a blocked app
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -32,7 +15,7 @@ This topic for IT professionals describes the steps for displaying a customized
With the help of Group Policy, AppLocker can be configured to display a message with a custom URL. You can use this URL to redirect users to a support site that contains info about why the user received the error and which apps are allowed. If you don't display a custom message when an app is blocked, the default access denied message is displayed.
-To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
+To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
**To display a custom URL message when users try to run a blocked app**
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/dll-rules-in-applocker.md
similarity index 81%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/dll-rules-in-applocker.md
index 4ef55c919d..39003c7034 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/dll-rules-in-applocker.md
@@ -1,30 +1,13 @@
---
-title: DLL rules in AppLocker (Windows)
+title: DLL rules in AppLocker
description: This topic describes the file formats and available default rules for the DLL rule collection.
-ms.assetid: a083fd08-c07e-4534-b0e7-1e15d932ce8f
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# DLL rules in AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
similarity index 86%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
index 2ef4d45309..5206548f80 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
@@ -1,30 +1,13 @@
---
-title: Document Group Policy structure & AppLocker rule enforcement (Windows)
+title: Document Group Policy structure & AppLocker rule enforcement
description: This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.
-ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
-ms.pagetype: security
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Document the Group Policy structure and AppLocker rule enforcement
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -49,13 +32,10 @@ The following table includes the sample data that was collected when you determi
||||Windows files|C:\Windows|Create a path exception to the default rule to exclude \Windows\Temp|Allow||
|Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|File is signed; create a publisher condition|Allow|HR-AppLockerHRRules|
||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File isn't signed; create a file hash condition|Allow||
-||||Internet Explorer 7|C:\Program Files\Internet Explorer
Emergency: Request through help desk|Through business office triage
30-day notice required|General policy: Keep past versions for 12 months
List policies for each application|Coordinated through business office
30-day notice required| |Human Resources|Planned: Monthly through HR triage
Emergency: Request through help desk|Through HR triage
30-day notice required|General policy: Keep past versions for 60 months
List policies for each application|Coordinated through HR
30-day notice required|
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
similarity index 81%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
index 5deca1e65f..d4039c3443 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
@@ -1,30 +1,13 @@
---
-title: Refresh an AppLocker policy (Windows)
+title: Refresh an AppLocker policy
description: This topic for IT professionals describes the steps to force an update for an AppLocker policy.
-ms.assetid: 3f24fcbc-3926-46b9-a1a2-dd036edab8a9
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Refresh an AppLocker policy
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -36,7 +19,7 @@ To use Group Policy to distribute the AppLocker policy change, you need to retri
[Edit an AppLocker policy](edit-an-applocker-policy.md) and [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md).
-To complete this procedure, you must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
+To complete this procedure, you must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
**To manually refresh the AppLocker policy by using Group Policy**
@@ -65,6 +48,6 @@ To make the same change on another device, you can use any of the following meth
- From the device that you made the change on, export the AppLocker policy, and then import the policy onto the other device. To do these tasks, use the AppLocker **Export Policy** and **Import Policy** features to copy the rules from the changed computer.
- >**Caution:** When importing rules from another computer, all the rules will be applied, not just the one that was updated. Merging policies allows both existing and updated (or new) rules to be applied.
-
+ >**Caution:** When importing rules from another computer, all the rules will be applied, not just the one that was updated. Merging policies allows both existing and updated (or new) rules to be applied.
+
- Merge AppLocker policies. For information on the procedures to do this merging, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) and [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
similarity index 92%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
index 3b4cf38cad..70a6f0b415 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
@@ -1,30 +1,13 @@
---
-title: Requirements for deploying AppLocker policies (Windows)
+title: Requirements for deploying AppLocker policies
description: This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.
-ms.assetid: 3e55bda2-3cd7-42c7-bad3-c7dfbe193d48
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Requirements for deploying AppLocker policies
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker.md
similarity index 54%
rename from windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
rename to windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker.md
index 56ce82d42e..5d2b189772 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker.md
@@ -1,30 +1,13 @@
---
-title: Requirements to use AppLocker (Windows)
+title: Requirements to use AppLocker
description: This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
-ms.assetid: dc380535-071e-4794-8f9d-e5d1858156f0
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
-ms.technology: itpro-security
---
# Requirements to use AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -47,21 +30,21 @@ The following table shows the Windows versions on which AppLocker features are s
| Version | Can be configured | Can be enforced | Available rules | Notes |
| - | - | - | - | - |
-| Windows 10 and Windows 11| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| Policies are supported on all editions Windows 10 version 2004 and newer with [KB 5024351](https://support.microsoft.com/help/5024351).
Windows versions older than version 2004, including Windows Server 2019:
Windows 11 Enterprise|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher
Windows 11 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office
**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.
**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher
Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.
**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.| -|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher
Windows 11 Enterprise|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
+|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher
Windows 11 Enterprise|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won't load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 11 Enterprise|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| |Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise or Pro, 1809 or higher
Windows 11 Enterprise or Pro|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.| |Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 11 Enterprise|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.
**Disabled or not configured.** Event logs aren't collected from your Application Guard container.|
-
## Application Guard support dialog settings
These settings are located at `Administrative Templates\Windows Components\Windows Security\Enterprise Customization`. If an error is encountered, you're presented with a dialog box. By default, this dialog box only contains the error information and a button for you to report it to Microsoft via the feedback hub. However, it's possible to provide additional information in the dialog box.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml
similarity index 93%
rename from windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml
index 4f5e1124a1..370243790a 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml
@@ -2,25 +2,15 @@
metadata:
title: FAQ - Microsoft Defender Application Guard (Windows 10)
description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard.
- ms.mktglfcycl: manage
- ms.sitesec: library
- ms.pagetype: security
ms.localizationpriority: medium
- ms.prod: windows-client
- ms.technology: itpro-security
- author: vinaypamnani-msft
- ms.author: vinpa
- ms.reviewer:
- manager: aaroncz
- ms.custom: asr
ms.topic: faq
- ms.date: 12/31/2017
+ ms.date: 07/11/2023
title: Frequently asked questions - Microsoft Defender Application Guard
summary: |
-
+
This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration.
-
+
## Frequently Asked Questions
sections:
@@ -30,34 +20,34 @@ sections:
Can I enable Application Guard on machines equipped with 4-GB RAM?
answer: |
We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
-
+
`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.)
-
+
`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.)
-
+
`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.)
-
+
- question: |
My network configuration uses a proxy and I’m running into a “Cannot resolve External URLs from MDAG Browser: Error: err_connection_refused”. How do I resolve that?
answer: |
The manual or PAC server must be a hostname (not IP) that is neutral on the site-list. Additionally, if the PAC script returns a proxy, it must meet those same requirements.
-
+
To ensure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can:
-
+
- Verify this addition by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral.”
- It must be an FQDN. A simple IP address won't work.
- Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard.
-
+
- question: |
How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
answer: |
Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This annotation applies to Windows 10 Enterprise edition, version 1709 or higher. These annotations would be for the proxy policies under Network Isolation in Group Policy or Intune.
-
+
- question: |
Which Input Method Editors (IME) in 19H1 aren't supported?
answer: |
The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard:
-
+
- Vietnam Telex keyboard
- Vietnam number key-based keyboard
- Hindi phonetic keyboard
@@ -70,7 +60,7 @@ sections:
- Gujarati phonetic keyboard
- Odia phonetic keyboard
- Punjabi phonetic keyboard
-
+
- question: |
I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
answer: |
@@ -80,19 +70,19 @@ sections:
What is the WDAGUtilityAccount local account?
answer: |
WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It's NOT a malicious account. It requires *Logon as a service* permissions to be able to function correctly. If this permission is denied, you might see the following error:
-
+
**Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000**
-
+
- question: |
How do I trust a subdomain in my site list?
answer: |
To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). These two dots prevent sites such as `fakesitecontoso.com` from being trusted.
-
+
- question: |
Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
answer: |
When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode doesn't. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md).
-
+
- question: |
Is there a size limit to the domain lists that I need to configure?
answer: |
@@ -107,15 +97,15 @@ sections:
Why do the Network Isolation policies in Group Policy and CSP look different?
answer: |
There's not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP.
-
+
- Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources**
-
+
- Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)**
-
+
- For EnterpriseNetworkDomainNames, there's no mapped CSP policy.
-
+
Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard doesn't work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
-
+
- question: |
Why did Application Guard stop working after I turned off hyperthreading?
answer: |
@@ -130,70 +120,70 @@ sections:
Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file?
answer: |
This issue is a known one. To mitigate this issue, you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources:
-
- - [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md)
- - [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
+
+ - [Create an inbound icmp rule](../../../operating-system-security/network-security/windows-firewall/create-an-inbound-icmp-rule.md)
+ - [Open Group Policy management console for Microsoft Defender Firewall](../../../operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
### First rule (DHCP Server)
- Program path: `%SystemRoot%\System32\svchost.exe`
-
+
- Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))`
-
+
- Protocol UDP
-
+
- Port 67
-
+
### Second rule (DHCP Client)
This rule is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps:
-
+
1. Right-click on inbound rules, and then create a new rule.
-
+
2. Choose **custom rule**.
-
+
3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`.
-
+
4. Specify the following settings:
- Protocol Type: UDP
- Specific ports: 67
- Remote port: any
-
+
5. Specify any IP addresses.
-
+
6. Allow the connection.
-
+
7. Specify to use all profiles.
-
+
8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
-
+
9. In the **Programs and services** tab, under the **Services** section, select **settings**.
-
+
10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
-
+
- question: |
How can I disable portions of Internet Connection Service (ICS) without breaking Application Guard?
answer: |
ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We don't recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys.
-
+
1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**.
-
+
2. Disable IpNat.sys from ICS load as follows: Not configured: Device does not provision Windows Hello for Business for any user. Enabled: Device provisions Windows Hello for Business using keys or certificates for all users. Disabled: Device does not provision Windows Hello for Business for any user.|
-|Use a hardware security device|Computer| Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. Enabled: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set. Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.|
+|Use Windows Hello for Business|Computer or user| Not configured: Device doesn't provision Windows Hello for Business for any user. Enabled: Device provisions Windows Hello for Business using keys or certificates for all users. Disabled: Device doesn't provision Windows Hello for Business for any user.|
+|Use a hardware security device|Computer| Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available. Enabled: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set. Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.|
|Use certificate for on-premises authentication|Computer or user| Not configured: Windows Hello for Business enrolls a key that is used for on-premises authentication. Enabled: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication. Disabled: Windows Hello for Business enrolls a key that is used for on-premises authentication.|
-|Use PIN recovery|Computer| Added in Windows 10, version 1703 Not configured: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service Enabled: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset Disabled: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service. For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
+|Use PIN recovery|Computer| Added in Windows 10, version 1703 Not configured: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service Enabled: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset Disabled: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service. For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
|Use biometrics|Computer| Not configured: Biometrics can be used as a gesture in place of a PIN Enabled: Biometrics can be used as a gesture in place of a PIN. Disabled: Only a PIN can be used as a gesture.|
### PIN Complexity
|Policy|Scope|Options|
|--- |--- |--- |
-|Require digits|Computer| Not configured: Users must include a digit in their PIN. Enabled: Users must include a digit in their PIN. Disabled: Users cannot use digits in their PIN.|
-|Require lowercase letters|Computer| Not configured: Users cannot use lowercase letters in their PIN Enabled: Users must include at least one lowercase letter in their PIN. Disabled: Users cannot use lowercase letters in their PIN.|
+|Require digits|Computer| Not configured: Users must include a digit in their PIN. Enabled: Users must include a digit in their PIN. Disabled: Users can't use digits in their PIN.|
+|Require lowercase letters|Computer| Not configured: Users can't use lowercase letters in their PIN Enabled: Users must include at least one lowercase letter in their PIN. Disabled: Users can't use lowercase letters in their PIN.|
|Maximum PIN length|Computer| Not configured: PIN length must be less than or equal to 127. Enabled: PIN length must be less than or equal to the number you specify. Disabled: PIN length must be less than or equal to 127.|
|Minimum PIN length|Computer| Not configured: PIN length must be greater than or equal to 4. Enabled: PIN length must be greater than or equal to the number you specify. Disabled: PIN length must be greater than or equal to 4.|
-|Expiration|Computer| Not configured: PIN does not expire. Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0. Disabled: PIN does not expire.|
-|History|Computer| Not configured: Previous PINs are not stored. Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused. Disabled: Previous PINs are not stored. Not configured: Windows allows, but does not require, special characters in the PIN. Enabled: Windows requires the user to include at least one special character in their PIN. Disabled: Windows does not allow the user to include special characters in their PIN.|
-|Require uppercase letters|Computer| Not configured: Users cannot include an uppercase letter in their PIN. Enabled: Users must include at least one uppercase letter in their PIN. Disabled: Users cannot include an uppercase letter in their PIN.|
+|Expiration|Computer| Not configured: PIN doesn't expire. Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0. Disabled: PIN doesn't expire.|
+|History|Computer| Not configured: Previous PINs aren't stored. Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused. Disabled: Previous PINs aren't stored. Not configured: Windows allows, but doesn't require, special characters in the PIN. Enabled: Windows requires the user to include at least one special character in their PIN. Disabled: Windows doesn't allow the user to include special characters in their PIN.|
+|Require uppercase letters|Computer| Not configured: Users can't include an uppercase letter in their PIN. Enabled: Users must include at least one uppercase letter in their PIN. Disabled: Users can't include an uppercase letter in their PIN.|
### Phone Sign-in
@@ -60,30 +60,30 @@ The following table lists the MDM policy settings that you can configure for Win
|Policy|Scope|Default|Options|
|--- |--- |--- |--- |
-|UsePassportForWork|Device or user|True| True: Windows Hello for Business will be provisioned for all users on the device. False: Users will not be able to provision Windows Hello for Business. True: Windows Hello for Business will only be provisioned using TPM. False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.|
+|UsePassportForWork|Device or user|True| True: Windows Hello for Business will be provisioned for all users on the device. False: Users won't be able to provision Windows Hello for Business. True: Windows Hello for Business will only be provisioned using TPM. False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.|
|ExcludeSecurityDevice TPM12|Device|False|Added in Windows 10, version 1703 True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.|
-|EnablePinRecovery|Device or use|False| Added in Windows 10, version 1703 True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset. False: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service. For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
+|EnablePinRecovery|Device or use|False| Added in Windows 10, version 1703 True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset. False: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service. For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
### Biometrics
|Policy|Scope|Default|Options|
|--- |--- |--- |--- |
|UseBiometrics|Device |False| True: Biometrics can be used as a gesture in place of a PIN for domain sign-in. False: Only a PIN can be used as a gesture for domain sign-in.|
-| FacialFeaturesUser EnhancedAntiSpoofing|Device|Not configured| Not configured: users can choose whether to turn on enhanced anti-spoofing. True: Enhanced anti-spoofing is required on devices which support it. False: Users cannot turn on enhanced anti-spoofing.|
+| FacialFeaturesUser EnhancedAntiSpoofing|Device|Not configured| Not configured: users can choose whether to turn on enhanced anti-spoofing. True: Enhanced anti-spoofing is required on devices which support it. False: Users can't turn on enhanced anti-spoofing.|
### PINComplexity
|Policy|Scope|Default|Options|
|--- |--- |--- |--- |
-|Digits |Device or user|1 | 0: Digits are allowed. 1: At least one digit is required. 2: Digits are not allowed.|
-|Lowercase letters |Device or user|2| 0: Lowercase letters are allowed. 1: At least one lowercase letter is required. 2: Lowercase letters are not allowed.|
-|Special characters|Device or user|2| 0: Special characters are allowed. 1: At least one special character is required. 2: Special characters are not allowed.|
-|Uppercase letters|Device or user|2| 0: Uppercase letters are allowed. 1: At least one uppercase letter is required. 2: Uppercase letters are not allowed.|
-|Maximum PIN length |Device or user|127 | Maximum length that can be set is 127. Maximum length cannot be less than minimum setting.|
-|Minimum PIN length|Device or user|6| Minimum length that can be set is 6. Minimum length cannot be greater than maximum setting.|
+|Digits |Device or user|1 | 0: Digits are allowed. 1: At least one digit is required. 2: Digits aren't allowed.|
+|Lowercase letters |Device or user|2| 0: Lowercase letters are allowed. 1: At least one lowercase letter is required. 2: Lowercase letters aren't allowed.|
+|Special characters|Device or user|2| 0: Special characters are allowed. 1: At least one special character is required. 2: Special characters aren't allowed.|
+|Uppercase letters|Device or user|2| 0: Uppercase letters are allowed. 1: At least one uppercase letter is required. 2: Uppercase letters aren't allowed.|
+|Maximum PIN length |Device or user|127 | Maximum length that can be set is 127. Maximum length can't be less than minimum setting.|
+|Minimum PIN length|Device or user|6| Minimum length that can be set is 6. Minimum length can't be greater than maximum setting.|
|Expiration |Device or user|0| Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.|
-|History|Device or user|0| Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.|
+|History|Device or user|0| Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs isn't required.|
### Remote
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index b941c37a84..3363f0ae55 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -81,7 +81,7 @@ It's fundamentally important to understand which deployment model to use for a s
A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust.
> [!NOTE]
-> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](./hello-hybrid-cloud-kerberos-trust.md).
+> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](hello-hybrid-cloud-kerberos-trust.md).
The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index 90bd5ec677..fc9083049d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -1,5 +1,5 @@
---
-title: Prepare people to use Windows Hello (Windows)
+title: Prepare people to use Windows Hello
description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
ms.date: 08/19/2018
ms.topic: article
diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index 9c3cd5a067..f137de379f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -29,7 +29,7 @@ When the PIN is created, it establishes a trusted relationship with the identity
Even though local passwords are local to the device, they're less secure than a PIN, as described in the next section.
>[!NOTE]
->For details on how Hello uses asymmetric key pairs for authentication, see [Windows Hello for Business](hello-overview.md#benefits-of-windows-hello).
+>For details on how Hello uses asymmetric key pairs for authentication, see [Windows Hello for Business](index.md#benefits-of-windows-hello).
## PIN is backed by hardware
@@ -66,6 +66,6 @@ To configure account lockout threshold, follow these steps:
## Why do you need a PIN to use biometrics?
-Windows Hello enables biometric sign-in for Windows: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
+Windows Hello enables biometric sign-in for Windows: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN after the biometric setup. The PIN enables you to sign in when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you with the same level of protection as Hello.
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md b/windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md
index d7cd002e30..7cc1a49b9a 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md
@@ -3,4 +3,4 @@ ms.date: 12/08/2022
ms.topic: include
---
-[domain join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md "Devices that are domain joined do not have any dependencies on Azure AD. Only local users accounts and Active Directory users can sign in to these devices")
\ No newline at end of file
+[domain join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/index.md
similarity index 98%
rename from windows/security/identity-protection/hello-for-business/hello-overview.md
rename to windows/security/identity-protection/hello-for-business/index.md
index 005fb6c685..84acf6b19c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/index.md
@@ -1,11 +1,11 @@
---
-title: Windows Hello for Business Overview (Windows)
-description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11.
+title: Windows Hello for Business Overview
+description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on Windows devices.
ms.collection:
- highpri
- tier1
ms.topic: conceptual
-ms.date: 12/31/2017
+ms.date: 04/24/2023
---
# Windows Hello for Business Overview
@@ -65,6 +65,8 @@ Imagine that someone is looking over your shoulder as you get money from an ATM
Windows Hello helps protect user identities and user credentials. Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs.
+[!INCLUDE [windows-hello-for-business](../../../../includes/licensing/windows-hello-for-business.md)]
+
## How Windows Hello for Business works: key points
- Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device.
diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml
deleted file mode 100644
index e888c0e2f7..0000000000
--- a/windows/security/identity-protection/hello-for-business/index.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-### YamlMime:Landing
-
-title: Windows Hello for Business documentation
-summary: Learn how to manage and deploy Windows Hello for Business.
-
-metadata:
- title: Windows Hello for Business documentation
- description: Learn how to manage and deploy Windows Hello for Business.
- ms.topic: landing-page
- ms.date: 03/09/2023
- ms.collection:
- - highpri
- - tier1
-
-# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new
-
-landingContent:
-# Cards and links should be based on top customer tasks or top subjects
-# Start card title with a verb
- # Card
- - title: About Windows Hello For Business
- linkLists:
- - linkListType: overview
- links:
- - text: Windows Hello for Business Overview
- url: hello-overview.md
- - linkListType: concept
- links:
- - text: Passwordless Strategy
- url: passwordless-strategy.md
- - text: Why a PIN is better than a password
- url: hello-why-pin-is-better-than-password.md
- - text: Windows Hello biometrics in the enterprise
- url: hello-biometrics-in-enterprise.md
- - text: How Windows Hello for Business works
- url: hello-how-it-works.md
- - linkListType: learn
- links:
- - text: Technical Deep Dive - Device Registration
- url: hello-how-it-works-device-registration.md
- - text: Technical Deep Dive - Provisioning
- url: hello-how-it-works-provisioning.md
- - text: Technical Deep Dive - Authentication
- url: hello-how-it-works-authentication.md
- - text: Technology and Terminology
- url: hello-how-it-works-technology.md
- - text: Frequently Asked Questions (FAQ)
- url: hello-faq.yml
-
- # Card
- - title: Configure and manage Windows Hello for Business
- linkLists:
- - linkListType: concept
- links:
- - text: Windows Hello for Business Deployment Overview
- url: hello-deployment-guide.md
- - text: Planning a Windows Hello for Business Deployment
- url: hello-planning-guide.md
- - text: Deployment Prerequisite Overview
- url: hello-identity-verification.md
- - linkListType: how-to-guide
- links:
- - text: Hybrid Cloud Kerberos Trust Deployment
- url: hello-hybrid-cloud-kerberos-trust.md
- - text: Hybrid Azure AD Joined Key Trust Deployment
- url: hello-hybrid-key-trust.md
- - text: Hybrid Azure AD Joined Certificate Trust Deployment
- url: hello-hybrid-cert-trust.md
- - text: On-premises SSO for Azure AD Joined Devices
- url: hello-hybrid-aadj-sso.md
- - text: On-premises Key Trust Deployment
- url: hello-deployment-key-trust.md
- - text: On-premises Certificate Trust Deployment
- url: hello-deployment-cert-trust.md
- - linkListType: learn
- links:
- - text: Manage Windows Hello for Business in your organization
- url: hello-manage-in-organization.md
- - text: Windows Hello and password changes
- url: hello-and-password-changes.md
- - text: Prepare people to use Windows Hello
- url: hello-prepare-people-to-use.md
-
- # Card
- - title: Windows Hello for Business Features
- linkLists:
- - linkListType: how-to-guide
- links:
- - text: Conditional Access
- url: hello-feature-conditional-access.md
- - text: PIN Reset
- url: hello-feature-pin-reset.md
- - text: Dual Enrollment
- url: hello-feature-dual-enrollment.md
- - text: Dynamic Lock
- url: hello-feature-dynamic-lock.md
- - text: Multi-factor Unlock
- url: feature-multifactor-unlock.md
- - text: Remote Desktop
- url: hello-feature-remote-desktop.md
-
- # Card
- - title: Windows Hello for Business Troubleshooting
- linkLists:
- - linkListType: how-to-guide
- links:
- - text: Known Deployment Issues
- url: hello-deployment-issues.md
- - text: Errors During PIN Creation
- url: hello-errors-during-pin-creation.md
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index 3ad9597e77..9dafd8be5b 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -337,6 +337,3 @@ In this configuration, passwords for SCRIL-configured users expire based on Acti
> [!NOTE]
> Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely.
-## The road ahead
-
-The information presented here is just the beginning. We'll update this guide with improved tools, methods, and scenarios, like Azure AD joined and MDM managed environments. As we continue to invest in a password-less future, we would love to hear from you. Your feedback is important. Send us an email at [pwdlessQA@microsoft.com](mailto:pwdlessQA@microsoft.com?subject=Passwordless%20Feedback).
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index 77c3a38b65..d19b1a018c 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -1,10 +1,9 @@
-- name: Windows Hello for Business documentation
- href: index.yml
+items:
+- name: Overview
+ href: index.md
- name: Concepts
expanded: true
items:
- - name: Windows Hello for Business overview
- href: hello-overview.md
- name: Passwordless strategy
href: passwordless-strategy.md
- name: Why a PIN is better than a password
diff --git a/windows/security/identity-protection/hello-for-business/webauthn-apis.md b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
index f2aa96a5ea..7646115753 100644
--- a/windows/security/identity-protection/hello-for-business/webauthn-apis.md
+++ b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
@@ -1,7 +1,7 @@
---
title: WebAuthn APIs
description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps.
-ms.date: 03/09/2023
+ms.date: 07/27/2023
ms.topic: article
---
# WebAuthn APIs for passwordless authentication on Windows
@@ -14,7 +14,7 @@ Starting in **Windows 11, version 22H2**, WebAuthn APIs support ECC algorithms.
## What does this mean?
-By using WebAuthn APIs, developer partners and the developer community can use [Windows Hello](./index.yml) or [FIDO2 Security Keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to implement passwordless multi-factor authentication for their applications on Windows devices.
+By using WebAuthn APIs, developer partners and the developer community can use [Windows Hello](./index.md) or [FIDO2 Security Keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to implement passwordless multi-factor authentication for their applications on Windows devices.
Users of these apps or sites can use any browser that supports WebAuthn APIs for passwordless authentication. Users will have a familiar and consistent experience on Windows, no matter which browser they use.
diff --git a/windows/security/identity-protection/images/emailsecurity.png b/windows/security/identity-protection/images/emailsecurity.png
deleted file mode 100644
index 4181fc4f45..0000000000
Binary files a/windows/security/identity-protection/images/emailsecurity.png and /dev/null differ
diff --git a/windows/security/identity-protection/images/mailsettings.png b/windows/security/identity-protection/images/mailsettings.png
deleted file mode 100644
index 02423ab89c..0000000000
Binary files a/windows/security/identity-protection/images/mailsettings.png and /dev/null differ
diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md
index c16e630bed..e45198ca8a 100644
--- a/windows/security/identity-protection/index.md
+++ b/windows/security/identity-protection/index.md
@@ -1,27 +1,14 @@
---
-title: Identity and access management
-description: Learn more about identity and access protection technologies in Windows.
+title: Windows identity protection
+description: Learn more about identity protection technologies in Windows.
ms.topic: article
-ms.date: 02/05/2018
+ms.date: 07/27/2023
---
-# Identity and access management
+# Windows identity protection
-Learn more about identity and access management technologies in Windows.
+Learn more about identity protection technologies in Windows.
[!INCLUDE [virtual-smart-card-deprecation-notice](../includes/virtual-smart-card-deprecation-notice.md)]
-| Section | Description |
-|-|-|
-| [Local Administrator Password Solution](/defender-for-identity/cas-isp-laps) | Local Administrator Password Solution (LAPS) provides management of local account passwords of domain-joined computers. Passwords are stored in Azure Active Directory (Azure AD) and protected by an access control list (ACL), so only eligible users can read them or request a reset.
-| [Technical support policy for lost or forgotten passwords](password-support-policy.md)| Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so. |
-| [Access control](access-control/access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
-| [Configure S/MIME for Windows 10](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
-| [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard helps prevent these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |
-| [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. |
-| [User Account Control](user-account-control/user-account-control-overview.md)| Provides information about User Account Control (UAC), which helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. UAC can help block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.|
-| [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. |
-| [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
-| [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
-| [Windows Hello for Business](hello-for-business/index.yml) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on client devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
-| [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. |
+[!INCLUDE [identity](../includes/sections/identity.md)]
diff --git a/windows/security/identity-protection/password-support-policy.md b/windows/security/identity-protection/password-support-policy.md
deleted file mode 100644
index 46e3507908..0000000000
--- a/windows/security/identity-protection/password-support-policy.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: Technical support policy for lost or forgotten passwords
-description: Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so.
-ms.topic: article
-ms.date: 11/20/2019
----
-
-# Technical support policy for lost or forgotten passwords
-
-Microsoft takes security seriously. This is for your protection. Microsoft accounts, the Windows operating system, and other Microsoft products include passwords to help secure your information. This article provides some options that you can use to reset or recover your password if you forget it. If these options don't work, Microsoft support engineers can't help you retrieve or circumvent a lost or forgotten password.
-
-If you lose or forget a password, you can use the links in this article to find published support information that will help you reset the password.
-
-## How to reset a password for a domain account
-
-If you lose or forget the password for a domain account, contact your IT administrator or Helpdesk. For more information, see [Change or reset your Windows password](https://support.microsoft.com/help/4490115).
-
-## How to reset a password for a Microsoft account
-
-If you lose or forget the password for your Microsoft Account, use the [Recover your account](https://account.live.com/ResetPassword.aspx) wizard.
-
-This wizard requests your security proofs. If you've forgotten your security proofs, or no longer have access to them, select **I no longer have these anymore**. After you select this option, fill out a form for the Microsoft Account team. Provide as much information as you can on this form. The Microsoft Account team reviews the information that you provide to determine whether you're the account holder. This decision is final. Microsoft doesn't influence the team's choice of action.
-
-## How to reset a password for a local account on a Windows device
-
-Local accounts on a device include the device's Administrator account.
-
-### Windows 10
-
-If you lose or forget the password for a local account on a device that runs Windows 10, see [Reset your Windows 10 local account password](https://support.microsoft.com/help/4028457).
-
-### Windows 8.1 or Windows 7
-
-If you lose or forget the password for a local account on a device that runs Windows 8.1 or Windows 7, see [Change or reset your Windows password](https://support.microsoft.com/help/4490115). In that article, you can select your operating system version from the **Select Product Version** menu.
-
-## How to reset a hardware BIOS password
-
-If you lose or forget the password for the hardware BIOS of a device, contact the device manufacturer for help and support. If you do contact the manufacturer online, make sure that you visit the manufacturer website and not the website of some third party.
-
-## How to reset a password for an individual file
-
-Some applications let you password-protect individual files. If you lose or forget such a password, you can rely on that application only to reset or recover it. Microsoft support engineers can't help you reset, retrieve, or circumvent such passwords.
-
-## Using third-party password tools
-
-Some third-party companies claim to be able to circumvent passwords that have been applied to files and features that Microsoft programs use. For legal reasons, we can't recommend or endorse any one of these companies. If you want help to circumvent or reset a password, you can locate and contact a third party for this help. However, you use such third-party products and services at your own risk.
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 64e9869d2a..41748c9408 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -1,5 +1,5 @@
---
-title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10)
+title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device.
ms.collection:
- highpri
@@ -20,9 +20,7 @@ Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard
Administrator credentials are highly privileged and must be protected. By using Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, if the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never passed over the network to the target device.
> [!IMPORTANT]
-> For information on Remote Desktop connection scenarios involving helpdesk support, see [Remote Desktop connections and helpdesk support scenarios](#helpdesk) in this article.
-
-
+> For information on Remote Desktop connection scenarios involving helpdesk support, see [Remote Desktop connections and helpdesk support scenarios](#remote-desktop-connections-and-helpdesk-support-scenarios) in this article.
## Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options
@@ -30,43 +28,28 @@ The following diagram helps you to understand how a standard Remote Desktop sess
- User performs operation requiring privilege| If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute.|
-| ShellExecute| ShellExecute calls CreateProcess. ShellExecute looks for the ERROR_ELEVATION_REQUIRED error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt.|
-| CreateProcess| If the application requires elevation, CreateProcess rejects the call with ERROR_ELEVATION_REQUIRED.|
-
-### System
-
-|Component|Description|
-|--- |--- |
-| Application Information service| A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required and (depending on Group Policy) consent is given by the user to do so.|
-| Elevating an ActiveX install| If ActiveX is not installed, the system checks the UAC slider level. If ActiveX is installed, the **User Account Control: Switch to the secure desktop when prompting for elevation** Group Policy setting is checked.|
-| Check UAC slider level| UAC has a slider to select from four levels of notification. **Always notify** will: Recommended if you often install new software or visit unfamiliar websites. **Notify me only when programs try to make changes to my computer** will: Recommended if you do not often install apps or visit unfamiliar websites. **Notify me only when programs try to make changes to my computer (do not dim my desktop)** will: Not recommended. Choose this only if it takes a long time to dim the desktop on your computer. **Never notify (Disable UAC prompts)** will: Not recommended due to security concerns.|
-| Secure desktop enabled| The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is checked: If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. If the secure desktop is not enabled, all elevation requests go to the interactive user's desktop, and the per-user settings for administrators and standard users are used.|
-| CreateProcess| CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation. The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file. CreateProcess fails if the requested execution level specified in the manifest does not match the access token and returns an error (ERROR_ELEVATION_REQUIRED) to ShellExecute.|
-| AppCompat| The AppCompat database stores information in the application compatibility fix entries for an application.|
-| Fusion| The Fusion database stores information from application manifests that describe the applications. The manifest schema is updated to add a new requested execution level field.|
-| Installer detection| Installer detection detects setup files, which helps prevent installations from being run without the user's knowledge and consent.|
-
-### Kernel
-
-|Component|Description|
-|--- |--- |
-| Virtualization| Virtualization technology ensures that non-compliant apps do not silently fail to run or fail in a way that the cause cannot be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas.|
-| File system and registry| The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second.|
-
-The slider will never turn UAC completely off. If you set it to **Never notify**, it will:
-
-- Keep the UAC service running.
-- Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt.
-- Automatically deny all elevation requests for standard users.
-
-> [!IMPORTANT]
-> In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**.
-
-> [!WARNING]
-> Some Universal Windows Platform apps may not work when UAC is disabled.
-
-### Virtualization
-
-Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you do not need to replace the majority of apps when UAC is turned on.
-
-Windows 10 and Windows 11 include file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative app that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app.
-
-Most app tasks operate properly by using virtualization features. Although virtualization allows a majority of applications to run, it is a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization.
-
-Virtualization is not an option in the following scenarios:
-
-- Virtualization does not apply to apps that are elevated and run with a full administrative access token.
-
-- Virtualization supports only 32-bit apps. Non-elevated 64-bit apps simply receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations.
-
-- Virtualization is disabled if the app includes an app manifest with a requested execution level attribute.
-
-### Request execution levels
-
-An app manifest is an XML file that describes and identifies the shared and private side-by-side assemblies that an app should bind to at run time. The app manifest includes entries for UAC app compatibility purposes. Administrative apps that include an entry in the app manifest prompt the user for permission to access the user's access token. Although they lack an entry in the app manifest, most administrative app can run without modification by using app compatibility fixes. App compatibility fixes are database entries that enable applications that are not UAC-compliant to work properly.
-
-All UAC-compliant apps should have a requested execution level added to the application manifest. If the application requires administrative access to the system, then marking the app with a requested execution level of "require administrator" ensures that the system identifies this program as an administrative app and performs the necessary elevation steps. Requested execution levels specify the privileges required for an app.
-
-### Installer detection technology
-
-Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 and Windows 11 heuristically detect installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 and Windows 11 also heuristically detect updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry.
-
-Installer detection only applies to:
-
-- 32-bit executable files.
-- Applications without a requested execution level attribute.
-- Interactive processes running as a standard user with UAC enabled.
-
-Before a 32-bit process is created, the following attributes are checked to determine whether it is an installer:
-
-- The file name includes keywords such as "install," "setup," or "update."
-- Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name.
-- Keywords in the side-by-side manifest are embedded in the executable file.
-- Keywords in specific StringTable entries are linked in the executable file.
-- Key attributes in the resource script data are linked in the executable file.
-- There are targeted sequences of bytes within the executable file.
-
-> [!NOTE]
-> The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.
-
-> [!NOTE]
-> The User Account Control: Detect application installations and prompt for elevation policy setting must be enabled for installer detection to detect installation programs. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).
diff --git a/windows/security/identity-protection/user-account-control/images/uacconsentprompt.png b/windows/security/identity-protection/user-account-control/images/uacconsentprompt.png
deleted file mode 100644
index 1a84a4cfd7..0000000000
Binary files a/windows/security/identity-protection/user-account-control/images/uacconsentprompt.png and /dev/null differ
diff --git a/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.png b/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.png
deleted file mode 100644
index df0077b91b..0000000000
Binary files a/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.png and /dev/null differ
diff --git a/windows/security/identity-protection/user-account-control/images/uacshieldicon.png b/windows/security/identity-protection/user-account-control/images/uacshieldicon.png
deleted file mode 100644
index 5c9e4de2f7..0000000000
Binary files a/windows/security/identity-protection/user-account-control/images/uacshieldicon.png and /dev/null differ
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
deleted file mode 100644
index 08e9ce3e06..0000000000
--- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
+++ /dev/null
@@ -1,191 +0,0 @@
----
-title: User Account Control Group Policy and registry key settings (Windows)
-description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC.
-ms.collection:
- - highpri
- - tier2
-ms.topic: article
-ms.date: 04/19/2017
----
-
-# User Account Control Group Policy and registry key settings
-## Group Policy settings
-There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings).
-
-
-| Group Policy setting | Registry key | Default |
-| - | - | - | - |
-| [User Account Control: Admin Approval Mode for the built-in Administrator account](#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | FilterAdministratorToken | Disabled |
-| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | EnableUIADesktopToggle | Disabled |
-| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | ConsentPromptBehaviorAdmin | Prompt for consent for non-Windows binaries |
-| [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | ConsentPromptBehaviorUser | Prompt for credentials |
-| [User Account Control: Detect application installations and prompt for elevation](#user-account-control-detect-application-installations-and-prompt-for-elevation) | EnableInstallerDetection | Enabled (default for home) UEFI Secure Boot ensures that the device boots only authorized code. Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: "System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby"|
-|Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled|Required to support virtualization-based security. Direct Memory Access (DMA) protection can be enabled to provide extra memory protection but requires processors to include DMA protection technologies.|
+|UEFI 2.3.1 or later firmware with Secure Boot enabled|Required to support UEFI Secure Boot. UEFI Secure Boot ensures that the device boots only authorized code. Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: "System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby"|
+|Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled|Required to support virtualization-based security. **Note:** Device Guard can be enabled without using virtualization-based security.|
+|X64 processor|Required to support virtualization-based security that uses Windows Hypervisor. Hyper-V is supported only on x64 processor (and not on x86). Direct Memory Access (DMA) protection can be enabled to provide extra memory protection but requires processors to include DMA protection technologies.|
|IOMMU, such as Intel VT-d, AMD-Vi|Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.|
|Trusted Platform Module (TPM)|Required to support health attestation and necessary for other key protections for virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10, version 1607 (RS1)|
This section presented information about several closely related controls in Windows 10. The multi-layer defenses and in-depth approach help to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them.
-## Detect an unhealthy Windows 10-based device
+## Detect an unhealthy Windows 10-based device
As of today, many organizations only consider devices to be compliant with company policy after they've passed various checks that show, for example, that the operating system is in the correct state, properly configured, and has security protection enabled. Unfortunately, with today's systems, this form of reporting isn't entirely reliable because malware can spoof a software statement about system health. A rootkit, or a similar low-level exploit, can report a false healthy state to traditional compliance tools.
@@ -392,14 +384,14 @@ When you start a device equipped with TPM, a measurement of different components
The health attestation process works as follows:
-1. Hardware boot components are measured.
-2. Operating system boot components are measured.
-3. If Device Guard is enabled, current Device Guard policy is measured.
-4. Windows kernel is measured.
-5. Antivirus software is started as the first kernel mode driver.
-6. Boot start drivers are measured.
-7. MDM server through the MDM agent issues a health check command by using the Health Attestation CSP.
-8. Boot measurements are validated by the Health Attestation Service
+1. Hardware boot components are measured.
+2. Operating system boot components are measured.
+3. If Device Guard is enabled, current Device Guard policy is measured.
+4. Windows kernel is measured.
+5. Antivirus software is started as the first kernel mode driver.
+6. Boot start drivers are measured.
+7. MDM server through the MDM agent issues a health check command by using the Health Attestation CSP.
+8. Boot measurements are validated by the Health Attestation Service
> [!NOTE]
> By default, the last 100 system boot logs and all associated resume logs are archived in the %SystemRoot%\\logs\\measuredboot folder.
@@ -407,16 +399,16 @@ The number of retained logs may be set with the registry **REG\_DWORD** value **
The following process describes how health boot measurements are sent to the health attestation service:
-1. The client (a Windows 10-based device with TPM) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client.
-2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate information.
-3. The remote device heath attestation service then:
+1. The client (a Windows 10-based device with TPM) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client.
+2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate information.
+3. The remote device heath attestation service then:
- 1. Verifies that the AIK certificate is issued by a known and trusted CA and the certificate is valid and not revoked.
- 2. Verifies that the signature on the PCR quotes is correct and consistent with the TCG log value.
- 3. Parses the properties in the TCG log.
- 4. Issues the device health token that contains the health information, the AIK information, and the boot counter information. The health token also contains valid issuance time. The device health token is encrypted and signed, that means that the information is protected and only accessible to issuing health attestation service.
+ 1. Verifies that the AIK certificate is issued by a known and trusted CA and the certificate is valid and not revoked.
+ 2. Verifies that the signature on the PCR quotes is correct and consistent with the TCG log value.
+ 3. Parses the properties in the TCG log.
+ 4. Issues the device health token that contains the health information, the AIK information, and the boot counter information. The health token also contains valid issuance time. The device health token is encrypted and signed, that means that the information is protected and only accessible to issuing health attestation service.
-4. The client stores the health encrypted blob in its local store. The device health token contains device health status, a device ID (the Windows AIK), and the boot counter.
+4. The client stores the health encrypted blob in its local store. The device health token contains device health status, a device ID (the Windows AIK), and the boot counter.
:::image type="content" alt-text="figure 8." source="images/hva-fig8a-healthattest8a.png":::
@@ -424,7 +416,7 @@ The following process describes how health boot measurements are sent to the hea
The device health attestation solution involves different components that are TPM, Health Attestation CSP, and the Windows Health Attestation Service. Those components are described in this section.
-### Trusted Platform Module
+### Trusted Platform Module
This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting.
@@ -432,11 +424,11 @@ In a simplified manner, the TPM is a passive component with limited resources. I
A TPM incorporates in a single component:
-- An RSA 2048-bit key generator
-- A random number generator
-- Nonvolatile memory for storing EK, SRK, and AIK keys
-- A cryptographic engine to encrypt, decrypt, and sign
-- Volatile memory for storing the PCRs and RSA keys
+- An RSA 2048-bit key generator
+- A random number generator
+- Nonvolatile memory for storing EK, SRK, and AIK keys
+- A cryptographic engine to encrypt, decrypt, and sign
+- Volatile memory for storing the PCRs and RSA keys
### Endorsement key
@@ -448,15 +440,15 @@ The endorsement key acts as an identity card for the TPM. For more information,
The endorsement key is often accompanied by one or two digital certificates:
-- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
-- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
+- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
+- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10.
> [!NOTE]
> Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted Boot, Hyper-V Code Integrity and ELAM take over. A device that uses Intel TPM or Qualcomm TPM gets a signed certificate online from the manufacturer that has created the chip and then stores the signed certificate in TPM storage. For the operation to succeed, if you are filtering Internet access from your client devices, you must authorize the following URLs:
-- For Intel firmware TPM: **```https://ekop.intel.com/ekcertservice```**
-- For Qualcomm firmware TPM: **```https://ekcert.spserv.microsoft.com/```**
+- For Intel firmware TPM: **```https://ekop.intel.com/ekcertservice```**
+- For Qualcomm firmware TPM: **```https://ekcert.spserv.microsoft.com/```**
### Attestation Identity Keys
@@ -504,7 +496,7 @@ If the TPM ownership isn't known but the EK exists, the client library will prov
As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is performed, the resulting AIK public portion is stored in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\WindowsAIKPub**
> [!NOTE]
-> For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: https://\*.microsoftaik.azure.net
+> For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: `https://\*.microsoftaik.azure.net`
### Windows 10 Health Attestation CSP
@@ -512,10 +504,10 @@ Windows 10 contains a configuration service provider (CSP) specialized for inter
The following list is that of the functions performed by the Windows 10 Health Attestation CSP:
-- Collects data that is used to verify a device's health status
-- Forwards the data to the Health Attestation Service
-- Provisions the Health Attestation Certificate that it receives from the Health Attestation Service
-- Upon request, forwards the Health Attestation Certificate (received from the Health Attestation Service) and related runtime information to the MDM server for verification
+- Collects data that is used to verify a device's health status
+- Forwards the data to the Health Attestation Service
+- Provisions the Health Attestation Certificate that it receives from the Health Attestation Service
+- Upon request, forwards the Health Attestation Certificate (received from the Health Attestation Service) and related runtime information to the MDM server for verification
During a health attestation session, the Health Attestation CSP forwards the TCG logs and PCRs' values that are measured during the boot, by using a secure communication channel to the Health Attestation Service.
@@ -530,21 +522,21 @@ The role of Windows Health Attestation Service is essentially to evaluate a set
Checking that a TPM attestation and the associated log are valid takes several steps:
-1. First, the server must check that the reports are signed by **trustworthy AIKs**. This verification might be done by checking that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked.
-2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it's a **valid signature over PCR values**.
-3. Next the logs should be checked to ensure that they match the PCR values reported.
-4. Finally, the logs themselves should be examined by an MDM solution to see whether they represent **known or valid security configurations**. For example, a simple check might be to see whether the measured early OS components are known to be good, that the ELAM driver is as expected, and that the ELAM driver policy file is up to date. If all of these checks succeed, an attestation statement can be issued that later can be used to determine whether or not the client should be granted access to a resource.
+1. First, the server must check that the reports are signed by **trustworthy AIKs**. This verification might be done by checking that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked.
+2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it's a **valid signature over PCR values**.
+3. Next the logs should be checked to ensure that they match the PCR values reported.
+4. Finally, the logs themselves should be examined by an MDM solution to see whether they represent **known or valid security configurations**. For example, a simple check might be to see whether the measured early OS components are known to be good, that the ELAM driver is as expected, and that the ELAM driver policy file is up to date. If all of these checks succeed, an attestation statement can be issued that later can be used to determine whether or not the client should be granted access to a resource.
The Health Attestation Service provides the following information to an MDM solution about the health of the device:
-- Secure Boot enablement
-- Boot and kernel debug enablement
-- BitLocker enablement
-- VSM enabled
-- Signed or unsigned Device Guard Code Integrity policy measurement
-- ELAM loaded
-- Safe Mode boot, DEP enablement, test signing enablement
-- Device TPM has been provisioned with a trusted endorsement certificate
+- Secure Boot enablement
+- Boot and kernel debug enablement
+- BitLocker enablement
+- VSM enabled
+- Signed or unsigned Device Guard Code Integrity policy measurement
+- ELAM loaded
+- Safe Mode boot, DEP enablement, test signing enablement
+- Device TPM has been provisioned with a trusted endorsement certificate
For completeness of the measurements, see [Health Attestation CSP](/windows/client-management/mdm/healthattestation-csp).
@@ -560,29 +552,29 @@ To make device health relevant, the MDM solution evaluates the device health rep
A solution that uses MDM and the Health Attestation Service consists of three main parts:
-1. A device with health attestation enabled. This enablement will be done as a part of enrollment with an MDM provider (health attestation will be disabled by default).
-2. After this service is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return.
-3. At any point after this cycle, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it's been attested.
+1. A device with health attestation enabled. This enablement will be done as a part of enrollment with an MDM provider (health attestation will be disabled by default).
+2. After this service is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return.
+3. At any point after this cycle, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it's been attested.
:::image type="content" alt-text="figure 9." source="images/hva-fig8-evaldevicehealth8.png":::
Interaction between a Windows 10-based device, the Health Attestation Service, and MDM can be performed as follows:
-1. The client initiates a session with the MDM server. The URI for the MDM server would be part of the client app that initiates the request. The MDM server at this time could request the health attestation data by using the appropriate CSP URI.
-2. The MDM server specifies a nonce along with the request.
-3. The client then sends the AIK quoted nonce + the boot counter and the health blob information. This health blob is encrypted with a Health Attestation Service public key that only the Health Attestation Service can decrypt.
-4. The MDM server:
+1. The client initiates a session with the MDM server. The URI for the MDM server would be part of the client app that initiates the request. The MDM server at this time could request the health attestation data by using the appropriate CSP URI.
+2. The MDM server specifies a nonce along with the request.
+3. The client then sends the AIK quoted nonce + the boot counter and the health blob information. This health blob is encrypted with a Health Attestation Service public key that only the Health Attestation Service can decrypt.
+4. The MDM server:
- 1. Verifies that the nonce is as expected.
- 2. Passes the quoted data, the nonce and the encrypted health blob to the Health Attestation Service server.
+ 1. Verifies that the nonce is as expected.
+ 2. Passes the quoted data, the nonce and the encrypted health blob to the Health Attestation Service server.
-5. The Health Attestation Service:
+5. The Health Attestation Service:
- 1. Decrypts the health blob.
- 2. Verifies that the boot counter in the quote is correct using the AIK in the health blob and matches the value in the health blob.
- 3. Verifies that the nonce matches in the quote and the one that is passed from MDM.
- 4. Because the boot counter and the nonce are quoted with the AIK from the health blob, it also proves that the device is the same one as the one for which the health blob has been generated.
- 5. Sends data back to the MDM server including health parameters, freshness, and so on.
+ 1. Decrypts the health blob.
+ 2. Verifies that the boot counter in the quote is correct using the AIK in the health blob and matches the value in the health blob.
+ 3. Verifies that the nonce matches in the quote and the one that is passed from MDM.
+ 4. Because the boot counter and the nonce are quoted with the AIK from the health blob, it also proves that the device is the same one as the one for which the health blob has been generated.
+ 5. Sends data back to the MDM server including health parameters, freshness, and so on.
> [!NOTE]
> The MDM server (relying party) never performs the quote or boot counter validation itself. It gets the quoted data and the health blob (which is encrypted) and sends the data to the Health Attestation Service for validation. This way, the AIK is never visible to the MDM, which thereby addresses privacy concerns.
@@ -623,7 +615,7 @@ Third-party MDM servers can manage Windows 10 by using the MDM protocol. The bui
The third-party MDM server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users.
-### Management of Windows Defender by third-party MDM
+### Management of Windows Defender by third-party MDM
This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren't domain joined. IT pros will be able to manage and configure all of the actions and settings they're familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms.
@@ -639,7 +631,7 @@ If the device isn't registered, the user will get a message with instructions on
:::image type="content" alt-text="figure 11." source="images/hva-fig10-conditionalaccesscontrol.png":::
-### Office 365 conditional access control
+### Office 365 conditional access control
Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company's device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include more
target groups.
@@ -661,20 +653,20 @@ Depending on the type of email application that employees use to access Exchange
Clients that attempt to access Office 365 will be evaluated for the following properties:
-- Is the device managed by an MDM?
-- Is the device registered with Azure AD?
-- Is the device compliant?
+- Is the device managed by an MDM?
+- Is the device registered with Azure AD?
+- Is the device compliant?
To get to a compliant state, the Windows 10-based device needs to:
-- Enroll with an MDM solution.
-- Register with Azure AD.
-- Be compliant with the device policies set by the MDM solution.
+- Enroll with an MDM solution.
+- Register with Azure AD.
+- Be compliant with the device policies set by the MDM solution.
> [!NOTE]
> At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows 10 – Using the cloud to modernize enterprise mobility!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-microsoft-intune-and-windows-10-8211-using-the-cloud-to/ba-p/244012) blog post.
-### Cloud and on-premises apps conditional access control
+### Cloud and on-premises apps conditional access control
Conditional access control is a powerful policy evaluation engine built into Azure AD. It gives IT pros an easy way to create access rules beyond Office 365 that evaluate the context of a user's sign in to make real-time decisions about which applications they should be allowed to access.
@@ -687,22 +679,22 @@ For more information about conditional access, see [Azure Conditional Access Pre
For on-premises applications there are two options to enable conditional access control based on a device's compliance state:
-- For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more information, see [Using Azure AD Application Proxy to publish on-premises apps for remote users](/azure/active-directory/app-proxy/what-is-application-proxy).
-- Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
+- For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more information, see [Using Azure AD Application Proxy to publish on-premises apps for remote users](/azure/active-directory/app-proxy/what-is-application-proxy).
+- Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
:::image type="content" alt-text="figure 13." source="images/hva-fig12-conditionalaccess12.png":::
The following process describes how Azure AD conditional access works:
-1. User has already enrolled with MDM through Workplace Access/Azure AD join, which registers device with Azure AD.
-2. When the device boots or resumes from hibernate, a task "Tpm-HASCertRetr" is triggered to request in background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service.
-3. Health Attestation Service validates device state and issues an encrypted blob to the device based on the health state with details on failed checks (if any).
-4. User logs on and the MDM agent contacts the Intune/MDM server.
-5. MDM server pushes down new policies if available and queries health blob state and other inventory state.
-6. Device sends a health attestation blob previously acquired and also the value of the other state inventory requested by the Intune/MDM server.
-7. Intune/MDM server sends the health attestation blob to Health Attestation Service to be validated.
-8. Health Attestation Service validates that the device that sent the health attestation blob is healthy, and returns this result to Intune/MDM server.
-9. Intune/MDM server evaluates compliance based on the compliance and the queried inventory/health attestation state from device.
+1. User has already enrolled with MDM through Workplace Access/Azure AD join, which registers device with Azure AD.
+2. When the device boots or resumes from hibernate, a task "Tpm-HASCertRetr" is triggered to request in background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service.
+3. Health Attestation Service validates device state and issues an encrypted blob to the device based on the health state with details on failed checks (if any).
+4. User logs on and the MDM agent contacts the Intune/MDM server.
+5. MDM server pushes down new policies if available and queries health blob state and other inventory state.
+6. Device sends a health attestation blob previously acquired and also the value of the other state inventory requested by the Intune/MDM server.
+7. Intune/MDM server sends the health attestation blob to Health Attestation Service to be validated.
+8. Health Attestation Service validates that the device that sent the health attestation blob is healthy, and returns this result to Intune/MDM server.
+9. Intune/MDM server evaluates compliance based on the compliance and the queried inventory/health attestation state from device.
10. Intune/MDM server updates compliance state against device object in Azure AD.
11. User opens app, attempts to access a corporate managed asset.
12. Access gated by compliance claim in Azure AD.
@@ -717,43 +709,43 @@ Conditional access control is a topic that many organizations and IT pros may no
The following list contains high-level key takeaways to improve the security posture of any organization. However, the few takeaways presented in this section shouldn't be interpreted as an exhaustive list of security best practices.
-- **Understand that no solution is 100 percent secure**
+- **Understand that no solution is 100 percent secure**
If determined adversaries with malicious intent gain physical access to the device, they could eventually break through its security layers and control it.
-- **Use health attestation with an MDM solution**
+- **Use health attestation with an MDM solution**
Devices that attempt to connect to high-value assets must have their health evaluated so that unhealthy and noncompliant devices can be detected, reported, and eventually blocked.
-- **Use Credential Guard**
+- **Use Credential Guard**
Credential Guard is a feature that greatly helps protect corporate domain credentials from pass-the-hash attacks.
-- **Use Device Guard**
+- **Use Device Guard**
Device Guard is a real advance in security and an effective way to help protect against malware. The new Device Guard feature in Windows 10 blocks untrusted apps (apps not authorized by your organization).
-- **Sign Device Guard policy**
+- **Sign Device Guard policy**
Signed Device Guard policy helps protect against a user with administrator privileges trying to defeat the current policy. When a policy is signed, the only way to modify Device Guard later is to provide a new version of the policy signed by the same signer or from a signer specify as part of the Device Guard policy.
-- **Use virtualization-based security**
+- **Use virtualization-based security**
When you have Kernel Mode Code Integrity protected by virtualization-based security, the code integrity rules are still enforced even if a vulnerability allows unauthorized kernel mode memory access. Keep in mind that Device Guard devices that run Kernel Code Integrity with virtualization-based security must have compatible drivers.
-- **Start to deploy Device Guard with Audit mode**
+- **Start to deploy Device Guard with Audit mode**
Deploy Device Guard policy to targeted computers and devices in Audit mode. Monitor the Code Integrity event log that indicates a program or a driver would have been blocked if Device Guard was configured in Enforcement mode. Adjust Device Guard rules until a high level of confidence has been reached. After the testing phase has been completed, Device Guard policy can be switched to Enforcement mode.
-- **Build an isolated reference machine when deploying Device Guard**
+- **Build an isolated reference machine when deploying Device Guard**
Because the corporate network can contain malware, you should start to configure a reference environment that is isolated from your main corporate network. After that, you can create a code integrity policy that includes the trusted applications you want to run on your protected devices.
-- **Use AppLocker when it makes sense**
+- **Use AppLocker when it makes sense**
Although AppLocker isn't considered a new Device Guard feature, it complements Device Guard functionality for some scenarios like being able to deny a specific Universal Windows application for a specific user or a group of users.
-- **Lock down firmware and configuration**
+- **Lock down firmware and configuration**
After Windows 10 is installed, lock down firmware boot options access. This lockdown prevents a user with physical access from modifying UEFI settings, disabling Secure Boot, or booting other operating systems. Also, in order to protect against an administrator trying to disable Device Guard, add a rule in the current Device Guard policy that will deny and block execution of the **C:\\Windows\\System32\\SecConfig.efi** tool.
@@ -763,4 +755,4 @@ Health attestation is a key feature of Windows 10 that includes client and cloud
- [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard)
- [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide)
-- [Trusted Platform Module technology overview](../information-protection/tpm/trusted-platform-module-overview.md)
+- [Trusted Platform Module technology overview](../../information-protection/tpm/trusted-platform-module-overview.md)
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
similarity index 83%
rename from windows/security/information-protection/secure-the-windows-10-boot-process.md
rename to windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
index be0c4f800d..536e09924d 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
@@ -1,24 +1,16 @@
---
title: Secure the Windows boot process
description: This article describes how Windows security features help protect your PC from malware, including rootkits and other applications.
-ms.prod: windows-client
-ms.author: paoloma
-author: paolomatarazzo
-manager: aaroncz
+ms.topic: conceptual
+ms.date: 03/09/2023
ms.collection:
- highpri
- tier1
-ms.topic: conceptual
-ms.date: 03/09/2023
-ms.technology: itpro-security
-appliesto:
-- ✅ Windows 10 and later
---
# Secure the Windows boot process
-
-The Windows OS has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 OS includes a series of security features that can mitigate the effect. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
+Windows has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, Windows includes a series of security features that can mitigate the effect. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
Windows has multiple levels of protection for desktop apps and data, too. Windows Defender Antivirus uses cloud-powered real-time detection to identify and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it's recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
@@ -50,9 +42,9 @@ Windows supports four features to help prevent rootkits and bootkits from loadin
Figure 1 shows the Windows startup process.
-.png)
+
-*Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage*
+*Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage*:
Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 and Windows 11 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well.
@@ -82,27 +74,23 @@ These requirements help protect you from rootkits while allowing you to run any
To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software can't change the Secure Boot settings.
-The default state of Secure Boot has a wide circle of trust which can result in customers trusting boot components they may not need. Since the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for all Linux distributions, trusting the Microsoft 3rd Party UEFI CA signature in the UEFI database increase s the attack surface of systems. A customer who intended to only trust and boot a single Linux distribution will trust all distributions – much more than their desired configuration. A vulnerability in any of the bootloaders exposes the system and places the customer at risk of exploit for a bootloader they never intended to use, as seen in recent vulnerabilities, for example [with the GRUB bootloader](https://msrc.microsoft.com/security-guidance/advisory/ADV200011) or [firmware-level rootkit]( https://www.darkreading.com/threat-intelligence/researchers-uncover-dangerous-new-firmware-level-rootkit) affecting boot components. [Secured-core PCs](/windows-hardware/design/device-experiences/OEM-highly-secure-11) require Secure Boot to be enabled and configured to distrust the Microsoft 3rd Party UEFI CA signature, by default, to provide customers with the most secure configuration of their PCs possible.
+The default state of Secure Boot has a wide circle of trust which can result in customers trusting boot components they may not need. Since the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for all Linux distributions, trusting the Microsoft 3rd Party UEFI CA signature in the UEFI database increase s the attack surface of systems. A customer who intended to only trust and boot a single Linux distribution will trust all distributions – much more than their desired configuration. A vulnerability in any of the bootloaders exposes the system and places the customer at risk of exploit for a bootloader they never intended to use, as seen in recent vulnerabilities, for example [with the GRUB bootloader](https://msrc.microsoft.com/security-guidance/advisory/ADV200011) or [firmware-level rootkit]( https://www.darkreading.com/threat-intelligence/researchers-uncover-dangerous-new-firmware-level-rootkit) affecting boot components. [Secured-core PCs](/windows-hardware/design/device-experiences/OEM-highly-secure-11) require Secure Boot to be enabled and configured to distrust the Microsoft 3rd Party UEFI CA signature, by default, to provide customers with the most secure configuration of their PCs possible.
To trust and boot operating systems, like Linux, and components signed by the UEFI signature, Secured-core PCs can be configured in the BIOS menu to add the signature in the UEFI database by following these steps:
-1. Open the firmware menu, either:
-
- - Boot the PC, and press the manufacturer's key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there's often a screen that mentions the key. If there's not one, or if the screen goes by too fast to see it, check your manufacturer's site.
+1. Open the firmware menu, either:
+ - Boot the PC, and press the manufacturer's key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there's often a screen that mentions the key. If there's not one, or if the screen goes by too fast to see it, check your manufacturer's site.
+ - Or, if Windows is already installed, from either the Sign on screen or the Start menu, select Power ( ) > hold Shift while selecting Restart. Select Troubleshoot > Advanced options > UEFI Firmware settings.
+2. From the firmware menu navigate to Security > Secure Boot and select the option to trust the "3rd Party CA".
+3. Save changes and exit.
- - Or, if Windows is already installed, from either the Sign on screen or the Start menu, select Power ( ) > hold Shift while selecting Restart. Select Troubleshoot > Advanced options > UEFI Firmware settings.
-
-2. From the firmware menu navigate to Security > Secure Boot and select the option to trust the "3rd Party CA".
-
-3. Save changes and exit.
-
-Microsoft continues to collaborate with Linux and IHV ecosystem partners to design least privileged features to help you stay secure and opt-in trust for only the publishers and components you trust.
+Microsoft continues to collaborate with Linux and IHV ecosystem partners to design least privileged features to help you stay secure and opt-in trust for only the publishers and components you trust.
Like most mobile devices, Arm-based devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot can't be turned off, and you can't load a different OS. Fortunately, there's a large market of ARM processor devices designed to run other operating systems.
## Trusted Boot
-Trusted Boot takes over where Secure Boot ends. The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
+Trusted Boot takes over where Secure Boot ends. The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
## Early Launch Anti-Malware
@@ -129,13 +117,12 @@ Depending on the implementation and configuration, the server can now determine
Figure 2 illustrates the Measured Boot and remote attestation process.
+
-
-.png)
-
-*Figure 2. Measured Boot proves the PC's health to a remote server*
+*Figure 2. Measured Boot proves the PC's health to a remote server*:
Windows includes the application programming interfaces to support Measured Boot, but you'll need non-Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it. For example, see the following tools from Microsoft Research:
+
- [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487)
- [TSS.MSR](https://github.com/microsoft/TSS.MSR#tssmsr)
diff --git a/windows/security/operating-system-security/system-security/toc.yml b/windows/security/operating-system-security/system-security/toc.yml
new file mode 100644
index 0000000000..2945f5f884
--- /dev/null
+++ b/windows/security/operating-system-security/system-security/toc.yml
@@ -0,0 +1,28 @@
+items:
+- name: Secure the Windows boot process
+ href: secure-the-windows-10-boot-process.md
+- name: Secure Boot and Trusted Boot
+ href: trusted-boot.md
+- name: Measured Boot 🔗
+ href: /windows/compatibility/measured-boot
+- name: Device health attestation service
+ href: protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+- name: Cryptography and certificate management
+ href: cryptography-certificate-mgmt.md
+- name: Windows Security app
+ href: windows-defender-security-center/windows-defender-security-center.md
+ items:
+ - name: Virus & threat protection
+ href: windows-defender-security-center\wdsc-virus-threat-protection.md
+ - name: Account protection
+ href: windows-defender-security-center\wdsc-account-protection.md
+ - name: Firewall & network protection
+ href: windows-defender-security-center\wdsc-firewall-network-protection.md
+ - name: App & browser control
+ href: windows-defender-security-center\wdsc-app-browser-control.md
+ - name: Device security
+ href: windows-defender-security-center\wdsc-device-security.md
+ - name: Device performance & health
+ href: windows-defender-security-center\wdsc-device-performance-health.md
+ - name: Family options
+ href: windows-defender-security-center\wdsc-family-options.md
\ No newline at end of file
diff --git a/windows/security/trusted-boot.md b/windows/security/operating-system-security/system-security/trusted-boot.md
similarity index 87%
rename from windows/security/trusted-boot.md
rename to windows/security/operating-system-security/system-security/trusted-boot.md
index ad5c50ecc7..a5b511cc48 100644
--- a/windows/security/trusted-boot.md
+++ b/windows/security/operating-system-security/system-security/trusted-boot.md
@@ -1,14 +1,11 @@
---
title: Secure Boot and Trusted Boot
description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11
-author: vinaypamnani-msft
-ms.author: vinpa
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2021
-ms.prod: windows-client
-ms.technology: itpro-security
ms.reviewer: jsuther
+appliesto:
+ - "✅ Windows 11"
---
# Secure Boot and Trusted Boot
@@ -21,7 +18,7 @@ Secure Boot and Trusted Boot help prevent malware and corrupted components from
The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.
-As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader's digital signature to ensure that it's trusted by the Secure Boot policy and hasn't been tampered with.
+As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader's digital signature to ensure that it's trusted by the Secure Boot policy and hasn't been tampered with.
## Trusted Boot
@@ -29,6 +26,8 @@ Trusted Boot picks up the process that started with Secure Boot. The Windows boo
Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally.
+[!INCLUDE [secure-boot-and-trusted-boot](../../../../includes/licensing/secure-boot-and-trusted-boot.md)]
+
## See also
-[Secure the Windows boot process](information-protection/secure-the-windows-10-boot-process.md)
\ No newline at end of file
+[Secure the Windows boot process](secure-the-windows-10-boot-process.md)
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-custom-flyout.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-custom-flyout.png
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-home.png b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-home.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/security-center-home.png
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-home.png
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-start-menu.png b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-start-menu.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/security-center-start-menu.png
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-start-menu.png
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-taskbar.png b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-taskbar.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/security-center-taskbar.png
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-taskbar.png
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/settings-windows-defender-security-center-areas.PNG b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/settings-windows-defender-security-center-areas.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/settings-windows-defender-security-center-areas.PNG
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/settings-windows-defender-security-center-areas.png
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/wdsc-all-hide.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/wdsc-all-hide.png
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
new file mode 100644
index 0000000000..86a18cc532
--- /dev/null
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
@@ -0,0 +1,37 @@
+---
+title: Account protection in the Windows Security app
+description: Use the Account protection section to manage security for your account and sign in to Microsoft.
+ms.date: 12/31/2018
+ms.topic: article
+---
+
+
+# Account protection
+
+The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list:
+
+- [Microsoft Account](https://account.microsoft.com/account/faq)
+- [Windows Hello for Business](../../../identity-protection/hello-for-business/hello-identity-verification.md)
+- [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from)
+
+You can also choose to hide the section from users of the device. This is useful if you don't want your employees to access or view user-configured options for these features.
+
+## Hide the Account protection section
+
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
+
+You can only configure these settings by using Group Policy.
+
+> [!IMPORTANT]
+> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**.
+1. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Account protection**.
+1. Open the **Hide the Account protection area** setting and set it to **Enabled**. Select **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+>
+> 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md
index 817ff1949e..a4e6a2916e 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md
@@ -1,21 +1,12 @@
---
title: App & browser control in the Windows Security app
description: Use the App & browser control section to see and configure Windows Defender SmartScreen and Exploit protection settings.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
ms.date: 12/31/2018
-manager: aaroncz
-ms.technology: itpro-security
ms.topic: article
---
# App and browser control
-**Applies to**
-
-- Windows 10 and later
-
The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview).
In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection).
@@ -32,13 +23,9 @@ You can only prevent users from modifying Exploit protection settings by using G
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
2. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies** and then **Administrative templates**.
-
3. Expand the tree to **Windows components > Windows Security > App and browser protection**.
-
4. Open the **Prevent users from modifying settings** setting and set it to **Enabled**. Click **OK**.
-
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
## Hide the App & browser control section
@@ -51,13 +38,9 @@ This section can be hidden only by using Group Policy.
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
2. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies** and then **Administrative templates**.
-
3. Expand the tree to **Windows components > Windows Security > App and browser protection**.
-
4. Open the **Hide the App and browser protection area** setting and set it to **Enabled**. Click **OK**.
-
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
> [!NOTE]
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md
index 1aed92dc61..d792fabd4f 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md
@@ -1,20 +1,12 @@
---
title: Customize Windows Security contact information
description: Provide information to your employees on how to contact your IT department when a security issue occurs
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
ms.date: 12/31/2018
-ms.technology: itpro-security
ms.topic: article
---
# Customize the Windows Security app for your organization
-**Applies to**
-
-- Windows 10 and later
-
You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support.
@@ -36,11 +28,8 @@ You must have Windows 10, version 1709 or later. The ADMX/ADML template files fo
There are two stages to using the contact card and customized notifications. First, you have to enable the contact card or custom notifications (or both), and then you must specify at least a name for your organization and one piece of contact information.
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
3. Expand the tree to **Windows components > Windows Security > Enterprise Customization**.
-
4. Enable the contact card and the customized notifications by configuring two separate Group Policy settings. They will both use the same source of information (explained in Steps 5 and 6). You can enable both, or select one or the other:
1. To enable the contact card, open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**.
@@ -51,8 +40,8 @@ There are two stages to using the contact card and customized notifications. Fir
2. To enable the customized notifications, open the **Configure customized notifications** setting and set it to **Enabled**. Click **OK**.
5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**.
-
6. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings. Open the setting, select **Enabled**, and then add the contact information in the field under **Options**:
+
1. **Specify contact email address or Email ID**
2. **Specify contact phone number or Skype ID**
3. **Specify contact website**
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md
similarity index 58%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md
index bfc66838f7..f3c57f4410 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md
@@ -2,52 +2,34 @@
title: Device & performance health in the Windows Security app
description: Use the Device & performance health section to see the status of the machine and note any storage, update, battery, driver, or hardware configuration issues
ms.date: 12/31/2018
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.technology: itpro-security
ms.topic: article
---
# Device performance and health
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-
The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they're seeing, such as the [configure the Load and unload device drivers security policy setting](/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Configuration Manager](/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager).
The [Windows 10 IT pro troubleshooting topic](/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](/windows/windows-10/) can also be helpful for resolving issues.
-
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
-
## Hide the Device performance & health section
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
This section can be hidden only by using Group Policy.
->[!IMPORTANT]
->### Requirements
+> [!IMPORTANT]
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Device performance and health**.
+1. Open the **Hide the Device performance and health area** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
->You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Device performance and health**.
-
-6. Open the **Hide the Device performance and health area** setting and set it to **Enabled**. Click **OK**.
-
-7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-
->[!NOTE]
->If you hide all sections then the app will show a restricted interface, as in the following screenshot:
->
->
\ No newline at end of file
+> 
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md
new file mode 100644
index 0000000000..35915c9351
--- /dev/null
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md
@@ -0,0 +1,53 @@
+---
+title: Device security in the Windows Security app
+description: Use the Device security section to manage security built into your device, including virtualization-based security.
+ms.date: 12/31/2018
+ms.topic: article
+---
+
+# Device security
+
+The **Device security** section contains information and settings for built-in device security.
+
+You can choose to hide the section from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
+
+## Hide the Device security section
+
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. You can hide the device security section by using Group Policy only.
+
+> [!IMPORTANT]
+> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
+3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
+4. Open the **Hide the Device security area** setting and set it to **Enabled**. Select **OK**.
+5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+>
+> 
+
+## Disable the Clear TPM button
+
+If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it.
+
+> [!IMPORTANT]
+> You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
+3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
+4. Open the **Disable the Clear TPM button** setting and set it to **Enabled**. Select **OK**.
+5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+## Hide the TPM Firmware Update recommendation
+
+If you don't want users to see the recommendation to update TPM firmware, you can disable it.
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
+3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
+4. Open the **Hide the TPM Firmware Update recommendation** setting and set it to **Enabled**. Select **OK**.
+5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md
similarity index 50%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md
index f4a6bb11c6..df1907c2a3 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md
@@ -1,50 +1,35 @@
---
title: Family options in the Windows Security app
description: Learn how to hide the Family options section of Windows Security for enterprise environments. Family options aren't intended for business environments.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
ms.date: 12/31/2018
-ms.technology: itpro-security
ms.topic: article
---
# Family options
-**Applies to**
-
-- Windows 10 and later
-
The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It isn't intended for enterprise or business environments.
Home users can learn more at the [Help protection your family online in Windows Security topic at support.microsoft.com](https://support.microsoft.com/help/4013209/windows-10-protect-your-family-online-in-windows-defender)
In Windows 10, version 1709, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to this section.
-
## Hide the Family options section
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
This section can be hidden only by using Group Policy.
->[!IMPORTANT]
->### Requirements
+> [!IMPORTANT]
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Family options**.
+1. Open the **Hide the Family options area** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
->You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Family options**.
-
-6. Open the **Hide the Family options area** setting and set it to **Enabled**. Click **OK**.
-
-7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-
->[!NOTE]
->If you hide all sections then the app will show a restricted interface, as in the following screenshot:
->
->
\ No newline at end of file
+> 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
similarity index 50%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
index 1d0d162d10..0d538dcab3 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
@@ -1,49 +1,32 @@
---
title: Firewall and network protection in the Windows Security app
description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine.
-author: vinaypamnani-msft
-ms.author: vinpa
ms.date: 12/31/2018
-ms.technology: itpro-security
ms.topic: article
---
-
# Firewall and network protection
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../windows-firewall/windows-firewall-with-advanced-security.md).
+The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
-
## Hide the Firewall & network protection section
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
This section can be hidden only by using Group Policy.
->[!IMPORTANT]
->### Requirements
+> [!IMPORTANT]
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Firewall and network protection**.
+1. Open the **Hide the Firewall and network protection area** setting and set it to **Enabled**. Click **OK**.
+1. Deploy the updated GPO as you normally do.
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
->You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-
-1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Firewall and network protection**.
-
-6. Open the **Hide the Firewall and network protection area** setting and set it to **Enabled**. Click **OK**.
-
-7. Deploy the updated GPO as you normally do.
-
->[!NOTE]
->If you hide all sections then the app will show a restricted interface, as in the following screenshot:
->
->
-
+> 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md
similarity index 82%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md
index 8ca7f8d1c1..d21b237aae 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md
@@ -1,20 +1,12 @@
---
title: Hide notifications from the Windows Security app
description: Prevent Windows Security app notifications from appearing on user endpoints
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
ms.date: 12/31/2018
-ms.technology: itpro-security
ms.topic: article
---
# Hide Windows Security app notifications
-**Applies to**
-
-- Windows 10 and later
-
The Windows Security app is used by many Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others.
In some cases, it may not be appropriate to show these notifications, for example, if you want to hide regular status updates, or if you want to hide all notifications to the employees in your organization.
@@ -28,30 +20,21 @@ If you set **Hide all notifications** to **Enabled**, changing the **Hide non-cr
You can only use Group Policy to change these settings.
-
-
## Use Group Policy to hide non-critical notifications
You can hide notifications that describe regular events related to the health and security of the machine. These notifications are the ones that don't require an action from the machine's user. It can be useful to hide these notifications if you find they're too numerous or you have other status reporting on a larger scale (such as Windows Update for Business reports or Microsoft Configuration Manager reporting).
These notifications can be hidden only by using Group Policy.
->[!IMPORTANT]
->
-> Requirement: You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> [!IMPORTANT]
+> You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. Download the latest [Administrative Templates (.admx) for Windows 10, v2004](https://www.microsoft.com/download/101445).
-
-2. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**
-
-6. Open the **Hide non-critical notifications** setting and set it to **Enabled**. Click **OK**.
-
-7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**
+1. Open the **Hide non-critical notifications** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
## Use Group Policy to hide all notifications
@@ -59,22 +42,18 @@ You can hide all notifications that are sourced from the Windows Security app. T
These notifications can be hidden only by using Group Policy.
->[!IMPORTANT]
->
-> Requirement: You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> [!IMPORTANT]
+> You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**.
> [!NOTE]
> For Windows 10 version 2004 and above the path would be **Windows components > Windows Security > Notifications**.
-6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.
-
-7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+1. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
> [!NOTE]
> You can use the following registry key and DWORD value to **Hide all notifications**.
@@ -95,7 +74,7 @@ These notifications can be hidden only by using Group Policy.
| HVCI, driver compat check fails (upon trying to enable) | There may be an incompatibility on your device. | HVCI_ENABLE_FAILURE | Yes |Firewall and network protection notification|
| HVCI, reboot needed to enable | The recent change to your protection settings requires a restart of your device. | HVCI_ENABLE_SUCCESS | Yes |Firewall and network protection notification|
| Item skipped in scan, due to exclusion setting, or network scanning disabled by admin | The Microsoft Defender Antivirus scan skipped an item due to exclusion or network scanning settings. | ITEM_SKIPPED | Yes |Virus & threat protection notification|
-| Remediation failure | Microsoft Defender Antivirus couldn’t completely resolve potential threats. | CLEAN_FAILED | Yes |Virus & threat protection notification|
+| Remediation failure | Microsoft Defender Antivirus couldn't completely resolve potential threats. | CLEAN_FAILED | Yes |Virus & threat protection notification|
| Follow-up action (restart & scan) | Microsoft Defender Antivirus found _threat_ in _file name_. Restart and scan your device. Restart and scan | MANUALSTEPS_REQUIRED | Yes |Virus & threat protection notification|
| Follow-up action (restart) | Microsoft Defender Antivirus found _threat_ in _file_. Restart your device. | WDAV_REBOOT | Yes |Virus & threat protection notification|
| Follow-up action (Full scan) | Microsoft Defender Antivirus found _threat_ in _file_. Run a full scan of your device. | FULLSCAN_REQUIRED | Yes |Virus & threat protection notification|
@@ -109,7 +88,7 @@ These notifications can be hidden only by using Group Policy.
| Scan finished, manual, threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_, and took action against threats. | RECENT_SCAN_FOUND_THREATS | No |Virus & threat protection notification|
| Scan finished, manual, **no** threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_. No threats were found. | RECENT_SCAN_NO_THREATS | No |Virus & threat protection notification|
| Threat found | Microsoft Defender Antivirus found threats. Get details. | CRITICAL | No |Virus & threat protection notification|
-| LPS on notification | Microsoft Defender Antivirus is periodically scanning your device. You’re also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No |Virus & threat protection notification|
+| LPS on notification | Microsoft Defender Antivirus is periodically scanning your device. You're also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No |Virus & threat protection notification|
| Long running BaFS | Your IT administrator requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS | No |Firewall and network protection notification|
| Long running BaFS customized | _Company_ requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS_DETECTED_CUSTOM (body) | No |Firewall and network protection notification|
| Sense detection | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED | No |Firewall and network protection notification|
@@ -131,4 +110,4 @@ These notifications can be hidden only by using Group Policy.
| Dynamic lock on, bluetooth on, but device unpaired | | | No |Account protection notification|
| Dynamic lock on, bluetooth on, but unable to detect device | | | No |Account protection notification|
| NoPa or federated no hello | | | No |Account protection notification|
-| NoPa or federated hello broken | | | No |Account protection notification|
\ No newline at end of file
+| NoPa or federated hello broken | | | No |Account protection notification|
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md
new file mode 100644
index 0000000000..f17c9907ba
--- /dev/null
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md
@@ -0,0 +1,58 @@
+---
+title: Virus and threat protection in the Windows Security app
+description: Use the Virus & threat protection section to see and configure Microsoft Defender Antivirus, Controlled folder access, and 3rd-party AV products.
+ms.date: 12/31/2017
+ms.topic: article
+---
+
+# Virus and threat protection
+
+The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products.
+
+In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. These settings include Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions if there's a ransomware attack.
+
+IT administrators and IT pros can get more configuration information from these articles:
+
+- [Microsoft Defender Antivirus in the Windows Security app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus)
+- [Microsoft Defender Antivirus documentation library](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10)
+- [Protect important folders with Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)
+- [Defend yourself from cybercrime with new Office 365 capabilities](https://blogs.office.com/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/)
+- [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365)
+- [Ransomware detection and recovering your files](https://support.office.com/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US)
+
+You can hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for these features.
+
+## Hide the Virus & threat protection section
+
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
+
+This section can be hidden only by using Group Policy.
+
+> [!IMPORTANT]
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Virus and threat protection**.
+1. Open the **Hide the Virus and threat protection area** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+>
+> 
+
+## Hide the Ransomware protection area
+
+You can choose to hide the **Ransomware protection** area by using Group Policy. The area won't appear on the **Virus & threat protection** section of the Windows Security app.
+
+This area can be hidden only by using Group Policy.
+
+> [!IMPORTANT]
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Virus and threat protection**.
+1. Open the **Hide the Ransomware data recovery area** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
similarity index 91%
rename from windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
index 41b535c96b..039d7fc3a6 100644
--- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
@@ -1,32 +1,17 @@
---
-title: The Windows Security app
+title: Windows Security app
description: The Windows Security app brings together common Windows security features into one place.
-search.product: eADQiWindows 10XVcnh
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-security
-ms.collection:
- - highpri
- - tier2
ms.date: 12/31/2017
ms.topic: article
+ms.collection:
+ - highpri
+ - tier2
---
-# The Windows Security app
-
-**Applies to**
-
-- Windows 10
-- Windows 11
+# Windows Security app
This library describes the Windows Security app, and provides information on configuring certain features, including:
-
-
- [Showing and customizing contact information on the app and in notifications](wdsc-customize-contact-information.md)
- [Hiding notifications](wdsc-hide-notifications.md)
@@ -52,7 +37,7 @@ For more information about each section, options for configuring the sections, a
- [Firewall & network protection](wdsc-firewall-network-protection.md), which has information and access to firewall settings, including Windows Defender Firewall.
- [App & browser control](wdsc-app-browser-control.md), covering Windows Defender SmartScreen settings and Exploit protection mitigations.
- [Device security](wdsc-device-security.md), which provides access to built-in device security settings.
-- [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues.
+- [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues.
- [Family options](wdsc-family-options.md), which include access to parental controls along with tips and information for keeping kids safe online.
> [!NOTE]
@@ -65,9 +50,11 @@ For more information about each section, options for configuring the sections, a
- Select the icon in the notification area on the taskbar.
+
- Search the Start menu for **Windows Security**.
+
- Open an area from Windows **Settings**.
@@ -78,7 +65,7 @@ For more information about each section, options for configuring the sections, a
## How the Windows Security app works with Windows security features
> [!IMPORTANT]
-> Microsoft Defender Antivirus and the Windows Security app use similarly named services for specific purposes.
+> Microsoft Defender Antivirus and the Windows Security app use similarly named services for specific purposes.
>
> The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Service*), which in turn utilizes the Windows Security Center Service (*wscsvc*). This service makes sure that the app provides the most up-to-date information about the protection status on the endpoint. This information includes protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection.
>
@@ -86,7 +73,7 @@ For more information about each section, options for configuring the sections, a
>
> Microsoft Defender Antivirus will be [disabled automatically when a third-party antivirus product is installed and kept up to date](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility).
>
-> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md).
+> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).
> [!WARNING]
> If you disable the Windows Security Center Service, or configure its associated group policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
diff --git a/windows/security/operating-system-security/toc.yml b/windows/security/operating-system-security/toc.yml
new file mode 100644
index 0000000000..641a049390
--- /dev/null
+++ b/windows/security/operating-system-security/toc.yml
@@ -0,0 +1,13 @@
+items:
+- name: Overview
+ href: index.md
+- name: System security
+ href: system-security/toc.yml
+- name: Virus and threat protection
+ href: virus-and-threat-protection/toc.yml
+- name: Network security
+ href: network-security/toc.yml
+- name: Encryption and data protection
+ href: data-protection/toc.yml
+- name: Device management
+ href: device-management/toc.yml
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md
similarity index 97%
rename from windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
rename to windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md
index 3c1ed6dcea..1b896b0738 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md
@@ -1,18 +1,8 @@
---
title: Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings
description: A list of all available settings for Microsoft Defender SmartScreen using Group Policy and mobile device management (MDM) settings.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/28/2020
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.technology: itpro-security
+ms.date: 05/31/2023
ms.topic: reference
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
---
# Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
similarity index 95%
rename from windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
rename to windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
index aa2ffc3b9d..f474a45688 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
@@ -1,30 +1,25 @@
---
title: Enhanced Phishing Protection in Microsoft Defender SmartScreen
description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
-ms.prod: windows-client
-ms.technology: itpro-security
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.reviewer: paoloma
-manager: aaroncz
-ms.localizationpriority: medium
-ms.date: 10/07/2022
-adobe-target: true
+ms.date: 05/31/2023
+ms.topic: conceptual
appliesto:
- ✅ Windows 11, version 22H2
-ms.topic: conceptual
---
# Enhanced Phishing Protection in Microsoft Defender SmartScreen
Starting in Windows 11, version 22H2, Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
-Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school passwords used to sign into Windows 11 in these ways:
+If a user signs into Windows using a password, Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school password used to sign into Windows 11 in these ways:
- If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection alerts them. It also prompts them to change their password so attackers can't gain access to their account.
- Reusing work or school passwords makes it easy for attackers who compromise a user's password to gain access to their other accounts. Enhanced Phishing Protection can warn users if they reuse their work or school Microsoft account password on sites and apps and prompt them to change their password.
- Since it's unsafe to store plaintext passwords in text editors, Enhanced Phishing Protection can warn users if they store their work or school password in Notepad, Word, or any Microsoft 365 Office app, and recommends they delete their password from the file.
+> [!NOTE]
+> When a user signs-in to a device using a Windows Hello for Business PIN or biometric, Enhanced Phishing Protection does not alert the user or send events to Microsoft Defender for Endpoint.
+
## Benefits of Enhanced Phishing Protection in Microsoft Defender SmartScreen
Enhanced Phishing Protection provides robust phishing protections for work or school passwords that are used to sign into Windows 11. The benefits of Enhanced Phishing Protection are:
@@ -37,6 +32,8 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc
- **Easy management through Group Policy and Microsoft Intune:** Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios show users warning dialogs. For example, the Service Enabled setting determines whether the Enhanced Phishing Protection service is on or off. The feature is in audit mode if the other settings, which correspond to notification policies, aren't enabled.
+[!INCLUDE [enhanced-phishing-protection-with-smartscreen](../../../../../includes/licensing/enhanced-phishing-protection-with-smartscreen.md)]
+
## Configure Enhanced Phishing Protection for your organization
Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. Follow these instructions to configure your devices using either Microsoft Intune, GPO or CSP.
@@ -116,11 +113,10 @@ To better help you protect your organization, we recommend turning on and using
## Related articles
- [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
-- [Threat protection](../index.md)
-- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference)
+- [WebThreatDefense CSP][WIN-1]
+- [Threat protection](index.md)
-------------
+
[WIN-1]: /windows/client-management/mdm/policy-csp-webthreatdefense
-
-[MEM-2]: /mem/intune/configuration/settings-catalog
\ No newline at end of file
+[MEM-2]: /mem/intune/configuration/settings-catalog
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/Microsoft-Defender-Smartscreen-submission.png b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/Microsoft-Defender-Smartscreen-submission.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-smartscreen/images/Microsoft-Defender-Smartscreen-submission.png
rename to windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/Microsoft-Defender-Smartscreen-submission.png
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg
new file mode 100644
index 0000000000..ace95add6b
--- /dev/null
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/intune.svg b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/intune.svg
new file mode 100644
index 0000000000..6e0d938aed
--- /dev/null
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/intune.svg
@@ -0,0 +1,24 @@
+
\ No newline at end of file
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/windows-os.svg b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/windows-os.svg
new file mode 100644
index 0000000000..da64baf975
--- /dev/null
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/windows-os.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
similarity index 93%
rename from windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
rename to windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
index e7f02d821d..3940c5070c 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
@@ -1,19 +1,12 @@
---
title: Microsoft Defender SmartScreen overview
description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
+ms.date: 05/31/2023
+ms.topic: article
ms.localizationpriority: high
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-security
-adobe-target: true
ms.collection:
- tier2
- highpri
-ms.date: 03/20/2023
-ms.topic: article
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -42,12 +35,14 @@ Microsoft Defender SmartScreen provide an early warning system against websites
- **Reputation-based URL and app protection:** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users don't see any warnings. If there's no reputation, the item is marked as a higher risk and presents a warning to the user.
- **Operating system integration:** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system. It checks any files an app (including 3rd-party browsers and email clients) that attempts to download and run.
- **Improved heuristics and diagnostic data:** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files.
-- **Management through group policy and Microsoft Intune:** Microsoft Defender SmartScreen supports using both group policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen group policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md).
+- **Management through group policy and Microsoft Intune:** Microsoft Defender SmartScreen supports using both group policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen group policy and mobile device management (MDM) settings](available-settings.md).
- **Blocking URLs associated with potentially unwanted applications:** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
> [!IMPORTANT]
> SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares.
+[!INCLUDE [microsoft-defender-smartscreen](../../../../../includes/licensing/microsoft-defender-smartscreen.md)]
+
## Submit files to Microsoft Defender SmartScreen for review
If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more information, see [Submit files for analysis](/microsoft-365/security/intelligence/submission-guide).
@@ -59,5 +54,4 @@ When submitting a file for Microsoft Defender SmartScreen, make sure to select *
## Related articles
- [SmartScreen frequently asked questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
-- [Available Microsoft Defender SmartScreen group policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md)
- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference)
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml
new file mode 100644
index 0000000000..9082efb2be
--- /dev/null
+++ b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml
@@ -0,0 +1,24 @@
+items:
+ - name: Microsoft Defender Antivirus 🔗
+ href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows
+ preserveContext: true
+ - name: Attack surface reduction (ASR) 🔗
+ href: /microsoft-365/security/defender-endpoint/attack-surface-reduction
+ - name: Tamper protection for MDE 🔗
+ href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
+ - name: Microsoft Vulnerable Driver Blocklist 🔗
+ href: ../../application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
+ - name: Controlled folder access 🔗
+ href: /microsoft-365/security/defender-endpoint/controlled-folders
+ - name: Exploit protection 🔗
+ href: /microsoft-365/security/defender-endpoint/exploit-protection
+ - name: Microsoft Defender SmartScreen
+ items:
+ - name: Overview
+ href: microsoft-defender-smartscreen/index.md
+ - name: Available settings
+ href: microsoft-defender-smartscreen/available-settings.md
+ - name: Enhanced Phishing Protection
+ href: microsoft-defender-smartscreen/enhanced-phishing-protection.md
+ - name: Microsoft Defender for Endpoint 🔗
+ href: /microsoft-365/security/defender-endpoint
diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md
deleted file mode 100644
index 5a71a44832..0000000000
--- a/windows/security/operating-system.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: Windows operating system security
-description: Securing the operating system includes system security, encryption, network security, and threat protection.
-ms.reviewer:
-ms.topic: article
-manager: aaroncz
-ms.author: paoloma
-author: paolomatarazzo
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.date: 09/21/2021
----
-
-# Windows operating system security
-
-Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats.
-
-Watch the latest [Microsoft Mechanics Windows 11 security](https://youtu.be/tg9QUrnVFho) video that shows off some of the latest Windows 11 security technology.
-
-Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11.
`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`
-
+
3. Configure ICS (SharedAccess) to be enabled as follows:
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`
-
+
4. (This step is optional) Disable IPNAT as follows:
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`
-
+
5. Reboot the device.
-
+
- question: |
Why doesn't the container fully load when device control policies are enabled?
answer: |
Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly.
-
+
Policy: Allow installation of devices that match any of the following device IDs:
-
+
- `SCSI\DiskMsft____Virtual_Disk____`
- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba`
- `VMS_VSF`
@@ -206,7 +196,7 @@ sections:
- `root\storvsp`
- `vms_vsmp`
- `VMS_PP`
-
+
Policy: Allow installation of devices using drivers that match these device setup classes
- `{71a27cdd-812a-11d0-bec7-08002be2092f}`
@@ -218,25 +208,25 @@ sections:
1. Ensure that the FragmentAware DWORD is set to 1 in this registry setting: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat`.
2. Reboot the device.
-
+
- question: |
What does the _Allow users to trust files that open in Microsoft Defender Application Guard_ option in the Group policy do?
answer: |
This policy was present in Windows 10 prior to version 2004. It was removed from later versions of Windows as it doesn't enforce anything for either Edge or Office.
-
+
- question: |
How do I open a support ticket for Microsoft Defender Application Guard?
answer: |
- Visit [Create a new support request](https://support.serviceshub.microsoft.com/supportforbusiness/create).
- Under the Product Family, select Windows. Select the product and the product version you need help with. For the category that best describes the issue, select, **Windows Security Technologies**. In the final option, select **Windows Defender Application Guard**.
-
+
- question: |
Is there a way to enable or disable the behavior where the host Edge tab auto-closes when navigating to an untrusted site?
answer: |
Yes. Use this Edge flag to enable or disable this behavior: `--disable-features="msWdagAutoCloseNavigatedTabs"`
-
+
additionalContent: |
## See also
-
+
[Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-root-certificates.png b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-allow-root-certificates.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-root-certificates.png
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-allow-root-certificates.png
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-clipboard.png b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-clipboard.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-clipboard.png
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-clipboard.png
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-download.png b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-download.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-download.png
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-download.png
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-network-isolation-neutral.png b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-network-isolation-neutral.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-network-isolation-neutral.png
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-network-isolation-neutral.png
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-network-isolation.png b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-network-isolation.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-network-isolation.png
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-network-isolation.png
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-persistence.png b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-persistence.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-persistence.png
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-persistence.png
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-print.png b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-print.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-print.png
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-print.png
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-turn-on.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-turn-on.png
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-vgpu.png b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-vgpu.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-vgpu.png
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-vgpu.png
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-hardware-isolation.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-hardware-isolation.png
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-new-window.png b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-new-window.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-new-window.png
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-new-window.png
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-turned-on-with-trusted-site.png b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-turned-on-with-trusted-site.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-turned-on-with-trusted-site.png
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-turned-on-with-trusted-site.png
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-visual-cues.png b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-visual-cues.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-visual-cues.png
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-visual-cues.png
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/application-guard-container-v-host.png b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/application-guard-container-v-host.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-application-guard/images/application-guard-container-v-host.png
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/application-guard-container-v-host.png
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on-off.png b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/turn-windows-features-on-off.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on-off.png
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/turn-windows-features-on-off.png
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
similarity index 91%
rename from windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
index 6f0853d443..eeac8ba0d1 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
@@ -1,22 +1,11 @@
---
title: Enable hardware-based isolation for Microsoft Edge
description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise.
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.date: 11/30/2022
-ms.reviewer:
-manager: aaroncz
-ms.custom: asr
-ms.technology: itpro-security
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
+ms.date: 07/11/2023
+ms.topic: how-to
ms.collection:
- highpri
- tier2
-ms.topic: how-to
---
# Prepare to install Microsoft Defender Application Guard
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md
similarity index 98%
rename from windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md
index 0f2bca60b2..b5b54f3574 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md
@@ -1,25 +1,13 @@
---
title: Microsoft Defender Application Guard Extension
description: Learn about the Microsoft Defender Application Guard browser extension, which extends Application Guard's protection to more web browsers.
-ms.prod: windows-client
ms.localizationpriority: medium
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.date: 09/09/2021
-ms.reviewer:
-manager: aaroncz
-ms.custom: asr
-ms.technology: itpro-security
+ms.date: 07/11/2023
ms.topic: conceptual
---
# Microsoft Defender Application Guard Extension
-**Applies to:**
-
-- Windows 10
-- Windows 11
-
[Microsoft Defender Application Guard Extension](https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/) is a web browser add-on available for [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/).
[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10 and Windows 11, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
similarity index 86%
rename from windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
index afc6aaef79..d1547ce21e 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -1,19 +1,9 @@
---
-title: Microsoft Defender Application Guard (Windows 10 or Windows 11)
+title: Microsoft Defender Application Guard
description: Learn about Microsoft Defender Application Guard and how it helps combat malicious content and malware out on the Internet.
-ms.prod: windows-client
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.date: 09/09/2021
-ms.reviewer:
-manager: aaroncz
-ms.custom: asr
-ms.technology: itpro-security
-ms.collection:
+ms.date: 07/11/2023
+ms.collection:
- highpri
- tier2
ms.topic: conceptual
@@ -21,12 +11,7 @@ ms.topic: conceptual
# Microsoft Defender Application Guard overview
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
+Microsoft Defender Application Guard (MDAG) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
## What is Application Guard and how does it work?
@@ -34,7 +19,6 @@ For Microsoft Edge, Application Guard helps to isolate enterprise-defined untrus
For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoint and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from the host operating system. This container isolation means that if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials.
-
### What types of devices should use Application Guard?
@@ -49,6 +33,10 @@ Application Guard has been created to target several types of devices:
- **Personal devices**. These personally owned desktops or mobile laptops aren't domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside.
+[!INCLUDE [microsoft-defender-application-guard-mdag-for-edge-standalone-mode](../../../../../includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md)]
+
+For more information about Microsoft Defender Application Guard (MDAG) for Edge enterprise mode, [Configure Microsoft Defender Application Guard policy settings.](configure-md-app-guard.md)
+
## Related articles
|Article |Description |
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md
similarity index 92%
rename from windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md
index f8cbef2b18..190662392c 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -1,24 +1,13 @@
---
title: System requirements for Microsoft Defender Application Guard
description: Learn about the system requirements for installing and running Microsoft Defender Application Guard.
-ms.prod: windows-client
-ms.technology: itpro-security
ms.topic: overview
ms.localizationpriority: medium
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.date: 08/25/2022
-ms.reviewer: sazankha
-manager: aaroncz
+ms.date: 07/11/2023
---
# System requirements for Microsoft Defender Application Guard
-**Applies to**
-
-- Windows 10 Education, Enterprise, and Professional
-- Windows 11 Education, Enterprise, and Professional
-
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
> [!NOTE]
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
similarity index 97%
rename from windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
rename to windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
index 4357712bc7..03756108fa 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@@ -1,25 +1,13 @@
---
title: Testing scenarios with Microsoft Defender Application Guard
description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
-ms.prod: windows-client
-ms.technology: itpro-security
ms.localizationpriority: medium
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.reviewer: sazankha
-manager: aaroncz
-ms.date: 09/23/2022
-ms.custom: asr
+ms.date: 07/11/2023
ms.topic: conceptual
---
# Application Guard testing scenarios
-**Applies to:**
-
-- Windows 10
-- Windows 11
-
We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.
## Application Guard in standalone mode
@@ -28,7 +16,7 @@ You can see how an employee would use standalone mode with Application Guard.
### To test Application Guard in Standalone mode
-1. [Install Application Guard](./install-md-app-guard.md).
+1. [Install Application Guard](install-md-app-guard.md).
2. Restart the device, start Microsoft Edge, and then select **New Application Guard window** from the menu.
@@ -51,7 +39,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise-
Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, and Windows 11 which includes the functionality. Then, you must use Group Policy to set up the required settings.
-1. [Install Application Guard](./install-md-app-guard.md#install-application-guard).
+1. [Install Application Guard](install-md-app-guard.md#install-application-guard).
2. Restart the device, and then start Microsoft Edge.
diff --git a/windows/security/application-security/application-isolation/toc.yml b/windows/security/application-security/application-isolation/toc.yml
new file mode 100644
index 0000000000..3673f50fde
--- /dev/null
+++ b/windows/security/application-security/application-isolation/toc.yml
@@ -0,0 +1,20 @@
+items:
+- name: Microsoft Defender Application Guard (MDAG)
+ href: ../../threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md
+- name: MDAG for Edge standalone mode
+ href: microsoft-defender-application-guard/md-app-guard-overview.md
+- name: MDAG for Edge enterprise mode and enterprise management 🔗
+ href: /deployedge/microsoft-edge-security-windows-defender-application-guard
+- name: MDAG for Microsoft Office
+ href: https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46
+- name: MDAG configure via MDM 🔗
+ href: /windows/client-management/mdm/windowsdefenderapplicationguard-csp
+- name: Windows containers 🔗
+ href: /virtualization/windowscontainers/about
+- name: Windows Sandbox
+ href: windows-sandbox/windows-sandbox-overview.md
+ items:
+ - name: Windows Sandbox architecture
+ href: windows-sandbox/windows-sandbox-architecture.md
+ - name: Windows Sandbox configuration
+ href: windows-sandbox/windows-sandbox-configure-using-wsb-file.md
diff --git a/windows/security/threat-protection/windows-sandbox/images/1-dynamic-host.png b/windows/security/application-security/application-isolation/windows-sandbox/images/1-dynamic-host.png
similarity index 100%
rename from windows/security/threat-protection/windows-sandbox/images/1-dynamic-host.png
rename to windows/security/application-security/application-isolation/windows-sandbox/images/1-dynamic-host.png
diff --git a/windows/security/threat-protection/windows-sandbox/images/2-dynamic-working.png b/windows/security/application-security/application-isolation/windows-sandbox/images/2-dynamic-working.png
similarity index 100%
rename from windows/security/threat-protection/windows-sandbox/images/2-dynamic-working.png
rename to windows/security/application-security/application-isolation/windows-sandbox/images/2-dynamic-working.png
diff --git a/windows/security/threat-protection/windows-sandbox/images/3-memory-sharing.png b/windows/security/application-security/application-isolation/windows-sandbox/images/3-memory-sharing.png
similarity index 100%
rename from windows/security/threat-protection/windows-sandbox/images/3-memory-sharing.png
rename to windows/security/application-security/application-isolation/windows-sandbox/images/3-memory-sharing.png
diff --git a/windows/security/threat-protection/windows-sandbox/images/4-integrated-kernal.png b/windows/security/application-security/application-isolation/windows-sandbox/images/4-integrated-kernal.png
similarity index 100%
rename from windows/security/threat-protection/windows-sandbox/images/4-integrated-kernal.png
rename to windows/security/application-security/application-isolation/windows-sandbox/images/4-integrated-kernal.png
diff --git a/windows/security/threat-protection/windows-sandbox/images/5-wddm-gpu-virtualization.png b/windows/security/application-security/application-isolation/windows-sandbox/images/5-wddm-gpu-virtualization.png
similarity index 100%
rename from windows/security/threat-protection/windows-sandbox/images/5-wddm-gpu-virtualization.png
rename to windows/security/application-security/application-isolation/windows-sandbox/images/5-wddm-gpu-virtualization.png
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md
similarity index 97%
rename from windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
rename to windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md
index 0dfbc42f89..dac2d9f311 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md
@@ -1,13 +1,8 @@
---
title: Windows Sandbox architecture
description: Windows Sandbox architecture
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
-manager: aaroncz
ms.topic: article
-ms.date: 6/30/2022
-ms.technology: itpro-security
+ms.date: 05/25/2023
---
# Windows Sandbox architecture
@@ -19,7 +14,7 @@ Windows Sandbox benefits from new container technology in Windows to achieve a c
Rather than requiring a separate copy of Windows to boot the sandbox, Dynamic Base Image technology uses the copy of Windows already installed on the host.
Most OS files are immutable and can be freely shared with Windows Sandbox. A small subset of operating system files are mutable and can't be shared, so the sandbox base image contains pristine copies of them. A complete Windows image can be constructed from a combination of the sharable immutable files on the host and the pristine copies of the mutable files. With the help of this scheme, Windows Sandbox has a full Windows installation to boot from without needing to download or store an extra copy of Windows.
-
+
Before Windows Sandbox is installed, the dynamic base image package is stored as a compressed 30-MB package. Once it's installed, the dynamic base image occupies about 500 MB of disk space.
@@ -43,7 +38,7 @@ With ordinary virtual machines, the Microsoft hypervisor controls the scheduling
Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This preemption means that the most important work will be prioritized, whether it's on the host or in the container.
-
+
## WDDM GPU virtualization
Hardware accelerated rendering is key to a smooth and responsive user experience, especially for graphics-intensive use cases. Microsoft works with its graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and Windows Display Driver Model (WDDM), the driver model used by Windows.
@@ -53,7 +48,7 @@ This feature allows programs running inside the sandbox to compete for GPU resou
To take advantage of these benefits, a system with a compatible GPU and graphics drivers (WDDM 2.5 or newer) is required. Incompatible systems will render apps in Windows Sandbox with Microsoft's CPU-based rendering technology, Windows Advanced Rasterization Platform (WARP).
-
+
## Battery pass-through
Windows Sandbox is also aware of the host's battery state, which allows it to optimize its power consumption. This functionality is critical for technology that is used on laptops, where battery life is often critical.
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
similarity index 96%
rename from windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
rename to windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index e9dc1bb0cc..888bca39ce 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -1,16 +1,11 @@
---
title: Windows Sandbox configuration
description: Windows Sandbox configuration
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
-manager: aaroncz
ms.collection:
- highpri
- tier2
ms.topic: article
-ms.date: 6/30/2022
-ms.technology: itpro-security
+ms.date: 05/25/2023
---
# Windows Sandbox configuration
@@ -161,14 +156,16 @@ Supported values:
### Protected client
-Applies more security settings to the sandbox Remote Desktop client, decreasing its attack surface.
+When Protected Client mode is enabled, Sandbox adds a new layer of security boundary by running inside an [AppContainer Isolation](/windows/win32/secauthz/appcontainer-isolation) execution environment.
+
+AppContainer Isolation provides Credential, Device, File, Network, Process, and Window isolation.
`
-
-| Service type | Description |
-|:---|:---|
-| Mobile device management (MDM) and Microsoft Intune | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.
Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.
To learn more, see [Mobile device management](/windows/client-management/mdm/). |
-| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.
The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.
To learn more, see [Microsoft Accounts](/windows-server/identity/ad-ds/manage/understand-microsoft-accounts).|
-| OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.
The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4).
If there's a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). |
-| Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.
With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.
To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) |
-
-## Next steps
-
-- [Learn more about MDM and Windows 11](/windows/client-management/mdm/)
-- [Learn more about Windows security](index.yml)
\ No newline at end of file
diff --git a/windows/security/context/context.yml b/windows/security/context/context.yml
deleted file mode 100644
index aa53a529eb..0000000000
--- a/windows/security/context/context.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-### YamlMime: ContextObject
-brand: windows
-breadcrumb_path: ../breadcrumb/toc.yml
-toc_rel: ../toc.yml
\ No newline at end of file
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index 7504a93725..3217fc027d 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -39,7 +39,7 @@
"tier2"
],
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
- "uhfHeaderId": "MSDocsHeader-M365-IT",
+ "uhfHeaderId": "MSDocsHeader-Windows",
"ms.localizationpriority": "medium",
"ms.prod": "windows-client",
"ms.technology": "itpro-security",
@@ -53,11 +53,12 @@
"folder_relative_path_in_docset": "./"
}
},
+ "titleSuffix": "Windows Security",
"contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
"jborsecnik",
"tiburd",
"AngelaMotherofDragons",
@@ -66,71 +67,161 @@
"garycentric",
"beccarobins"
],
- "searchScope": ["Windows 10"]
+ "searchScope": [
+ "Windows 10"
+ ]
},
"fileMetadata": {
"author":{
+ "application-security//**/*.md": "vinaypamnani-msft",
+ "application-security//**/*.yml": "vinaypamnani-msft",
+ "application-security/application-control/windows-defender-application-control/**/*.md": "jsuther1974",
+ "application-security/application-control/windows-defender-application-control/**/*.yml": "jsuther1974",
+ "application-security/application-control/user-account-control/*.md": "paolomatarazzo",
+ "hardware-security/**/*.md": "vinaypamnani-msft",
+ "hardware-security/**/*.yml": "vinaypamnani-msft",
"identity-protection/**/*.md": "paolomatarazzo",
- "threat-protection/windows-firewall/**/*.md": "aczechowski"
+ "identity-protection/**/*.yml": "paolomatarazzo",
+ "operating-system-security/**/*.md": "vinaypamnani-msft",
+ "operating-system-security/**/*.yml": "vinaypamnani-msft",
+ "operating-system-security/data-protection/**/*.md": "paolomatarazzo",
+ "operating-system-security/data-protection/**/*.yml": "paolomatarazzo",
+ "operating-system-security/network-security/**/*.md": "paolomatarazzo",
+ "operating-system-security/network-security/**/*.yml": "paolomatarazzo",
+ "operating-system-security/network-security/windows-firewall/**/*.md": "ngangulyms",
+ "operating-system-security/network-security/windows-firewall/**/*.yml": "ngangulyms"
},
"ms.author":{
+ "application-security//**/*.md": "vinpa",
+ "application-security//**/*.yml": "vinpa",
+ "application-security/application-control/windows-defender-application-control/**/*.md": "jsuther",
+ "application-security/application-control/windows-defender-application-control/**/*.yml": "jsuther",
+ "application-security/application-control/user-account-control/*.md": "paoloma",
+ "application-security/application-control/user-account-control/*.yml": "paoloma",
+ "hardware-security//**/*.md": "vinpa",
+ "hardware-security//**/*.yml": "vinpa",
"identity-protection/**/*.md": "paoloma",
- "threat-protection/windows-firewall/*.md": "aaroncz"
+ "identity-protection/**/*.yml": "paoloma",
+ "operating-system-security/**/*.md": "vinpa",
+ "operating-system-security/**/*.yml": "vinpa",
+ "operating-system-security/data-protection/**/*.md": "paoloma",
+ "operating-system-security/data-protection/**/*.yml": "paoloma",
+ "operating-system-security/network-security/**/*.md": "paoloma",
+ "operating-system-security/network-security/**/*.yml": "paoloma",
+ "operating-system-security/network-security/windows-firewall/*.md": "nganguly",
+ "operating-system-security/network-security/windows-firewall/*.yml": "nganguly"
},
- "appliesto":{
+ "appliesto": {
+ "application-security//**/*.md": [
+ "✅ Windows 11",
+ "✅ Windows 10"
+ ],
+ "application-security/application-control/user-account-control/**/*.md": [
+ "✅ Windows 11",
+ "✅ Windows 10",
+ "✅ Windows Server 2022",
+ "✅ Windows Server 2019",
+ "✅ Windows Server 2016"
+ ],
+ "application-security/application-control/windows-defender-application-control/**/*.md": [
+ "✅ Windows 11",
+ "✅ Windows 10",
+ "✅ Windows Server 2022",
+ "✅ Windows Server 2019",
+ "✅ Windows Server 2016"
+ ],
+ "hardware-security//**/*.md": [
+ "✅ Windows 11",
+ "✅ Windows 10"
+ ],
"identity-protection/**/*.md": [
- "✅ Windows 11",
- "✅ Windows 10"
+ "✅ Windows 11",
+ "✅ Windows 10"
],
"identity-protection/credential-guard/**/*.md": [
- "✅ Windows 11",
- "✅ Windows 10",
- "✅ Windows Server 2022",
- "✅ Windows Server 2019",
- "✅ Windows Server 2016"
+ "✅ Windows 11",
+ "✅ Windows 10",
+ "✅ Windows Server 2022",
+ "✅ Windows Server 2019",
+ "✅ Windows Server 2016"
],
"identity-protection/smart-cards/**/*.md": [
- "✅ Windows 11",
- "✅ Windows 10",
- "✅ Windows Server 2022",
- "✅ Windows Server 2019",
- "✅ Windows Server 2016"
- ],
- "identity-protection/user-account-control/**/*.md": [
- "✅ Windows 11",
- "✅ Windows 10",
- "✅ Windows Server 2022",
- "✅ Windows Server 2019",
- "✅ Windows Server 2016"
+ "✅ Windows 11",
+ "✅ Windows 10",
+ "✅ Windows Server 2022",
+ "✅ Windows Server 2019",
+ "✅ Windows Server 2016"
],
"identity-protection/virtual-smart-cards/**/*.md": [
- "✅ Windows 11",
- "✅ Windows 10",
- "✅ Windows Server 2022",
- "✅ Windows Server 2019",
- "✅ Windows Server 2016"
+ "✅ Windows 11",
+ "✅ Windows 10",
+ "✅ Windows Server 2022",
+ "✅ Windows Server 2019",
+ "✅ Windows Server 2016"
+ ],
+ "operating-system-security/**/*.md": [
+ "✅ Windows 11",
+ "✅ Windows 10"
+ ],
+ "operating-system-security/data-protection/**/*.md": [
+ "✅ Windows 11",
+ "✅ Windows 10",
+ "✅ Windows Server 2022",
+ "✅ Windows Server 2019",
+ "✅ Windows Server 2016"
+ ],
+ "operating-system-security/data-protection/**/*.yml": [
+ "✅ Windows 11",
+ "✅ Windows 10",
+ "✅ Windows Server 2022",
+ "✅ Windows Server 2019",
+ "✅ Windows Server 2016"
+ ],
+ "operating-system-security/data-protection/personal-data-encryption/*.md": [
+ "✅ Windows 11"
+ ],
+ "operating-system-security/data-protection/personal-data-encryption/*.yml": [
+ "✅ Windows 11"
+ ],
+ "operating-system-security/device-management/windows-security-configuration-framework/**/*.md": [
+ "✅ Windows 11",
+ "✅ Windows 10",
+ "✅ Windows Server 2022",
+ "✅ Windows Server 2019",
+ "✅ Windows Server 2016"
+ ],
+ "operating-system-security/network-security/windows-firewall/**/*.md": [
+ "✅ Windows 11",
+ "✅ Windows 10",
+ "✅ Windows Server 2022",
+ "✅ Windows Server 2019",
+ "✅ Windows Server 2016"
]
},
- "ms.reviewer":{
+ "ms.reviewer": {
+ "application-security/application-control/windows-defender-application-control/**/*.md": "vinpa",
+ "application-security/application-isolation/microsoft-defender-application-guard/*.md": "sazankha",
"identity-protection/hello-for-business/*.md": "erikdau",
"identity-protection/credential-guard/*.md": "zwhittington",
"identity-protection/access-control/*.md": "sulahiri",
- "threat-protection/windows-firewall/*.md": "paoloma",
- "identity-protection/vpn/*.md": "pesmith"
+ "operating-system-security/network-security/windows-firewall/*.md": "paoloma",
+ "operating-system-security/network-security/vpn/*.md": "pesmith",
+ "operating-system-security/data-protection/personal-data-encryption/*.md":"rhonnegowda",
+ "operating-system-security/device-management/windows-security-configuration-framework/*.md": "jmunck"
},
- "ms.collection":{
+ "ms.collection": {
+ "application-security/application-control/windows-defender-application-control/**/*.md": "tier3",
"identity-protection/hello-for-business/*.md": "tier1",
- "information-protection/bitlocker/*.md": "tier1",
- "information-protection/personal-data-encryption/*.md": "tier1",
"information-protection/pluton/*.md": "tier1",
"information-protection/tpm/*.md": "tier1",
"threat-protection/auditing/*.md": "tier3",
- "threat-protection/windows-defender-application-control/*.md": "tier3",
- "threat-protection/windows-firewall/*.md": "tier3"
+ "operating-system-security/data-protection/bitlocker/*.md": "tier1",
+ "operating-system-security/data-protection/personal-data-encryption/*.md": "tier1",
+ "operating-system-security/network-security/windows-firewall/*.md": "tier3"
}
},
"template": [],
"dest": "security",
"markdownEngineName": "markdig"
}
-}
+}
\ No newline at end of file
diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md
deleted file mode 100644
index 781c1f164d..0000000000
--- a/windows/security/encryption-data-protection.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: Encryption and data protection in Windows
-description: Get an overview encryption and data protection in Windows 11 and Windows 10
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.topic: overview
-ms.date: 09/22/2022
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.reviewer: rafals
----
-
-# Encryption and data protection in Windows client
-
-When people travel with their computers and devices, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications.
-Encryption and data protection features include:
-
-- Encrypted Hard Drive
-- BitLocker
-
-## Encrypted Hard Drive
-
-Encrypted Hard Drive uses the rapid encryption provided by BitLocker Drive Encryption to enhance data security and management.
-By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
-
-Encrypted hard drives provide:
-
-- Better performance: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
-- Strong security based in hardware: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system.
-- Ease of use: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there's no need to re-encrypt data on the drive.
-- Lower cost of ownership: There's no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process.
-
-Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption.
-
-## BitLocker
-
-BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
-
-BitLocker provides encryption for the operating system, fixed data, and removable data drives, using technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM.
-
-Windows consistently improves data protection by improving existing options and providing new strategies.
-
-## Personal Data Encryption (PDE)
-
-(*Applies to: Windows 11, version 22H2 and later*)
-
-[!INCLUDE [Personal Data Encryption (PDE) description](information-protection/personal-data-encryption/includes/pde-description.md)]
-
-## See also
-
-- [Encrypted Hard Drive](information-protection/encrypted-hard-drive.md)
-- [BitLocker](information-protection/bitlocker/bitlocker-overview.md)
-- [Personal Data Encryption (PDE)](information-protection/personal-data-encryption/overview-pde.md)
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
similarity index 95%
rename from windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
rename to windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
index f0fd6be3e9..eaba7bb890 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
@@ -1,30 +1,22 @@
---
title: Enable memory integrity
description: This article explains the steps to opt in to using memory integrity on Windows devices.
-ms.prod: windows-client
-ms.mktglfcycl: deploy
ms.localizationpriority: medium
-ms.author: vinpa
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier2
ms.topic: conceptual
ms.date: 03/16/2023
-ms.reviewer:
-ms.technology: itpro-security
+appliesto:
+ - "✅ Windows 11"
+ - "✅ Windows 10"
+ - "✅ Windows Server 2022"
+ - "✅ Windows Server 2019"
+ - "✅ Windows Server 2016"
---
# Enable virtualization-based protection of code integrity
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 or higher
-
**Memory integrity** is a virtualization-based security (VBS) feature available in Windows. Memory integrity and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows kernel. VBS uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. Memory integrity is a critical component that protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS. Memory integrity also restricts kernel memory allocations that could be used to compromise the system.
> [!NOTE]
@@ -73,7 +65,7 @@ Enabling in Intune requires using the Code Integrity node in the [Virtualization
4. Select **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled without UEFI lock**. Only select **Enabled with UEFI lock** if you want to prevent memory integrity from being disabled remotely or by policy update. Once enabled with UEFI lock, you must have access to the UEFI BIOS menu to turn off Secure Boot if you want to turn off memory integrity.
- 
+ 
5. Select **Ok** to close the editor.
diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
similarity index 86%
rename from windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
rename to windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
index 10b4f41000..077e6473de 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
+++ b/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
@@ -1,23 +1,16 @@
---
-title: How a Windows Defender System Guard helps protect Windows 10
-description: Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof. Learn how it works.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-search.appverid: met150
-ms.prod: windows-client
+title: How a Windows Defender System Guard helps protect Windows
+description: Windows Defender System Guard reorganizes the existing Windows system integrity features under one roof. Learn how it works.
ms.localizationpriority: medium
-author: vinaypamnani-msft
ms.date: 03/01/2019
-ms.technology: itpro-security
ms.topic: conceptual
---
-# Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10
+# Windows Defender System Guard: How a hardware-based root of trust helps protect Windows
To protect critical resources such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
-Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees:
+Windows Defender System Guard reorganizes the existing Windows system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees:
- Protect and maintain the integrity of the system as it starts up
- Validate that system integrity has truly been maintained through local and remote attestation
@@ -29,58 +22,59 @@ Windows Defender System Guard reorganizes the existing Windows 10 system integri
With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system.
This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
-With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader.
-This hardware-based root of trust comes from the device’s Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI).
-This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM).
+With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader.
+This hardware-based root of trust comes from the device's Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI).
+This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM).
-As there are thousands of PC vendors that produce many models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup.
-Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blocklist), or a list of known 'good' SRTM measurements (also known as an allowlist).
+As there are thousands of PC vendors that produce many models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup.
+Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blocklist), or a list of known 'good' SRTM measurements (also known as an allowlist).
Each option has a drawback:
- A list of known 'bad' SRTM measurements allows a hacker to change just 1 bit in a component to create an entirely new SRTM hash that needs to be listed. This means that the SRTM flow is inherently brittle - a minor change can invalidate the entire chain of trust.
-- A list of known 'good' SRTM measurements requires each new BIOS/PC combination measurement to be carefully added, which is slow.
+- A list of known 'good' SRTM measurements requires each new BIOS/PC combination measurement to be carefully added, which is slow.
Also, a bug fix for UEFI code can take a long time to design, build, retest, validate, and redeploy.
### Secure Launch—the Dynamic Root of Trust for Measurement (DRTM)
-[Windows Defender System Guard Secure Launch](system-guard-secure-launch-and-smm-protection.md), first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM).
-DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path.
+[Windows Defender System Guard Secure Launch](system-guard-secure-launch-and-smm-protection.md), first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM).
+DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path.
This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state.
-
-Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly.
+Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly.
### System Management Mode (SMM) protection
-System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful.
-Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS.
-SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor.
+System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful.
+Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS.
+SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor.
To defend against this, two techniques are used:
- - Paging protection to prevent inappropriate access to code and data
- - SMM hardware supervision and attestation
+- Paging protection to prevent inappropriate access to code and data
+- SMM hardware supervision and attestation
-Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering. This prevents access to any memory that hasn't been assigned.
+Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering. This prevents access to any memory that hasn't been assigned.
-A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it doesn't access any part of the address space that it isn't supposed to.
+A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it doesn't access any part of the address space that it isn't supposed to.
-SMM protection is built on top of the Secure Launch technology and requires it to function.
-In the future, Windows 10 will also measure this SMI Handler’s behavior and attest that no OS-owned memory has been tampered with.
+SMM protection is built on top of the Secure Launch technology and requires it to function.
+In the future, Windows 10 will also measure this SMI Handler's behavior and attest that no OS-owned memory has been tampered with.
## Validating platform integrity after Windows is running (run time)
-While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We can trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. For platform integrity, we can’t just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device’s integrity.
+While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We can trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. For platform integrity, we can't just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device's integrity.
-As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch won't support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data isn't subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few.
+As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device's Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch won't support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data isn't subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device's firmware, hardware configuration state, and Windows boot-related components, just to name a few.
After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
+[!INCLUDE [windows-defender-system-guard](../../../includes/licensing/windows-defender-system-guard.md)]
+
## System requirements for System Guard
This feature is available for the following processors:
diff --git a/windows/security/information-protection/images/device-details.png b/windows/security/hardware-security/images/device-details.png
similarity index 100%
rename from windows/security/information-protection/images/device-details.png
rename to windows/security/hardware-security/images/device-details.png
diff --git a/windows/security/threat-protection/images/enable-hvci-gp.png b/windows/security/hardware-security/images/enable-hvci-gp.png
similarity index 100%
rename from windows/security/threat-protection/images/enable-hvci-gp.png
rename to windows/security/hardware-security/images/enable-hvci-gp.png
diff --git a/windows/security/information-protection/images/kernel-dma-protection-security-center.png b/windows/security/hardware-security/images/kernel-dma-protection-security-center.png
similarity index 100%
rename from windows/security/information-protection/images/kernel-dma-protection-security-center.png
rename to windows/security/hardware-security/images/kernel-dma-protection-security-center.png
diff --git a/windows/security/information-protection/images/kernel-dma-protection.png b/windows/security/hardware-security/images/kernel-dma-protection.png
similarity index 100%
rename from windows/security/information-protection/images/kernel-dma-protection.png
rename to windows/security/hardware-security/images/kernel-dma-protection.png
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-group-policy.png b/windows/security/hardware-security/images/secure-launch-group-policy.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-group-policy.png
rename to windows/security/hardware-security/images/secure-launch-group-policy.png
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-msinfo.png b/windows/security/hardware-security/images/secure-launch-msinfo.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-msinfo.png
rename to windows/security/hardware-security/images/secure-launch-msinfo.png
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-registry.png b/windows/security/hardware-security/images/secure-launch-registry.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-registry.png
rename to windows/security/hardware-security/images/secure-launch-registry.png
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-security-app.png b/windows/security/hardware-security/images/secure-launch-security-app.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-security-app.png
rename to windows/security/hardware-security/images/secure-launch-security-app.png
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/system-guard-secure-launch.png b/windows/security/hardware-security/images/system-guard-secure-launch.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-system-guard/images/system-guard-secure-launch.png
rename to windows/security/hardware-security/images/system-guard-secure-launch.png
diff --git a/windows/security/threat-protection/device-guard/images/system-information-virtualization-based-security.png b/windows/security/hardware-security/images/system-information-virtualization-based-security.png
similarity index 100%
rename from windows/security/threat-protection/device-guard/images/system-information-virtualization-based-security.png
rename to windows/security/hardware-security/images/system-information-virtualization-based-security.png
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-boot-time-integrity.png b/windows/security/hardware-security/images/windows-defender-system-guard-boot-time-integrity.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-boot-time-integrity.png
rename to windows/security/hardware-security/images/windows-defender-system-guard-boot-time-integrity.png
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md
similarity index 94%
rename from windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
rename to windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md
index eb8db70020..78cb720fe3 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md
@@ -1,18 +1,11 @@
---
title: Kernel DMA Protection
description: Learn how Kernel DMA Protection protects Windows devices against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
-manager: aaroncz
-ms.collection:
+ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 03/30/2023
-ms.technology: itpro-security
-appliesto:
- - ✅ Windows 10 and later
---
# Kernel DMA Protection
@@ -41,6 +34,8 @@ When Kernel DMA Protection is enabled:
- Peripherals with DMA Remapping-compatible device drivers will be automatically enumerated and started
- Peripherals with DMA Remapping-incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. The peripheral will continue to function normally if the user locks the screen or signs out of the system.
+[!INCLUDE [kernel-direct-memory-access-dma-protection](../../../includes/licensing/kernel-direct-memory-access-dma-protection.md)]
+
## System compatibility
Kernel DMA Protection requires UEFI firmware support, and Virtualization-based Security (VBS) isn't required.
@@ -79,7 +74,7 @@ If the current state of **Kernel DMA Protection** is **OFF** and **Hyper-V - Vir
If the state of **Kernel DMA Protection** remains Off, then the system doesn't support Kernel DMA Protection.
-For systems that don't support Kernel DMA Protection, refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt 3 and Security on Microsoft Windows Operating system][EXT-1] for other means of DMA protection.
+For systems that don't support Kernel DMA Protection, refer to the [BitLocker countermeasures](../operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md) or [Thunderbolt 3 and Security on Microsoft Windows Operating system][EXT-1] for other means of DMA protection.
## Frequently asked questions
@@ -127,4 +122,4 @@ The policy can be enabled by using:
[LINK-2]: /windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies
[LINK-3]: /windows-hardware/design/device-experiences/oem-kernel-dma-protection
-[EXT-1]: https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf
\ No newline at end of file
+[EXT-1]: https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md
similarity index 73%
rename from windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
rename to windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md
index 6c14ed44e0..f1eb60e4e7 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md
@@ -1,29 +1,14 @@
---
-title: System Guard Secure Launch and SMM protection (Windows 10)
+title: System Guard Secure Launch and SMM protection
description: Explains how to configure System Guard Secure Launch and System Management Mode (SMM protection) to improve the startup security of Windows 10 devices.
-search.appverid: met150
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-author: vinaypamnani-msft
ms.date: 11/30/2021
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.technology: itpro-security
ms.topic: conceptual
---
# System Guard Secure Launch and SMM protection
-**Applies to:**
-
-- Windows 11
-- Windows 10
-
-This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective.
+This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](how-hardware-based-root-of-trust-helps-protect-windows.md) to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective.
> [!NOTE]
> System Guard Secure Launch feature requires a supported processor. For more information, see [System requirements for System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md#system-requirements-for-system-guard).
@@ -54,7 +39,7 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM)
Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**.
-
+
### Registry
1. Open Registry editor.
@@ -76,7 +61,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
> [!NOTE]
-> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows), [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
+> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
> [!NOTE]
> For more information around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/).
diff --git a/windows/security/hardware-security/toc.yml b/windows/security/hardware-security/toc.yml
new file mode 100644
index 0000000000..9af8ea3961
--- /dev/null
+++ b/windows/security/hardware-security/toc.yml
@@ -0,0 +1,56 @@
+items:
+ - name: Overview
+ href: ../hardware.md
+ - name: Hardware root of trust
+ items:
+ - name: Windows Defender System Guard
+ href: how-hardware-based-root-of-trust-helps-protect-windows.md
+ - name: Trusted Platform Module
+ href: ../information-protection/tpm/trusted-platform-module-top-node.md
+ items:
+ - name: Trusted Platform Module overview
+ href: ../information-protection/tpm/trusted-platform-module-overview.md
+ - name: TPM fundamentals
+ href: ../information-protection/tpm/tpm-fundamentals.md
+ - name: How Windows uses the TPM
+ href: ../information-protection/tpm/how-windows-uses-the-tpm.md
+ - name: Manage TPM commands
+ href: ../information-protection/tpm/manage-tpm-commands.md
+ - name: Manager TPM Lockout
+ href: ../information-protection/tpm/manage-tpm-lockout.md
+ - name: Change the TPM password
+ href: ../information-protection/tpm/change-the-tpm-owner-password.md
+ - name: TPM Group Policy settings
+ href: ../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
+ - name: Back up the TPM recovery information to AD DS
+ href: ../information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
+ - name: View status, clear, or troubleshoot the TPM
+ href: ../information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
+ - name: Understanding PCR banks on TPM 2.0 devices
+ href: ../information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+ - name: TPM recommendations
+ href: ../information-protection/tpm/tpm-recommendations.md
+ - name: Microsoft Pluton security processor
+ items:
+ - name: Microsoft Pluton overview
+ href: ../information-protection/pluton/microsoft-pluton-security-processor.md
+ - name: Microsoft Pluton as TPM
+ href: ../information-protection/pluton/pluton-as-tpm.md
+ - name: Silicon assisted security
+ items:
+ - name: Virtualization-based security (VBS) 🔗
+ href: /windows-hardware/design/device-experiences/oem-vbs
+ - name: Memory integrity (HVCI)
+ href: enable-virtualization-based-protection-of-code-integrity.md
+ - name: Memory integrity and VBS enablement 🔗
+ href: /windows-hardware/design/device-experiences/oem-hvci-enablement
+ - name: Hardware-enforced stack protection
+ href: https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815
+ - name: Secured-core PC 🔗
+ href: /windows-hardware/design/device-experiences/oem-highly-secure-11
+ - name: Secured-core PC configuration lock
+ href: /windows/client-management/config-lock 🔗
+ - name: Kernel Direct Memory Access (DMA) protection
+ href: kernel-dma-protection-for-thunderbolt.md
+ - name: System Guard Secure Launch
+ href: system-guard-secure-launch-and-smm-protection.md
\ No newline at end of file
diff --git a/windows/security/hardware.md b/windows/security/hardware.md
index 0baa5e3748..27f5ad31a5 100644
--- a/windows/security/hardware.md
+++ b/windows/security/hardware.md
@@ -1,7 +1,7 @@
---
title: Windows hardware security
description: Get an overview of hardware security in Windows 11 and Windows 10
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
author: vinaypamnani-msft
@@ -19,7 +19,7 @@ These new threats call for computing hardware that is secure down to the very co
| Security Measures | Features & Capabilities |
|:---|:---|
| Trusted Platform Module (TPM) | A Trusted Platform Module (TPM) is designed to provide hardware-based security-related functions and help prevent unwanted tampering. TPMs provide security and privacy benefits for system hardware, platform owners, and users.
A TPM chip is a secure crypto-processor that helps with actions such as generating, storing, and limiting the use of cryptographic keys. Many TPMs include multiple physical security mechanisms to make it tamper resistant and prevent malicious software from tampering with the security functions of the TPM.
Learn more about the [Trusted Platform Module](information-protection/tpm/trusted-platform-module-top-node.md). |
-| Hardware-based root of trust with Windows Defender System Guard | To protect critical resources such as Windows authentication, single sign-on tokens, Windows Hello, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
Windows Defender System Guard helps protect and maintain the integrity of the system as it starts up and validate that system integrity has truly been maintained through local and remote attestation.
Learn more about [How a hardware-based root of trust helps protect Windows](threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) and [System Guard Secure Launch and SMM protection](threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md). |
-| Enable virtualization-based protection of code integrity | Hypervisor-protected Code Integrity (HVCI) is a virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity.
HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS uses the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system.
Learn more: [Enable virtualization-based protection of code integrity](threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md).
-| Kernel Direct Memory Access (DMA) Protection | PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks. Memory access protection (also known as Kernel DMA Protection) protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC.
Learn more about [Kernel DMA Protection](information-protection/kernel-dma-protection-for-thunderbolt.md). |
-| Secured-core PCs | Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that feature deeply integrated hardware, firmware, and software to ensure enhanced security for devices, identities, and data.
Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data.
Learn more about [Secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).|
+| Hardware-based root of trust with Windows Defender System Guard | To protect critical resources such as Windows authentication, single sign-on tokens, Windows Hello, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
Windows Defender System Guard helps protect and maintain the integrity of the system as it starts up and validate that system integrity has truly been maintained through local and remote attestation.
Learn more about [How a hardware-based root of trust helps protect Windows](hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md) and [System Guard Secure Launch and SMM protection](hardware-security/system-guard-secure-launch-and-smm-protection.md). |
+| Enable virtualization-based protection of code integrity | Hypervisor-protected Code Integrity (HVCI) is a virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity.
HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS uses the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system.
Learn more: [Enable virtualization-based protection of code integrity](hardware-security/enable-virtualization-based-protection-of-code-integrity.md).
+| Kernel Direct Memory Access (DMA) Protection | PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks. Memory access protection (also known as Kernel DMA Protection) protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC.
Learn more about [Kernel DMA Protection](hardware-security/kernel-dma-protection-for-thunderbolt.md). |
+| Secured-core PCs | Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that feature deeply integrated hardware, firmware, and software to ensure enhanced security for devices, identities, and data.
Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data.
Learn more about [Secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).|
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
index 6bec9ee14c..efbf40ef92 100644
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@@ -2,7 +2,7 @@
ms.date: 11/22/2022
title: Access Control Overview
description: Description of the access controls in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer.
-ms.topic: article
+ms.topic: overview
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -39,6 +39,8 @@ This content set contains:
- [Service Accounts](/windows-server/identity/ad-ds/manage/understand-service-accounts)
- [Active Directory Security Groups](/windows-server/identity/ad-ds/manage/understand-security-groups)
+[!INCLUDE [access-control-aclsscals](../../../../includes/licensing/access-control-aclsscals.md)]
+
## Practical applications
Administrators who use the supported version of Windows can refine the application and management of access control to objects and subjects to provide the following security:
diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
deleted file mode 100644
index 317ef89a50..0000000000
--- a/windows/security/identity-protection/configure-s-mime.md
+++ /dev/null
@@ -1,81 +0,0 @@
----
-title: Configure S/MIME for Windows
-description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them.
-ms.topic: article
-ms.date: 07/27/2017
----
-
-
-# Configure S/MIME for Windows
-
-S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with.
-
-## About message encryption
-
-Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys.
-
-Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipients whose encryption certificate is not available, the app will prompt you to remove these recipients before sending the email.
-
-## About digital signatures
-
-A digitally signed message reassures the recipient that the message hasn't been tampered with and verifies the identity of the sender. Recipients can only verify the digital signature if they're using an email client that supports S/MIME.
-
-## Prerequisites
-
-- [S/MIME is enabled for Exchange accounts](/microsoft-365/security/office-365-security/s-mime-for-message-signing-and-encryption) (on-premises and Office 365). Users can't use S/MIME signing and encryption with a personal account such as Outlook.com.
-- Valid Personal Information Exchange (PFX) certificates are installed on the device.
-
- - [How to Create PFX Certificate Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/mt131410(v=technet.10))
- - [Enable access to company resources using certificate profiles with Microsoft Intune](/mem/intune/protect/certificates-configure)
-
-## Choose S/MIME settings
-
-On the device, perform the following steps: (add select certificate)
-
-1. Open the Mail app.
-
-2. Open **Settings** by tapping the gear icon on a PC, or the ellipsis (...) and then the gear icon on a phone.
-
- :::image type="content" alt-text="settings icon in mail app." source="images/mailsettings.png":::
-
-3. Tap **Email security**.
-
- :::image type="content" alt-text="email security settings." source="images/emailsecurity.png":::
-
-4. In **Select an account**, select the account for which you want to configure S/MIME options.
-
-5. Make a certificate selection for digital signature and encryption.
-
- - Select **Automatically** to let the app choose the certificate.
- - Select **Manually** to specify the certificate yourself from the list of valid certificates on the device.
-6. (Optional) Select **Always sign with S/MIME**, **Always encrypt with S/MIME**, or both, to automatically digitally sign or encrypt all outgoing messages.
-
- > [!NOTE]
- > The option to sign or encrypt can be changed for individual messages, unless EAS policies prevent it.
-
-7. Tap the back arrow.
-
-## Encrypt or sign individual messages
-
-1. While composing a message, choose **Options** from the ribbon. On phone, **Options** can be accessed by tapping the ellipsis (...).
-
-2. Use **Sign** and **Encrypt** icons to turn on digital signature and encryption for this message.
-
- :::image type="content" alt-text="sign or encrypt message." source="images/signencrypt.png":::
-
-## Read signed or encrypted messages
-
-When you receive an encrypted message, the mail app will check whether there is a certificate available on your computer. If there is a certificate available, the message will be decrypted when you open it. If your certificate is stored on a smartcard, you will be prompted to insert the smartcard to read the message. Your smartcard may also require a PIN to access the certificate.
-
-## Install certificates from a received message
-
-When you receive a signed email, the app provides a feature to install corresponding encryption certificate on your device if the certificate is available. This certificate can then be used to send encrypted email to this person.
-
-1. Open a signed email.
-
-2. Tap or click the digital signature icon in the reading pane.
-
-3. Tap **Install.**
-
- :::image type="content" alt-text="message security information." source="images/installcert.png":::
-
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index ca9c7acd52..32967fd8b7 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -18,7 +18,6 @@ Credential theft attacks allow the attacker to steal secrets from one device and
Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks.
**To enable Kerberos armoring for restricting domain users to specific domain-joined devices**
-
- Users need to be in domains that are running Windows Server 2012 R2 or higher
- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index eb38ab1250..086a008176 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -1,5 +1,5 @@
---
-title: Manage Windows Defender Credential Guard (Windows)
+title: Manage Windows Defender Credential Guard
description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy or the registry.
ms.date: 11/23/2022
ms.collection:
@@ -54,7 +54,7 @@ You can use Group Policy to enable Windows Defender Credential Guard. When enabl
1. In the **Credential Guard Configuration** box, select **Enabled with UEFI lock**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**.
-1. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. For more information, see [System Guard Secure Launch and SMM protection](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md).
+1. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. For more information, see [System Guard Secure Launch and SMM protection](../../hardware-security/system-guard-secure-launch-and-smm-protection.md).
:::image type="content" source="images/credguard-gp.png" alt-text="Windows Defender Credential Guard Group Policy setting.":::
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
index 6b9dbeadc9..6719b3db77 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
@@ -1,5 +1,5 @@
---
-title: Windows Defender Credential Guard protection limits (Windows)
+title: Windows Defender Credential Guard protection limits
description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide.
ms.date: 08/17/2017
ms.topic: article
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index ea7bf02bae..2afb9f4a6a 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -66,6 +66,8 @@ Applications may cause performance issues when they attempt to hook the isolated
Services or protocols that rely on Kerberos, such as file shares, remote desktop, or BranchCache, continue to work and are not affected by Windows Defender Credential Guard.
+[!INCLUDE [windows-defender-credential-guard](../../../../includes/licensing/windows-defender-credential-guard.md)]
+
## Security considerations
All computers that meet baseline protections for hardware, firmware, and software can use Windows Defender Credential Guard.
@@ -96,7 +98,7 @@ The following tables describe baseline protections, plus protections for improve
|Protections for Improved Security|Description|
|---|---|
|Hardware: **IOMMU** (input/output memory management unit)|**Requirement**: - VT-D or AMD Vi IOMMU **Security benefits**: - An IOMMU can enhance system resiliency against memory attacks. For more information, see [Advanced Configuration and Power Interface (ACPI) description tables](/windows-hardware/drivers/bringup/acpi-system-description-tables)|
-|Firmware: **Securing Boot Configuration and Management**|**Requirements**: - BIOS password or stronger authentication must be supported. - In the BIOS configuration, BIOS authentication must be set. - There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system. - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.|
+|Firmware: **Securing Boot Configuration and Management**|**Requirements**: - BIOS password or stronger authentication must be supported. - In the BIOS configuration, BIOS authentication must be set. - There must be support for protected BIOS option to configure list of permitted boot devices (for example, "Boot only from internal hard drive") and boot device order, overriding BOOTORDER modification made by operating system. - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.|
|Firmware: **Secure MOR, revision 2 implementation**|**Requirement**: - Secure MOR, revision 2 implementation|
### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016
diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md
index af00a1aef1..519ec863c8 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard.md
@@ -1,5 +1,5 @@
---
-title: Protect derived domain credentials with Windows Defender Credential Guard (Windows)
+title: Protect derived domain credentials with Windows Defender Credential Guard
description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
ms.date: 11/22/2022
ms.topic: article
diff --git a/windows/security/identity-protection/credential-guard/toc.yml b/windows/security/identity-protection/credential-guard/toc.yml
new file mode 100644
index 0000000000..3661af7b0e
--- /dev/null
+++ b/windows/security/identity-protection/credential-guard/toc.yml
@@ -0,0 +1,17 @@
+items:
+- name: Protect derived domain credentials with Credential Guard
+ href: credential-guard.md
+- name: How Credential Guard works
+ href: credential-guard-how-it-works.md
+- name: Requirements
+ href: credential-guard-requirements.md
+- name: Manage Credential Guard
+ href: credential-guard-manage.md
+- name: Credential Guard protection limits
+ href: credential-guard-protection-limits.md
+- name: Considerations when using Credential Guard
+ href: credential-guard-considerations.md
+- name: Additional mitigations
+ href: additional-mitigations.md
+- name: Known issues
+ href: credential-guard-known-issues.md
\ No newline at end of file
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index d4f8cceb8d..47f0d59394 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@@ -1,24 +1,24 @@
---
-title: Enterprise Certificate Pinning
-description: Enterprise certificate pinning is a Windows feature for remembering; or pinning a root issuing certificate authority, or end entity certificate to a given domain name.
+title: Enterprise certificate pinning
+description: Enterprise certificate pinning is a Windows feature for remembering, or pinning, a root issuing certificate authority, or end-entity certificate to a domain name.
ms.topic: conceptual
-ms.date: 07/27/2017
+ms.date: 05/24/2023
---
-# Enterprise Certificate Pinning
+# Enterprise certificate pinning overview
-Enterprise certificate pinning is a Windows feature for remembering, or pinning a root issuing certificate authority or end entity certificate to a given domain name.
-Enterprise certificate pinning helps reduce man-in-the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates.
+Enterprise certificate pinning is a Windows feature for remembering (pinning), a root issuing certificate authority, or end-entity certificate, to a domain name.\
+The feature helps to reduce man-in-the-middle attacks by protecting internal domain names from chaining to unwanted or fraudulently issued certificates.
> [!NOTE]
> External domain names, where the certificate issued to these domains is issued by a public certificate authority, are not ideal for enterprise certificate pinning.
-Windows Certificate APIs (CertVerifyCertificateChainPolicy and WinVerifyTrust) are updated to check if the site's chain that authenticates servers matches a restricted set of certificates.
-These restrictions are encapsulated in a Pin Rules Certificate Trust List (CTL) that is configured and deployed to Windows 10 computers.
-Any site certificate that triggers a name mismatch causes Windows to write an event to the CAPI2 event log and prevents the user from navigating to the web site using Microsoft Edge or Internet Explorer.
+Windows Certificate APIs (*CertVerifyCertificateChainPolicy* and *WinVerifyTrust*) are updated to check if the site's chain that authenticates servers matches a restricted set of certificates.\
+The restrictions are encapsulated in a *Pin Rules Certificate Trust List (CTL)* that is configured and deployed to Windows devices.\
+Any site certificates that trigger a name mismatch causes Windows to write an event to the *CAPI2 event log*, and prevents the user from browsing the web site.
> [!NOTE]
-> Enterprise Certificate Pinning feature triggering doesn't cause clients other than Microsoft Edge or Internet Explorer to block the connection.
+> Enterprise Certificate Pinning feature triggering doesn't cause clients other than Microsoft Edge to block the connection.
## Deployment
@@ -27,14 +27,14 @@ To deploy enterprise certificate pinning, you need to:
- Create a well-formatted certificate pinning rule XML file
- Create a pin rules certificate trust list file from the XML file
- Apply the pin rules certificate trust list file to a reference administrative computer
-- Deploy the registry configuration on the reference computer using Group Policy Management Console (GPMC), which is included in the [Remote Server Administration Tools (RSAT)](https://www.microsoft.com/download/details.aspx?id=45520).
+- Deploy the registry configuration on the reference computer via group policy
-### Create a Pin Rules XML file
+### Create a pin rules XML file
-The XML-based pin rules file consists of a sequence of PinRule elements.
+The XML-based pin rules file consists of a sequence of PinRule elements.
Each PinRule element contains a sequence of one or more Site elements and a sequence of zero or more Certificate elements.
-```code
+```xml
**Duration**, represented as an XML TimeSpan data type, doesn't allow years and months. You represent the **NextUpdate** attribute as an XML DateTime data type in UTC. | **Required?** Yes. At least one is required. |
+| **Duration** or **NextUpdate** | Specifies when the Pin Rules expires. Either is required. **NextUpdate** takes precedence if both are specified.
**Duration**, represented as an XML TimeSpan data type, doesn't allow years and months. You represent the **NextUpdate** attribute as an XML DateTime data type in UTC. | **Required?** Yes. At least one is required. |
| **LogDuration** or **LogEndDate** | Configures auditing only to extend beyond the expiration of enforcing the Pin Rules.
**LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified.
You represent **LogDuration** as an XML TimeSpan data type, which doesn't allow years and months.
If `none of the attributes are specified, auditing expiration uses **Duration** or **NextUpdate** attributes. | No. |
| **ListIdentifier** | Provides a friendly name for the list of pin rules. Windows doesn't use this attribute for certificate pinning enforcement; however, it's included when the pin rules are converted to a certificate trust list (CTL). | No. |
-#### PinRule Element
+#### PinRule element
-The **PinRule** element can have the following attributes.
+The **PinRule** element can have the following attributes.
| Attribute | Description | Required |
|-----------|-------------|----------|
-| **Name** | Uniquely identifies the **PinRule**. Windows uses this attribute to identify the element for a parsing error or for verbose output. The attribute isn't included in the generated certificate trust list (CTL). | Yes.|
-| **Error** | Describes the action Windows performs when it encounters a PIN mismatch. You can choose from the following string values:
- **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site.
- **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate doesn't match the name of the site. This typically results in prompting the user before accessing the site.
- **None** - The default value. No error is returned. You can use this setting to audit the pin rules without introducing any user friction. | No. |
+| **Name** | Uniquely identifies the **PinRule**. Windows uses the attribute to identify the element for a parsing error or for verbose output. The attribute isn't included in the generated certificate trust list (CTL). | Yes.|
+| **Error** | Describes the action Windows performs when it encounters a PIN mismatch. You can choose from the following string values:
- **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site.
- **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate doesn't match the name of the site. This typically results in prompting the user before accessing the site.
- **None** - The default value. No error is returned. You can use the setting to audit the pin rules without introducing any user friction. | No. |
| **Log** | A Boolean value represents a string that equals **true** or **false**. By default, logging is enabled (**true**). | No. |
-#### Certificate element
+#### Certificate element
The **Certificate** element can have the following attributes.
@@ -88,7 +88,7 @@ The **Certificate** element can have the following attributes.
| **File** | Path to a file containing one or more certificates. Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst
These files can also be Base64 formatted. All **Site** elements included in the same **PinRule** element can match any of these certificates. | Yes (File, Directory, or Base64 must be present). |
| **Directory** | Path to a directory containing one or more of the above certificate files. Skips any files not containing any certificates. | Yes (File, Directory, or Base64 must be present). |
| **Base64** | Base64 encoded certificate(s). Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst
This allows the certificates to be included in the XML file without a file directory dependency.
Note:
You can use **certutil -encode** to convert a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. | Yes (File, Directory, or Base64 must be present). |
-| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element's certificates.
If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and excludes the certificate(s) from the Pin Rule in the generated CTL.
For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).| No.|
+| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element's certificates.
If the current time is past the **EndDate**, when creating the certificate trust list (CTL) the parser outputs a warning message and excludes the certificate(s) from the Pin Rule in the generated CTL.
For help with formatting Pin Rules, see [Represent a date in XML](#represent-a-date-in-xml).| No.|
#### Site element
@@ -96,15 +96,15 @@ The **Site** element can have the following attributes.
| Attribute | Description | Required |
|-----------|-------------|----------|
-| **Domain** | Contains the DNS name to be matched for this pin rule. When creating the certificate trust list, the parser normalizes the input name string value as follows:
- If the DNS name has a leading "*", it's removed.
- Non-ASCII DNS name is converted to ASCII Puny Code.
- Upper case ASCII characters are converted to lower case.
If the normalized name has a leading ".", then wildcard left-hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.|
+| **Domain** | Contains the DNS name to be matched for this pin rule. When you create the certificate trust list, the parser normalizes the input name string value as follows:
- If the DNS name has a leading "*", it's removed.
- Non-ASCII DNS name is converted to ASCII Puny Code.
- Upper case ASCII characters are converted to lower case.
If the normalized name has a leading ".", then wildcard left-hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.|
| **AllSubdomains** | By default, wildcard left-hand label matching is restricted to a single left-hand label. This attribute can be set to "true" to enable wildcard matching of all of the left-hand labels.
For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value.| No.|
-### Create a Pin Rules Certificate Trust List
+### Create a pin rules certificate trust list
-The command line utility, **Certutil.exe**, includes the **generatePinRulesCTL** argument to parse the XML file and generate the encoded certificate trust list (CTL) that you add to your reference Windows 10 version 1703 computer and subsequently deploy.
-The usage syntax is:
+The *Certutil.exe* command includes the *generatePinRulesCTL* argument. The argument parses the XML file and generates the encoded certificate trust list (CTL) that you add to your reference Windows device and then deploy.
+The syntax is:
-```code
+```cmd
CertUtil [Options] -generatePinRulesCTL XMLFile CTLFile [SSTFile]
Generate Pin Rules CTL
XMLFile -- input XML file to be parsed.
@@ -118,40 +118,42 @@ Options:
-v -- Verbose operation
```
-The same certificate(s) can occur in multiple **PinRule** elements.
-The same domain can occur in multiple **PinRule** elements.
-Certutil coalesces these in the resultant pin rules certificate trust list.
+- The same certificate(s) can occur in multiple **PinRule** elements
+- The same domain can occur in multiple **PinRule** elements
+- Certutil coalesces these in the resultant pin rules certificate trust list
+- Certutil.exe doesn't strictly enforce the XML schema definition
-Certutil.exe doesn't strictly enforce the XML schema definition.
-It does perform the following to enable other tools to add/consume their own specific elements and attributes:
+Certutil performs the following to enable other tools to add/consume their own specific elements and attributes:
-- Skips elements before and after the **PinRules** element.
-- Skips any element not matching **Certificate** or **Site** within the **PinRules** element.
-- Skips any attributes not matching the above names for each element type.
+- Skips elements before and after the **PinRules** element
+- Skips any element not matching **Certificate** or **Site** within the **PinRules** element
+- Skips any attributes not matching the above names for each element type
-Use the **certutil** command with the **generatePinRulesCTL** argument along with your XML file that contains your certificate pinning rules.
+Use the *certutil* command with the *generatePinRulesCTL* argument along with your XML file that contains your certificate pinning rules.
Lastly, provide the name of an output file that will include your certificate pinning rules in the form of a certificate trust list.
-```code
+```cmd
certutil -generatePinRulesCTL certPinRules.xml pinrules.stl
```
-### Applying Certificate Pinning Rules to a Reference Computer
+### Apply certificate pinning rules to a reference computer
Now that your certificate pinning rules are in the certificate trust list format, you need to apply the settings to a reference computer as a prerequisite to deploying the setting to your enterprise.
To simplify the deployment configuration, it's best to apply your certificate pinning rules to a computer that has the Group Policy Management Console (GPMC) included in the Remote Server Administration Tools (RSAT).
-Use **certutil.exe** to apply your certificate pinning rules to your reference computer using the **setreg** argument.
-The **setreg** argument takes a secondary argument that determines the location of where certutil writes the certificate pining rules.
-This secondary argument is **chain\PinRules**.
-The last argument you provide is the name of file that contains your certificate pinning rules in certificate trust list format (.stl).
-You'll pass the name of the file as the last argument; however, you need to prefix the file name with the '@' symbol as shown in the following example.
-You need to perform this command from an elevated command prompt.
+Use *certutil.exe* to apply your certificate pinning rules to your reference computer using the *setreg* argument.\
+The *setreg* argument takes a secondary argument that determines the location of where certutil writes the certificate pining rules.\
+The secondary argument is *chain\PinRules*.\
+The last argument you provide is the name of file that contains your certificate pinning rules in certificate trust list format (`.stl`).\
+You pass the name of the file as the last argument. You must prefix the file name with the `@` symbol as in the following example:
-```code
+```cmd
Certutil -setreg chain\PinRules @pinrules.stl
```
+> [!NOTE]
+> You must execute the command from an elevated command prompt.
+
Certutil writes the binary information to the following registration location:
| Name | Value |
@@ -163,39 +165,39 @@ Certutil writes the binary information to the following registration location:
-### Deploying Enterprise Pin Rule Settings using Group Policy
+### Deploy enterprise pin rule settings using group policy
-You've successfully created a certificate pinning rules XML file.
-From the XML file you've created a certificate pinning trust list file, and you've applied the contents of that file to your reference computer from which you can run the Group Policy Management Console.
-Now you need to configure a Group Policy object to include the applied certificate pin rule settings and deploy it to your environment.
+From the XML file, you've created a certificate pinning trust list file. Then, you've applied the content of the file to your reference device from which you can run the Group Policy Management Console.
+
+The next step consists of configuring a group policy object that includes the applied certificate pin rule settings, and deploy it in your environment.
Sign-in to the reference computer using domain administrator equivalent credentials.
-1. Start the **Group Policy Management Console** (gpmc.msc)
-2. In the navigation pane, expand the forest node and then expand the domain node.
-3. Expand the node that contains your Active Directory's domain name
-4. Select the **Group Policy objects** node. Right-click the **Group Policy objects** node and click **New**.
-5. In the **New GPO** dialog box, type _Enterprise Certificate Pinning Rules_ in the **Name** text box and click **OK**.
-6. In the content pane, right-click the **Enterprise Certificate Pinning Rules** Group Policy object and click **Edit**.
-7. In the **Group Policy Management Editor**, in the navigation pane, expand the **Preferences** node under **Computer Configuration**. Expand **Windows Settings**.
-8. Right-click the **Registry** node and click **New**.
-9. In the **New Registry Properties** dialog box, select **Update** from the **Action** list. Select **HKEY_LOCAL_MACHINE** from the **Hive** list.
-10. For the **Key Path**, click **…** to launch the **Registry Item Browser**. Navigate to the following registry key and select the **PinRules** registry value name:
+1. Start the **Group Policy Management Console** (gpmc.msc)
+1. In the navigation pane, expand the forest node and then expand the domain node
+1. Expand the node that contains your Active Directory's domain name
+1. Select the **Group Policy objects** node. Right-click the **Group Policy objects** node and select **New**
+1. In the **New GPO** dialog box, type _Enterprise Certificate Pinning Rules_ in the **Name** text box and select **OK**
+1. In the content pane, right-click the **Enterprise Certificate Pinning Rules** Group Policy object and select **Edit**
+1. In the **Group Policy Management Editor**, in the navigation pane, expand the **Preferences** node under **Computer Configuration**. Expand **Windows Settings**
+1. Right-click the **Registry** node and select **New**
+1. In the **New Registry Properties** dialog box, select **Update** from the **Action** list. Select **HKEY_LOCAL_MACHINE** from the **Hive** list
+1. For the **Key Path**, select **…** to launch the **Registry Item Browser**. Navigate to the following registry key and select the **PinRules** registry value name:
- HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config
+ `HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config`
- Click **Select** to close the **Registry Item Browser**.
+ Select **Select** to close the **Registry Item Browser**
-11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REG\_BINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box.
+1. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REG\_BINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Select **OK** to save your settings and close the dialog box
- 
+ 
-12. Close the **Group Policy Management Editor** to save your settings.
-13. Link the **Enterprise Certificate Pinning Rules** Group Policy object to apply to computers that run Windows 10, version 1703 in your enterprise. When these domain-joined computers apply Group Policy, the registry information configured in the Group Policy object is applied to the computer.
+1. Close the **Group Policy Management Editor** to save your settings
+1. Link the **Enterprise Certificate Pinning Rules** GPO to the OU containing the devices that you want to configure
-## Additional Pin Rules Logging
+## Additional pin rules logging
-To assist in constructing certificate pinning rules, you can configure the **PinRulesLogDir** setting under the certificate chain configuration registry key to include a parent directory to log pin rules.
+To help constructing certificate pinning rules, you can configure the **PinRulesLogDir** setting under the certificate chain configuration registry key to include a parent directory to log pin rules.
| Name | Value |
|------|-------|
@@ -204,12 +206,12 @@ To assist in constructing certificate pinning rules, you can configure the **Pin
| Value | The Parent directory where Windows should write the additional pin rule logs |
| Data type | REG_SZ |
-### Permission for the Pin Rule Log Folder
+### Permission for the pin rule log folder
-The folder in which Windows writes the additional pin rule logs must have permissions so that all users and applications have full access.
-You can run the following commands from an elevated command prompt to achieve the proper permissions.
+The folder in which Windows writes the additional pin rule logs must have permissions so that all users and applications have full access.
+You can run the following commands from an elevated command prompt to achieve the proper permissions.
-```code
+```cmd
set PinRulesLogDir=c:\PinRulesLog
mkdir %PinRulesLogDir%
icacls %PinRulesLogDir% /grant *S-1-15-2-1:(OI)(CI)(F)
@@ -218,64 +220,61 @@ icacls %PinRulesLogDir% /grant *S-1-5-12:(OI)(CI)(F)
icacls %PinRulesLogDir% /inheritance:e /setintegritylevel (OI)(CI)L
```
-Whenever an application verifies a TLS/SSL certificate chain that contains a server name matching a DNS name in the server certificate, Windows writes a .p7b file consisting of all the certificates in the server's chain to one of three child folders:
+When an application verifies a TLS/SSL certificate chain that contains a server name matching a DNS name in the server certificate, Windows writes a .p7b file consisting of all the certificates in the server's chain to one of three child folders:
-- AdminPinRules
- Matched a site in the enterprise certificate pinning rules.
-- AutoUpdatePinRules
- Matched a site in the certificate pinning rules managed by Microsoft.
-- NoPinRules
- Didn't match any site in the certificate pin rules.
+- `AdminPinRules`: Matched a site in the enterprise certificate pinning rules
+- `AutoUpdatePinRules`: Matched a site in the certificate pinning rules managed by Microsoft
+- `NoPinRules`: Didn't match any site in the certificate pin rules
-The output file name consists of the leading eight ASCII hex digits of the root's SHA1 thumbprint followed by the server name.
+The output file name consists of the leading eight ASCII hex digits of the root's SHA1 thumbprint followed by the server name.
For example:
- `D4DE20D0_xsi.outlook.com.p7b`
- `DE28F4A4_www.yammer.com.p7b`
-If there's either an enterprise certificate pin rule or a Microsoft certificate pin rule mismatch, then Windows writes the .p7b file to the **MismatchPinRules** child folder.
+If there's either an enterprise certificate pin rule or a Microsoft certificate pin rule mismatch, then Windows writes the .p7b file to the **MismatchPinRules** child folder.
If the pin rules have expired, then Windows writes the .p7b to the **ExpiredPinRules** child folder.
-## Representing a Date in XML
+## Represent a date in XML
-Many attributes within the pin rules xml file are dates.
-These dates must be properly formatted and represented in UTC.
-You can use Windows PowerShell to format these dates.
-You can then copy and paste the output of the cmdlet into the XML file.
+Many attributes within the pin rules xml file are dates.\
+These dates must be properly formatted and represented in UTC.\
+You can use Windows PowerShell to format these dates.\
+You can then copy and paste the output of the cmdlet into the XML file.
For simplicity, you can truncate decimal point (.) and the numbers after it.
However, be certain to append the uppercase "Z" to the end of the XML date string.
-```code
+```cmd
2015-05-11T07:00:00.2655691Z
2015-05-11T07:00:00Z
```
-## Converting an XML Date
+## Convert an XML date
You can also use Windows PowerShell to validate and convert an XML date into a human readable date to validate it's the correct date.
-## Representing a Duration in XML
+## Represent a duration in XML
-Some elements may be configured to use a duration rather than a date.
-You must represent the duration as an XML timespan data type.
+Some elements may be configured to use a duration rather than a date.
+You must represent the duration as an XML timespan data type.
You can use Windows PowerShell to properly format and validate durations (timespans) and copy and paste them into your XML file.
-## Converting an XML Duration
+## Convert an XML duration
You can convert an XML formatted timespan into a timespan variable that you can read.
-## Certificate Trust List XML Schema Definition (XSD)
+## Certificate trust list XML schema definition (XSD)
-```code
+```xml
The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed pre-authentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
-|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
+|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After the provider locates a domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
+|B | The Kerberos provider sends the signed preauthentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.
The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
+|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
> [!NOTE]
> You might have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on the Azure AD joined device, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT and trigger authenticate against your DC (if LOS to DC is available) to get Kerberos. It no longer uses AD FS to authenticate for Windows Hello for Business sign-ins.
@@ -61,24 +53,24 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
| Phase | Description |
| :----: | :----------- |
-|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos pre-authentication data.|
-|B | The Kerberos provider sends the signed pre-authentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
The domain controller determines the certificate is not self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed pre-authentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
-|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
+|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
+|B | The Kerberos provider sends the signed preauthentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
The domain controller determines the certificate isn't self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and hasn't been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed preauthentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
+|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
> [!NOTE]
> You may have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.
-## Hybrid Azure AD join authentication using Azure AD Kerberos (cloud Kerberos trust)
+## Hybrid Azure AD join authentication using cloud Kerberos trust
| Phase | Description |
| :----: | :----------- |
-|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce.
+|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce.
|B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Azure AD.
|C | Azure AD validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Azure AD Kerberos and returns them to Cloud AP.
|D | Cloud AP receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT.
-|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After locating an active 2016 domain controller, the Kerberos provider sends the partial TGT that it received from Azure AD to the domain controller. The partial TGT contains only the user SID and is signed by Azure AD Kerberos. The domain controller will verify that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos will return the TGT to lsass, where it is cached and used for subsequent service ticket requests. Lsass informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
+|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After locating an active 2016 domain controller, the Kerberos provider sends the partial TGT that it received from Azure AD to the domain controller. The partial TGT contains only the user SID and is signed by Azure AD Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests. Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
## Hybrid Azure AD join authentication using a key
@@ -86,11 +78,11 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
| Phase | Description |
| :----: | :----------- |
-|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
-|B | The Kerberos provider sends the signed pre-authentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.
The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed pre-authentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
-|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
-|D | After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
-|E | Lsass informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
+|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
+|B | The Kerberos provider sends the signed preauthentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.
The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
+|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
+|D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
+|E | Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.|
|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory. Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.
The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.
The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
@@ -103,13 +95,13 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
| Phase | Description |
| :----: | :----------- |
-|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
-|B | The Kerberos provider sends the signed pre-authentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
The domain controller determines the certificate is not self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed pre-authentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
-|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
-|D | After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
-|E | Lsass informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
+|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
+|B | The Kerberos provider sends the signed preauthentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
The domain controller determines the certificate isn't self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and hasn't been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed preauthentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
+|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
+|D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
+|E | Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.|
|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory. Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.
The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.
The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
> [!IMPORTANT]
-> In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business unless the device has line of sight to the domain controller for the first time.
+> In the above deployment model, a **newly provisioned** user will not be able to sign in using Windows Hello for Business unless the device has line of sight to the domain controller.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index 76368b1c12..06e3d455fa 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -94,8 +94,8 @@ In Windows 10 and Windows 11, cloud experience host is an application used while
### Related to cloud experience host
-- [Windows Hello for Business](./hello-identity-verification.md)
-- [Managed Windows Hello in organization](./hello-manage-in-organization.md)
+- [Windows Hello for Business](hello-identity-verification.md)
+- [Managed Windows Hello in organization](hello-manage-in-organization.md)
### More information on cloud experience host
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index 9a5646c257..bcd910f606 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -203,7 +203,7 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
1. Repeat this procedure on all your domain controllers
> [!NOTE]
-> You can configure domain controllers to automatically enroll and renew their certificates. Automatic certificate enrollment helps prevent authentication outages due to expired certificates. Refer to the [Windows Hello Deployment Guides](./hello-deployment-guide.md) to learn how to deploy automatic certificate enrollment for domain controllers.
+> You can configure domain controllers to automatically enroll and renew their certificates. Automatic certificate enrollment helps prevent authentication outages due to expired certificates. Refer to the [Windows Hello Deployment Guides](hello-deployment-guide.md) to learn how to deploy automatic certificate enrollment for domain controllers.
> [!IMPORTANT]
> If you are not using automatic certificate enrollment, create a calendar reminder to alert you two months before the certificate expiration date. Send the reminder to multiple people in the organization to ensure more than one or two people know when these certificates expire.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 629d9c561e..934a3f70de 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -139,7 +139,7 @@ To configure Windows Hello for Business using an *account protection* policy:
1. Under *Block Windows Hello for Business*, select **Disabled** and multiple policies become available
- These policies are optional to configure, but it's recommended to configure *Enable to use a Trusted Platform Module (TPM)* to **Yes**
- For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business)
-1. Under *Enable to certificate for on-premises resources*, select **Disabled** and multiple policies become available
+1. Under *Enable to certificate for on-premises resources*, select **YES**
1. Select **Next**
1. Optionally, add *scope tags* > **Next**
1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
@@ -195,4 +195,4 @@ The certificate authority validates the certificate was signed by the registrati
[MEM-3]: /mem/intune/configuration/custom-settings-configure
[MEM-4]: /windows/client-management/mdm/passportforwork-csp
[MEM-5]: /mem/intune/protect/endpoint-security-account-protection-policy
-[MEM-6]: /mem/intune/protect/identity-protection-configure
\ No newline at end of file
+[MEM-6]: /mem/intune/protect/identity-protection-configure
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
index 9cd071eac6..d1059a1570 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
@@ -101,7 +101,7 @@ To configure the cloud Kerberos trust policy:
> [!IMPORTANT]
> *Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID][AZ-3] for instructions on looking up your tenant ID.
- :::image type="content" alt-text ="Intune custom-device configuration policy creation" source="./images/hello-cloud-trust-intune.png" lightbox="./images/hello-cloud-trust-intune-large.png":::
+ :::image type="content" alt-text ="Intune custom-device configuration policy creation" source="images/hello-cloud-trust-intune.png" lightbox="images/hello-cloud-trust-intune-large.png":::
1. Assign the policy to a security group that contains as members the devices or users that you want to configure.
@@ -147,7 +147,7 @@ The Windows Hello for Business provisioning process begins immediately after a u
You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\
This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4].
-:::image type="content" alt-text="Cloud Kerberos trust prerequisite check in the user device registration log" source="./images/cloud-trust-prereq-check.png" lightbox="./images/cloud-trust-prereq-check.png":::
+:::image type="content" alt-text="Cloud Kerberos trust prerequisite check in the user device registration log" source="images/cloud-trust-prereq-check.png" lightbox="images/cloud-trust-prereq-check.png":::
The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't being enforced by policy or if the device is Azure AD joined.
@@ -202,7 +202,7 @@ For a list of frequently asked questions about Windows Hello for Business cloud
[AZ-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module
-[AZ-3]: /azure/active-directory/fundamentals/active-directory-how-to-find-tenant
+[AZ-3]: /azure/active-directory/fundamentals/how-to-find-tenant
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
[MEM-1]: /mem/intune/protect/identity-protection-windows-settings
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
index d3f07a3668..23b6c288e5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
@@ -32,15 +32,18 @@ Windows Hello for Business cloud Kerberos trust uses *Azure AD Kerberos*, which
Cloud Kerberos trust uses Azure AD Kerberos, which doesn't require a PKI to request TGTs.\
With Azure AD Kerberos, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for sign-in or to access AD-based resources. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization.
-When Azure AD Kerberos is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object:
+When Azure AD Kerberos is enabled in an Active Directory domain, an *AzureADKerberos* computer object is created in the domain. This object:
- Appears as a Read Only Domain Controller (RODC) object, but isn't associated with any physical servers
-- Is only used by Azure AD to generate TGTs for the Active Directory domain. The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object
+- Is only used by Azure AD to generate TGTs for the Active Directory domain
+
+ > [!NOTE]
+ > Similar rules and restrictions used for RODCs apply to the AzureADKerberos computer object. For example, users that are direct or indirect members of priviliged built-in security groups won't be able to use cloud Kerberos trust.
:::image type="content" source="images/azuread-kerberos-object.png" alt-text="Active Directory Users and Computers console, showing the computer object representing the Azure AD Kerberos server ":::
For more information about how Azure AD Kerberos enables access to on-premises resources, see [enabling passwordless security key sign-in to on-premises resources][AZ-1].\
-For more information about how Azure AD Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust).
+For more information about how Azure AD Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-cloud-kerberos-trust).
> [!IMPORTANT]
> When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1].
@@ -65,9 +68,9 @@ The following scenarios aren't supported using Windows Hello for Business cloud
- Signing in with cloud Kerberos trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity
> [!NOTE]
-> The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with cloud Kerberos trust or FIDO2 security keys.
+> The default *Password Replication Policy* configured on the AzureADKerberos computer object doesn't allow to sign high privilege accounts on to on-premises resources with cloud Kerberos trust or FIDO2 security keys.
>
-> To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object `CN=AzureADKerberos,OU=Domain Controllers,
Group Policy or Modern managed | Key trust
Group Policy or Modern managed | Certificate Trust
Mixed managed | Certificate Trust
Modern managed |
+| Requirement | Cloud Kerberos trust
Group Policy or Modern managed | Key trust
Group Policy or Modern managed | Certificate Trust
Mixed managed | Certificate Trust
Modern managed |
| --- | --- | --- | --- | --- |
| **Windows Version** | Any supported Windows client versions| Any supported Windows client versions | Any supported Windows client versions |
| **Schema Version** | No specific Schema requirement | Windows Server 2016 or later schema | Windows Server 2016 or later schema | Windows Server 2016 or later schema |
| **Domain and Forest Functional Level** | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level |
| **Domain Controller Version** | Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions |
-| **Certificate Authority**| N/A |Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions |
-| **AD FS Version** | N/A | N/A | Any supported Windows Server versions | Any supported Windows Server versions |
+| **Certificate Authority**| Not required |Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions |
+| **AD FS Version** | Not required | Not required | Any supported Windows Server versions | Any supported Windows Server versions |
| **MFA Requirement** | Azure MFA, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter |
-| **Azure AD Connect** | N/A | Required | Required | Required |
+| **Azure AD Connect** | Not required | Required | Required | Required |
| **Azure AD License** | Azure AD Premium, optional | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional. Intune license required |
## On-premises Deployments
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index 2676f0066f..576ffdb0a4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -1,6 +1,6 @@
---
-title: Manage Windows Hello in your organization (Windows)
-description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10.
+title: Manage Windows Hello in your organization
+description: Learn how to create a Group Policy or mobile device management (MDM) policy to configure and deploy Windows Hello for Business.
ms.collection:
- highpri
- tier1
@@ -19,31 +19,31 @@ You can create a Group Policy or mobile device management (MDM) policy to config
## Group Policy settings for Windows Hello for Business
-The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.
+The following table lists the Group Policy settings that you can configure for Windows Hello use in your organization. These policy settings are available in **User configuration** and **Computer Configuration** under **Policies > Administrative Templates > Windows Components > Windows Hello for Business**.
> [!NOTE]
-> Starting with Windows 10, version 1709, the location of the PIN complexity section of the Group Policy is: **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity**.
+> The location of the PIN complexity section of the Group Policy is: **Computer Configuration > Administrative Templates > System > PIN Complexity**.
|Policy|Scope|Options|
|--- |--- |--- |
-|Use Windows Hello for Business|Computer or user|Note Current PIN is included in PIN history.|
-|Require special characters|Computer|Note Current PIN is included in PIN history.|
+|Require special characters|Computer| **Note:** If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but will not be able to set up Windows Hello for Business on other devices|
-|RequireSecurityDevice|Device or user|False| **Note:** If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but won't be able to set up Windows Hello for Business on other devices|
+|RequireSecurityDevice|Device or user|False|
-
The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option:
-
As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection.
-
-
Use the following table to compare different Remote Desktop connection security options:
-
-
-
-
| Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode |
-|--------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the "domain user". Any attack is local to the server |
-| **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.
For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](/security-updates/SecurityAdvisories/2016/2871997). |
-| **Helps prevent** | N/A |
|
|
-| **Credentials supported from the remote desktop client device** |
|
|
-| **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. |
-| **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host's identity**. |
-| **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account |
-| **Supported authentication** | Any negotiable protocol. | Kerberos only. | Any negotiable protocol |
-
-
+|--|--|--|--|
+| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the "domain user". Any attack is local to the server |
+| **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.
For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](/security-updates/SecurityAdvisories/2016/2871997). |
+| **Helps prevent** | N/A |
|
|
+| **Credentials supported from the remote desktop client device** |
|
|
+| **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. |
+| **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host's identity**. |
+| **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account |
+| **Supported authentication** | Any negotiable protocol. | Kerberos only. | Any negotiable protocol |
For further technical information, see [Remote Desktop Protocol](/windows/win32/termserv/remote-desktop-protocol)
and [How Kerberos works](/previous-versions/windows/it-pro/windows-2000-server/cc961963(v=technet.10)).
-
-
-
-
## Remote Desktop connections and helpdesk support scenarios
For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user's resources for a limited time (a few hours) after the session disconnects.
@@ -77,8 +60,7 @@ To further harden security, we also recommend that you implement Local Administr
For further information on LAPS, see [Microsoft Security Advisory 3062591](https://technet.microsoft.com/library/security/3062591.aspx).
-
-
+[!INCLUDE [windows-defender-remote-credential-guard](../../../includes/licensing/windows-defender-remote-credential-guard.md)]
## Remote Credential Guard requirements
@@ -86,20 +68,17 @@ To use Windows Defender Remote Credential Guard, the Remote Desktop client and r
The Remote Desktop client device:
-- Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine.
-
-- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user's signed-in credentials. This requires the user's account be able to sign in to both the client device and the remote host.
-
-- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard.
-
-- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk.
+- Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine
+- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user's signed-in credentials. This requires the user's account be able to sign in to both the client device and the remote host
+- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard
+- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk
The Remote Desktop remote host:
-- Must be running at least Windows 10, version 1607 or Windows Server 2016.
-- Must allow Restricted Admin connections.
-- Must allow the client's domain user to access Remote Desktop connections.
-- Must allow delegation of non-exportable credentials.
+- Must be running at least Windows 10, version 1607 or Windows Server 2016.
+- Must allow Restricted Admin connections.
+- Must allow the client's domain user to access Remote Desktop connections.
+- Must allow delegation of non-exportable credentials.
There are no hardware requirements for Windows Defender Remote Credential Guard.
@@ -109,31 +88,26 @@ There are no hardware requirements for Windows Defender Remote Credential Guard.
> GPO [Remote host allows delegation of non-exportable credentials](/windows/client-management/mdm/policy-csp-credentialsdelegation) should be enabled for delegation of non-exportable credentials.
- For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication.
-
- The remote host must be running at least Windows 10 version 1607, or Windows Server 2016.
-
- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Windows Defender Remote Credential Guard.
## Enable Windows Defender Remote Credential Guard
You must enable Restricted Admin or Windows Defender Remote Credential Guard on the remote host by using the Registry.
-1. Open Registry Editor on the remote host.
+1. Open Registry Editor on the remote host
+1. Enable Restricted Admin and Windows Defender Remote Credential Guard:
-2. Enable Restricted Admin and Windows Defender Remote Credential Guard:
+ - Go to `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa`
+ - Add a new DWORD value named **DisableRestrictedAdmin**
+ - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0
- - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
-
- - Add a new DWORD value named **DisableRestrictedAdmin**.
-
- - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0.
-
-3. Close Registry Editor.
+1. Close Registry Editor
You can add this by running the following command from an elevated command prompt:
-```console
-reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
+```cmd
+reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
```
## Using Windows Defender Remote Credential Guard
@@ -142,36 +116,28 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C
### Turn on Windows Defender Remote Credential Guard by using Group Policy
-1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**.
-
-2. Double-click **Restrict delegation of credentials to remote servers**.
-
+1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**
+1. Double-click **Restrict delegation of credentials to remote servers**
-
-3. Under **Use the following restricted mode**:
-
- - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used.
+1. Under **Use the following restricted mode**:
+ - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used
> [!NOTE]
> Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
- > When **Restrict Credential Delegation** is enabled, the /restrictedAdmin switch will be ignored. Windows will enforce the policy configuration instead and will use Windows Defender Remote Credential Guard.
+ > When **Restrict Credential Delegation** is enabled, the /restrictedAdmin switch will be ignored. Windows will enforce the policy configuration instead and will use Windows Defender Remote Credential Guard.
- - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic.
-
- - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic.
-
-4. Click **OK**.
-
-5. Close the Group Policy Management Console.
-
-6. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied.
+ - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#remote-credential-guard-requirements) listed earlier in this topic.
+ - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-windows-defender-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic.
+1. Click **OK**
+1. Close the Group Policy Management Console
+1. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied
### Use Windows Defender Remote Credential Guard with a parameter to Remote Desktop Connection
If you don't use Group Policy in your organization, or if not all your remote hosts support Remote Credential Guard, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection.
-```console
+```cmd
mstsc.exe /remoteGuard
```
@@ -180,12 +146,8 @@ mstsc.exe /remoteGuard
## Considerations when using Windows Defender Remote Credential Guard
-- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied.
-
-- Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory.
-
-- Remote Desktop Credential Guard only works with the RDP protocol.
-
-- No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own.
-
-- The server and client must authenticate using Kerberos.
+- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied
+- Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory
+- Remote Desktop Credential Guard only works with the RDP protocol
+- No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own
+- The server and client must authenticate using Kerberos
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index 365f168f07..5443446244 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -1,6 +1,6 @@
---
ms.date: 09/24/2021
-title: Smart Card and Remote Desktop Services (Windows)
+title: Smart Card and Remote Desktop Services
description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
ms.topic: article
ms.reviewer: ardenw
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index 5a810263fc..d305de2eae 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -1,5 +1,5 @@
---
-title: Smart Card Architecture (Windows)
+title: Smart Card Architecture
description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
ms.reviewer: ardenw
ms.topic: article
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
index bbdab0c142..f44786fcb1 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
@@ -1,5 +1,5 @@
---
-title: Certificate Propagation Service (Windows)
+title: Certificate Propagation Service
description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
ms.reviewer: ardenw
ms.topic: article
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index e52b7eeabd..ac153d8216 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -1,5 +1,5 @@
---
-title: Certificate Requirements and Enumeration (Windows)
+title: Certificate Requirements and Enumeration
description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
ms.reviewer: ardenw
ms.topic: article
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index 72b31805ae..afd45f5a5f 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -1,5 +1,5 @@
---
-title: Smart Card Troubleshooting (Windows)
+title: Smart Card Troubleshooting
description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
ms.reviewer: ardenw
ms.collection:
diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md
index 50e701debe..87a6861bb1 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-events.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-events.md
@@ -1,24 +1,19 @@
---
-title: Smart Card Events (Windows)
-description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development.
-ms.reviewer: ardenw
-ms.topic: article
-ms.date: 09/24/2021
+title: Smart card events
+description: Learn about smart card deployment and development events.
+ms.topic: troubleshooting
+ms.date: 06/02/2023
---
-# Smart Card Events
+# Smart card events
-This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development.
+This article describes the events related to smart card deployment and development.
-A number of events can be used to monitor smart card activities on a computer, including installation, use, and errors. The following sections describe the events and information that can be used to manage smart cards in an organization.
+Many events can be used to monitor smart card activities on a device, including installation, use, and errors. The next sections describe the events and information that you can use to manage smart cards in an organization.
-- [Smart card reader name](#smart-card-reader-name)
-- [Smart card warning events](#smart-card-warning-events)
-- [Smart card error events](#smart-card-error-events)
-- [Smart card Plug and Play events](#smart-card-plug-and-play-events)
## Smart card reader name
-The Smart Card resource manager doesn't use the device name from Device Manager to describe a smart card reader. Instead, the name is constructed from three device attributes that are queried directly from the smart card reader driver.
+The Smart Card Resource Manager doesn't use the device name from *Device Manager* to describe a smart card reader. Instead, the name is constructed from three device attributes that are queried directly from the smart card reader driver.
The following three attributes are used to construct the smart card reader name:
@@ -26,72 +21,73 @@ The following three attributes are used to construct the smart card reader name:
- Interface device type
- Device unit
-The smart card reader device name is constructed in the form <*VendorName*> <*Type*> <*DeviceUnit*>. For example 'Contoso Smart Card Reader 0' is constructed from the following information:
+The smart card reader device name is constructed in the form `
%1 = Windows error code
%2 = Smart card reader name
%3 = IOCTL being canceled
%4 = First 4 bytes of the command that was sent to the smart card |
+| 620 | Smart Card Resource Manager was unable to cancel IOCTL %3 for reader '%2': %1. The reader may no longer be responding. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs if the Resource Manager attempts to cancel a command to the smart card reader when the smart card service is shutting down or after a smart card is removed from the smart card reader and the command couldn't be canceled. This can leave the smart card reader in an unusable state until it's removed from the computer or the computer is restarted.
%1 = Windows error code
%2 = Smart card reader name
%3 = IOCTL being canceled
%4 = First 4 bytes of the command that was sent to the smart card |
| 619 | Smart Card Reader '%2' hasn't responded to IOCTL %3 in %1 seconds. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs when a reader hasn't responded to an IOCTL after an unusually long period of time. Currently, this error is sent after a reader doesn't respond for 150 seconds. This can leave the smart card reader in an unusable state until it's removed from the computer or the computer is restarted.
%1 = Number of seconds the IOCTL has been waiting
%2 = Smart card reader name
%3 = IOCTL sent
%4 = First 4 bytes of the command that was sent to the smart card |
## Smart card error events
| **Event ID** | **Error Message** | **Description** |
|--------------|--------------------------------------------|-------------------------------------------------------------------------------|
-| 202 | Failed to initialize Server Application | An error occurred, and the service cannot initialize properly. Restarting the computer may resolve the issue. |
-| 203 | Server Control has no memory for reader reference object. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
-| 204 | Server Control failed to create shutdown event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 202 | Failed to initialize Server Application | An error occurred, and the service can't initialize properly. Restarting the computer may resolve the issue. |
+| 203 | Server Control has no memory for reader reference object. | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
+| 204 | Server Control failed to create shutdown event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
| 205 | Reader object has duplicate name: %1 | There are two smart card readers that have the same name. Remove the smart card reader that is causing this error message.
%1 = Name of the smart card reader that is duplicated |
-| 206 | Failed to create global reader change event. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
-| 401 | Reader shutdown exception from eject smart card command | A smart card reader could not eject a smart card while the smart card reader was shutting down. |
-| 406 | Reader object cannot Identify Device | A smart card reader did not properly respond to a request for information about the device, which is required for constructing the smart card reader name. The smart card reader will not be recognized by the service until it's removed from the computer and reinserted or until the computer is restarted. |
-| 502 | Initialization of Service Status Critical Section failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
-| 504 | Resource Manager cannot create shutdown event flag: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
-| 506 | Smart Card Resource Manager failed to register service: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 206 | Failed to create global reader change event. | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
+| 401 | Reader shutdown exception from eject smart card command | A smart card reader couldn't eject a smart card while the smart card reader was shutting down. |
+| 406 | Reader object can't Identify Device | A smart card reader didn't properly respond to a request for information about the device, which is required for constructing the smart card reader name. The smart card reader won't be recognized by the service until it's removed from the computer and reinserted or until the computer is restarted. |
+| 502 | Initialization of Service Status Critical Section failed | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
+| 504 | Resource Manager can't create shutdown event flag: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 506 | Smart Card Resource Manager failed to register service: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
| 506 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
-| 507 | No memory available for Service Status Critical Section | There is not enough system memory available. This prevents the service from managing the status. Restarting the computer may resolve the issue. |
+| 507 | No memory available for Service Status Critical Section | There isn't enough system memory available. This prevents the service from managing the status. Restarting the computer may resolve the issue. |
| 508 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
| 509 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
| 510 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
| 511 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
| 512 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
| 513 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
-| 514 | Smart Card Resource Manager failed to add reader %2: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code
%2 = Smart card reader name |
-| 515 | Smart Card Resource Manager failed to declare state: %1 | This is an internal unrecoverable error that indicates a failure in the smart card service. The smart card service may not operate properly. Restarting the service or computer may resolve this issue.
%1 = Windows error code |
-| 516 | Smart Card Resource Manager Failed to declare shutdown: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The smart card service may not be able to stop. Restarting the computer may resolve this issue.
%1 = Windows error code |
-| 517 | Smart Card Resource Manager received unexpected exception attempting to add reader %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Smart card reader name |
+| 514 | Smart Card Resource Manager failed to add reader %2: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code
%2 = Smart card reader name |
+| 515 | Smart Card Resource Manager failed to declare state: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The smart card service may not operate properly. Restarting the service or computer may resolve this issue.
%1 = Windows error code |
+| 516 | Smart Card Resource Manager Failed to declare shutdown: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The smart card service may not be able to stop. Restarting the computer may resolve this issue.
%1 = Windows error code |
+| 517 | Smart Card Resource Manager received unexpected exception attempting to add reader %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Smart card reader name |
| 521 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
| 523 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
-| 602 | WDM Reader driver initialization cannot open reader device: %1 | The service cannot open a communication channel with the smart card reader. You cannot use the smart card reader until the issue is resolved.
%1 = Windows error code |
-| 603 | WDM Reader driver initialization has no memory available to control device %1 | There is not enough system memory available. This prevents the service from managing the smart card reader that was added. Restarting the computer may resolve the issue.
%1 = Name of affected reader |
-| 604 | Server control cannot set reader removal event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
-| 605 | Reader object failed to create overlapped event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
-| 606 | Reader object failed to create removal event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
-| 607 | Reader object failed to start monitor thread: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
-| 608 | Reader monitor failed to create power down timer: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
-| 609 | Reader monitor failed to create overlapped event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
-| 610 | Smart Card Reader '%2' rejected IOCTL %3: %1 If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader cannot successfully transmit the indicated IOCTL to the smart card. This can indicate hardware failure, but this error can also occur if a smart card or smart card reader is removed from the system while an operation is in progress.
%1 = Windows error code
%2 = Name of the smart card reader
%3 = IOCTL that was sent
%4 = First 4 bytes of the command sent to the smart card
These events are caused by legacy functionality in the smart card stack. It can be ignored if there is no noticeable failure in the smart card usage scenarios. You might also see this error if your eSIM is recognized as a smartcard controller.|
-| 611 | Smart Card Reader initialization failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve this issue. |
-| 612 | Reader insertion monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code |
-| 615 | Reader removal monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code |
-| 616 | Reader monitor '%2' received uncaught error code: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code
%2 = Reader name |
-| 617 | Reader monitor '%1' exception -- exiting thread | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Smart card reader name |
-| 618 | Smart Card Resource Manager encountered an unrecoverable internal error. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
-| 621 | Server Control failed to access start event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code
These events are caused by legacy functionality in the smart card stack. It can be ignored if there is no noticeable failure in the smart card usage scenarios. |
-| 622 | Server Control failed to access stop event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 602 | WDM Reader driver initialization can't open reader device: %1 | The service can't open a communication channel with the smart card reader. You can't use the smart card reader until the issue is resolved.
%1 = Windows error code |
+| 603 | WDM Reader driver initialization has no memory available to control device %1 | There isn't enough system memory available. This prevents the service from managing the smart card reader that was added. Restarting the computer may resolve the issue.
%1 = Name of affected reader |
+| 604 | Server control can't set reader removal event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 605 | Reader object failed to create overlapped event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 606 | Reader object failed to create removal event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 607 | Reader object failed to start monitor thread: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 608 | Reader monitor failed to create power down timer: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 609 | Reader monitor failed to create overlapped event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 610 | Smart Card Reader '%2' rejected IOCTL %3: %1 If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader can't successfully transmit the indicated IOCTL to the smart card. This can indicate hardware failure, but this error can also occur if a smart card or smart card reader is removed from the system while an operation is in progress.
%1 = Windows error code
%2 = Name of the smart card reader
%3 = IOCTL that was sent
%4 = First 4 bytes of the command sent to the smart card
These events are caused by legacy functionality in the smart card stack. It can be ignored if there's no noticeable failure in the smart card usage scenarios. You might also see this error if your eSIM is recognized as a smartcard controller.|
+| 611 | Smart Card Reader initialization failed | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve this issue. |
+| 612 | Reader insertion monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it isn't recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code |
+| 615 | Reader removal monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it isn't recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code |
+| 616 | Reader monitor '%2' received uncaught error code: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it isn't recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code
%2 = Reader name |
+| 617 | Reader monitor '%1' exception -- exiting thread | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it isn't recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Smart card reader name |
+| 618 | Smart Card Resource Manager encountered an unrecoverable internal error. | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
+| 621 | Server Control failed to access start event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code
These events are caused by legacy functionality in the smart card stack. It can be ignored if there's no noticeable failure in the smart card usage scenarios. |
+| 622 | Server Control failed to access stop event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
## Smart card Plug and Play events
| **Event ID** | **Event type** | **Event Message** | **Description** |
|--------------|----------------|-----------------------------------------------------------------------------------------|----------------|
-| 1000 | Error | Could not get device ID for smart card in reader %1. The return code is %2. | Smart card Plug and Play could not obtain the device ID for the smart card. This information is required to determine the correct driver. The smart card may be defective.
%1 = Smart card reader name
%2 = Windows error code |
+| 1000 | Error | Couldn't get device ID for smart card in reader %1. The return code is %2. | Smart card Plug and Play couldn't obtain the device ID for the smart card. This information is required to determine the correct driver. The smart card may be defective.
%1 = Smart card reader name
%2 = Windows error code |
| 1001 | Information | Software successfully installed for smart card in reader %1. The smart card name is %2. | Smart card Plug and Play successfully installed a minidriver for the inserted card.
%1 = Smart card reader name
%2 = Name of new smart card device |
## See also
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
index 78fe0f4b8a..e2ef4a9160 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@@ -1,5 +1,5 @@
---
-title: Smart Card Group Policy and Registry Settings (Windows)
+title: Smart Card Group Policy and Registry Settings
description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
ms.reviewer: ardenw
ms.topic: article
diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
index a44e2533fc..5d498cb152 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
@@ -21,3 +21,5 @@ This topic for IT professional provides links to resources about the implementat
- [Certificate Propagation Service](smart-card-certificate-propagation-service.md): Learn about how the certificate propagation service works when a smart card is inserted into a computer.
- [Smart Card Removal Policy Service](smart-card-removal-policy-service.md): Learn about using Group Policy to control what happens when a user removes a smart card.
+
+[!INCLUDE [smart-cards-for-windows-service](../../../../includes/licensing/smart-cards-for-windows-service.md)]
\ No newline at end of file
diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
index 40f781ce63..8250828ff6 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
@@ -1,5 +1,5 @@
---
-title: Smart Card Removal Policy Service (Windows)
+title: Smart Card Removal Policy Service
description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
ms.reviewer: ardenw
ms.topic: article
diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
index 170dfa5cf4..e3a98718be 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
@@ -1,5 +1,5 @@
---
-title: Smart Cards for Windows Service (Windows)
+title: Smart Cards for Windows Service
description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
ms.reviewer: ardenw
ms.topic: article
diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
index bb1e4d8fb6..4de4acbfc6 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
@@ -1,5 +1,5 @@
---
-title: Smart Card Tools and Settings (Windows)
+title: Smart Card Tools and Settings
description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
ms.reviewer: ardenw
ms.topic: article
diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
index 3b74397463..07d20ddf30 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
@@ -1,5 +1,5 @@
---
-title: Smart Card Technical Reference (Windows)
+title: Smart Card Technical Reference
description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
ms.reviewer: ardenw
ms.topic: article
diff --git a/windows/security/identity-protection/smart-cards/toc.yml b/windows/security/identity-protection/smart-cards/toc.yml
new file mode 100644
index 0000000000..0d82f8c3a7
--- /dev/null
+++ b/windows/security/identity-protection/smart-cards/toc.yml
@@ -0,0 +1,28 @@
+items:
+- name: Smart Card Technical Reference
+ href: smart-card-windows-smart-card-technical-reference.md
+ items:
+ - name: How Smart Card Sign-in Works in Windows
+ href: smart-card-how-smart-card-sign-in-works-in-windows.md
+ items:
+ - name: Smart Card Architecture
+ href: smart-card-architecture.md
+ - name: Certificate Requirements and Enumeration
+ href: smart-card-certificate-requirements-and-enumeration.md
+ - name: Smart Card and Remote Desktop Services
+ href: smart-card-and-remote-desktop-services.md
+ - name: Smart Cards for Windows Service
+ href: smart-card-smart-cards-for-windows-service.md
+ - name: Certificate Propagation Service
+ href: smart-card-certificate-propagation-service.md
+ - name: Smart Card Removal Policy Service
+ href: smart-card-removal-policy-service.md
+ - name: Smart Card Tools and Settings
+ href: smart-card-tools-and-settings.md
+ items:
+ - name: Smart Cards Debugging Information
+ href: smart-card-debugging-information.md
+ - name: Smart Card Group Policy and Registry Settings
+ href: smart-card-group-policy-and-registry-settings.md
+ - name: Smart Card Events
+ href: smart-card-events.md
\ No newline at end of file
diff --git a/windows/security/identity-protection/toc.yml b/windows/security/identity-protection/toc.yml
new file mode 100644
index 0000000000..d8e6726e39
--- /dev/null
+++ b/windows/security/identity-protection/toc.yml
@@ -0,0 +1,43 @@
+items:
+ - name: Overview
+ href: index.md
+ - name: Passwordless sign-in
+ items:
+ - name: Windows Hello for Business 🔗
+ href: hello-for-business/index.md
+ - name: Windows presence sensing
+ href: https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb
+ - name: Windows Hello for Business Enhanced Security Sign-in (ESS) 🔗
+ href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
+ - name: FIDO 2 security key 🔗
+ href: /azure/active-directory/authentication/howto-authentication-passwordless-security-key
+ - name: Federated sign-in 🔗
+ href: /education/windows/federated-sign-in
+ - name: Smart Cards
+ href: smart-cards/toc.yml
+ - name: Virtual smart cards
+ href: virtual-smart-cards/toc.yml
+ displayName: VSC
+ - name: Enterprise Certificate Pinning
+ href: enterprise-certificate-pinning.md
+ - name: Advanced credential protection
+ items:
+ - name: Windows LAPS (Local Administrator Password Solution) 🔗
+ displayName: LAPS
+ href: /windows-server/identity/laps/laps-overview
+ - name: Account Lockout Policy 🔗
+ href: ../threat-protection/security-policy-settings/account-lockout-policy.md
+ - name: Enhanced phishing protection with SmartScreen
+ href: ../operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
+ displayName: EPP
+ - name: Access Control
+ href: access-control/access-control.md
+ displayName: ACL/SACL
+ - name: Windows Defender Credential Guard
+ href: credential-guard/toc.yml
+ - name: Windows Defender Remote Credential Guard
+ href: remote-credential-guard.md
+ - name: LSA Protection
+ href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
+ - name: Local Accounts
+ href: access-control/local-accounts.md
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
deleted file mode 100644
index 0e56328a44..0000000000
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ /dev/null
@@ -1,179 +0,0 @@
----
-title: How User Account Control works (Windows)
-description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
-ms.collection:
- - highpri
- - tier2
-ms.topic: article
-ms.date: 09/23/2021
----
-
-# How User Account Control works
-
-User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
-
-## UAC process and interactions
-
-Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.
-
-To better understand how this process happens, let's look at the Windows logon process.
-
-### Logon process
-
-The following shows how the logon process for an administrator differs from the logon process for a standard user.
-
-
-
-By default, standard users and administrators access resources and run apps in the security context of standard users. When a user logs on to a computer, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges.
-
-When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed. The standard user access token is used to start apps that do not perform administrative tasks (standard user apps). The standard user access token is then used to display the desktop (explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token.
-
-A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).
-
-### The UAC User Experience
-
-When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows, is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt.
-
-The alternative to running as a standard user is to run as an administrator in Admin Approval Mode. With the built-in UAC elevation component, members of the local Administrators group can easily perform an administrative task by providing approval. The default, built-in UAC elevation component for an administrator account in Admin Approval Mode is called the consent prompt.
-
-**The consent and credential prompts**
-
-With UAC enabled, Windows prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed.
-
-**The consent prompt**
-
-The consent prompt is presented when a user attempts to perform a task that requires a user's administrative access token. The following is an example of the UAC consent prompt.
-
-:::image type="content" source="images/uacconsentprompt.png" alt-text="UAC consent prompt.":::
-
-**The credential prompt**
-
-The credential prompt is presented when a standard user attempts to perform a task that requires a user's administrative access token. Administrators can also be required to provide their credentials by setting the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting value to **Prompt for credentials**.
-
-The following is an example of the UAC credential prompt.
-
-:::image type="content" source="images/uaccredentialprompt.png" alt-text="UAC credential prompt.":::
-
-**UAC elevation prompts**
-
-The UAC elevation prompts are color-coded to be app-specific, enabling for immediate identification of an application's potential security risk. When an app attempts to run with an administrator's full access token, Windows first analyzes the executable file to determine its publisher. Apps are first separated into three categories based on the file's publisher: Windows 10 or Windows 11, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows determines which color elevation prompt to present to the user.
-
-The elevation prompt color-coding is as follows:
-
-- Red background with a red shield icon: The app is blocked by Group Policy or is from a publisher that is blocked.
-- Blue background with a blue and gold shield icon: The application is a Windows 10 and Windows 11 administrative app, such as a Control Panel item.
-- Blue background with a blue shield icon: The application is signed by using Authenticode and is trusted by the local computer.
-- Yellow background with a yellow shield icon: The application is unsigned or signed but is not yet trusted by the local computer.
-
-**Shield icon**
-
-Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screenshot of the **Date and Time Properties** Control Panel item.
-
-:::image type="content" source="images/uacshieldicon.png" alt-text="UAC Shield Icon in Date and Time Properties":::
-
-The shield icon on the **Change date and time** button indicates that the process requires a full administrator access token and will display a UAC elevation prompt.
-
-**Securing the elevation prompt**
-
-The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows 10 and Windows 11. Only Windows processes can access the secure desktop. For higher levels of security, we recommend keeping the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting enabled.
-
-When an executable file requests elevation, the interactive desktop, also called the user desktop, is switched to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be responded to before continuing. When the user clicks **Yes** or **No**, the desktop switches back to the user desktop.
-
-Malware can present an imitation of the secure desktop, but when the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting is set to **Prompt for consent**, the malware does not gain elevation if the user clicks **Yes** on the imitation. If the policy setting is set to **Prompt for credentials**, malware imitating the credential prompt may be able to gather the credentials from the user. However, the malware does not gain elevated privilege and the system has other protections that mitigate malware from taking control of the user interface even with a harvested password.
-
-While malware could present an imitation of the secure desktop, this issue cannot occur unless a user previously installed the malware on the PC. Because processes requiring an administrator access token cannot silently install when UAC is enabled, the user must explicitly provide consent by clicking **Yes** or by providing administrator credentials. The specific behavior of the UAC elevation prompt is dependent upon Group Policy.
-
-## UAC Architecture
-
-The following diagram details the UAC architecture.
-
-
-
-To better understand each component, review the table below:
-
-### User
-
-|Component|Description|
-|--- |--- |
-|
Disabled (default for enterprise) |
-| [User Account Control: Only elevate executables that are signed and validated](#user-account-control-only-elevate-executables-that-are-signed-and-validated) | ValidateAdminCodeSignatures | Disabled |
-| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | EnableSecureUIAPaths | Enabled |
-| [User Account Control: Run all administrators in Admin Approval Mode](#user-account-control-run-all-administrators-in-admin-approval-mode) | EnableLUA | Enabled |
-| [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | PromptOnSecureDesktop | Enabled |
-| [User Account Control: Virtualize file and registry write failures to per-user locations](#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | EnableVirtualization | Enabled |
-
-### User Account Control: Admin Approval Mode for the built-in Administrator account
-
-The **User Account Control: Admin Approval Mode for the built-in Administrator account** policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.
-
-The options are:
-
-- **Enabled.** The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
-- **Disabled.** (Default) The built-in Administrator account runs all applications with full administrative privilege.
-
-
-### User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
-
-The **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
-
-The options are:
-
-- **Enabled.** UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
-- **Disabled.** (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting.
-
-UIA programs are designed to interact with Windows and application programs on behalf of a user. This policy setting allows UIA programs to bypass the secure desktop to increase usability in certain cases; however, allowing elevation requests to appear on the interactive desktop instead of the secure desktop can increase your security risk.
-
-UIA programs must be digitally signed because they must be able to respond to prompts regarding security issues, such as the UAC elevation prompt. By default, UIA programs are run only from the following protected paths:
-
-- ...\\Program Files, including subfolders
-- ...\\Program Files (x86), including subfolders for 64-bit versions of Windows
-- ...\\Windows\\System32
-
-The **User Account Control: Only elevate UIAccess applications that are installed in secure locations** policy setting disables the requirement to be run from a protected path.
-
-While this policy setting applies to any UIA program, it is primarily used in certain remote assistance scenarios, including the Windows Remote Assistance program in Windows 7.
-
-If a user requests remote assistance from an administrator and the remote assistance session is established, any elevation prompts appear on the interactive user's secure desktop and the administrator's remote session is paused. To avoid pausing the remote administrator's session during elevation requests, the user may select the **Allow IT Expert to respond to User Account Control prompts** check box when setting up the remote assistance session. However, selecting this check box requires that the interactive user respond to an elevation prompt on the secure desktop. If the interactive user is a standard user, the user does not have the required credentials to allow elevation.
-
-If you enable this policy setting, requests for elevation are automatically sent to the interactive desktop (not the secure desktop) and also appear on the remote administrator's view of the desktop during a remote assistance session. This allows the remote administrator to provide the appropriate credentials for elevation.
-
-This policy setting does not change the behavior of the UAC elevation prompt for administrators.
-
-If you plan to enable this policy setting, you should also review the effect of the **User Account Control: Behavior of the elevation prompt for standard users** policy setting. If it is configured as **Automatically deny elevation requests**, elevation requests are not presented to the user.
-
-
-### User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
-
-The **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting controls the behavior of the elevation prompt for administrators.
-
-The options are:
-
-- **Elevate without prompting.** Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials.
-
- **Note** Use this option only in the most constrained environments.
-
-- **Prompt for credentials on the secure desktop.** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
-- **Prompt for consent on the secure desktop.** When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.
-- **Prompt for credentials.** When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-- **Prompt for consent.** When an operation requires elevation of privilege, the user is prompted to select either **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.
-- **Prompt for consent for non-Windows binaries.** (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.
-
-
-### User Account Control: Behavior of the elevation prompt for standard users
-
-The **User Account Control: Behavior of the elevation prompt for standard users** policy setting controls the behavior of the elevation prompt for standard users.
-
-The options are:
-
-- **Automatically deny elevation requests.** When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
-- **Prompt for credentials on the secure desktop.** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-- **Prompt for credentials.** (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-
-### User Account Control: Detect application installations and prompt for elevation
-
-The **User Account Control: Detect application installations and prompt for elevation** policy setting controls the behavior of application installation detection for the computer.
-
-The options are:
-
-- **Enabled.** (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-- **Disabled.** (Default for enterprise) Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
-
-### User Account Control: Only elevate executables that are signed and validated
-
-The **User Account Control: Only elevate executables that are signed and validated** policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
-
-The options are:
-
-- **Enabled.** Enforces the PKI certification path validation for a given executable file before it is permitted to run.
-- **Disabled.** (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.
-
-### User Account Control: Only elevate UIAccess applications that are installed in secure locations
-
-The **User Account Control: Only elevate UIAccess applications that are installed in secure locations** policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
-
-- ...\\Program Files, including subfolders
-- ...\\Windows\\system32
-- ...\\Program Files (x86), including subfolders for 64-bit versions of Windows
-
-**Note** Windows enforces a PKI signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
-
-The options are:
-
-- **Enabled.** (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
-- **Disabled.** An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
-
-### User Account Control: Run all administrators in Admin Approval Mode
-
-The **User Account Control: Run all administrators Admin Approval Mode** policy setting controls the behavior of all UAC policy settings for the computer. If you change this policy setting, you must restart your computer.
-
-The options are:
-
-- **Enabled.** (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the **Administrators** group to run in Admin Approval Mode.
-- **Disabled.** Admin Approval Mode and all related UAC policy settings are disabled.
-
-**Note** If this policy setting is disabled, the Windows Security app notifies you that the overall security of the operating system has been reduced.
-
-### User Account Control: Switch to the secure desktop when prompting for elevation
-
-The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
-
-The options are:
-
-- **Enabled.** (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
-- **Disabled.** All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
-
-When this policy setting is enabled, it overrides the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting. The following table describes the behavior of the elevation prompt for each of the administrator policy settings when the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is enabled or disabled.
-
-| Administrator policy setting | Enabled | Disabled |
-| - | - | - |
-| **Prompt for credentials on the secure desktop** | The prompt appears on the secure desktop. | The prompt appears on the secure desktop. |
-| **Prompt for consent on the secure desktop** | The prompt appears on the secure desktop. | The prompt appears on the secure desktop. |
-| **Prompt for credentials** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
-| **Prompt for consent** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
-| **Prompt for consent for non-Windows binaries** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
-
-When this policy setting is enabled, it overrides the **User Account Control: Behavior of the elevation prompt for standard users** policy setting. The following table describes the behavior of the elevation prompt for each of the standard user policy settings when the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is enabled or disabled.
-
-| Standard policy setting | Enabled | Disabled |
-| - | - | - |
-| **Automatically deny elevation requests** | No prompt. The request is automatically denied. | No prompt. The request is automatically denied. |
-| **Prompt for credentials on the secure desktop** | The prompt appears on the secure desktop. | The prompt appears on the secure desktop. |
-| **Prompt for credentials** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
-
-### User Account Control: Virtualize file and registry write failures to per-user locations
-
-The **User Account Control: Virtualize file and registry write failures to per-user locations** policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software.
-
-The options are:
-
-- **Enabled.** (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.
-- **Disabled.** Applications that write data to protected locations fail.
-
-## Registry key settings
-
-The registry keys are found in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System**. For information about each of the registry keys, see the associated Group Policy description.
-
-| Registry key | Group Policy setting | Registry setting |
-| - | - | - |
-| FilterAdministratorToken | [User Account Control: Admin Approval Mode for the built-in Administrator account](#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | 0 (Default) = Disabled
1 = Enabled |
-| EnableUIADesktopToggle | [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | 0 (Default) = Disabled
1 = Enabled |
-| ConsentPromptBehaviorAdmin | [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | 0 = Elevate without prompting
1 = Prompt for credentials on the secure desktop
2 = Prompt for consent on the secure desktop
3 = Prompt for credentials
4 = Prompt for consent
5 (Default) = Prompt for consent for non-Windows binaries
|
-| ConsentPromptBehaviorUser | [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | 0 = Automatically deny elevation requests
1 = Prompt for credentials on the secure desktop
3 (Default) = Prompt for credentials |
-| EnableInstallerDetection | [User Account Control: Detect application installations and prompt for elevation](#user-account-control-detect-application-installations-and-prompt-for-elevation) | 1 = Enabled (default for home)
0 = Disabled (default for enterprise) |
-| ValidateAdminCodeSignatures | [User Account Control: Only elevate executables that are signed and validated](#user-account-control-only-elevate-executables-that-are-signed-and-validated) | 0 (Default) = Disabled
1 = Enabled |
-| EnableSecureUIAPaths | [User Account Control: Only elevate UIAccess applications that are installed in secure locations](#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | 0 = Disabled
1 (Default) = Enabled |
-| EnableLUA | [User Account Control: Run all administrators in Admin Approval Mode](#user-account-control-run-all-administrators-in-admin-approval-mode) | 0 = Disabled
1 (Default) = Enabled |
-| PromptOnSecureDesktop | [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | 0 = Disabled
1 (Default) = Enabled |
-| EnableVirtualization | [User Account Control: Virtualize file and registry write failures to per-user locations](#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | 0 = Disabled
1 (Default) = Enabled |
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
deleted file mode 100644
index e85aae3ab9..0000000000
--- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md
+++ /dev/null
@@ -1,35 +0,0 @@
----
-title: User Account Control (Windows)
-description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop.
-ms.collection:
- - highpri
- - tier2
-ms.topic: article
-ms.date: 09/24/2011
----
-
-# User Account Control
-
-User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
-
-UAC allows all users to log on to their computers using a standard user account. Processes launched using a standard user token may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user permissions. Many apps, including those that are included with the operating system itself, are designed to work properly in this way.
-
-Other apps, especially those that were not specifically designed with security settings in mind, often require additional permissions to run successfully. These types of apps are referred to as legacy apps. Additionally, actions such as installing new software and making configuration changes to the Windows Firewall, require more permissions than what is available to a standard user account.
-
-When an app needs to run with more than standard user rights, UAC allows users to run apps with their administrator token (with administrative groups and privileges) instead of their default, standard user access token. Users continue to operate in the standard user security context, while enabling certain apps to run with elevated privileges, if needed.
-
-## Practical applications
-
-Admin Approval Mode in UAC helps prevent malware from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process.
-
-
-## In this section
-
-| Topic | Description |
-| - | - |
-| [How User Account Control works](how-user-account-control-works.md) | User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. |
-| [User Account Control security policy settings](user-account-control-security-policy-settings.md) | You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. |
-| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. |
-
-
-
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
deleted file mode 100644
index ffdb4e4a3f..0000000000
--- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
+++ /dev/null
@@ -1,94 +0,0 @@
----
-title: User Account Control security policy settings (Windows)
-description: You can use security policies to configure how User Account Control works in your organization.
-ms.topic: article
-ms.date: 09/24/2021
----
-
-# User Account Control security policy settings
-
-You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy.
-
-## User Account Control: Admin Approval Mode for the Built-in Administrator account
-
-This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.
-
-- **Enabled** The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
-- **Disabled** (Default) The built-in Administrator account runs all applications with full administrative privilege.
-
-## User Account Control: Allow UIAccess application to prompt for elevation without using the secure desktop
-
-This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
-
-- **Enabled** UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
-- **Disabled** (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.
-
-## User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
-
-This policy setting controls the behavior of the elevation prompt for administrators.
-
-- **Elevate without prompting** Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials.
-
- >**Note:** Use this option only in the most constrained environments.
-
-- **Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
-- **Prompt for consent on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
-- **Prompt for credentials** When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-- **Prompt for consent** When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
-- **Prompt for consent for non-Windows binaries** (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
-
-## User Account Control: Behavior of the elevation prompt for standard users
-
-This policy setting controls the behavior of the elevation prompt for standard users.
-
-- **Prompt for credentials** (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-- **Automatically deny elevation requests** When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
-- **Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-
-## User Account Control: Detect application installations and prompt for elevation
-
-This policy setting controls the behavior of application installation detection for the computer.
-
-- **Enabled** (Default) When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-- **Disabled** App installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Group Policy or Microsoft Intune should disable this policy setting. In this case, installer detection is unnecessary.
-
-## User Account Control: Only elevate executable files that are signed and validated
-
-This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
-
-- **Enabled** Enforces the certificate certification path validation for a given executable file before it's permitted to run.
-- **Disabled** (Default) Doesn't enforce the certificate certification path validation before a given executable file is permitted to run.
-
-## User Account Control: Only elevate UIAccess applications that are installed in secure locations
-
-This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following folders:
-
-- …\\Program Files\\, including subfolders
-- …\\Windows\\system32\\
-- …\\Program Files (x86)\\, including subfolders for 64-bit versions of Windows
-
->**Note:** Windows enforces a digital signature check on any interactive app that requests to run with a UIAccess integrity level regardless of the state of this security setting.
-
-- **Enabled** (Default) If an app resides in a secure location in the file system, it runs only with UIAccess integrity.
-- **Disabled** An app runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.
-
-## User Account Control: Turn on Admin Approval Mode
-
-This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
-
-- **Enabled** (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately. They'll allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
-- **Disabled** Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Windows Security app notifies you that the overall security of the operating system has been reduced.
-
-## User Account Control: Switch to the secure desktop when prompting for elevation
-
-This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
-
-- **Enabled** (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
-- **Disabled** All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
-
-## User Account Control: Virtualize file and registry write failures to per-user locations
-
-This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software.
-
-- **Enabled** (Default) App write failures are redirected at run time to defined user locations for both the file system and registry.
-- **Disabled** Apps that write data to protected locations fail.
diff --git a/windows/security/identity-protection/virtual-smart-cards/toc.yml b/windows/security/identity-protection/virtual-smart-cards/toc.yml
new file mode 100644
index 0000000000..68842b6001
--- /dev/null
+++ b/windows/security/identity-protection/virtual-smart-cards/toc.yml
@@ -0,0 +1,17 @@
+items:
+- name: Virtual Smart Card overview
+ href: virtual-smart-card-overview.md
+ items:
+ - name: Understand and evaluate virtual smart cards
+ href: virtual-smart-card-understanding-and-evaluating.md
+ items:
+ - name: Get started with virtual smart cards
+ href: virtual-smart-card-get-started.md
+ - name: Use virtual smart cards
+ href: virtual-smart-card-use-virtual-smart-cards.md
+ - name: Deploy virtual smart cards
+ href: virtual-smart-card-deploy-virtual-smart-cards.md
+ - name: Evaluate virtual smart card security
+ href: virtual-smart-card-evaluate-security.md
+ - name: Tpmvscmgr
+ href: virtual-smart-card-tpmvscmgr.md
\ No newline at end of file
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
index 9d8e125298..e3348db8ba 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
@@ -1,5 +1,5 @@
---
-title: Get Started with Virtual Smart Cards - Walkthrough Guide (Windows 10)
+title: Get Started with Virtual Smart Cards - Walkthrough Guide
description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
ms.topic: conceptual
ms.date: 02/22/2023
diff --git a/windows/security/identity-protection/vpn/images/vpn-app-rules.png b/windows/security/identity-protection/vpn/images/vpn-app-rules.png
deleted file mode 100644
index edc4a24209..0000000000
Binary files a/windows/security/identity-protection/vpn/images/vpn-app-rules.png and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/images/vpn-app-trigger.PNG b/windows/security/identity-protection/vpn/images/vpn-app-trigger.PNG
deleted file mode 100644
index aebd913df5..0000000000
Binary files a/windows/security/identity-protection/vpn/images/vpn-app-trigger.PNG and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/images/vpn-connection-intune.png b/windows/security/identity-protection/vpn/images/vpn-connection-intune.png
deleted file mode 100644
index 8098b3445e..0000000000
Binary files a/windows/security/identity-protection/vpn/images/vpn-connection-intune.png and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/images/vpn-eap-xml.png b/windows/security/identity-protection/vpn/images/vpn-eap-xml.png
deleted file mode 100644
index 9a90401c88..0000000000
Binary files a/windows/security/identity-protection/vpn/images/vpn-eap-xml.png and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/images/vpn-name-intune.png b/windows/security/identity-protection/vpn/images/vpn-name-intune.png
deleted file mode 100644
index a7b3bfe3b4..0000000000
Binary files a/windows/security/identity-protection/vpn/images/vpn-name-intune.png and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/images/vpn-split-route.png b/windows/security/identity-protection/vpn/images/vpn-split-route.png
deleted file mode 100644
index 12c3fe64d6..0000000000
Binary files a/windows/security/identity-protection/vpn/images/vpn-split-route.png and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/images/vpn-split.png b/windows/security/identity-protection/vpn/images/vpn-split.png
deleted file mode 100644
index b4143ab1e5..0000000000
Binary files a/windows/security/identity-protection/vpn/images/vpn-split.png and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/images/vpn-traffic-rules.png b/windows/security/identity-protection/vpn/images/vpn-traffic-rules.png
deleted file mode 100644
index fa7b526e80..0000000000
Binary files a/windows/security/identity-protection/vpn/images/vpn-traffic-rules.png and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
deleted file mode 100644
index 51c5aebb16..0000000000
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ /dev/null
@@ -1,94 +0,0 @@
----
-title: VPN auto-triggered profile options (Windows 10 and Windows 11)
-description: Learn about the types of auto-trigger rules for VPNs in Windows, which start a VPN when it is needed to access a resource.
-ms.date: 09/23/2021
-ms.topic: conceptual
----
-
-# VPN auto-triggered profile options
-
-In Windows 10 and Windows 11, a number of features have been added to auto-trigger VPN so users won't have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules:
-
-- App trigger
-- Name-based trigger
-- Always On
-
-> [!NOTE]
-> Auto-triggered VPN connections will not work if Folder Redirection for AppData is enabled. Either Folder Redirection for AppData must be disabled or the auto-triggered VPN profile must be deployed in system context, which changes the path to where the rasphone.pbk file is stored.
-
-
-## App trigger
-
-VPN profiles in Windows 10 or Windows 11 can be configured to connect automatically on the launch of a specified set of applications. You can configure desktop or Universal Windows Platform (UWP) apps to trigger a VPN connection. You can also configure per-app VPN and specify traffic rules for each app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details.
-
-The app identifier for a desktop app is a file path. The app identifier for a UWP app is a package family name.
-
-[Find a package family name (PFN) for per-app VPN configuration](/mem/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn)
-
-## Name-based trigger
-
-You can configure a domain name-based rule so that a specific domain name triggers the VPN connection.
-
-Name-based auto-trigger can be configured using the VPNv2/*ProfileName*/DomainNameInformationList/dniRowId/AutoTrigger setting in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
-
-There are four types of name-based triggers:
-
-- Short name: for example, if **HRweb** is configured as a trigger and the stack sees a DNS resolution request for **HRweb**, the VPN will be triggered.
-- Fully-qualified domain name (FQDN): for example, if **HRweb.corp.contoso.com** is configured as a trigger and the stack sees a DNS resolution request for **HRweb.corp.contoso.com**, the VPN will be triggered.
-- Suffix: for example, if **.corp.contoso.com** is configured as a trigger and the stack sees a DNS resolution request with a matching suffix (such as **HRweb.corp.contoso.com**), the VPN will be triggered. For any short name resolution, VPN will be triggered and the DNS server will be queried for the *ShortName*.**corp.contoso.com**.
-- All: if used, all DNS resolution should trigger VPN.
-
-
-## Always On
-
-Always On is a feature in Windows 10 and Windows 11 which enables the active VPN profile to connect automatically on the following triggers:
-
-- User sign-in
-- Network change
-- Device screen on
-
-When the trigger occurs, VPN tries to connect. If an error occurs or any user input is needed, the user is shown a toast notification for additional interaction.
-
-
-When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**. Devices with multiple users have the same restriction: only one profile and therefore only one user will be able to use the Always On triggers.
-
-## Preserving user Always On preference
-
-Windows has a feature to preserve a user's AlwaysOn preference. In the event that a user manually unchecks the "Connect automatically" checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value **AutoTriggerDisabledProfilesList**.
-
-Should a management tool remove or add the same profile name back and set **AlwaysOn** to **true**, Windows will not check the box if the profile name exists in the following registry value in order to preserve user preference.
-
-**Key:** HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config
-**Value:** AutoTriggerDisabledProfilesList
-**Type:** REG_MULTI_SZ
-
-
-## Trusted network detection
-
-This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffixes. The VPN stack will look at the network name of the physical interface connection profile and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered.
-
-Trusted network detection can be configured using the VPNv2/*ProfileName*/TrustedNetworkDetection setting in the [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp).
-
-
-## Configure app-triggered VPN
-
-See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) for XML configuration.
-
-The following image shows associating an app to a VPN connection in a VPN Profile configuration policy using Microsoft Intune.
-
-
-
-After you add an associated app, if you select the **Only these apps can use this VPN connection (per-app VPN)** checkbox, the app becomes available in **Corporate Boundaries**, where you can configure rules for the app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details.
-
-
-
-## Related topics
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md
deleted file mode 100644
index 0ae1626c8b..0000000000
--- a/windows/security/identity-protection/vpn/vpn-connection-type.md
+++ /dev/null
@@ -1,75 +0,0 @@
----
-title: VPN connection types (Windows 10 and Windows 11)
-description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
-ms.date: 08/23/2021
-ms.topic: conceptual
----
-
-# VPN connection types
-
-Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization's private network.
-
-There are many options for VPN clients. In Windows 10 and Windows 11, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured.
-
-
-
-## Built-in VPN client
-
-- Tunneling protocols
-
- - [Internet Key Exchange version 2 (IKEv2)](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687731(v=ws.10))
-
- Configure the IPsec/IKE tunnel cryptographic properties using the **Cryptography Suite** setting in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
-
- - [L2TP](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687761(v=ws.10))
-
- L2TP with pre-shared key (PSK) authentication can be configured using the **L2tpPsk** setting in the [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp).
-
- - [PPTP](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687676(v=ws.10))
-
- - [SSTP](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687819(v=ws.10))
-
- SSTP is supported for Windows desktop editions only. SSTP cannot be configured using mobile device management (MDM), but it is one of the protocols attempted in the **Automatic** option.
-
- > [!NOTE]
- > When a VPN plug-in is used, the adapter will be listed as an SSTP adapter, even though the VPN protocol used is the plug-in's protocol.
-
-- Automatic
-
- The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt from most secure to least secure.
-
- Configure **Automatic** for the **NativeProtocolType** setting in the [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp).
-
-
-
-## Universal Windows Platform VPN plug-in
-
-The Universal Windows Platform (UWP) VPN plug-ins were introduced in Windows 10 and Windows 11, although there was originally separate version available for the Windows 8.1 PC platform. Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers.
-
-There are a number of Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, Sonicwall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution.
-
-## Configure connection type
-
-See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) for XML configuration.
-
-The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune:
-
-> [!div class="mx-imgBorder"]
-> 
-
-In Intune, you can also include custom XML for third-party plug-in profiles:
-
-> [!div class="mx-imgBorder"]
-> 
-
-
-## Related topics
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md
deleted file mode 100644
index 2c6402477a..0000000000
--- a/windows/security/identity-protection/vpn/vpn-name-resolution.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: VPN name resolution (Windows 10 and Windows 11)
-description: Learn how the name resolution setting in the VPN profile configures how name resolution works when a VPN client connects to a VPN server.
-ms.date: 09/23/2021
-ms.topic: conceptual
----
-
-# VPN name resolution
-
-When the VPN client connects to the VPN server, the VPN client receives the client IP address. The client may also receive the IP address of the Domain Name System (DNS) server and the IP address of the Windows Internet Name Service (WINS) server.
-
-The name resolution setting in the VPN profile configures how name resolution should work on the system when VPN is connected. The networking stack first looks at the Name Resolution Policy table (NRPT) for any matches and tries a resolution in the case of a match. If no match is found, the DNS suffix on the most preferred interface based on the interface metric is appended to the name (in the case of a short name) and a DNS query is sent out on the preferred interface. If the query times out, the DNS suffix search list is used in order and DNS queries are sent on all interfaces.
-
-## Name Resolution Policy table (NRPT)
-
-The NRPT is a table of namespaces that determines the DNS client's behavior when issuing name resolution queries and processing responses. It is the first place that the stack will look after the DNSCache.
-
-There are 3 types of name matches that can set up for NRPT:
-
-- Fully qualified domain name (FQDN) that can be used for direct matching to a name
-
-- Suffix match results in either a comparison of suffixes (for FQDN resolution) or the appending of the suffix (in case of a short name)
-
-- Any resolution should attempt to first resolve with the proxy server/DNS server with this entry
-
-NRPT is set using the **VPNv2/*ProfileName*/DomainNameInformationList** node of the [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp). This node also configures Web proxy server or domain name servers.
-
-[Learn more about NRPT](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee649207(v=ws.10))
-
-
-## DNS suffix
-
-This setting is used to configure the primary DNS suffix for the VPN interface and the suffix search list after the VPN connection is established.
-
-Primary DNS suffix is set using the **VPNv2/*ProfileName*/DnsSuffix** node.
-
-
-
-[Learn more about primaryDNS suffix](/previous-versions/windows/it-pro/windows-2000-server/cc959611(v=technet.10))
-
-## Persistent
-
-You can also configure *persistent* name resolution rules. Name resolution for specified items will only be performed over the VPN.
-
-Persistent name resolution is set using the **VPNv2/*ProfileName*/DomainNameInformationList//*dniRowId*/Persistent** node.
-
-
-
-## Configure name resolution
-
-See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) for XML configuration.
-
-The following image shows name resolution options in a VPN Profile configuration policy using Microsoft Intune.
-
-
-
-The fields in **Add or edit DNS rule** in the Intune profile correspond to the XML settings shown in the following table.
-
-| Field | XML |
-| --- | --- |
-| **Name** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DomainName** |
-| **Servers (comma separated)** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DnsServers** |
-| **Proxy server** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/WebServers** |
-
-## Related topics
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md
deleted file mode 100644
index 925b124da9..0000000000
--- a/windows/security/identity-protection/vpn/vpn-routing.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-ms.date: 09/23/2021
-title: VPN routing decisions
-description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
-ms.topic: conceptual
----
-# VPN routing decisions
-
-Network routes are required for the stack to understand which interface to use for outbound traffic. One of the most important decision points for VPN configuration is whether you want to send all the data through VPN (*force tunnel*) or only some data through the VPN (*split tunnel*). This decision impacts the configuration and the capacity planning, as well as security expectations from the connection.
-
-## Split tunnel configuration
-
-In a split tunnel configuration, routes can be specified to go over VPN and all other traffic will go over the physical interface.
-
-Routes can be configured using the VPNv2/*ProfileName*/RouteList setting in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
-
-For each route item in the list, the following can be specified:
-
-- **Address**: VPNv2/*ProfileName*/RouteList/*routeRowId*/Address
-- **Prefix size**: VPNv2/*ProfileName*/RouteList/*routeRowId*/Prefix
-- **Exclusion route**: VPNv2/*ProfileName*/RouteList/*routeRowId*/ExclusionRoute
-
- Windows VPN platform now supports the ability to specify exclusion routes that specifically should not go over the physical interface.
-
-Routes can also be added at connect time through the server for UWP VPN apps.
-
-## Force tunnel configuration
-
-In a force tunnel configuration, all traffic will go over VPN. This is the default configuration and takes effect if no routes are specified.
-
-The only implication of this setting is the manipulation of routing entries. In the case of a force tunnel, VPN V4 and V6 default routes (for example. 0.0.0.0/0) are added to the routing table with a lower metric than ones for other interfaces. This sends traffic through the VPN as long as there isn't a specific route on the physical interface itself.
-
-For built-in VPN, this decision is controlled using the MDM setting **VPNv2/ProfileName/NativeProfile/RoutingPolicyType**.
-
-For a UWP VPN plug-in, this property is directly controlled by the app. If the VPN plug-in indicates the default route for IPv4 and IPv6 as the only two Inclusion routes, the VPN platform marks the connection as Force Tunneled.
-
-## Configure routing
-
-See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) for XML configuration.
-
-When you configure a VPN profile in Microsoft Intune, you select a checkbox to enable split tunnel configuration.
-
-
-
-Next, in **Corporate Boundaries**, you add the routes that should use the VPN connection.
-
-
-
-
-## Related topics
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md
deleted file mode 100644
index c4d9da3ec4..0000000000
--- a/windows/security/identity-protection/vpn/vpn-security-features.md
+++ /dev/null
@@ -1,84 +0,0 @@
----
-title: VPN security features
-description: Learn about security features for VPN, including LockDown VPN, Windows Information Protection integration with VPN, and traffic filters.
-ms.date: 07/21/2022
-ms.topic: conceptual
----
-
-# VPN security features
-
-## Hyper-V based containers and VPN
-
-Windows supports different kinds of Hyper-V based containers. This support includes, but isn't limited to, Microsoft Defender Application Guard and Windows Sandbox. When you use 3rd party VPN solutions, these Hyper-V based containers may not be able to seamlessly connect to the internet. Additional configurational changes might be needed to resolve connectivity issues.
-
-For example, for more information on a workaround for Cisco AnyConnect VPN, see [Cisco AnyConnect Secure Mobility Client Administrator Guide: Connectivity issues with VM-based subsystems](https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/troubleshoot-anyconnect.html#Cisco_Task_in_List_GUI.dita_3a9a8101-f034-4e9b-b24a-486ee47b5e9f).
-
-## Windows Information Protection (WIP) integration with VPN
-
-Windows Information Protection provides capabilities allowing the separation and protection of enterprise data against disclosure across both company and personally owned devices, without requiring additional changes to the environments or the apps themselves. Additionally, when used with Rights Management Services (RMS), WIP can help to protect enterprise data locally.
-
-The **EdpModeId** node in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) allows a Windows 10 or Windows 11 VPN client to integrate with WIP, extending its functionality to remote devices. Use case scenarios for WIP include:
-
-- Core functionality: File encryption and file access blocking
-- UX policy enforcement: Restricting copy/paste, drag/drop, and sharing operations
-- WIP network policy enforcement: Protecting intranet resources over the corporate network and VPN
-- Network policy enforcement: Protecting SMB and Internet cloud resources over the corporate network and VPN
-
-The value of the **EdpModeId** is an Enterprise ID. The networking stack will look for this ID in the app token to determine whether VPN should be triggered for that particular app.
-
-Additionally, when connecting with WIP, the admin does not have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced configuration is needed) because the WIP policies and App lists automatically take effect.
-
-[Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip)
-
-
-## Traffic Filters
-
-Traffic Filters give enterprises the ability to decide what traffic is allowed into the corporate network based on policy. Network admins can use Traffic Filters to effectively add interface specific firewall rules on the VPN Interface. There are two types of Traffic Filter rules:
-
-- App-based rules. With app-based rules, a list of applications can be marked to allow only traffic originating from these apps to go over the VPN interface.
-- Traffic-based rules. Traffic-based rules are 5-tuple policies (ports, addresses, protocol) that can be specified to allow only traffic matching these rules to go over the VPN interface.
-
-There can be many sets of rules which are linked by OR. Within each set, there can be app-based rules and traffic-based rules; all the properties within the set will be linked by AND. In addition, these rules can be applied at a per-app level or a per-device level.
-
-For example, an admin could define rules that specify:
-
-- The Contoso HR App must be allowed to go through the VPN and only access port 4545.
-- The Contoso finance apps are allowed to go over the VPN and only access the Remote IP ranges of 10.10.0.40 - 10.10.0.201 on port 5889.
-- All other apps on the device should be able to access only ports 80 or 443.
-
-## Configure traffic filters
-
-See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) for XML configuration.
-
-The following image shows the interface to configure traffic rules in a VPN Profile configuration policy, using Microsoft Intune.
-
-
-
-
-## LockDown VPN
-
-A VPN profile configured with LockDown secures the device to only allow network traffic over the VPN interface. It has the following features:
-
-- The system attempts to keep the VPN connected at all times.
-- The user cannot disconnect the VPN connection.
-- The user cannot delete or modify the VPN profile.
-- The VPN LockDown profile uses forced tunnel connection.
-- If the VPN connection is not available, outbound network traffic is blocked.
-- Only one VPN LockDown profile is allowed on a device.
-
-> [!NOTE]
-> For built-in VPN, LockDown VPN is only available for the Internet Key Exchange version 2 (IKEv2) connection type.
-
-Deploy this feature with caution, as the resultant connection will not be able to send or receive any network traffic without the VPN being connected.
-
-
-## Related topics
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN profile options](vpn-profile-options.md)
diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
deleted file mode 100644
index 5cbde2e21f..0000000000
--- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-title: Windows Credential Theft Mitigation Guide Abstract
-description: Provides a summary of the Windows credential theft mitigation guide.
-ms.topic: conceptual
-ms.date: 03/31/2023
----
-
-# Windows Credential Theft Mitigation Guide Abstract
-
-This topic provides a summary of the Windows credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx).
-This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages:
-
-- Identify high-value assets
-- Protect against known and unknown threats
-- Detect pass-the-hash and related attacks
-- Respond to suspicious activity
-- Recover from a breach
-
-
-
-## Attacks that steal credentials
-
-Learn about the different types of attacks that are used to steal credentials, and the factors that can place your organization at risk.
-The types of attacks that are covered include:
-
-- Pass the hash
-- Kerberos pass the ticket
-- Kerberos golden ticket and silver ticket
-- Key loggers
-- Shoulder surfing
-
-## Credential protection strategies
-
-This part of the guide helps you consider the mindset of the attacker, with prescriptive guidance about how to prioritize high-value accounts and computers.
-You'll learn how to architect a defense against credential theft:
-
-- Establish a containment model for account privileges
-- Harden and restrict administrative hosts
-- Ensure that security configurations and best practices are implemented
-
-## Technical countermeasures for credential theft
-
-Objectives and expected outcomes are covered for each of these countermeasures:
-
-- Use Windows 10 with Credential Guard
-- Restrict and protect high-privilege domain accounts
-- Restrict and protect local accounts with administrative privileges
-- Restrict inbound network traffic
-
-Many other countermeasures are also covered, such as using Microsoft Passport and Windows Hello, or multifactor authentication.
-
-## Detecting credential attacks
-
-This sections covers how to detect the use of stolen credentials and how to collect computer events to help you detect credential theft.
-
-## Responding to suspicious activity
-
-Learn Microsoft's recommendations for responding to incidents, including how to recover control of compromised accounts, how to investigate attacks, and how to recover from a breach.
diff --git a/windows/security/identity.md b/windows/security/identity.md
deleted file mode 100644
index c773cf7055..0000000000
--- a/windows/security/identity.md
+++ /dev/null
@@ -1,25 +0,0 @@
----
-title: Windows identity and user security
-description: Get an overview of identity security in Windows 11 and Windows 10
-ms.reviewer:
-manager: aaroncz
-ms.author: paoloma
-author: paolomatarazzo
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.date: 12/31/2017
-ms.topic: article
----
-
-# Windows identity and privacy
-
-Malicious actors launch millions of password attacks every day. Weak passwords, password spraying, and phishing are the entry point for many attacks. Knowing that the right user is accessing the right device and the right data is critical to keeping your business, family, and self, safe and secure. Windows Hello, Windows Hello for Business, and Credential Guard enable customers to move to passwordless multifactor authentication (MFA). MFA can reduce the risk of compromise in organizations.
-
-| Security capabilities | Description |
-|:---|:---|
-| Securing user identity with Windows Hello | Windows Hello and Windows Hello for Business replace password-based authentication with a stronger authentication model to sign into your device using a passcode (PIN) or other biometric based authentication. This PIN or biometric based authentication is only valid on the device that you registered it for and cannot be used on another deviceLearn more: [Windows Hello for Business](identity-protection\hello-for-business\hello-overview.md) |
-| Windows Defender Credential Guard and Remote Credential Guard | Windows Defender Credential Guard helps protects your systems from credential theft attack techniques (pass-the-hash or pass-the-ticket) as well as helping prevent malware from accessing system secrets even if the process is running with admin privileges. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. Learn more: [Protect derived domain credentials with Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard-how-it-works.md) and [Protect Remote Desktop credentials with Windows Defender Remote Credential Guard](identity-protection/remote-credential-guard.md)|
-| FIDO Alliance | Fast Identity Online (FIDO) defined protocols are becoming the open standard for providing strong authentication that helps prevent phishing and are user-friendly and privacy-respecting. Windows 11 supports the use of device sign-in with FIDO 2 security keys, and with Microsoft Edge or other modern browsers, supports the use of secure FIDO-backed credentials to keep user accounts protected. Learn more about the [FIDO Alliance](https://fidoalliance.org/). |
-| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](/azure/active-directory/authentication/howto-authentication-passwordless-phone). |
-| Smart Cards | Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks in Windows, such as authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Learn more about [Smart Cards](identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md).|
-| Access Control | Access control is the process of authorizing users, groups, and computers to access objects and assets on a network or computer. Computers can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. Learn more: [Access Control](identity-protection/access-control/access-control.md).|
diff --git a/windows/security/images/icons/certificate.svg b/windows/security/images/icons/certificate.svg
new file mode 100644
index 0000000000..3bd8b81da3
--- /dev/null
+++ b/windows/security/images/icons/certificate.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/images/icons/license.svg b/windows/security/images/icons/license.svg
new file mode 100644
index 0000000000..96ffa5b4eb
--- /dev/null
+++ b/windows/security/images/icons/license.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/includes/sections/application-application-control-overview.md b/windows/security/includes/sections/application-application-control-overview.md
new file mode 100644
index 0000000000..00b89b3535
--- /dev/null
+++ b/windows/security/includes/sections/application-application-control-overview.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Application Control features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)|Yes|Yes|Yes|Yes|
+|[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|
+|[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Application Control features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)|Yes|Yes|Yes|Yes|Yes|
+|[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|Yes|
+|[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/application-application-isolation-overview.md b/windows/security/includes/sections/application-application-isolation-overview.md
new file mode 100644
index 0000000000..252a6d415b
--- /dev/null
+++ b/windows/security/includes/sections/application-application-isolation-overview.md
@@ -0,0 +1,30 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Application Isolation features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)|Yes|Yes|Yes|Yes|
+|[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)|❌|Yes|❌|Yes|
+|Microsoft Defender Application Guard (MDAG) public APIs|❌|Yes|❌|Yes|
+|[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)|❌|Yes|❌|Yes|
+|[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)|❌|Yes|❌|Yes|
+|[Windows containers](/virtualization/windowscontainers/about/)|Yes|Yes|Yes|Yes|
+|[Windows Sandbox](../../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Application Isolation features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)|Yes|Yes|Yes|Yes|Yes|
+|[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)|❌|Yes|Yes|Yes|Yes|
+|Microsoft Defender Application Guard (MDAG) public APIs|❌|Yes|Yes|Yes|Yes|
+|[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)|❌|❌|❌|❌|❌|
+|[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)|❌|Yes|Yes|Yes|Yes|
+|[Windows containers](/virtualization/windowscontainers/about/)|Yes|Yes|Yes|Yes|Yes|
+|[Windows Sandbox](../../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/application.md b/windows/security/includes/sections/application.md
new file mode 100644
index 0000000000..247d4a9ae8
--- /dev/null
+++ b/windows/security/includes/sections/application.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/06/2023
+ms.topic: include
+---
+
+## Application Control
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)** | User Account Control (UAC) helps prevent malware from damaging a device. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevents inadvertent changes to system settings. Enabling UAC helps to prevent malware from altering device settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. |
+| **[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means for addressing the threat of executable file-based malware.
Windows 10 and above include Windows Defender Application Control (WDAC) and AppLocker. WDAC is the next generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to WDAC for the stronger protection. |
+| **[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections, by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run that are predicted to be safe based on existing and new intelligence processed daily. Smart App Control builds on top of the same cloud-based AI used in Windows Defender Application Control (WDAC) to predict the safety of an application, so people can be confident they're using safe and reliable applications on their new Windows 11 devices, or Windows 11 devices that have been reset. |
+
+## Application Isolation
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites. |
+| **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)** | Microsoft Defender Application Guard protects users' desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigation in an anonymous and isolated Hyper-V based container, which is separate from the host operating system. With Enterprise mode, you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. |
+| **Microsoft Defender Application Guard (MDAG) public APIs** | Enable applications using them to be isolated Hyper-V based container, which is separate from the host operating system. |
+| **[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)** | Application Guard protects Office files including Word, PowerPoint, and Excel. Application icons have a small shield if Application Guard has been enabled and they are under protection. |
+| **[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)** | The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. |
+| **[Windows containers](/virtualization/windowscontainers/about/)** | Universal Windows Platform (UWP) applications run in Windows containers known as app containers. Processes that run in app containers operate with low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the filesystem, registry, and other resources. The app container also enforces restrictions on network connectivity; for example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape. |
+| **[Windows Sandbox](../../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)** | Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based Hyper-V virtualization technology to isolate apps without fear of lasting impact to your PC. |
diff --git a/windows/security/includes/sections/cloud-services-protecting-your-work-information-overview.md b/windows/security/includes/sections/cloud-services-protecting-your-work-information-overview.md
new file mode 100644
index 0000000000..3f4998f4bc
--- /dev/null
+++ b/windows/security/includes/sections/cloud-services-protecting-your-work-information-overview.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Protecting Your Work Information features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)|Yes|Yes|Yes|Yes|
+|[Security baselines](/mem/intune/protect/security-baselines)|Yes|Yes|Yes|Yes|
+|[Remote wipe](/windows/client-management/mdm/remotewipe-csp)|Yes|Yes|Yes|Yes|
+|[Manage by Mobile Device Management (MDM) and group policy](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)|Yes|Yes|Yes|Yes|
+|[Universal Print](/universal-print/)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Protecting Your Work Information features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)|Yes|Yes|Yes|Yes|Yes|
+|[Security baselines](/mem/intune/protect/security-baselines)|Yes|Yes|Yes|Yes|Yes|
+|[Remote wipe](/windows/client-management/mdm/remotewipe-csp)|Yes|Yes|Yes|Yes|Yes|
+|[Manage by Mobile Device Management (MDM) and group policy](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)|Yes|Yes|Yes|Yes|Yes|
+|[Universal Print](/universal-print/)|❌|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/cloud-services-update-overview.md b/windows/security/includes/sections/cloud-services-update-overview.md
new file mode 100644
index 0000000000..b20a97756d
--- /dev/null
+++ b/windows/security/includes/sections/cloud-services-update-overview.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Update features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Windows Autopatch](/windows/deployment/windows-autopatch/)|❌|Yes|❌|Yes|
+|[Windows Autopilot](/windows/deployment/windows-autopilot)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Update features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Windows Autopatch](/windows/deployment/windows-autopatch/)|❌|Yes|Yes|❌|❌|
+|[Windows Autopilot](/windows/deployment/windows-autopilot)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/cloud-services.md b/windows/security/includes/sections/cloud-services.md
new file mode 100644
index 0000000000..4c2d636206
--- /dev/null
+++ b/windows/security/includes/sections/cloud-services.md
@@ -0,0 +1,23 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/06/2023
+ms.topic: include
+---
+
+## Protecting Your Work Information
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)** | Microsoft Azure Active Directory is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. |
+| **[Security baselines](/mem/intune/protect/security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.
Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. |
+| **[Remote wipe](/windows/client-management/mdm/remotewipe-csp)** | When a device is lost or stolen, IT administrators may want to remotely wipe data stored on the device. A helpdesk agent may also want to reset devices to fix issues encountered by remote workers.
With the Remote Wipe configuration service provider (CSP), an MDM solution can remotely initiate any of the following operations on a Windows device: reset the device and remove user accounts and data, reset the device and clean the drive, reset the device but persist user accounts and data. |
+| **[Manage by Mobile Device Management (MDM) and group policy](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. |
+| **[Universal Print](/universal-print/)** | Unlike traditional print solutions that rely on Windows print servers, Universal Print is a
Microsoft hosted cloud subscription service that supports a zero-trust security model by
enabling network isolation of printers, including the Universal Print connector software, from
the rest of the organization's resources. |
+
+## Update
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Windows Autopatch](/windows/deployment/windows-autopatch/)** | With the Autopatch service, IT teams can delegate management of updates to Windows 10/11, Microsoft Edge, and Microsoft 365 apps to Microsoft. Under the hood, Autopatch takes over configuration of the policies and deployment service of Windows Update for Business. What the customer gets are endpoints that are up to date, thanks to dynamically generated rings for progressive deployment that will pause and/or roll back updates (where possible) when issues arise.
The goal is to provide peace of mind to IT pros, encourage rapid adoption of updates, and to reduce bandwidth required to deploy them successfully, thereby closing gaps in protection that may have been open to exploitation by malicious actors. |
+| **[Windows Autopilot](/windows/deployment/windows-autopilot)** | Windows Autopilot simplifies the way devices get deployed, reset, and repurposed, with an experience that is zero touch for IT. |
diff --git a/windows/security/includes/sections/hardware-hardware-root-of-trust-overview.md b/windows/security/includes/sections/hardware-hardware-root-of-trust-overview.md
new file mode 100644
index 0000000000..cb297f9fb2
--- /dev/null
+++ b/windows/security/includes/sections/hardware-hardware-root-of-trust-overview.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Hardware Root-Of-Trust features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Windows Defender System Guard](../../hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)|Yes|Yes|Yes|Yes|
+|[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)|Yes|Yes|Yes|Yes|
+|[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Hardware Root-Of-Trust features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Windows Defender System Guard](../../hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)|Yes|Yes|Yes|Yes|Yes|
+|[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/hardware-silicon-assisted-security-secured-kernel-overview.md b/windows/security/includes/sections/hardware-silicon-assisted-security-secured-kernel-overview.md
new file mode 100644
index 0000000000..fb61005d36
--- /dev/null
+++ b/windows/security/includes/sections/hardware-silicon-assisted-security-secured-kernel-overview.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Silicon Assisted Security (Secured Kernel) features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)|Yes|Yes|Yes|Yes|
+|[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)|Yes|Yes|Yes|Yes|
+|[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)|Yes|Yes|Yes|Yes|
+|[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)|Yes|Yes|Yes|Yes|
+|[Kernel Direct Memory Access (DMA) protection](../../hardware-security/kernel-dma-protection-for-thunderbolt.md)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Silicon Assisted Security (Secured Kernel) features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)|Yes|Yes|Yes|Yes|Yes|
+|[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)|Yes|Yes|Yes|Yes|Yes|
+|[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)|Yes|Yes|Yes|Yes|Yes|
+|[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)|Yes|Yes|Yes|Yes|Yes|
+|[Kernel Direct Memory Access (DMA) protection](../../hardware-security/kernel-dma-protection-for-thunderbolt.md)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/hardware.md b/windows/security/includes/sections/hardware.md
new file mode 100644
index 0000000000..52202f35f7
--- /dev/null
+++ b/windows/security/includes/sections/hardware.md
@@ -0,0 +1,24 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/06/2023
+ms.topic: include
+---
+
+## Hardware Root-Of-Trust
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Windows Defender System Guard](../../hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)** | In Secured-core PCs, Windows Defender System Guard Secure Launch protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit/bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. Firmware Attack Surface Reduction technology can be used instead of DRTM on supporting devices such as Microsoft Surface. |
+| **[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)** | TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, Windows Defender System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. The 2.0 version of the specification includes support for newer algorithms, which can improve driver signing and key generation performance.
Starting with Windows 10, Microsoft's hardware certification requires all new Windows PCs to include TPM 2.0 built in and enabled by default. With Windows 11, both new and upgraded devices must have TPM 2.0. |
+| **[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)** | Microsoft Pluton security processors are designed by Microsoft in partnership with silicon partners. Pluton enhances the protection of Windows devices with a hardware root-of-trust that provides additional protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface as it integrates the security chip directly into the processor. It can be used with a discreet TPM 2.0, or as a standalone security processor. When root of trust is located on a separate, discrete chip on the motherboard, the communication path between the root-of-trust and the CPU can be vulnerable to physical attack. Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPMs including BitLocker, Windows Hello, and Windows Defender System Guard.
In addition to providing root-of trust, Pluton also supports other security functionality beyond what is possible with the TPM 2.0 specification, and this extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. Pluton-enabled Windows 11 devices are available and the selection of options with Pluton is growing. |
+
+## Silicon Assisted Security (Secured Kernel)
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)** | In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest chips that harden the operating system against threats, such as by protecting the boot process, safeguarding the integrity of memory, isolating security sensitive compute logic, and more. Two examples include Virtualization-based security (VBS) and Hypervisor-protected code integrity (HVCI). Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel remains protected.
Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.
With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
+| **[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)** | Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps to prevent attacks that attempt to modify kernel mode code, such as drivers. The KMCI role is to check that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI helps to ensure that only validated code can be executed in kernel-mode.
Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.
With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
+| **[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)** | Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats such as memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack. |
+| **[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)** | Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs. The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows. Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root of trust. Virtualization-based security comes enabled by default. And with built-in hypervisor protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all executables are signed by known and approved authorities only. Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks. |
+| **[Kernel Direct Memory Access (DMA) protection](../../hardware-security/kernel-dma-protection-for-thunderbolt.md)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. |
diff --git a/windows/security/includes/sections/identity-advanced-credential-protection-overview.md b/windows/security/includes/sections/identity-advanced-credential-protection-overview.md
new file mode 100644
index 0000000000..c8f646fb31
--- /dev/null
+++ b/windows/security/includes/sections/identity-advanced-credential-protection-overview.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Advanced Credential Protection features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Windows LAPS](/windows-server/identity/laps/laps-overview)|Yes|Yes|Yes|Yes|
+|[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)|Yes|Yes|Yes|Yes|
+|[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)|Yes|Yes|Yes|Yes|
+|[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)|Yes|Yes|Yes|Yes|
+|[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)|❌|Yes|❌|Yes|
+|[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Advanced Credential Protection features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Windows LAPS](/windows-server/identity/laps/laps-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)|Yes|Yes|Yes|Yes|Yes|
+|[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)|Yes|Yes|Yes|Yes|Yes|
+|[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)|Yes|Yes|Yes|Yes|Yes|
+|[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)|❌|Yes|Yes|Yes|Yes|
+|[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/identity-passwordless-sign-in-overview.md b/windows/security/includes/sections/identity-passwordless-sign-in-overview.md
new file mode 100644
index 0000000000..c2666f968d
--- /dev/null
+++ b/windows/security/includes/sections/identity-passwordless-sign-in-overview.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Passwordless Sign In features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)|Yes|Yes|Yes|Yes|
+|[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)|Yes|Yes|Yes|Yes|
+|[Windows Hello for Business Enhanced Security Sign-in (ESS) ](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)|Yes|Yes|Yes|Yes|
+|[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)|Yes|Yes|Yes|Yes|
+|[Federated sign-in](/education/windows/federated-sign-in)|❌|❌|Yes|Yes|
+|[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Passwordless Sign In features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)|Yes|Yes|Yes|Yes|Yes|
+|[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)|Yes|Yes|Yes|Yes|Yes|
+|[Windows Hello for Business Enhanced Security Sign-in (ESS) ](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)|Yes|Yes|Yes|Yes|Yes|
+|[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)|Yes|Yes|Yes|Yes|Yes|
+|[Federated sign-in](/education/windows/federated-sign-in)|❌|❌|❌|Yes|Yes|
+|[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/identity.md b/windows/security/includes/sections/identity.md
new file mode 100644
index 0000000000..b31aaf1ca9
--- /dev/null
+++ b/windows/security/includes/sections/identity.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/06/2023
+ms.topic: include
+---
+
+## Passwordless Sign In
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)** | Windows 11 devices can protect user identities by removing the need to use passwords from day one. It's easy to get started with the method that's right for your organization. A password may only need to be used once during the provisioning process, after which people use a PIN, face, or fingerprint to unlock credentials and sign into the device.
Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometrics data, and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business, depending on your organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers. |
+| **[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)** | Windows presence sensing provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to your presence to help you stay secure and productive, whether you're working at home, the office, or a public environment. Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to automatically lock your device when you leave, and then unlock your device and sign you in using Windows Hello facial recognition when you return. Requires OEM supporting hardware. |
+| **[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)** | Windows Hello biometrics also supports enhanced sign-in security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign in.
Enhanced sign-in security biometrics uses VBS and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated. These specialized components protect against a class of attacks that include biometric sample injection, replay, tampering, and more.
For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional class of attacks. |
+| **[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)** | Fast Identity Online (FIDO) defined CTAP and WebAuthN specifications are becoming the open standard for providing strong authentication that is non-phishable, user-friendly, and privacy-respecting with implementations from major platform providers and relying parties. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.
Windows 11 can use external FIDO2 security keys for authentication alongside or in addition to Windows Hello which is also a FIDO2 certified passwordless solution. Windows 11 can be used as a FIDO authenticator for many popular identity management services. |
+| **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with third-party identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. |
+| **[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)** | Organizations also have the option of using smart cards, an authentication method that pre-dates biometric sign in. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Smart cards can only be used to sign into domain accounts, not local accounts. When a password is used to sign into a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. |
+
+## Advanced Credential Protection
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Windows LAPS](/windows-server/identity/laps/laps-overview)** | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it. |
+| **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** | |
+| **[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. |
+| **[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)** | Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.
Access Control Lists (ACL) describe the permissions for a specific object and can also contain System Access Control Lists (SACL). SACLs provide a way to audit specific system level events, such as when a user attempt to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. |
+| **[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)** | Enabled by default in Windows 11 Enterprise, Windows Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Windows Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
By protecting the LSA process with Virtualization-based security, Windows Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. |
+| **[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Window Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
Administrator credentials are highly privileged and must be protected. When you use Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. |
diff --git a/windows/security/includes/sections/operating-system-encryption-and-data-protection-overview.md b/windows/security/includes/sections/operating-system-encryption-and-data-protection-overview.md
new file mode 100644
index 0000000000..68b64731f3
--- /dev/null
+++ b/windows/security/includes/sections/operating-system-encryption-and-data-protection-overview.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Data Protection features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)|Yes|Yes|Yes|Yes|
+|[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)|Yes|Yes|Yes|Yes|
+|[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)|Yes|Yes|Yes|Yes|
+|[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)|❌|Yes|❌|Yes|
+|[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Data Protection features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)|❌|Yes|Yes|Yes|Yes|
+|[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)|Yes|Yes|Yes|Yes|Yes|
+|[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)|❌|Yes|Yes|Yes|Yes|
+|[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/operating-system-modern-device-management-overview.md b/windows/security/includes/sections/operating-system-modern-device-management-overview.md
new file mode 100644
index 0000000000..b43f14f6ef
--- /dev/null
+++ b/windows/security/includes/sections/operating-system-modern-device-management-overview.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Modern Device Management features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)|Yes|Yes|Yes|Yes|
+|[Secured-core configuration lock](/windows/client-management/config-lock)|Yes|Yes|Yes|Yes|
+|[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Modern Device Management features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)|Yes|Yes|Yes|Yes|Yes|
+|[Secured-core configuration lock](/windows/client-management/config-lock)|Yes|Yes|Yes|Yes|Yes|
+|[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/operating-system-network-security-overview.md b/windows/security/includes/sections/operating-system-network-security-overview.md
new file mode 100644
index 0000000000..95b71a85f8
--- /dev/null
+++ b/windows/security/includes/sections/operating-system-network-security-overview.md
@@ -0,0 +1,36 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Network Security features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)|Yes|Yes|Yes|Yes|
+|Bluetooth pairing and connection protection|Yes|Yes|Yes|Yes|
+|[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)|Yes|Yes|Yes|Yes|
+|Opportunistic Wireless Encryption (OWE)|Yes|Yes|Yes|Yes|
+|[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)|Yes|Yes|Yes|Yes|
+|[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)|Yes|Yes|Yes|Yes|
+|[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)|❌|Yes|❌|Yes|
+|[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)|❌|Yes|❌|Yes|
+|[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)|Yes|Yes|Yes|Yes|
+|[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Network Security features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)|Yes|Yes|Yes|Yes|Yes|
+|Bluetooth pairing and connection protection|Yes|Yes|Yes|Yes|Yes|
+|[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)|Yes|Yes|Yes|Yes|Yes|
+|Opportunistic Wireless Encryption (OWE)|Yes|Yes|Yes|Yes|Yes|
+|[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)|Yes|Yes|Yes|Yes|Yes|
+|[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)|Yes|Yes|Yes|Yes|Yes|
+|[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)|❌|Yes|Yes|Yes|Yes|
+|[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)|❌|Yes|Yes|Yes|Yes|
+|[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/operating-system-system-security-overview.md b/windows/security/includes/sections/operating-system-system-security-overview.md
new file mode 100644
index 0000000000..426c265aca
--- /dev/null
+++ b/windows/security/includes/sections/operating-system-system-security-overview.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all System Security features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Secure Boot and Trusted Boot](/windows/security/trusted-boot)|Yes|Yes|Yes|Yes|
+|[Measured boot](/windows/compatibility/measured-boot)|Yes|Yes|Yes|Yes|
+|[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all System Security features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Secure Boot and Trusted Boot](/windows/security/trusted-boot)|Yes|Yes|Yes|Yes|Yes|
+|[Measured boot](/windows/compatibility/measured-boot)|Yes|Yes|Yes|Yes|Yes|
+|[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/operating-system-virus-and-threat-protection-overview.md b/windows/security/includes/sections/operating-system-virus-and-threat-protection-overview.md
new file mode 100644
index 0000000000..4853fdc620
--- /dev/null
+++ b/windows/security/includes/sections/operating-system-virus-and-threat-protection-overview.md
@@ -0,0 +1,34 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Virus And Threat Protection features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)|Yes|Yes|Yes|Yes|
+|Local Security Authority (LSA) Protection|Yes|Yes|Yes|Yes|
+|[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)|Yes|Yes|Yes|Yes|
+|[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)|Yes|Yes|Yes|Yes|
+|[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)|Yes|Yes|Yes|Yes|
+|[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)|Yes|Yes|Yes|Yes|
+|[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)|Yes|Yes|Yes|Yes|
+|[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)|Yes|Yes|Yes|Yes|
+|[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Virus And Threat Protection features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)|Yes|Yes|Yes|Yes|Yes|
+|Local Security Authority (LSA) Protection|Yes|Yes|Yes|Yes|Yes|
+|[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)|Yes|Yes|Yes|Yes|Yes|
+|[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)|Yes|Yes|Yes|Yes|Yes|
+|[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)|Yes|Yes|Yes|Yes|Yes|
+|[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)|Yes|Yes|Yes|Yes|Yes|
+|[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)|Yes|Yes|Yes|Yes|Yes|
+|[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)|❌|❌|Yes|❌|Yes|
diff --git a/windows/security/includes/sections/operating-system.md b/windows/security/includes/sections/operating-system.md
new file mode 100644
index 0000000000..92fb6e2756
--- /dev/null
+++ b/windows/security/includes/sections/operating-system.md
@@ -0,0 +1,61 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/06/2023
+ms.topic: include
+---
+
+## System Security
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Secure Boot and Trusted Boot](/windows/security/trusted-boot)** | Secure Boot and Trusted Boot help to prevent malware and corrupted components from loading when a device starts.
Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure the system boots up safely and securely. |
+| **[Measured boot](/windows/compatibility/measured-boot)** | Measured Boot measures all important code and configuration settings during the boot of Windows. This includes: the firmware, boot manager, hypervisor, kernel, secure kernel and operating system. Measured Boot stores the measurements in the TPM on the machine, and makes them available in a log that can be tested remotely to verify the boot state of the client.
The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components that started before it. The antimalware software can use the log to determine whether components that ran before it are trustworthy, or if they are infected with malware. The antimalware software on the local machine can send the log to a remote server for evaluation. The remote server may initiate remediation actions, either by interacting with software on the client, or through out-of-band mechanisms, as appropriate. |
+| **[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and have not been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Azure Active Directory for conditional access. |
+
+## Virus And Threat Protection
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)** | Microsoft Defender Antivirus is a protection solution included in all versions of Windows. From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help keep your device safe and protect it from threats. Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection.
The combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA) which are applications that are deemed to negatively impact your device but are not considered malware. |
+| **Local Security Authority (LSA) Protection** | Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows logins. LSA handles tokens and credentials such as passwords that are used for single sign-on to a Microsoft account and Azure services. To help protect these credentials, additional LSA protection only allows loading of trusted, signed code and provides significant protection against Credential theft.
LSA protection is enabled by default on new, enterprise joined Windows 11 devices with added support for non-UEFI lock and policy management controls via MDM and group policy. |
+| **[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)** | Attack surface reduction (ASR) rules help to prevent software behaviors that are often abused to compromise your device or network. By reducing the number of attack surfaces, you can reduce the overall vulnerability of your organization.
Administrators can configure specific ASR rules to help block certain behaviors, such as launching executable files and scripts that attempt to download or run files, running obfuscated or otherwise suspicious scripts, performing behaviors that apps don't usually initiate during normal day-to-day work. |
+| **[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities. |
+| **[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.
Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt in to enforce the policy from the Windows Security app. |
+| **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders.
Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware. |
+| **[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use MDM or group policy to distribute the configuration file to multiple devices. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. |
+| **[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |
+| **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)** | Microsoft Defender for Endpoint is an enterprise endpoint detection and response solution that helps security teams to detect, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents: endpoint behavioral sensors, cloud security analytics, threat intelligence and rich response capabilities. |
+
+## Network Security
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a network. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average, and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. |
+| **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. |
+| **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | Wi-Fi Protected Access (WPA) is a security certification programs designed to secure wireless networks. WPA3 is the latest version of the certification and provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes: WPA3 personal with the Hash-to-Element (H2E) protocol, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.
Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication. |
+| **Opportunistic Wireless Encryption (OWE)** | Opportunistic Wireless Encryption (OWE) is a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots. |
+| **[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Security provides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
+| **[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.
In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls. |
+| **[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)** | |
+| **[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)** | DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections.
With DirectAccess connections, remote devices are always connected to the organization and there's no need for remote users to start and stop connections. |
+| **[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)** | SMB Encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. In Windows 11, the SMB protocol has significant security updates, including AES-256 bits encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of more advanced security or continue to use the more compatible, and still-safe, AES-128 encryption. |
+| **[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)** | SMB Direct (SMB over remote direct memory access) is a storage protocol that enables direct memory-to-memory data transfers between device and storage, with minimal CPU usage, while using standard RDMA-capable network adapters.
SMB Direct supports encryption, and now you can operate with the same safety as traditional TCP and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Now data is encrypted before placement, leading to relatively minor performance degradation while adding AES-128 and AES-256 protected packet privacy. |
+
+## Encryption And Data Protection
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)** | The BitLocker CSP allows an MDM solution, like Microsoft Intune, to manage the BitLocker encryption features on Windows devices. This includes OS volumes, fixed drives and removeable storage, and recovery key management into Azure AD. |
+| **[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune, using a configuration service provider (CSP).
BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. |
+| **[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.
By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. |
+| **[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow.
Windows Hello for Business is used to protect the container which houses the encryption keys used by PDE. When the user signs in, the container gets authenticated to release the keys in the container to decrypt user content. |
+| **[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital ID (certificate) can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message has not been tampered with. The encrypted messages can be sent by a user to other users within their organization or external contacts if they have proper encryption certificates. |
+
+## Modern Device Management
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Microsoft provides a robust set of security settings policies that IT administrators can use to protect Windows devices and other resources in their organization. |
+| **[Secured-core configuration lock](/windows/client-management/config-lock)** | In an enterprise organization, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Secured-core configuration lock (config lock) is a Secured-core PC feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds. |
+| **[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)** | Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: A single-app kiosk that runs a single Universal Windows Platform (UWP) app in full screen above the lock screen, or A multi-app kiosk that runs one or more apps from the desktop.
Kiosk configurations are based on Assigned Access, a feature in Windows that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. |
diff --git a/windows/security/includes/sections/privacy.md b/windows/security/includes/sections/privacy.md
new file mode 100644
index 0000000000..cb5118754a
--- /dev/null
+++ b/windows/security/includes/sections/privacy.md
@@ -0,0 +1,6 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
diff --git a/windows/security/includes/sections/security-foundations-certification-overview.md b/windows/security/includes/sections/security-foundations-certification-overview.md
new file mode 100644
index 0000000000..78601c07dd
--- /dev/null
+++ b/windows/security/includes/sections/security-foundations-certification-overview.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Certification features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)|Yes|Yes|Yes|Yes|
+|[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Certification features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)|Yes|Yes|Yes|Yes|Yes|
+|[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/security-foundations.md b/windows/security/includes/sections/security-foundations.md
new file mode 100644
index 0000000000..8c3cd14c92
--- /dev/null
+++ b/windows/security/includes/sections/security-foundations.md
@@ -0,0 +1,13 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/06/2023
+ms.topic: include
+---
+
+## Certification
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)** | Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. CC defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements. Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products. |
+| **[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)** | The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140 standard, having validated cryptographic modules against FIPS 140-2 since it was first established in 2001. Multiple Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules. |
diff --git a/windows/security/index.yml b/windows/security/index.yml
index ce7aece4b4..711ec3f94b 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -10,7 +10,6 @@ metadata:
ms.prod: windows-client
ms.technology: itpro-security
ms.collection:
- - highpri
- tier1
author: paolomatarazzo
ms.author: paoloma
@@ -42,13 +41,13 @@ landingContent:
- text: Trusted Platform Module
url: information-protection/tpm/trusted-platform-module-top-node.md
- text: Windows Defender System Guard firmware protection
- url: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
+ url: hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
- text: System Guard Secure Launch and SMM protection enablement
- url: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+ url: hardware-security/system-guard-secure-launch-and-smm-protection.md
- text: Virtualization-based protection of code integrity
- url: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+ url: hardware-security/enable-virtualization-based-protection-of-code-integrity.md
- text: Kernel DMA Protection
- url: information-protection/kernel-dma-protection-for-thunderbolt.md
+ url: hardware-security/kernel-dma-protection-for-thunderbolt.md
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
@@ -57,19 +56,17 @@ landingContent:
- linkListType: overview
links:
- text: Overview
- url: operating-system.md
+ url: operating-system-security/index.md
- linkListType: concept
links:
- - text: System security
- url: trusted-boot.md
- - text: Encryption and data protection
- url: encryption-data-protection.md
+ - text: Trusted boot
+ url: operating-system-security\system-security\trusted-boot.md
- text: Windows security baselines
- url: threat-protection/windows-security-configuration-framework/windows-security-baselines.md
+ url: operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md
- text: Virtual private network guide
- url: identity-protection/vpn/vpn-guide.md
+ url: operating-system-security/network-security/vpn/vpn-guide.md
- text: Windows Defender Firewall
- url: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
+ url: operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md
- text: Virus & threat protection
url: threat-protection/index.md
# Cards and links should be based on top customer tasks or top subjects
@@ -80,21 +77,21 @@ landingContent:
- linkListType: overview
links:
- text: Overview
- url: apps.md
+ url: application-security/index.md
- linkListType: concept
links:
- text: Application Control and virtualization-based protection
- url: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+ url: application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- text: Application Control
- url: threat-protection/windows-defender-application-control/windows-defender-application-control.md
+ url: application-security/application-control/windows-defender-application-control/wdac.md
- text: Application Guard
- url: threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+ url: application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
- text: Windows Sandbox
- url: threat-protection/windows-sandbox/windows-sandbox-overview.md
+ url: application-security\application-isolation\windows-sandbox\windows-sandbox-overview.md
- text: Microsoft Defender SmartScreen
- url: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+ url: operating-system-security\virus-and-threat-protection\microsoft-defender-smartscreen\index.md
- text: S/MIME for Windows
- url: identity-protection/configure-s-mime.md
+ url: operating-system-security/data-protection/configure-s-mime.md
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
@@ -107,9 +104,7 @@ landingContent:
- linkListType: concept
links:
- text: Windows Hello for Business
- url: identity-protection/hello-for-business/hello-overview.md
- - text: Windows Credential Theft Mitigation
- url: identity-protection/windows-credential-theft-mitigation-guide-abstract.md
+ url: identity-protection/hello-for-business/index.md
- text: Protect domain credentials
url: identity-protection/credential-guard/credential-guard.md
- text: Windows Defender Credential Guard
@@ -125,10 +120,6 @@ landingContent:
# Card (optional)
- title: Cloud services
linkLists:
- - linkListType: overview
- links:
- - text: Overview
- url: cloud.md
- linkListType: concept
links:
- text: Mobile device management
@@ -140,7 +131,7 @@ landingContent:
- text: OneDrive
url: /onedrive/onedrive
- text: Family safety
- url: threat-protection/windows-defender-security-center/wdsc-family-options.md
+ url: operating-system-security\system-security\windows-defender-security-center\wdsc-family-options.md
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
@@ -149,7 +140,7 @@ landingContent:
- linkListType: overview
links:
- text: Overview
- url: security-foundations.md
+ url: security-foundations/index.md
- linkListType: reference
links:
- text: Microsoft Security Development Lifecycle
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
deleted file mode 100644
index daa9cba013..0000000000
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
+++ /dev/null
@@ -1,80 +0,0 @@
-### YamlMime:FAQ
-metadata:
- title: BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10)
- description: Learn more about how BitLocker and Active Directory Domain Services (AD DS) can work together to keep devices secure.
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- audience: ITPro
- ms.collection:
- - highpri
- - tier1
- ms.topic: faq
- ms.date: 11/08/2022
- ms.custom: bitlocker
-title: BitLocker and Active Directory Domain Services (AD DS) FAQ
-summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
-
-
-sections:
- - name: Ignored
- questions:
- - question: |
- What type of information is stored in AD DS?
- answer: |
- Stored information | Description
- -------------------|------------
- Hash of the TPM owner password | Beginning with Windows 10, the password hash isn't stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in.
- BitLocker recovery password | The recovery password allows unlocking of and access to the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
- BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, `Repair-bde`.
-
- - question: |
- What if BitLocker is enabled on a computer before the computer has joined the domain?
- answer: |
- If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information won't be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, the Group Policy settings **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** can be chosen to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in the organization is backed up to AD DS.
-
- For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
-
- The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information. However, BitLocker doesn't automatically manage this process. The `manage-bde.exe` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, the following command script can be used from an elevated command prompt:
-
- ```powershell
- $BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
- $RecoveryProtector = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
-
- Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID
- BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID
- ```
-
- > [!IMPORTANT]
- > Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).
-
- - question: |
- Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup?
- answer: |
- Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it's also possible that the log entry could be spoofed.
-
- Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool.
-
- - question: |
- If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?
- answer: |
- No. By design, BitLocker recovery password entries don't get deleted from AD DS. Therefore, multiple passwords might be seen for each drive. To identify the latest password, check the date on the object.
-
- - question: |
- What happens if the backup initially fails? Will BitLocker retry it?
- answer: |
- If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker doesn't try again to back up the recovery information to AD DS.
-
- When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker can't be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
-
- For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
-
- When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker won't automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-) to capture the information after connectivity is restored.
-
-
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
deleted file mode 100644
index dbea4c718a..0000000000
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
+++ /dev/null
@@ -1,89 +0,0 @@
-### YamlMime:FAQ
-metadata:
- title: BitLocker deployment and administration FAQ (Windows 10)
- description: Browse frequently asked questions about BitLocker deployment and administration, such as, "Can BitLocker deployment be automated in an enterprise environment?"
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- ms.topic: faq
- ms.date: 11/08/2022
- ms.custom: bitlocker
-title: BitLocker frequently asked questions (FAQ)
-summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
-
-sections:
- - name: Ignored
- questions:
- - question: Can BitLocker deployment be automated in an enterprise environment?
- answer: |
- Yes, the deployment and configuration of both BitLocker and the TPM can be automated using either WMI or Windows PowerShell scripts. Which method is chosen to implement the automation depends on the environment. `Manage-bde.exe` can also be used to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](/windows/win32/secprov/bitlocker-drive-encryption-provider). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps).
-
- - question: Can BitLocker encrypt more than just the operating system drive?
- answer: Yes.
-
- - question: Is there a noticeable performance impact when BitLocker is enabled on a computer?
- answer: Typically, there's a small performance overhead, often in single-digit percentages, which is relative to the throughput of the storage operations on which it needs to operate.
-
- - question: How long will initial encryption take when BitLocker is turned on?
- answer: |
- Although BitLocker encryption occurs in the background while a user continues to work with the system remaining usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If encrypting large drives, encryption may want to be scheduled during times when the drive isn't being used.
-
- When BitLocker is enabled, BitLocker can also be set to encrypt the entire drive or just the used space on the drive. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.
-
- - question: What happens if the computer is turned off during encryption or decryption?
- answer: If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. BitLocker resuming encryption or decryption is true even if the power is suddenly unavailable.
-
- - question: Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data?
- answer: No, BitLocker doesn't encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they're requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.
-
- - question: How can I prevent users on a network from storing data on an unencrypted drive?
- answer: |
- Group Policy settings can be configured to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
- When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that aren't protected by BitLocker as read-only.
-
- - question: What is Used Disk Space Only encryption?
- answer: |
- BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption).
-
- - question: What system changes would cause the integrity check on my operating system drive to fail?
- answer: |
- The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:
-
- - Moving the BitLocker-protected drive into a new computer.
- - Installing a new motherboard with a new TPM.
- - Turning off, disabling, or clearing the TPM.
- - Changing any boot configuration settings.
- - Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
-
- - question: What causes BitLocker to start into recovery mode when attempting to start the operating system drive?
- answer: |
- Because BitLocker is designed to protect computers from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode.
- For example:
-
- - Changing the BIOS boot order to boot another drive in advance of the hard drive.
- - Adding or removing hardware, such as inserting a new card in the computer.
- - Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
-
- In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password.
- The TPM isn't involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.
-
- - question: What can prevent BitLocker from binding to PCR 7?
- answer: BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot isn't available to the device, either because it has been disabled or the hardware doesn't support it.
-
- - question: Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
- answer: Yes, multiple hard disks can be swapped on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and the operating system drive. If a backup operating system or data drive needs to be prepared in case of a disk failure, make sure that they were matched with the correct TPM. Different hard drives can also be configured for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
-
- - question: Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
- answer: Yes, if the drive is a data drive, it can be unlocked from the **BitLocker Drive Encryption** Control Panel item by using a password or smart card. If the data drive was configured for automatic unlock only, it will need to be unlocked by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key.
-
- - question: Why is **Turn BitLocker on** not available when I right-click a drive?
- answer: Some drives can't be encrypted with BitLocker. Reasons a drive can't be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it isn't created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but can't be encrypted.
-
- - question: What type of disk configurations are supported by BitLocker?
- answer: Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
deleted file mode 100644
index e922e90f32..0000000000
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ /dev/null
@@ -1,62 +0,0 @@
----
-title: BitLocker deployment comparison (Windows 10)
-description: This article shows the BitLocker deployment comparison chart.
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
----
-
-# BitLocker deployment comparison
-
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
-This article depicts the BitLocker deployment comparison chart.
-
-## BitLocker deployment comparison chart
-
-| Requirements |Microsoft Intune |Microsoft Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM) |
-|---------|---------|---------|---------|
-|*Minimum client operating system version* |Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 10 IoT, and Windows 11 |
-|*Supported Windows SKUs* | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise |
-|*Minimum Windows version* |1909 | None | None |
-|*Supported domain-joined status* | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory-joined, hybrid Azure AD joined | Active Directory-joined |
-|*Permissions required to manage policies* | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access |
-|*Cloud or on premises* | Cloud | On premises | On premises |
-|Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
-|*Additional agent required?* | No (device enrollment only) | Configuration Manager client | MBAM client |
-|*Administrative plane* | Microsoft Intune admin center | Configuration Manager console | Group Policy Management Console and MBAM sites |
-|*Administrative portal installation required* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
-|*Compliance reporting capabilities* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
-|*Force encryption* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
-|*Encryption for storage cards (mobile)* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | |
-|*Allow recovery password* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
-|*Manage startup authentication* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
-|*Select cipher strength and algorithms for fixed drives* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
-|*Select cipher strength and algorithms for removable drives* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
-|*Select cipher strength and algorithms for operating environment drives* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
-|*Standard recovery password storage location* | Azure AD or Active Directory | Configuration Manager site database | MBAM database |
-|*Store recovery password for operating system and fixed drives to Azure AD or Active Directory* | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) |
-|*Customize preboot message and recovery link* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
-|*Allow/deny key file creation* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
-|*Deny Write permission to unprotected drives* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
-|*Can be administered outside company network* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | |
-|*Support for organization unique IDs* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
-|*Self-service recovery* | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
-|*Recovery password rotation for fixed and operating environment drives* | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
-|*Wait to complete encryption until recovery information is backed up to Azure AD* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | |
-|*Wait to complete encryption until recovery information is backed up to Active Directory* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
-|*Allow or deny Data Recovery Agent* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
-|*Unlock a volume using certificate with custom object identifier* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
-|*Prevent memory overwrite on restart* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
-|*Configure custom Trusted Platform Module Platform Configuration Register profiles* | | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
-|*Manage auto-unlock functionality* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
deleted file mode 100644
index 4f7256eadb..0000000000
--- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-### YamlMime:FAQ
-metadata:
- title: BitLocker FAQ (Windows 10)
- description: Find the answers you need by exploring this brief hub page listing FAQ pages for various aspects of BitLocker.
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- audience: ITPro
- ms.collection:
- - highpri
- - tier1
- ms.topic: faq
- ms.date: 11/08/2022
- ms.custom: bitlocker
-title: BitLocker frequently asked questions (FAQ) resources
-summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
- This article links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on computers to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they're decommissioned because it's much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
-
- - [Overview and requirements](bitlocker-overview-and-requirements-faq.yml)
- - [Upgrading](bitlocker-upgrading-faq.yml)
- - [Deployment and administration](bitlocker-deployment-and-administration-faq.yml)
- - [Key management](bitlocker-key-management-faq.yml)
- - [BitLocker To Go](bitlocker-to-go-faq.yml)
- - [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.yml)
- - [Security](bitlocker-security-faq.yml)
- - [BitLocker Network Unlock](bitlocker-network-unlock-faq.yml)
- - [Using BitLocker with other programs and general questions](bitlocker-using-with-other-programs-faq.yml)
-
-
-
-sections:
- - name: Ignored
- questions:
- - question: |
- More information
- answer: |
- - [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- - [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
- - [BCD settings and BitLocker](bcd-settings-and-bitlocker.md)
- - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
- - [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
- - [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
- - [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md)
- - [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps&preserve-view=true)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml
deleted file mode 100644
index ad23cc6714..0000000000
--- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml
+++ /dev/null
@@ -1,119 +0,0 @@
-### YamlMime:FAQ
-metadata:
- title: BitLocker Key Management FAQ (Windows 10)
- description: Browse frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- audience: ITPro
- ms.topic: faq
- ms.date: 11/08/2022
- ms.custom: bitlocker
-title: BitLocker Key Management FAQ
-summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
-
-sections:
- - name: Ignored
- questions:
- - question: How can I authenticate or unlock my removable data drive?
- answer: |
- Removable data drives can be unlocked using a password or a smart card. An SID protector can also be configured to unlock a drive by using user domain credentials. After encryption has started, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users including password complexity and minimum length requirements. To unlock by using a SID protector, use `manage-bde.exe`:
-
- ```cmd
- Manage-bde.exe -protectors -add e: -sid domain\username
- ```
-
- - question: What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key?
- answer: |
- For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods).
-
- - question: How can the recovery password and recovery key be stored?
- answer: |
- The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to a Microsoft Account, or printed.
-
- For removable data drives, the recovery password and recovery key can be saved to a folder, saved to a Microsoft Account, or printed. By default, a recovery key for a removable drive can't be stored on a removable drive.
-
- A domain administrator can also configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive.
-
- - question: Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?
- answer: |
- The `Manage-bde.exe` command-line tool can be used to replace TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and PIN authentication needs to be added, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the desired numeric PIN:
-
- ```cmd
- manage-bde.exe -protectors -delete %systemdrive% -type tpm
-
- manage-bde.exe -protectors -add %systemdrive% -tpmandpin <4-20 digit numeric PIN>
- ```
-
-
- - question: When should an additional method of authentication be considered?
- answer: |
- New hardware that meets [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book don't have external DMA ports to attack.
- For older hardware, where a PIN may be needed, it's recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#allow-enhanced-pins-for-startup) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on the risk tolerance and the hardware anti-hammering capabilities available to the TPMs on the computers.
-
- - question: If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
- answer: |
- BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.
-
- > [!IMPORTANT]
- > Store the recovery information in AD DS, along with in a Microsoft Account, or another safe location.
-
- - question: Can the USB flash drive that is used as the startup key also be used to store the recovery key?
- answer: While using a USB flash drive as both the startup key and for storage of the recovery key is technically possible, it isn't a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains the startup key is lost or stolen, the recovery key will also be lost. In addition, inserting this key would cause the computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check.
-
- - question: Can I save the startup key on multiple USB flash drives?
- answer: Yes, computer's startup key can be saved on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide the options to save the recovery keys on additional USB flash drives as needed.
-
- - question: Can I save multiple (different) startup keys on the same USB flash drive?
- answer: Yes, BitLocker startup keys for different computers can be saved on the same USB flash drive.
-
- - question: Can I generate multiple (different) startup keys for the same computer?
- answer: Generating different startup keys for the same computer can be done through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check.
-
- - question: Can I generate multiple PIN combinations?
- answer: Generating multiple PIN combinations can't be done.
-
- - question: What encryption keys are used in BitLocker? How do they work together?
- answer: Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on the authentication (that is, key protectors or TPM) and recovery scenarios.
-
- - question: Where are the encryption keys stored?
- answer: |
- The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key.
-
- This storage process ensures that the volume master key is never stored unencrypted and is protected unless BitLocker is disabled. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager.
-
- - question: Why do I have to use the function keys to enter the PIN or the 48-character recovery password?
- answer: |
- The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 aren't usable in the pre-boot environment on all keyboards.
-
- When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment.
-
- - question: How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive?
- answer: |
- It's possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker has physical access to the computer.
-
- The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact the TPM's manufacturer to determine how the computer's TPM mitigates PIN brute force attacks.
- After the TPM's manufacturer has been determined, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.
-
- - question: How can I determine the manufacturer of my TPM?
- answer: The TPM manufacturer can be determined in **Windows Defender Security Center** > **Device Security** > **Security processor details**.
-
- - question: How can I evaluate a TPM's dictionary attack mitigation mechanism?
- answer: |
- The following questions can assist when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism:
-
- - How many failed authorization attempts can occur before lockout?
- - What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?
- - What actions can cause the failure count and lockout duration to be decreased or reset?
-
- - question: Can PIN length and complexity be managed with Group Policy?
- answer: |
- Yes and No. The minimum personal identification number (PIN) length can be configured by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, PIN complexity can't be required via Group Policy.
-
- For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml
deleted file mode 100644
index 9683743787..0000000000
--- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-### YamlMime:FAQ
-metadata:
- title: BitLocker Network Unlock FAQ (Windows 10)
- description: Familiarize yourself with BitLocker Network Unlock. Learn how it can make desktop and server management easier within domain environments.
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- audience: ITPro
- ms.topic: faq
- ms.date: 11/08/2022
- ms.reviewer:
- ms.custom: bitlocker
-title: BitLocker Network Unlock FAQ
-summary: |
- **Applies to:**
- - Windows 10
- - Windows 11
- - Windows Server 2016 and above
-
-sections:
- - name: Ignored
- questions:
- - question: |
- BitLocker Network Unlock FAQ
- answer: |
- BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method.
-
- To use Network Unlock, a PIN must be configured for the computer. When the computer isn't connected to the network, a PIN will need to be provided to unlock it.
-
- BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before it can be used.
-
- Network Unlock uses two protectors - the TPM protector and the protector provided by the network or by the PIN. Automatic unlock uses a single protector - the one stored in the TPM. If the computer is joined to a network without the key protector, it will prompt to enter a PIN. If the PIN isn't available, the recovery key will need to be used to unlock the computer if it can't be connected to the network.
-
- For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
deleted file mode 100644
index 3243fdb178..0000000000
--- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-### YamlMime:FAQ
-metadata:
- title: BitLocker overview and requirements FAQ (Windows 10)
- description: This article for IT professionals answers frequently asked questions concerning the requirements to use BitLocker.
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- audience: ITPro
- ms.collection:
- - highpri
- - tier1
- ms.topic: faq
- ms.date: 11/08/2022
- ms.custom: bitlocker
-title: BitLocker Overview and Requirements FAQ
-summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
-
-sections:
- - name: Ignored
- questions:
- - question: How does BitLocker work?
- answer: |
- **How BitLocker works with operating system drives**
-
- BitLocker Can be used to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
-
- **How BitLocker works with fixed and removable data drives**
-
- BitLocker can be used to encrypt the entire contents of a data drive. Group Policy can be used to require BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with various unlock methods for data drives, and a data drive supports multiple unlock methods.
-
- - question: Does BitLocker support multifactor authentication?
- answer: Yes, BitLocker supports multifactor authentication for operating system drives. If BitLocker is enabled on a computer that has a TPM version 1.2 or later, additional forms of authentication can be used with the TPM protection.
-
- - question: What are the BitLocker hardware and software requirements?
- answer: |
- For requirements, see [System requirements](bitlocker-overview.md#system-requirements).
-
- > [!NOTE]
- > Dynamic disks aren't supported by BitLocker. Dynamic data volumes won't be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it's a Dynamic disk, if it's a dynamic disk it can't be protected by BitLocker.
-
- - question: Why are two partitions required? Why does the system drive have to be so large?
- answer: Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive.
-
- - question: Which Trusted Platform Modules (TPMs) does BitLocker support?
- answer: |
- BitLocker supports TPM version 1.2 or higher. BitLocker support for TPM 2.0 requires Unified Extensible Firmware Interface (UEFI) for the device.
-
- > [!NOTE]
- > TPM 2.0 isn't supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security, enable the Secure Boot feature.
- >
- > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode that will prepare the OS and the disk to support UEFI.
-
- - question: How can I tell if a computer has a TPM?
- answer: Beginning with Windows 10, version 1803, the TPM status can be checked in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading. [**Get-TPM**](/powershell/module/trustedplatformmodule/get-tpm?view=windowsserver2019-ps)** can also be run in PowerShell to get more details about the TPM on the current computer.
-
- - question: Can I use BitLocker on an operating system drive without a TPM?
- answer: |
- Yes, BitLocker can be enabled on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. BitLocker won't unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs won't be able to use the system integrity verification that BitLocker can also provide.
- To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.
-
- - question: How do I obtain BIOS support for the TPM on my computer?
- answer: |
- Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements:
-
- - It's compliant with the TCG standards for a client computer.
- - It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer.
-
- - question: What credentials are required to use BitLocker?
- answer: To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives.
-
- - question: What is the recommended boot order for computers that are going to be BitLocker-protected?
- answer: The computer's startup options should be configured to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk isn't first and the computer typically boots from the hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause a prompt for the BitLocker recovery key. For the same reason, if a laptop is used with a docking station, ensure that the hard disk drive is first in the boot order both when the laptop is docked and undocked.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md
deleted file mode 100644
index a3b7a72ca1..0000000000
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-title: BitLocker
-description: This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
-ms.author: frankroj
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-manager: aaroncz
-ms.collection:
- - highpri
- - tier1
-ms.topic: conceptual
-ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
----
-
-# BitLocker
-
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
-This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
-
-## BitLocker overview
-
-BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
-
-BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system was offline.
-
-On computers that don't have a TPM version 1.2 or later versions, BitLocker can still be used to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, an operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM.
-
-In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device (such as a USB flash drive) that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer won't start or resume from hibernation until the correct PIN or startup key is presented.
-
-## Practical applications
-
-Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.
-
-There are two additional tools in the Remote Server Administration Tools that can be used to manage BitLocker.
-
-- **BitLocker Recovery Password Viewer**. The BitLocker Recovery Password Viewer enables the BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory Domain Services (AD DS) to be located and viewed. This tool can be used to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.
-
- By using this tool, a computer object's **Properties** dialog box can be examined to view the corresponding BitLocker recovery passwords. Additionally, a domain container can be searched for a BitLocker recovery password across all the domains in the Active Directory forest by right clicking on the domain container. Viewing recovery passwords can only be viewed by domain administrator or having delegated permissions by a domain administrator.
-
-- **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the
-BitLocker control panel, and they're appropriate to be used for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive can't be unlocked normally or by using the recovery console.
-
-## New and changed functionality
-
-To find out what's new in BitLocker for Windows, such as support for the XTS-AES encryption algorithm, see [What's new in Windows 10, versions 1507 and 1511 for IT Pros: BitLocker](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker).
-
-## System requirements
-
-BitLocker has the following hardware requirements:
-
-For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If a computer doesn't have a TPM, saving a startup key on a removable drive, such as a USB flash drive, becomes mandatory when enabling BitLocker.
-
-A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware.
-
-The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment.
-
-> [!IMPORTANT]
-> From Windows 7, an OS drive can be encrypted without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://social.technet.microsoft.com/Forums/en-US/eac2cc67-8442-42db-abad-2ed173879751/bitlocker-without-tpm?forum=win10itprosetup).
-
-> [!NOTE]
-> TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature.
-
-> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode, which prepares the OS and the disk to support UEFI.
-
-The hard disk must be partitioned with at least two drives:
-
-- The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system.
-- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. It's recommended that the system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space.
-
-When installed on a new computer, Windows automatically creates the partitions that are required for BitLocker.
-
-A partition subject to encryption can't be marked as an active partition. This requirement applies to the operating system drives, fixed data drives, and removable data drives.
-
-When installing the BitLocker optional component on a server, the Enhanced Storage feature also needs to be installed. The Enhanced Storage feature is used to support hardware encrypted drives.
-
-## In this section
-
-| Article | Description |
-| - | - |
-| [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This article provides an overview of the ways in which BitLocker Device Encryption can help protect data on devices running Windows 10. |
-| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) | This article answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.|
-| [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This article explains the procedure you can use to plan your BitLocker deployment. |
-| [BitLocker basic deployment](bitlocker-basic-deployment.md) | This article explains how BitLocker features can be used to protect your data through drive encryption. |
-| [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)| This article explains how to deploy BitLocker on Windows Server.|
-| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | This article describes how BitLocker Network Unlock works and how to configure it. |
-| [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)| This article describes how to use tools to manage BitLocker.|
-| [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) | This article describes how to use the BitLocker Recovery Password Viewer. |
-| [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This article describes the function, location, and effect of each group policy setting that is used to manage BitLocker. |
-| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This article describes the BCD settings that are used by BitLocker.|
-| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This article describes how to recover BitLocker keys from AD DS. |
-| [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device's configuration. |
-| [Troubleshoot BitLocker](/troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. |
-| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This article describes how to protect CSVs and SANs with BitLocker.|
-| [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This article describes how to use BitLocker with Windows IoT Core |
diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml
deleted file mode 100644
index 8b53e2e639..0000000000
--- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-### YamlMime:FAQ
-metadata:
- title: BitLocker Security FAQ
- description: Learn more about how BitLocker security works. Browse frequently asked questions, such as, "What form of encryption does BitLocker use?"
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- audience: ITPro
- ms.topic: faq
- ms.date: 11/08/2022
- ms.custom: bitlocker
-title: BitLocker Security FAQ
-summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
-
-
-sections:
- - name: Ignored
- questions:
- - question: |
- What form of encryption does BitLocker use? Is it configurable?
- answer: |
- BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 bits or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy.
-
- - question: |
- What is the best practice for using BitLocker on an operating system drive?
- answer: |
- The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, along with a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer can't start the computer.
-
- - question: |
- What are the implications of using the sleep or hibernate power management options?
- answer: |
- BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it's configured to use another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. In sleep mode, the computer is vulnerable to direct memory access attacks, since unprotected data remains in RAM. Therefore, for improved security, it's recommended to disable sleep mode and to use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp).
-
- - question: |
- What are the advantages of a TPM?
- answer: |
- Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually aren't as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming.
-
- > [!NOTE]
- > Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks.
-
diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml
deleted file mode 100644
index c780b6ee5a..0000000000
--- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-### YamlMime:FAQ
-metadata:
- title: BitLocker To Go FAQ
- description: "Learn more about BitLocker To Go"
- ms.prod: windows-client
- ms.technology: itpro-security
- ms.author: frankroj
- author: frankroj
- manager: aaroncz
- audience: ITPro
- ms.topic: faq
- ms.date: 11/08/2022
- ms.custom: bitlocker
-title: BitLocker To Go FAQ
-summary: |
- **Applies to:**
- - Windows 10
-
-
-sections:
- - name: Ignored
- questions:
- - question: What is BitLocker To Go?
- answer: |
- BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of:
-
- - USB flash drives
- - SD cards
- - External hard disk drives
- - Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.
-
- Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements).
-
- As with BitLocker, drives that are encrypted by BitLocker To Go can be opened by using a password or smart card on another computer. In Control Panel, use **BitLocker Drive Encryption**.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml
deleted file mode 100644
index 13441d1f58..0000000000
--- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-### YamlMime:FAQ
-metadata:
- title: BitLocker Upgrading FAQ
- description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?"
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- ms.topic: faq
- ms.date: 11/08/2022
- ms.reviewer:
- ms.custom: bitlocker
-title: BitLocker Upgrading FAQ
-summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
-
-sections:
- - name: Ignored
- questions:
- - question: |
- Can I upgrade to Windows 10 with BitLocker enabled?
- answer: |
- Yes.
-
- - question: |
- What is the difference between suspending and decrypting BitLocker?
- answer: |
- **Decrypt** completely removes BitLocker protection and fully decrypts the drive.
-
- **Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.
-
- - question: |
- Do I have to suspend BitLocker protection to download and install system updates and upgrades?
- answer: |
- No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](/windows/deployment/update/waas-quick-start).
- Users need to suspend BitLocker for Non-Microsoft software updates, such as:
-
- - Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM. Users don't have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. It's recommended that users test their TPM firmware updates if they don't want to suspend BitLocker protection.
- - Non-Microsoft application updates that modify the UEFI\BIOS configuration.
- - Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation).
- - Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if BitLocker doesn't use Secure Boot for integrity validation during updates).
- - BitLocker can be checked if it uses Secure Boot for integrity validation with the command line `manage-bde.exe -protectors -get C:`. If Secure Boot for integrity validation is being used, it will be report **Uses Secure Boot for integrity validation**.
-
-
- > [!NOTE]
- > If BitLocker has been suspended, BitLocker protection can be resumed after the upgrade or update has been installed. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, the computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
deleted file mode 100644
index 1592e527a6..0000000000
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
+++ /dev/null
@@ -1,73 +0,0 @@
----
-title: BitLocker Use BitLocker Recovery Password Viewer (Windows 10)
-description: This article for the IT professional describes how to use the BitLocker Recovery Password Viewer.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.collection:
- - highpri
- - tier1
-ms.topic: conceptual
-ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
----
-
-# BitLocker: Use BitLocker Recovery Password Viewer
-
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
-This article describes how to use the BitLocker Recovery Password Viewer.
-
-The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT). It lets BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS) be located and viewed. This tool can be used to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, a computer object's **Properties** dialog box can be examined to view the corresponding BitLocker recovery passwords.
-
-Additionally a domain container can be searched for BitLocker recovery password across all the domains in the Active Directory forest via a right-click. Passwords can also be searched by password identifier (ID).
-
-## Before starting
-
-To complete the procedures in this scenario, the following requirements must be met:
-
-- Domain administrator credentials.
-- Test computers must be joined to the domain.
-- On the domain-joined test computers, BitLocker must have been turned on.
-
-The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer.
-
-### To view the recovery passwords for a computer
-
-1. In **Active Directory Users and Computers**, locate and then select the container in which the computer is located.
-
-2. Right-click the computer object, and then select **Properties**.
-
-3. In the **Properties** dialog box, select the **BitLocker Recovery** tab to view the BitLocker recovery passwords that are associated with the computer.
-
-### To copy the recovery passwords for a computer
-
-1. Follow the steps in the previous procedure to view the BitLocker recovery passwords.
-
-2. On the **BitLocker Recovery** tab of the **Properties** dialog box, right-click the BitLocker recovery password that needs to be copied, and then select **Copy Details**.
-
-3. Press CTRL+V to paste the copied text to a destination location, such as a text file or spreadsheet.
-
-### To locate a recovery password by using a password ID
-
-1. In Active Directory Users and Computers, right-click the domain container, and then select **Find BitLocker Recovery Password**.
-
-2. In the **Find BitLocker Recovery Password** dialog box, type the first eight characters of the recovery password in the **Password ID (first 8 characters)** box, and then select **Search**.
-
-By completing the procedures in this scenario, the recovery passwords for a computer have been viewed and copied and a password ID was used to locate a recovery password.
-
-## Related articles
-
-- [BitLocker Overview](bitlocker-overview.md)
-- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
-- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
-- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
-- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
deleted file mode 100644
index 4d0267a25a..0000000000
--- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
+++ /dev/null
@@ -1,118 +0,0 @@
-### YamlMime:FAQ
-metadata:
- title: Using BitLocker with other programs FAQ
- description: Learn how to integrate BitLocker with other software on a device.
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- ms.topic: faq
- ms.date: 11/08/2022
-title: Using BitLocker with other programs FAQ
-summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
-
-sections:
- - name: Ignored
- questions:
- - question: |
- Can I use EFS with BitLocker?
- answer: |
- Yes, Encrypting File System (EFS) can be used to encrypt files on a BitLocker-protected drive. BitLocker helps protect the entire operating system drive against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. EFS can also be used in Windows to encrypt files on other drives that aren't encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system drive; therefore, if BitLocker is enabled for the operating system drive, data that is encrypted by EFS on other drives is also indirectly protected by BitLocker.
-
- - question: |
- Can I run a kernel debugger with BitLocker?
- answer: |
- Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If debugging needs to be turned on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting the computer into recovery mode.
-
- - question: |
- How does BitLocker handle memory dumps?
- answer: |
- BitLocker has a storage driver stack that ensures memory dumps are encrypted when BitLocker is enabled.
-
- - question: |
- Can BitLocker support smart cards for pre-boot authentication?
- answer: |
- BitLocker doesn't support smart cards for pre-boot authentication. There's no single industry standard for smart card support in the firmware, and most computers either don't implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them difficult.
-
- - question: |
- Can I use a non-Microsoft TPM driver?
- answer: |
- Microsoft doesn't support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM isn't present on the computer and not allow the TPM to be used with BitLocker.
-
- - question: |
- Can other tools that manage or modify the master boot record work with BitLocker?
- answer: |
- We don't recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for several security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally and complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely.
-
- - question: |
- Why is the system check failing when I'm encrypting my operating system drive?
- answer: |
- The system check is designed to ensure the computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons:
-
- - The computer's BIOS or UEFI firmware can't read USB flash drives.
- - The computer's BIOS, uEFI firmware, or boot menu doesn't have reading USB flash drives enabled.
- - There are multiple USB flash drives inserted into the computer.
- - The PIN wasn't entered correctly.
- - The computer's BIOS or UEFI firmware only supports using the function keys (F1-F10) to enter numerals in the pre-boot environment.
- - The startup key was removed before the computer finished rebooting.
- - The TPM has malfunctioned and fails to unseal the keys.
-
- - question: |
- What can I do if the recovery key on my USB flash drive can't be read?
- answer: |
- Some computers can't read USB flash drives in the pre-boot environment. First, check the BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it isn't enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings, and then try to read the recovery key from the USB flash drive again. If the USB flash drive still can't be read, the hard drive will need to be mounted as a data drive on another computer so that there's an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, a recovery password may need to be supplied or use the recovery information that was backed up to AD DS. Also, if the recovery key is being used in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system.
-
- - question: |
- Why am I unable to save my recovery key to my USB flash drive?
- answer: |
- The **Save to USB** option isn't shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys.
-
- - question: |
- Why am I unable to automatically unlock my drive?
- answer: |
- Automatic unlocking for fixed data drives requires the operating system drive to also be protected by BitLocker. If a computer is being used that doesn't have a BitLocker-protected operating system drive, then the fixed drive can't be automatically unlocked. For removable data drives, automatic unlocking can be added by right-clicking the drive in Windows Explorer and selecting **Manage BitLocker**. Password or smart card credentials that were supplied when BitLocker was turned on can still be used to unlock the removable drive on other computers.
-
- - question: |
- Can I use BitLocker in Safe Mode?
- answer: |
- Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer isn't available in Safe Mode.
-
- - question: |
- How do I "lock" a data drive?
- answer: |
- Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the -lock command.
-
- > [!NOTE]
- > Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible.
-
- The syntax of this command is:
-
- ```cmd
- manage-bde.exe
Specify the DNS suffixes used in your environment. All traffic to the fully qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
|Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.
Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|
-|Include your Data Recovery Agent (DRA) certificate.|Starting with Windows 10, version 1703, this field is optional. But we strongly recommend that you add a certificate.
This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](./create-and-verify-an-efs-dra-certificate.md) topic.|
+|Include your Data Recovery Agent (DRA) certificate.|Starting with Windows 10, version 1703, this field is optional. But we strongly recommend that you add a certificate.
This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) topic.|
>[!NOTE]
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
index 1ee0d46093..529715e6d2 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
@@ -1,5 +1,5 @@
---
-title: Create a Windows Information Protection (WIP) policy using Microsoft Configuration Manager (Windows 10)
+title: Create a Windows Information Protection (WIP) policy using Microsoft Configuration Manager
description: Microsoft Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
ms.prod: windows-client
ms.localizationpriority: medium
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
index 7d74fb57ea..95ecaef6c6 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
@@ -1,5 +1,5 @@
---
-title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
+title: Create a Windows Information Protection (WIP) policy using Microsoft Intune
description: Microsoft Intune helps you create and deploy your enterprise data protection (WIP) policy.
ms.reviewer:
ms.prod: windows-client
diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
index 903e701613..326bd9fdc7 100644
--- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
@@ -1,5 +1,5 @@
---
-title: Recommended URLs for Windows Information Protection (Windows 10)
+title: Recommended URLs for Windows Information Protection
description: Recommended URLs to add to your Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP).
ms.prod: windows-client
ms.localizationpriority: medium
@@ -28,7 +28,7 @@ This table includes the recommended URLs to add to your Enterprise Cloud Resourc
|If your organization uses... |Add these entries to your Enterprise Cloud Resources network setting
(Replace "contoso" with your domain name(s)|
|-----------------------------|---------------------------------------------------------------------|
|Sharepoint Online |- `contoso.sharepoint.com`
- `contoso-my.sharepoint.com`
- `contoso-files.sharepoint.com` |
-|Yammer |- `www.yammer.com`
- `yammer.com`
- `persona.yammer.com` |
+|Viva Engage |- `www.yammer.com`
- `yammer.com`
- `persona.yammer.com` |
|Outlook Web Access (OWA) |- `outlook.office.com`
- `outlook.office365.com`
- `attachments.office.net` |
|Microsoft Dynamics |`contoso.crm.dynamics.com` |
|Visual Studio Online |`contoso.visualstudio.com` |
diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
index ea2cab423d..6ae2852d49 100644
--- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -1,5 +1,5 @@
---
-title: Testing scenarios for Windows Information Protection (WIP) (Windows 10)
+title: Testing scenarios for Windows Information Protection (WIP)
description: A list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
ms.reviewer:
ms.prod: windows-client
diff --git a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
index ff1df3609e..43ac28801a 100644
--- a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
@@ -1,5 +1,5 @@
---
-title: Using Outlook on the web with WIP (Windows 10)
+title: Using Outlook on the web with WIP
description: Options for using Outlook on the web with Windows Information Protection (WIP).
ms.prod: windows-client
ms.localizationpriority: medium
diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
index 7404e870dc..f2c6ad57af 100644
--- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
+++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
@@ -1,5 +1,5 @@
---
-title: Determine the Enterprise Context of an app running in Windows Information Protection (WIP) (Windows 10)
+title: Determine the Enterprise Context of an app running in Windows Information Protection (WIP)
description: Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP).
ms.prod: windows-client
ms.localizationpriority: medium
diff --git a/windows/security/introduction/index.md b/windows/security/introduction/index.md
new file mode 100644
index 0000000000..781c24730c
--- /dev/null
+++ b/windows/security/introduction/index.md
@@ -0,0 +1,56 @@
+---
+title: Introduction to Windows security
+description: System security book.
+ms.date: 04/24/2023
+ms.topic: tutorial
+ms.author: paoloma
+content_well_notification:
+ - AI-contribution
+author: paolomatarazzo
+appliesto:
+ - ✅ Windows 11
+---
+
+# Introduction to Windows security
+
+The acceleration of digital transformation and the expansion of both remote and hybrid work brings new opportunities to organizations, communities, and individuals. This expansion introduces new threats and risks.
+
+Organizations worldwide are adopting a **Zero Trust** security model based on the premise that no person or device anywhere can have access until safety and integrity is proven. Windows 11 is built on Zero Trust principles to enable hybrid productivity and new experiences anywhere, without compromising security. Windows 11 raises the [security baselines](../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) with new requirements for advanced hardware and software protection that extends from chip to cloud.
+
+## How Windows 11 enables Zero Trust protection
+
+A Zero Trust security model gives the right people the right access at the right time. Zero Trust security is based on three principles:
+
+1. Reduce risk by explicitly verifying data points such as user identity, location, and device health for every access request, without exception
+1. When verified, give people and devices access to only necessary resources for the necessary amount of time
+1. Use continuous analytics to drive threat detection and improve defenses
+
+For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](../identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enable timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
+
+### Security, by default
+
+Windows 11 is a natural evolution of its predecessor, Windows 10. We have collaborated with our manufacturer and silicon partners to incorporate extra hardware security measures that address the increasingly complex security threats of today. These measures not only enable the hybrid work and learning that many organizations now embrace but also help bolster our already strong foundation and resilience against attacks.
+
+### Enhanced hardware and operating system security
+
+With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind other barriers separated from the operating system. As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering.
+
+In Windows 11, hardware and software work together to protect the operating system. For example, new devices come with [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) and [Secure Boot](../operating-system-security/system-security/trusted-boot.md) built-in and enabled by default to contain and limit malware exploits.
+
+### Robust application security and privacy controls
+
+To help keep personal and business information protected and private, Windows 11 has multiple layers of application security that safeguard critical data and code integrity. Application isolation and controls, code integrity, privacy controls, and least-privilege principles enable developers to build in security and privacy from the ground up. This integrated security protects against breaches and malware, helps keep data private, and gives IT administrators the controls they need.
+
+In Windows 11, [Microsoft Defender Application Guard](/windows-hardware/design/device-experiences/oem-app-guard) uses Hyper-V virtualization technology to isolate untrusted websites and Microsoft Office files in containers, separate from and unable to access the host operating system and enterprise data. To protect privacy, Windows 11 also provides more controls over which apps and features can collect and use data such as the device's location, or access resources like camera and microphone.
+
+### Secured identities
+
+Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](../information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](../identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](../identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication.
+
+### Connecting to cloud services
+
+Microsoft offers comprehensive cloud services for identity, storage, and access management in addition to the tools needed to attest that Windows devices connecting to your network are trustworthy. You can also enforce compliance and conditional access with a modern device management (MDM) service such as Microsoft Intune, which works with Azure Active Directory and Microsoft Azure Attestation to control access to applications and data through the cloud.
+
+## Next steps
+
+To learn more about the security features included in Windows 11, download the [Windows 11 Security Book: Powerful security from chip to cloud](https://aka.ms/Windows11SecurityBook).
diff --git a/windows/security/licensing-and-edition-requirements.md b/windows/security/licensing-and-edition-requirements.md
new file mode 100644
index 0000000000..6b192f2171
--- /dev/null
+++ b/windows/security/licensing-and-edition-requirements.md
@@ -0,0 +1,31 @@
+---
+title: Windows security features licensing and edition requirements
+description: Learn about Windows licensing and edition requirements for the features included in Windows.
+ms.collection:
+- tier2
+ms.topic: conceptual
+ms.date: 06/15/2023
+appliesto:
+- ✅ Windows 11
+ms.author: paoloma
+author: paolomatarazzo
+ms.prod: windows-client
+---
+
+# Windows security features licensing and edition requirements
+
+This article lists the security features that are available in Windows.
+
+Select one of the two tabs to learn about licensing requirements to use the security features, or to learn about the Windows edition requirements that support them:
+
+#### [:::image type="icon" source="images/icons/certificate.svg" border="false"::: **Licensing requirements**](#tab/licensing)
+
+[!INCLUDE [licensing-requirements](../../includes/licensing/_licensing-requirements.md)]
+
+#### [:::image type="icon" source="images/icons/windows-os.svg" border="false"::: **Edition requirements**](#tab/edition)
+
+[!INCLUDE [_edition-requirements](../../includes/licensing/_edition-requirements.md)]
+
+---
+
+For more information about Windows licensing, see [Windows Commercial Licensing overview](/windows/whats-new/windows-licensing).
diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
similarity index 98%
rename from windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
index c8a7446c07..cf39c89999 100644
--- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
@@ -1,16 +1,8 @@
---
-title: BCD settings and BitLocker (Windows 10)
+title: BCD settings and BitLocker
description: This article for IT professionals describes the BCD settings that are used by BitLocker.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# Boot Configuration Data settings and BitLocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md
similarity index 99%
rename from windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md
index 3518062515..52cc2816b8 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md
@@ -1,26 +1,12 @@
---
title: BitLocker basic deployment
description: This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# BitLocker basic deployment
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
This article for the IT professional explains how BitLocker features can be used to protect data through drive encryption.
## Using BitLocker to encrypt volumes
@@ -466,4 +452,4 @@ Disable-BitLocker -MountPoint E:,F:,G:
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker recovery guide](bitlocker-recovery-guide-plan.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
-- [BitLocker overview](bitlocker-overview.md)
+- [BitLocker overview](index.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md
similarity index 91%
rename from windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md
index bc4ad1b106..46118e83d3 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md
@@ -1,26 +1,12 @@
---
-title: BitLocker Countermeasures (Windows 10)
+title: BitLocker Countermeasures
description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Anti-malware (ELAM) to protect against attacks on the BitLocker encryption key.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# BitLocker Countermeasures
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
Windows uses technologies including trusted platform module (TPM), secure boot, and measured boot to help protect BitLocker encryption keys against attacks. BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology. Data on a lost or stolen computer is vulnerable. For example, there could be unauthorized access, either by running a software attack tool against the computer or by transferring the computer's hard disk to a different computer.
BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started. This mitigation is done by:
@@ -45,7 +31,7 @@ A trusted platform module (TPM) is a microchip designed to provide basic securit
Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system's bootloader.
-The UEFI specification defines a firmware execution authentication process called [Secure Boot](../secure-the-windows-10-boot-process.md). Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
+The UEFI specification defines a firmware execution authentication process called [Secure Boot](../../system-security/secure-the-windows-10-boot-process.md). Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key.
@@ -62,7 +48,7 @@ The next sections cover pre-boot authentication and DMA policies that can provid
### Pre-boot authentication
-Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. The Group Policy setting is [Require additional authentication at startup](./bitlocker-group-policy-settings.md) and the corresponding setting in the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication.
+Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. The Group Policy setting is [Require additional authentication at startup](bitlocker-group-policy-settings.md) and the corresponding setting in the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication.
BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed. If Windows can't access the encryption keys, the device can't read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key.
@@ -70,11 +56,11 @@ Pre-boot authentication is designed to prevent the encryption keys from being lo
On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways:
-- **TPM-only.** Using TPM-only validation doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor.
+- **TPM-only.** Using TPM-only validation doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor.
- **TPM with startup key.** In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume can't be accessed without the startup key.
-- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN.
+- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN.
- **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the correct PIN is also required.
@@ -86,11 +72,11 @@ Pre-boot authentication with a PIN can mitigate an attack vector for devices tha
On the other hand, Pre-boot authentication-prompts can be inconvenient to users. In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization's support team to obtain a recovery key. Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation.
-To address these issues, [BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md) can be deployed. Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server.
+To address these issues, [BitLocker Network Unlock](bitlocker-how-to-enable-network-unlock.md) can be deployed. Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server.
### Protecting Thunderbolt and other DMA ports
-There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.
+There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.
You can use the System Information desktop app `MSINFO32.exe` to check if a device has kernel DMA protection enabled:
@@ -106,13 +92,13 @@ If kernel DMA protection isn't enabled, follow these steps to protect Thunderbol
- MDM: [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy
- - Group Policy: [Disable new DMA devices when this computer is locked](./bitlocker-group-policy-settings.md#disable-new-dma-devices-when-this-computer-is-locked) (This setting isn't configured by default.)
+ - Group Policy: [Disable new DMA devices when this computer is locked](bitlocker-group-policy-settings.md#disable-new-dma-devices-when-this-computer-is-locked) (This setting isn't configured by default.)
For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the **Thunderbolt Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). For SBP-2 and 1394 (also known as Firewire), refer to the **SBP-2 Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
## Attack countermeasures
-This section covers countermeasures for specific types of attacks.
+This section covers countermeasures for specific types of attacks.
### Bootkits and rootkits
@@ -142,7 +128,7 @@ Enable secure boot and mandatorily prompt a password to change BIOS settings. Fo
### Tricking BitLocker to pass the key to a rogue operating system
An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don't recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5.
-
+
An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This will not succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0, and to successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key.
## Attacker countermeasures
@@ -180,7 +166,7 @@ Mitigation:
> [!IMPORTANT]
> These settings are **not configured** by default.
-For some systems, bypassing TPM-only may require opening the case, and may require soldering, but could possibly be done for a reasonable cost. Bypassing a TPM with a PIN protector would cost much more, and require brute forcing the PIN. With a sophisticated enhanced PIN, it could be nearly impossible. The Group Policy setting for [enhanced PIN](./bitlocker-group-policy-settings.md) is:
+For some systems, bypassing TPM-only may require opening the case, and may require soldering, but could possibly be done for a reasonable cost. Bypassing a TPM with a PIN protector would cost much more, and require brute forcing the PIN. With a sophisticated enhanced PIN, it could be nearly impossible. The Group Policy setting for [enhanced PIN](bitlocker-group-policy-settings.md) is:
- *Computer Configuration* > *Policies* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > **Allow enhanced PINs for startup**
@@ -192,6 +178,6 @@ For secure administrative workstations, Microsoft recommends a TPM with PIN prot
## Related articles
- [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d)
-- [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md)
+- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
- [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp)
- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md
new file mode 100644
index 0000000000..1654153fec
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md
@@ -0,0 +1,49 @@
+---
+title: BitLocker deployment comparison
+description: This article shows the BitLocker deployment comparison chart.
+ms.topic: conceptual
+ms.date: 11/08/2022
+---
+
+# BitLocker deployment comparison
+
+This article depicts the BitLocker deployment comparison chart.
+
+## BitLocker deployment comparison chart
+
+| Requirements | Microsoft Intune | Microsoft Configuration Manager | Microsoft BitLocker Administration and Monitoring (MBAM) |
+|--|--|--|--|
+| *Minimum client operating system version* | Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 10 IoT, and Windows 11 |
+| *Supported Windows SKUs* | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise |
+| *Minimum Windows version* | 1909 | None | None |
+| *Supported domain-joined status* | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory-joined, hybrid Azure AD joined | Active Directory-joined |
+| *Permissions required to manage policies* | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access |
+| *Cloud or on premises* | Cloud | On premises | On premises |
+| Server components required? | | ✅ | ✅ |
+| *Additional agent required?* | No (device enrollment only) | Configuration Manager client | MBAM client |
+| *Administrative plane* | Microsoft Intune admin center | Configuration Manager console | Group Policy Management Console and MBAM sites |
+| *Administrative portal installation required* | | ✅ | ✅ |
+| *Compliance reporting capabilities* | ✅ | ✅ | ✅ |
+| *Force encryption* | ✅ | ✅ | ✅ |
+| *Encryption for storage cards (mobile)* | ✅ | ✅ | |
+| *Allow recovery password* | ✅ | ✅ | ✅ |
+| *Manage startup authentication* | ✅ | ✅ | ✅ |
+| *Select cipher strength and algorithms for fixed drives* | ✅ | ✅ | ✅ |
+| *Select cipher strength and algorithms for removable drives* | ✅ | ✅ | ✅ |
+| *Select cipher strength and algorithms for operating environment drives* | ✅ | ✅ | ✅ |
+| *Standard recovery password storage location* | Azure AD or Active Directory | Configuration Manager site database | MBAM database |
+| *Store recovery password for operating system and fixed drives to Azure AD or Active Directory* | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) |
+| *Customize preboot message and recovery link* | ✅ | ✅ | ✅ |
+| *Allow/deny key file creation* | ✅ | ✅ | ✅ |
+| *Deny Write permission to unprotected drives* | ✅ | ✅ | ✅ |
+| *Can be administered outside company network* | ✅ | ✅ | |
+| *Support for organization unique IDs* | | ✅ | ✅ |
+| *Self-service recovery* | Yes (through Azure AD or Company Portal app) | ✅ | ✅ |
+| *Recovery password rotation for fixed and operating environment drives* | Yes (Windows 10, version 1909 and later) | ✅ | ✅ |
+| *Wait to complete encryption until recovery information is backed up to Azure AD* | ✅ | | |
+| *Wait to complete encryption until recovery information is backed up to Active Directory* | | ✅ | ✅ |
+| *Allow or deny Data Recovery Agent* | ✅ | ✅ | ✅ |
+| *Unlock a volume using certificate with custom object identifier* | | ✅ | ✅ |
+| *Prevent memory overwrite on restart* | | ✅ | ✅ |
+| *Configure custom Trusted Platform Module Platform Configuration Register profiles* | | | ✅ |
+| *Manage auto-unlock functionality* | | ✅ | ✅ |
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
similarity index 97%
rename from windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index c0f495b8a6..d93426076e 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -1,29 +1,16 @@
---
title: Overview of BitLocker Device Encryption in Windows
description: This article provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows.
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
-# Overview of BitLocker Device Encryption in Windows
+# Overview of BitLocker device encryption
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
-This article explains how BitLocker Device Encryption can help protect data on devices running Windows. See [BitLocker](bitlocker-overview.md) for a general overview and list of articles.
+This article explains how BitLocker Device Encryption can help protect data on devices running Windows. See [BitLocker](index.md) for a general overview and list of articles.
When users travel, their organization's confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies.
@@ -31,7 +18,6 @@ When users travel, their organization's confidential data goes with them. Wherev
The below table lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7.
-
| Windows 7 | Windows 11 and Windows 10 |
|---|---|
| When BitLocker is used with a PIN to protect startup, PCs such as kiosks can't be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.
Network Unlock allows PCs to start automatically when connected to the internal network. |
@@ -126,7 +112,7 @@ Requiring a PIN at startup is a useful security feature because it acts as a sec
Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices don't require a PIN for startup: They're designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
-For more information about how startup security works and the countermeasures that Windows 11 and Windows 10 provide, see [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md).
+For more information about how startup security works and the countermeasures that Windows 11 and Windows 10 provide, see [Protect BitLocker from pre-boot attacks](bitlocker-countermeasures.md).
## Configure Network Unlock
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md
similarity index 99%
rename from windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md
index a70f0199da..5f0f058507 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -1,35 +1,21 @@
---
-title: BitLocker Group Policy settings (Windows 10)
+title: BitLocker Group Policy settings
description: This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.collection:
- highpri
- tier1
-ms.topic: conceptual
+ms.topic: reference
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# BitLocker group policy settings
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
Group Policy administrative templates or local computer policy settings can be used to control what BitLocker drive encryption tasks and configurations can be performed by users, for example through the **BitLocker Drive Encryption** control panel. Which of these policies are configured and how they're configured depends on how BitLocker is implemented and what level of interaction is desired for end users.
> [!NOTE]
-> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md).
+> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [TPM Group Policy settings](../../../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md).
BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**.
@@ -233,7 +219,7 @@ This policy setting is applied when BitLocker is turned on. The startup PIN must
Originally, BitLocker allowed a length from 4 to 20 characters for a PIN. Windows Hello has its own PIN for sign-in, length of which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
-The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../tpm/trusted-platform-module-services-group-policy-settings.md)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
+The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../../../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This number of attempts totals to a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years.
@@ -452,7 +438,7 @@ When set to **Do not allow complexity**, no password complexity validation is do
> [!NOTE]
> Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** specifies whether FIPS compliance is enabled.
-For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
+For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](../../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
### Validate smart card certificate usage rule compliance
@@ -1306,7 +1292,7 @@ The optional recovery key can be saved to a USB drive. Because recovery password
The FIPS setting can be edited by using the Security Policy Editor (`Secpol.msc`) or by editing the Windows registry. Only administrators can perform these procedures.
-For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
+For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](../../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
## Power management group policy settings: Sleep and Hibernate
@@ -1337,6 +1323,6 @@ PCR 7 measurements are a mandatory logo requirement for systems that support Mod
- [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
- [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings)
-- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
-- [BitLocker overview](bitlocker-overview.md)
+- [BitLocker frequently asked questions (FAQ)](faq.yml)
+- [BitLocker overview](index.md)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
similarity index 64%
rename from windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
index 9d743637c9..1c64084bcd 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
@@ -1,57 +1,32 @@
---
-title: BitLocker How to deploy on Windows Server 2012 and later
-description: This article for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
+title: BitLocker How to deploy on Windows Server
+description: This article for the IT professional explains how to deploy BitLocker and Windows Server
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
-# BitLocker: How to deploy on Windows Server 2012 and later
+# BitLocker: How to deploy on Windows Server
-**Applies to:**
-
-- Windows Server 2012
-- Windows Server 2012 R2
-- Windows Server 2016 and above
-
-This article explains how to deploy BitLocker on Windows Server 2012 and later versions. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server on which it's to be installed.
+This article explains how to deploy BitLocker on Windows Server. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server on which it's to be installed.
## Installing BitLocker
### To install BitLocker using server manager
-1. Open server manager by selecting the server manager icon or running servermanager.exe.
-
-2. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.**
-
-3. With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown).
-
-4. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue.
-
-5. Select the **Select a server from the server pool** option in the **Server Selection** pane and confirm the server on which the BitLocker feature is to be installed.
-
-6. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane.
-
+1. Open server manager by selecting the server manager icon or running `servermanager.exe`.
+1. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.**
+1. With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown).
+1. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue.
+1. Select the **Select a server from the server pool** option in the **Server Selection** pane and confirm the server on which the BitLocker feature is to be installed.
+1. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane.
> [!NOTE]
> Server roles and features are installed by using the same wizard in Server Manager.
-
-7. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If the extra management features are not needed and/or don't need to be installed, deselect the **Include management tools**.
-
+1. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If the extra management features aren't needed and/or don't need to be installed, deselect the **Include management tools**.
> [!NOTE]
> The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for encrypted hard drives on capable systems.
-
-8. Select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard.
-
-9. Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete.
-
-10. If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.
+1. Select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard.
+1. Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete.
+1. If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.
### To install BitLocker using Windows PowerShell
@@ -64,7 +39,7 @@ Windows PowerShell offers administrators another option for BitLocker feature in
The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`.
-By default, installation of features in Windows PowerShell doesn't include optional sub-features or management tools as part of the installation process. What is installed as part of the installation process can be seen using the `-WhatIf` option in Windows PowerShell.
+By default, installation of features in Windows PowerShell doesn't include optional subfeatures or management tools as part of the installation process. What is installed as part of the installation process can be seen using the `-WhatIf` option in Windows PowerShell.
```powershell
Install-WindowsFeature BitLocker -WhatIf
@@ -72,7 +47,7 @@ Install-WindowsFeature BitLocker -WhatIf
The results of this command show that only the BitLocker Drive Encryption feature is installed using this command.
-To see what would be installed with the BitLocker feature, including all available management tools and sub-features, use the following command:
+To see what would be installed with the BitLocker feature, including all available management tools and subfeatures, use the following command:
```powershell
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl
@@ -88,7 +63,7 @@ The result of this command displays the following list of all the administration
- AD DS Tools
- AD DS and AD LDS Tools
-The command to complete a full installation of the BitLocker feature with all available sub-features and then to reboot the server at completion is:
+The command to complete a full installation of the BitLocker feature with all available subfeatures and then to reboot the server at completion is:
```powershell
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
@@ -99,13 +74,13 @@ Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -
### Using the dism module to install BitLocker
-The `dism.exe` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism.exe` module doesn't support wildcards when searching for feature names. To list feature names for the `dism.exe` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system.
+The `dism.exe` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism.exe` module doesn't support wildcards when searching for feature names. To list feature names for the `dism.exe` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command lists all of the optional features in an online (running) operating system.
```powershell
Get-WindowsOptionalFeature -Online | ft
```
-From this output, it can be seen that there are three BitLocker-related optional feature names: **BitLocker**, **BitLocker-Utilities** and **BitLocker-NetworkUnlock**. To install the BitLocker feature, the **BitLocker** and **BitLocker-Utilities** features are the only required items.
+From this output, there are three BitLocker-related optional feature names: **BitLocker**, **BitLocker-Utilities** and **BitLocker-NetworkUnlock**. To install the BitLocker feature, the **BitLocker** and **BitLocker-Utilities** features are the only required items.
To install BitLocker using the `dism.exe` module, use the following command:
@@ -121,7 +96,7 @@ Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilitie
## Related articles
-- [BitLocker overview](bitlocker-overview.md)
-- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
+- [BitLocker overview](index.md)
+- [BitLocker frequently asked questions (FAQ)](faq.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
similarity index 98%
rename from windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index 37a5af8983..11f7b07e86 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -1,26 +1,12 @@
---
-title: BitLocker - How to enable Network Unlock (Windows 10)
+title: BitLocker - How to enable Network Unlock
description: This article for the IT professional describes how BitLocker Network Unlock works and how to configure it.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# BitLocker: How to enable Network Unlock
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
This article describes how BitLocker Network Unlock works and how to configure it.
Network Unlock is a BitLocker protector option for operating system volumes. Network Unlock enables easier management for BitLocker-enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). Requiring a PIN after a reboot can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers.
@@ -462,6 +448,6 @@ Follow these steps to configure Network Unlock on these older systems.
## Related articles
-- [BitLocker overview](bitlocker-overview.md)
-- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
+- [BitLocker overview](index.md)
+- [BitLocker frequently asked questions (FAQ)](faq.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md
similarity index 85%
rename from windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md
index 93dc998a8a..c88b6cde1e 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -1,26 +1,21 @@
---
-title: BitLocker Management Recommendations for Enterprises (Windows 10)
-description: Refer to relevant documentation, products, and services to learn about managing BitLocker for enterprises and see recommendations for different computers.
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
+title: BitLocker management
+description: Refer to relevant documentation, products, and services to learn about managing BitLocker and see recommendations for different computers.
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
-# BitLocker management for enterprises
+# BitLocker management
The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on help desks and a decrease in support-call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1.
-Though much Windows [BitLocker documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers.
+Though much Windows [BitLocker documentation](index.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers.
+
+[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-management.md)]
## Managing domain-joined computers and moving to cloud
-Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). These steps during an operating system deployment can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](./bitlocker-group-policy-settings.md).
+Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). These steps during an operating system deployment can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](bitlocker-group-policy-settings.md).
Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](/lifecycle/products/?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201%2F) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD).
@@ -35,11 +30,6 @@ Starting with Windows 10 version 1703, the enablement of BitLocker can be trigge
For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well.
-> [!NOTE]
-> To manage Bitlocker via CSP (Configuration Service Provider), except to enable and disable it, regardless of your management platform, one of the following licenses must be assigned to your users:
-> - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, and E5).
-> - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 and A5).
-
## Managing workplace-joined PCs and phones
For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD.
@@ -99,10 +89,10 @@ Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pi
## Related Articles
-- [BitLocker: FAQs](bitlocker-frequently-asked-questions.yml)
+- [BitLocker: FAQs](faq.yml)
- [Microsoft BitLocker Administration and Management (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/)
- [Overview of BitLocker Device Encryption in Windows](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption)
-- [BitLocker Group Policy Reference](./bitlocker-group-policy-settings.md)
+- [BitLocker Group Policy Reference](bitlocker-group-policy-settings.md)
- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune/)
*(Overview)*
- [Configuration Settings Providers](/windows/client-management/mdm/policy-configuration-service-provider)
@@ -114,11 +104,10 @@ Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pi
- [Windows Server Installation Options](/windows-server/get-started-19/install-upgrade-migrate-19/)
- [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features)
- [How to add or remove optional components on Server Core](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) *(Features on Demand)*
-- [BitLocker: How to deploy on Windows Server 2012 and newer](bitlocker-how-to-deploy-on-windows-server.md)
-- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
+- [How to deploy BitLocker on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)
+- [How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
- [Shielded VMs and Guarded Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/)
### PowerShell
- [BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell)
-- [Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs/)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md
similarity index 98%
rename from windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md
index 39eb80e0aa..c934ae7570 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -1,29 +1,15 @@
---
title: BitLocker recovery guide
description: This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS).
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-ms.reviewer: rafals
-manager: aaroncz
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
---
# BitLocker recovery guide
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
This article describes how to recover BitLocker keys from AD DS.
Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while planning for BitLocker deployment.
@@ -345,17 +331,17 @@ It can also be configured using mobile device management (MDM), including in Int
**`
-
## Version Matrix
-**Client Versions**
+**Client Versions**:
| Name | Build | Baseline Release Date | Security Tools |
-| ---- | ----- | --------------------- | -------------- |
-| Windows 11 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/ba-p/3632520)
| September 2022
|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Windows 10 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-10-version-22h2-security-baseline/ba-p/3655724)
[21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703)
[20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393)
[1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082)
[1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)
[1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2022
December 2021
December 2020
October 2018
October 2016
January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+|--|--|--|--|
+| Windows 11 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/ba-p/3632520)
| September 2022
| [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Windows 10 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-10-version-22h2-security-baseline/ba-p/3655724)
[21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703)
[20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393)
[1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082)
[1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)
[1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update) | October 2022
December 2021
December 2020
October 2018
October 2016
January 2016 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-
+**Server Versions**:
-**Server Versions**
+| Name | Build | Baseline Release Date | Security Tools |
+|------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|---------------------------------------------------------------------|
+| Windows Server 2022 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685) | September 2021 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Windows Server 2019 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) | November 2018 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | October 2016 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Windows Server 2012 R2 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Name | Build | Baseline Release Date | Security Tools |
-|---|---|---|---|
-|Windows Server 2022 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685) |September 2021 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-|Windows Server 2019 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) |November 2018 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-|Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-|Windows Server 2012 R2|[SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|
+**Microsoft Products**:
-
+| Name | Details | Security Tools |
+|-------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------|
+| Microsoft 365 Apps for enterprise, version 2206 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2206/ba-p/3502714) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Microsoft Edge, version 107 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v98/ba-p/3165443) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-**Microsoft Products**
-
-
-| Name | Details | Security Tools |
-|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
-| Microsoft 365 Apps for enterprise, version 2206 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2206/ba-p/3502714) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Microsoft Edge, version 107 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v98/ba-p/3165443) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-
-
-
-## See also
+## Related articles
[Windows security baselines](windows-security-baselines.md)
diff --git a/windows/security/threat-protection/images/powershell-example.png b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/images/powershell-example.png
similarity index 100%
rename from windows/security/threat-protection/images/powershell-example.png
rename to windows/security/operating-system-security/device-management/windows-security-configuration-framework/images/powershell-example.png
diff --git a/windows/security/threat-protection/images/vbs-example.png b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/images/vbs-example.png
similarity index 100%
rename from windows/security/threat-protection/images/vbs-example.png
rename to windows/security/operating-system-security/device-management/windows-security-configuration-framework/images/vbs-example.png
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md
similarity index 87%
rename from windows/security/threat-protection/mbsa-removal-and-guidance.md
rename to windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md
index ca5ddc47aa..8faa272dca 100644
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md
@@ -1,44 +1,39 @@
---
title: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions.
-ms.prod: windows-client
ms.localizationpriority: medium
-ms.author: paoloma
-author: paolomatarazzo
-manager: aaroncz
-ms.technology: itpro-security
-ms.date: 03/29/2023
+ms.date: 07/11/2023
ms.topic: article
---
-
+
# What is Microsoft Baseline Security Analyzer and its uses?
-
-Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these extra checks hadn't been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive.
-
+
+Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these extra checks hadn't been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive.
+
MBSA was largely used in situations where Microsoft Update a local WSUS or Configuration Manager server wasn't available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 isn't updated to fully support Windows 10 and Windows Server 2016.
> [!NOTE]
-> In accordance with our [SHA-1 deprecation initiative](https://aka.ms/sha1deprecation), the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file.
+> In accordance with our [SHA-1 deprecation initiative](https://aka.ms/sha1deprecation), the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file.
## Solution
A script can help you with an alternative to MBSA's patch-compliance checking:
-- [Using WUA to Scan for Updates Offline](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script.
+- [Using WUA to Scan for Updates Offline](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script.
For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0).
For example:
-[](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline)
-[](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0)
-
+[](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline)
+[](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0)
+
The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it doesn't contain any information on non-security updates, tools or drivers.
-## More information
+## More information
For security compliance and for desktop/server hardening, we recommend the Microsoft Security Baselines and the Security Compliance Toolkit.
-- [Windows security baselines](windows-security-baselines.md)
-- [Download Microsoft Security Compliance Toolkit 1.0](https://www.microsoft.com/download/details.aspx?id=55319)
+- [Windows security baselines](windows-security-baselines.md)
+- [Download Microsoft Security Compliance Toolkit 1.0](https://www.microsoft.com/download/details.aspx?id=55319)
- [Microsoft Security Guidance blog](/archive/blogs/secguide/)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
similarity index 54%
rename from windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
rename to windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
index bac325bbe0..b145f9c722 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -1,94 +1,79 @@
---
-title: Microsoft Security Compliance Toolkit 1.0 Guide
-description: This article describes how to use Security Compliance Toolkit 1.0 in your organization
-ms.prod: windows-client
+title: Microsoft Security Compliance Toolkit Guide
+description: This article describes how to use Security Compliance Toolkit in your organization
ms.localizationpriority: medium
-ms.author: vinpa
-author: vinaypamnani-msft
-manager: aaroncz
-ms.collection:
+ms.collection:
- highpri
- tier3
ms.topic: conceptual
-ms.date: 02/14/2022
-ms.reviewer: rmunck
-ms.technology: itpro-security
+ms.date: 07/11/2023
---
-# Microsoft Security Compliance Toolkit 1.0 - How to use
+# Microsoft Security Compliance Toolkit - How to use
## What is the Security Compliance Toolkit (SCT)?
The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products.
The SCT enables administrators to effectively manage their enterprise's Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy.
-
The Security Compliance Toolkit consists of:
-- Windows 11 security baseline
- - Windows 11, version 22H2
- - Windows 11, version 21H2
-- Windows 10 security baselines
- - Windows 10, version 22H2
- - Windows 10, version 21H2
- - Windows 10, version 20H2
- - Windows 10, version 1809
- - Windows 10, version 1607
- - Windows 10, version 1507
-
-- Windows Server security baselines
- - Windows Server 2022
- - Windows Server 2019
- - Windows Server 2016
- - Windows Server 2012 R2
-
-- Microsoft Office security baseline
- - Office 2016
- - Microsoft 365 Apps for Enterprise Version 2206
-
-- Microsoft Edge security baseline
- - Edge version 107
-
-- Tools
- - Policy Analyzer
- - Local Group Policy Object (LGPO)
- - Set Object Security
- - GPO to Policy Rules
-
+- Windows 11 security baseline
+ - Windows 11, version 22H2
+ - Windows 11, version 21H2
+- Windows 10 security baselines
+ - Windows 10, version 22H2
+ - Windows 10, version 21H2
+ - Windows 10, version 20H2
+ - Windows 10, version 1809
+ - Windows 10, version 1607
+ - Windows 10, version 1507
+- Windows Server security baselines
+ - Windows Server 2022
+ - Windows Server 2019
+ - Windows Server 2016
+ - Windows Server 2012 R2
+- Microsoft Office security baseline
+ - Office 2016
+ - Microsoft 365 Apps for Enterprise Version 2206
+- Microsoft Edge security baseline
+ - Edge version 114
+- Tools
+ - Policy Analyzer
+ - Local Group Policy Object (LGPO)
+ - Set Object Security
+ - GPO to Policy Rules
You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more information about security baseline recommendations, see the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines).
## What is the Policy Analyzer tool?
The Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). Its main features include:
-- Highlight when a set of Group Policies has redundant settings or internal inconsistencies
-- Highlight the differences between versions or sets of Group Policies
-- Compare GPOs against current local policy and local registry settings
-- Export results to a Microsoft Excel spreadsheet
-Policy Analyzer lets you treat a set of GPOs as a single unit. This treatment makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.
+- Highlight when a set of Group Policies has redundant settings or internal inconsistencies
+- Highlight the differences between versions or sets of Group Policies
+- Compare GPOs against current local policy and local registry settings
+- Export results to a Microsoft Excel spreadsheet
+
+Policy Analyzer lets you treat a set of GPOs as a single unit. This treatment makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.
More information on the Policy Analyzer tool can be found on the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
## What is the Local Group Policy Object (LGPO) tool?
-LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy.
-Using local policy gives administrators a simple way to verify the effects of Group Policy settings, and is also useful for managing non-domain-joined systems.
-LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, and from formatted "LGPO text" files.
-It can export local policy to a GPO backup.
-It can export the contents of a Registry Policy file to the "LGPO text" format that can then be edited, and can build a Registry Policy file from an LGPO text file.
+`LGPO.exe` is a command-line utility that is designed to help automate management of Local Group Policy. Using local policy gives administrators a simple way to verify the effects of Group Policy settings, and is also useful for managing non-domain-joined systems. `LGPO.exe` can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, and from formatted "LGPO text" files. It can export local policy to a GPO backup. It can export the contents of a Registry Policy file to the "LGPO text" format that can then be edited, and can build a Registry Policy file from an LGPO text file.
Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
## What is the Set Object Security tool?
-SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object, such as files, directories, registry keys, event logs, services, and SMB shares. For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg-file-compatible representation of the security descriptor for a REG_BINARY registry value.
+`SetObjectSecurity.exe` enables you to set the security descriptor for just about any type of Windows securable object, such as files, directories, registry keys, event logs, services, and SMB shares. For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg file compatible representation of the security descriptor for a REG_BINARY registry value.
Documentation for the Set Object Security tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
## What is the GPO to Policy Rules tool?
-Automate the conversion of GPO backups to Policy Analyzer .PolicyRules files and skip the GUI. GPO2PolicyRules is a command-line tool that is included with the Policy Analyzer download.
+Automate the conversion of GPO backups to Policy Analyzer .PolicyRules files and skip the GUI. GPO2PolicyRules is a command-line tool that is included with the Policy Analyzer download.
Documentation for the GPO to PolicyRules tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md
similarity index 94%
rename from windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
rename to windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md
index 238193ef00..63b6cae99b 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md
@@ -1,18 +1,12 @@
---
title: Security baselines guide
description: Learn how to use security baselines in your organization.
-ms.prod: windows-client
ms.localizationpriority: medium
-ms.author: vinpa
-author: vinaypamnani-msft
-manager: aaroncz
-ms.collection:
+ms.collection:
- highpri
- tier3
ms.topic: conceptual
-ms.date: 01/26/2022
-ms.reviewer: jmunck
-ms.technology: itpro-security
+ms.date: 07/11/2023
---
# Security baselines
@@ -41,6 +35,8 @@ For example, there are over 3,000 group policy settings for Windows 10, which do
In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to security settings to help mitigate these threats. To enable faster deployments and make managing Microsoft products easier, Microsoft provides customers with security baselines that are available in consumable formats, such as group policy object backups.
+[!INCLUDE [security-baselines](../../../../../includes/licensing/security-baselines.md)]
+
## Baseline principles
Our recommendations follow a streamlined and efficient approach to baseline definitions. The foundation of that approach is essentially:
@@ -68,12 +64,7 @@ There are several ways to get and use security baselines:
3. MDM security baselines can easily be configured in Microsoft Intune on devices that run Windows 10 and Windows 11. For more information, see [List of the settings in the Windows 10/11 MDM security baseline in Intune](/mem/intune/protect/security-baseline-settings-mdm-all).
-## Community
-
-[](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines)
-
-
-## See also
+## Related articles
- [Microsoft Security Baselines Blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines)
- [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319)
diff --git a/windows/security/operating-system-security/index.md b/windows/security/operating-system-security/index.md
new file mode 100644
index 0000000000..7787d87aa3
--- /dev/null
+++ b/windows/security/operating-system-security/index.md
@@ -0,0 +1,16 @@
+---
+title: Windows operating system security
+description: Securing the operating system includes system security, encryption, network security, and threat protection.
+ms.date: 09/21/2021
+ms.topic: article
+---
+
+# Windows operating system security
+
+Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats.
+
+Watch the latest [Microsoft Mechanics Windows 11 security](https://youtu.be/tg9QUrnVFho) video that shows off some of the latest Windows 11 security technology.
+
+Use the links in the following sections to learn more about the operating system security features and capabilities in Windows.
+
+[!INCLUDE [operating-system-security](../includes/sections/operating-system.md)]
diff --git a/windows/security/operating-system-security/network-security/toc.yml b/windows/security/operating-system-security/network-security/toc.yml
new file mode 100644
index 0000000000..f8ef3f19b2
--- /dev/null
+++ b/windows/security/operating-system-security/network-security/toc.yml
@@ -0,0 +1,19 @@
+items:
+ - name: Transport layer security (TLS) 🔗
+ href: /windows-server/security/tls/tls-ssl-schannel-ssp-overview
+ - name: Wi-Fi Security
+ href: https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09
+ - name: Extensible Authentication Protocol (EAP) for network access
+ href: /windows-server/networking/technologies/extensible-authentication-protocol/network-access
+ - name: Windows Firewall 🔗
+ href: windows-firewall/windows-firewall-with-advanced-security.md
+ - name: Virtual Private Network (VPN)
+ href: vpn/toc.yml
+ - name: Always On VPN 🔗
+ href: /windows-server/remote/remote-access/vpn/always-on-vpn/
+ - name: Direct Access 🔗
+ href: /windows-server/remote/remote-access/directaccess/directaccess
+ - name: Server Message Block (SMB) file service 🔗
+ href: /windows-server/storage/file-server/file-server-smb-overview
+ - name: Server Message Block Direct (SMB Direct) 🔗
+ href: /windows-server/storage/file-server/smb-direct
diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
similarity index 100%
rename from windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
rename to windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
similarity index 100%
rename from windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
rename to windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
diff --git a/windows/security/operating-system-security/network-security/vpn/images/vpn-app-trigger.PNG b/windows/security/operating-system-security/network-security/vpn/images/vpn-app-trigger.PNG
new file mode 100644
index 0000000000..16a6bcbbfc
Binary files /dev/null and b/windows/security/operating-system-security/network-security/vpn/images/vpn-app-trigger.PNG differ
diff --git a/windows/security/operating-system-security/network-security/vpn/images/vpn-connection-intune.png b/windows/security/operating-system-security/network-security/vpn/images/vpn-connection-intune.png
new file mode 100644
index 0000000000..f3ab76439d
Binary files /dev/null and b/windows/security/operating-system-security/network-security/vpn/images/vpn-connection-intune.png differ
diff --git a/windows/security/identity-protection/vpn/images/vpn-connection.png b/windows/security/operating-system-security/network-security/vpn/images/vpn-connection.png
similarity index 100%
rename from windows/security/identity-protection/vpn/images/vpn-connection.png
rename to windows/security/operating-system-security/network-security/vpn/images/vpn-connection.png
diff --git a/windows/security/identity-protection/vpn/images/vpn-custom-xml-intune.png b/windows/security/operating-system-security/network-security/vpn/images/vpn-custom-xml-intune.png
similarity index 100%
rename from windows/security/identity-protection/vpn/images/vpn-custom-xml-intune.png
rename to windows/security/operating-system-security/network-security/vpn/images/vpn-custom-xml-intune.png
diff --git a/windows/security/identity-protection/vpn/images/vpn-device-compliance.png b/windows/security/operating-system-security/network-security/vpn/images/vpn-device-compliance.png
similarity index 100%
rename from windows/security/identity-protection/vpn/images/vpn-device-compliance.png
rename to windows/security/operating-system-security/network-security/vpn/images/vpn-device-compliance.png
diff --git a/windows/security/operating-system-security/network-security/vpn/images/vpn-eap-xml.png b/windows/security/operating-system-security/network-security/vpn/images/vpn-eap-xml.png
new file mode 100644
index 0000000000..fd277c80a8
Binary files /dev/null and b/windows/security/operating-system-security/network-security/vpn/images/vpn-eap-xml.png differ
diff --git a/windows/security/operating-system-security/network-security/vpn/images/vpn-name-intune.png b/windows/security/operating-system-security/network-security/vpn/images/vpn-name-intune.png
new file mode 100644
index 0000000000..df0922e2b6
Binary files /dev/null and b/windows/security/operating-system-security/network-security/vpn/images/vpn-name-intune.png differ
diff --git a/windows/security/operating-system-security/network-security/vpn/images/vpn-split.png b/windows/security/operating-system-security/network-security/vpn/images/vpn-split.png
new file mode 100644
index 0000000000..882757f1b4
Binary files /dev/null and b/windows/security/operating-system-security/network-security/vpn/images/vpn-split.png differ
diff --git a/windows/security/operating-system-security/network-security/vpn/images/vpn-traffic-rules.png b/windows/security/operating-system-security/network-security/vpn/images/vpn-traffic-rules.png
new file mode 100644
index 0000000000..a1cbcd3226
Binary files /dev/null and b/windows/security/operating-system-security/network-security/vpn/images/vpn-traffic-rules.png differ
diff --git a/windows/security/operating-system-security/network-security/vpn/toc.yml b/windows/security/operating-system-security/network-security/vpn/toc.yml
new file mode 100644
index 0000000000..d160764ee0
--- /dev/null
+++ b/windows/security/operating-system-security/network-security/vpn/toc.yml
@@ -0,0 +1,25 @@
+items:
+ - name: Overview
+ href: vpn-guide.md
+ - name: VPN connection types
+ href: vpn-connection-type.md
+ - name: VPN routing decisions
+ href: vpn-routing.md
+ - name: VPN authentication options
+ href: vpn-authentication.md
+ - name: VPN and conditional access
+ href: vpn-conditional-access.md
+ - name: VPN name resolution
+ href: vpn-name-resolution.md
+ - name: VPN auto-triggered profile options
+ href: vpn-auto-trigger-profile.md
+ - name: VPN security features
+ href: vpn-security-features.md
+ - name: VPN profile options
+ href: vpn-profile-options.md
+ - name: How to configure Diffie Hellman protocol over IKEv2 VPN connections
+ href: how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+ - name: How to use single sign-on (SSO) over VPN and Wi-Fi connections
+ href: how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+ - name: Optimizing Office 365 traffic with the Windows VPN client
+ href: vpn-office-365-optimization.md
\ No newline at end of file
diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
similarity index 86%
rename from windows/security/identity-protection/vpn/vpn-authentication.md
rename to windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
index c74740f325..5b8c8be320 100644
--- a/windows/security/identity-protection/vpn/vpn-authentication.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
@@ -1,7 +1,7 @@
---
-title: VPN authentication options (Windows 10 and Windows 11)
+title: VPN authentication options
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
-ms.date: 09/23/2021
+ms.date: 06/20/2023
ms.topic: conceptual
---
@@ -9,7 +9,7 @@ ms.topic: conceptual
In addition to older and less-secure password-based authentication methods (which should be avoided), the built-in VPN solution uses Extensible Authentication Protocol (EAP) to provide secure authentication using both user name and password, and certificate-based methods. You can only configure EAP-based authentication if you select a built-in VPN type (IKEv2, L2TP, PPTP or Automatic).
-Windows supports a number of EAP authentication methods.
+Windows supports a number of EAP authentication methods.
- EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2):
- User name and password authentication
@@ -43,7 +43,7 @@ Windows supports a number of EAP authentication methods.
- Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials.
- - [Cryptobinding](/openspecs/windows_protocols/ms-peap/757a16c7-0826-4ba9-bb71-8c3f1339e937): By deriving and exchanging values from the PEAP phase 1 key material (**Tunnel Key**) and from the PEAP phase 2 inner EAP method key material (**Inner Session Key**), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.
+ - [Cryptobinding](/openspecs/windows_protocols/ms-peap/757a16c7-0826-4ba9-bb71-8c3f1339e937): By deriving and exchanging values from the PEAP phase 1 key material (**Tunnel Key**) and from the PEAP phase 2 inner EAP method key material (**Inner Session Key**), it's possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.
- Tunneled Transport Layer Security (TTLS)
- Inner method
@@ -71,14 +71,14 @@ For a UWP VPN plug-in, the app vendor controls the authentication method to be u
## Configure authentication
-See [EAP configuration](/windows/client-management/mdm/eap-configuration) for EAP XML configuration.
+See [EAP configuration](/windows/client-management/mdm/eap-configuration) for EAP XML configuration.
>[!NOTE]
->To configure Windows Hello for Business authentication, follow the steps in [EAP configuration](/windows/client-management/mdm/eap-configuration) to create a smart card certificate. [Learn more about Windows Hello for Business.](../hello-for-business/hello-identity-verification.md)
+>To configure Windows Hello for Business authentication, follow the steps in [EAP configuration](/windows/client-management/mdm/eap-configuration) to create a smart card certificate. [Learn more about Windows Hello for Business.](../../../identity-protection/hello-for-business/hello-identity-verification.md).
The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP).
-:::image type="content" source="images/vpn-eap-xml.png" alt-text="EAP XML configuration in Intune profile.":::
+:::image type="content" source="images/vpn-eap-xml.png" alt-text="Screenshot showing EAP XML configuration in Intune profile.":::
## Related topics
@@ -90,3 +90,4 @@ The following image shows the field for EAP XML in a Microsoft Intune VPN profil
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)
+- [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
new file mode 100644
index 0000000000..9af27f73a3
--- /dev/null
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
@@ -0,0 +1,90 @@
+---
+title: VPN auto-triggered profile options
+description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections.
+ms.date: 05/24/2023
+ms.topic: conceptual
+---
+
+# VPN auto-triggered profile options
+
+Windows can use different features to auto-trigger VPN, avoiding users to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules:
+
+- Application trigger
+- Name-based trigger
+- Always On
+
+> [!NOTE]
+> Auto-triggered VPN connections won't work if **Folder Redirection** for **AppData** is enabled. Either Folder Redirection for AppData must be disabled, or the auto-triggered VPN profile must be deployed in SYSTEM context, which changes the path to where the *rasphone.pbk* file is stored.
+
+## Application trigger
+
+VPN profiles can be configured to automatically connect on the execution of certain applications:
+
+- You can configure desktop or Universal Windows Platform (UWP) apps to trigger a VPN connection
+- You can configure per-app VPN and specify traffic rules for each app
+
+> [!NOTE]
+> The app identifier for a desktop app is a file path. The app identifier for a UWP app is a package family name.
+>
+> [Find a package family name (PFN) for per-app VPN configuration](/mem/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn)
+
+For more information, see [Traffic filters](vpn-security-features.md#traffic-filters).
+
+## Name-based trigger
+
+You can configure a domain name-based rule so that a specific domain name triggers the VPN connection.\
+Name-based auto-trigger can be configured using the `VPNv2/**Note:** Device Guard can be enabled without using virtualization-based security.|
-|X64 processor|Required to support virtualization-based security that uses Windows Hypervisor. Hyper-V is supported only on x64 processor (and not on x86).
-
-| Security Measures | Features & Capabilities |
-|:---|:---|
-| Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows system boots up safely and securely.
Learn more [Secure Boot and Trusted Boot](trusted-boot.md). |
-Cryptography and certificate management|Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure.
Learn more about [Cryptography and certificate management](cryptography-certificate-mgmt.md).
|
-Windows Security app | The Windows built-in security application found in settings provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you’re protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.
Learn more about the [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md).|
-| Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers.
Learn more about [Encryption](encryption-data-protection.md).
-| BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later.
Learn more about [BitLocker](information-protection/bitlocker/bitlocker-overview.md). |
-| Encrypted Hard Drive | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).
|
-| Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
Security baselines are included in the [Security Compliance Toolkit](threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.
Learn more about [security baselines](threat-protection/windows-security-configuration-framework/windows-security-baselines.md). |
-| Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.
Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md).
|
-| Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.
Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).
-| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.
From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (applications that can negatively impact your device even though they are not considered malware).
Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus), which helps ensure near-instant detection and blocking of new and emerging threats.
Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).|
-| Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server to prevent and block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure your attack surface reduction rules to protect against these risky behaviors.
Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) |
-| Anti-tampering protection | During cyber attacks (like ransomware attempts), bad actors attempt to disable security features, such as antivirus protection on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.
With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates
Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). |
-| Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an extra layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.
In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/), which provides detailed reporting into protection events as part of larger investigation scenarios.
Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). |
-| Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware.
Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). |
-| Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.
You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.
Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). |
-| Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.
Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) and [Microsoft 365 Defender](/microsoft-365/security/defender/). |
-
diff --git a/windows/security/security-foundations/certification/toc.yml b/windows/security/security-foundations/certification/toc.yml
new file mode 100644
index 0000000000..70d9d800b8
--- /dev/null
+++ b/windows/security/security-foundations/certification/toc.yml
@@ -0,0 +1,5 @@
+items:
+- name: FIPS 140-2 Validation
+ href: ../../threat-protection/fips-140-validation.md
+- name: Common Criteria Certifications
+ href: ../../threat-protection/windows-platform-common-criteria.md
\ No newline at end of file
diff --git a/windows/security/security-foundations.md b/windows/security/security-foundations/index.md
similarity index 86%
rename from windows/security/security-foundations.md
rename to windows/security/security-foundations/index.md
index ceed1cb436..bf515f96a9 100644
--- a/windows/security/security-foundations.md
+++ b/windows/security/security-foundations/index.md
@@ -1,18 +1,15 @@
---
title: Windows security foundations
description: Get an overview of security foundations, including the security development lifecycle, common criteria, and the bug bounty program.
-ms.reviewer:
-ms.topic: article
-ms.author: paoloma
+ms.topic: conceptual
+ms.date: 06/15/2023
author: paolomatarazzo
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.date: 12/31/2017
+ms.author: paoloma
---
# Windows security foundations
-Microsoft is committed to continuously invest in improving our software development process, building highly secure-by-design software, and addressing security compliance requirements. At Microsoft, we embed security and privacy considerations from the earliest life-cycle phases of all our software development processes. We build in security from the ground for powerful defense in today’s threat environment.
+Microsoft is committed to continuously invest in improving our software development process, building highly secure-by-design software, and addressing security compliance requirements. At Microsoft, we embed security and privacy considerations from the earliest life-cycle phases of all our software development processes. We build in security from the ground for powerful defense in today's threat environment.
Our strong security foundation uses Microsoft Security Development Lifecycle (SDL) Bug Bounty, support for product security standards and certifications, and Azure Code signing. As a result, we improve security by producing software with fewer defects and vulnerabilities instead of relying on applying updates after vulnerabilities have been identified.
@@ -20,7 +17,7 @@ Use the links in the following table to learn more about the security foundation
| Concept | Description |
|:---|:---|
-| FIPS 140-2 Validation | The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001.
Learn more about [FIPS 140-2 Validation](threat-protection/fips-140-validation.md). |
-| Common Criteria Certifications | Microsoft supports the Common Criteria certification program, ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles, and completes Common Criteria certifications of Microsoft Windows products.
Learn more about [Common Criteria Certifications](threat-protection/windows-platform-common-criteria.md). |
-| Microsoft Security Development Lifecycle | The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. The SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.
Learn more about [Microsoft SDL](threat-protection/msft-security-dev-lifecycle.md).|
+| FIPS 140-2 Validation | The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001.
Learn more about [FIPS 140-2 Validation](../threat-protection/fips-140-validation.md). |
+| Common Criteria Certifications | Microsoft supports the Common Criteria certification program, ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles, and completes Common Criteria certifications of Microsoft Windows products.
Learn more about [Common Criteria Certifications](../threat-protection/windows-platform-common-criteria.md). |
+| Microsoft Security Development Lifecycle | The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. The SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.
Learn more about [Microsoft SDL](../threat-protection/msft-security-dev-lifecycle.md).|
| Microsoft Bug Bounty Program | If you find a vulnerability in a Microsoft product, service, or device, we want to hear from you! If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you could receive a bounty award according to the program descriptions.
Learn more about the [Microsoft Bug Bounty Program](https://www.microsoft.com/en-us/msrc/bounty?rtc=1). |
diff --git a/windows/security/security-foundations/toc.yml b/windows/security/security-foundations/toc.yml
new file mode 100644
index 0000000000..b842d84e0e
--- /dev/null
+++ b/windows/security/security-foundations/toc.yml
@@ -0,0 +1,7 @@
+items:
+- name: Overview
+ href: index.md
+- name: Microsoft Security Development Lifecycle
+ href: ../threat-protection/msft-security-dev-lifecycle.md
+- name: Certification
+ href: certification/toc.yml
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
index b4b43624b2..3648c69063 100644
--- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
@@ -1,14 +1,12 @@
---
-title: Advanced security audit policy settings (Windows 10)
+title: Advanced security audit policy settings
description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171
-ms.reviewer: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.localizationpriority: none
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
@@ -74,7 +72,7 @@ This category includes the following subcategories:
- [Audit Process Creation](audit-process-creation.md)
- [Audit Process Termination](audit-process-termination.md)
- [Audit RPC Events](audit-rpc-events.md)
-- [Audit Token Right Adjusted](./audit-token-right-adjusted.md)
+- [Audit Token Right Adjusted](audit-token-right-adjusted.md)
## DS Access
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md
index 37031d5f88..b6bf8dec61 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing.md
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing.md
@@ -1,5 +1,5 @@
---
-title: Advanced security audit policies (Windows 10)
+title: Advanced security audit policies
description: Advanced security audit policy settings may appear to overlap with basic policies, but they are recorded and applied differently. Learn more about them here.
ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC
ms.reviewer:
@@ -8,7 +8,7 @@ ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
@@ -27,6 +27,6 @@ When you apply basic audit policy settings to the local computer by using the Lo
| Topic | Description |
| - | - |
| [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) | This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies |
-| [Advanced security auditing FAQ](./advanced-security-auditing-faq.yml) | This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
+| [Advanced security auditing FAQ](advanced-security-auditing-faq.yml) | This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
| [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) | This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.
-| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
\ No newline at end of file
+| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
index eb734ebf54..e27eedd443 100644
--- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
+++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
@@ -1,11 +1,11 @@
---
-title: Appendix A, Security monitoring recommendations for many audit events (Windows 10)
+title: Appendix A, Security monitoring recommendations for many audit events
description: Learn about recommendations for the type of monitoring required for certain classes of security audit events.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
index 1ab3f3f08e..c613a28ed2 100644
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
+++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
@@ -1,5 +1,5 @@
---
-title: Apply a basic audit policy on a file or folder (Windows 10)
+title: Apply a basic audit policy on a file or folder
description: Apply audit policies to individual files and folders on your computer by setting the permission type to record access attempts in the security log.
ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2
ms.reviewer:
@@ -8,7 +8,7 @@ ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md
index f2cf0cc5ec..5f21d6eab6 100644
--- a/windows/security/threat-protection/auditing/audit-account-lockout.md
+++ b/windows/security/threat-protection/auditing/audit-account-lockout.md
@@ -1,5 +1,5 @@
---
-title: Audit Account Lockout (Windows 10)
+title: Audit Account Lockout
description: The policy setting, Audit Account Lockout, enables you to audit security events generated by a failed attempt to log on to an account that is locked out.
ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-application-generated.md b/windows/security/threat-protection/auditing/audit-application-generated.md
index 36f8f451a0..ad5c87de63 100644
--- a/windows/security/threat-protection/auditing/audit-application-generated.md
+++ b/windows/security/threat-protection/auditing/audit-application-generated.md
@@ -1,5 +1,5 @@
---
-title: Audit Application Generated (Windows 10)
+title: Audit Application Generated
description: The policy setting, Audit Application Generated, determines if audit events are generated when applications attempt to use the Windows Auditing APIs.
ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-application-group-management.md b/windows/security/threat-protection/auditing/audit-application-group-management.md
index cb91f3fa61..9fb1c10453 100644
--- a/windows/security/threat-protection/auditing/audit-application-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-application-group-management.md
@@ -1,5 +1,5 @@
---
-title: Audit Application Group Management (Windows 10)
+title: Audit Application Group Management
description: The policy setting, Audit Application Group Management, determines if audit events are generated when application group management tasks are performed.
ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
index 74134a5bd9..be89c50a5a 100644
--- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
@@ -1,5 +1,5 @@
---
-title: Audit Audit Policy Change (Windows 10)
+title: Audit Audit Policy Change
description: The Advanced Security Audit policy setting, Audit Audit Policy Change, determines if audit events are generated when changes are made to audit policy.
ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
index 318f08b516..2b14cd5e29 100644
--- a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
@@ -1,5 +1,5 @@
---
-title: Audit Authentication Policy Change (Windows 10)
+title: Audit Authentication Policy Change
description: The Advanced Security Audit policy setting, Audit Authentication Policy Change, determines if audit events are generated when authentication policy is changed.
ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
index caa5d33848..b86b2d9b6b 100644
--- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
@@ -1,5 +1,5 @@
---
-title: Audit Authorization Policy Change (Windows 10)
+title: Audit Authorization Policy Change
description: The policy setting, Audit Authorization Policy Change, determines if audit events are generated when specific changes are made to the authorization policy.
ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
index 62ac5c925c..b330e72006 100644
--- a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
+++ b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
@@ -1,5 +1,5 @@
---
-title: Audit Central Access Policy Staging (Windows 10)
+title: Audit Central Access Policy Staging
description: The Advanced Security Audit policy setting, Audit Central Access Policy Staging, determines permissions on a Central Access Policy.
ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md
index 889edc295b..cb33e2480b 100644
--- a/windows/security/threat-protection/auditing/audit-certification-services.md
+++ b/windows/security/threat-protection/auditing/audit-certification-services.md
@@ -1,5 +1,5 @@
---
-title: Audit Certification Services (Windows 10)
+title: Audit Certification Services
description: The policy setting, Audit Certification Services, decides if events are generated when Active Directory Certificate Services (ADA CS) operations are performed.
ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-computer-account-management.md b/windows/security/threat-protection/auditing/audit-computer-account-management.md
index 63ad7eaac9..78bd0d1701 100644
--- a/windows/security/threat-protection/auditing/audit-computer-account-management.md
+++ b/windows/security/threat-protection/auditing/audit-computer-account-management.md
@@ -1,5 +1,5 @@
---
-title: Audit Computer Account Management (Windows 10)
+title: Audit Computer Account Management
description: The policy setting, Audit Computer Account Management, determines if audit events are generated when a computer account is created, changed, or deleted.
ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-credential-validation.md b/windows/security/threat-protection/auditing/audit-credential-validation.md
index a5a9dc7158..3d6283d2ab 100644
--- a/windows/security/threat-protection/auditing/audit-credential-validation.md
+++ b/windows/security/threat-protection/auditing/audit-credential-validation.md
@@ -1,5 +1,5 @@
---
-title: Audit Credential Validation (Windows 10)
+title: Audit Credential Validation
description: The policy setting, Audit Credential Validation, determines if audit events are generated when user account logon request credentials are submitted.
ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
index 7fffbad3df..d909d6ba62 100644
--- a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
+++ b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
@@ -1,5 +1,5 @@
---
-title: Audit Detailed Directory Service Replication (Windows 10)
+title: Audit Detailed Directory Service Replication
description: The Audit Detailed Directory Service Replication setting decides if audit events contain detailed tracking info about data replicated between domain controllers
ms.assetid: 1b89c8f5-bce7-4b20-8701-42585c7ab993
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
index 9ec6b5c148..bb87079a1b 100644
--- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md
+++ b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
@@ -1,5 +1,5 @@
---
-title: Audit Detailed File Share (Windows 10)
+title: Audit Detailed File Share
description: The Advanced Security Audit policy setting, Audit Detailed File Share, allows you to audit attempts to access files and folders on a shared folder.
ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md
index e58853650d..0576b52401 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-access.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-access.md
@@ -1,5 +1,5 @@
---
-title: Audit Directory Service Access (Windows 10)
+title: Audit Directory Service Access
description: The policy setting Audit Directory Service Access determines if audit events are generated when an Active Directory Domain Services (AD DS) object is accessed.
ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
index c9485389e9..d2b294d326 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-changes.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
@@ -1,5 +1,5 @@
---
-title: Audit Directory Service Changes (Windows 10)
+title: Audit Directory Service Changes
description: The policy setting Audit Directory Service Changes determines if audit events are generated when objects in Active Directory Domain Services (AD DS) are changed
ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-directory-service-replication.md
index 046dd9a1e7..bae794b8c0 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-replication.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-replication.md
@@ -1,5 +1,5 @@
---
-title: Audit Directory Service Replication (Windows 10)
+title: Audit Directory Service Replication
description: Audit Directory Service Replication is a policy setting that decides if audit events are created when replication between two domain controllers begins or ends.
ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-distribution-group-management.md b/windows/security/threat-protection/auditing/audit-distribution-group-management.md
index 8eb5bb988c..e254cd23b0 100644
--- a/windows/security/threat-protection/auditing/audit-distribution-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-distribution-group-management.md
@@ -1,5 +1,5 @@
---
-title: Audit Distribution Group Management (Windows 10)
+title: Audit Distribution Group Management
description: The policy setting, Audit Distribution Group Management, determines if audit events are generated for specific distribution-group management tasks.
ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
index 79dbf17692..edc400cd02 100644
--- a/windows/security/threat-protection/auditing/audit-dpapi-activity.md
+++ b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
@@ -1,5 +1,5 @@
---
-title: Audit DPAPI Activity (Windows 10)
+title: Audit DPAPI Activity
description: The policy setting, Audit DPAPI Activity, decides if encryption/decryption calls to the data protection application interface (DPAPI) generate audit events.
ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-file-share.md b/windows/security/threat-protection/auditing/audit-file-share.md
index 577c138f46..65ea03ef20 100644
--- a/windows/security/threat-protection/auditing/audit-file-share.md
+++ b/windows/security/threat-protection/auditing/audit-file-share.md
@@ -1,5 +1,5 @@
---
-title: Audit File Share (Windows 10)
+title: Audit File Share
description: The Advanced Security Audit policy setting, Audit File Share, determines if the operating system generates audit events when a file share is accessed.
ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md
index 037faaf8f4..18e5b32a55 100644
--- a/windows/security/threat-protection/auditing/audit-file-system.md
+++ b/windows/security/threat-protection/auditing/audit-file-system.md
@@ -1,5 +1,5 @@
---
-title: Audit File System (Windows 10)
+title: Audit File System
description: The Advanced Security Audit policy setting, Audit File System, determines if audit events are generated when users attempt to access file system objects.
ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
index 5877ab26f1..2edf237cad 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
@@ -1,5 +1,5 @@
---
-title: Audit Filtering Platform Connection (Windows 10)
+title: Audit Filtering Platform Connection
description: The policy setting, Audit Filtering Platform Connection, decides if audit events are generated when connections are allow/blocked by Windows Filtering Platform.
ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
index 9003cab47c..a3d70e667a 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
@@ -1,5 +1,5 @@
---
-title: Audit Filtering Platform Packet Drop (Windows 10)
+title: Audit Filtering Platform Packet Drop
description: The policy setting, Audit Filtering Platform Packet Drop, determines if audit events are generated when packets are dropped by the Windows Filtering Platform.
ms.assetid: 95457601-68d1-4385-af20-87916ddab906
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
index 1a4cab1153..fe1236b0e6 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
@@ -1,5 +1,5 @@
---
-title: Audit Filtering Platform Policy Change (Windows 10)
+title: Audit Filtering Platform Policy Change
description: The policy setting, Audit Filtering Platform Policy Change, determines if audit events are generated for certain IPsec and Windows Filtering Platform actions.
ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md
index 9f32d9d336..b5531fb996 100644
--- a/windows/security/threat-protection/auditing/audit-group-membership.md
+++ b/windows/security/threat-protection/auditing/audit-group-membership.md
@@ -1,5 +1,5 @@
---
-title: Audit Group Membership (Windows 10)
+title: Audit Group Membership
description: Using the advanced security audit policy setting, Audit Group Membership, you can audit group memberships when they're enumerated on the client PC.
ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-handle-manipulation.md b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
index 50470902eb..081f3a3d34 100644
--- a/windows/security/threat-protection/auditing/audit-handle-manipulation.md
+++ b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
@@ -1,5 +1,5 @@
---
-title: Audit Handle Manipulation (Windows 10)
+title: Audit Handle Manipulation
description: The Advanced Security Audit policy setting, Audit Handle Manipulation, determines if audit events are generated when a handle to an object is opened or closed.
ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
index cfcefafd36..1719e81ee6 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
@@ -1,5 +1,5 @@
---
-title: Audit IPsec Driver (Windows 10)
+title: Audit IPsec Driver
description: The Advanced Security Audit policy setting, Audit IPsec Driver, determines if audit events are generated for the activities of the IPsec driver.
ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
index 33bfbb485d..0e2168d0f5 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
@@ -1,5 +1,5 @@
---
-title: Audit IPsec Extended Mode (Windows 10)
+title: Audit IPsec Extended Mode
description: The setting, Audit IPsec Extended Mode, determines if audit events are generated for the results of IKE protocol and AuthIP during Extended Mode negotiations.
ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
index 7f1d59e38c..81cfde4d9d 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
@@ -1,5 +1,5 @@
---
-title: Audit IPsec Main Mode (Windows 10)
+title: Audit IPsec Main Mode
description: Learn about the policy setting, Audit IPsec Main Mode, which determines if the results of certain protocols generate events during Main Mode negotiations.
ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
index 869e1f4dcf..0ee38a23f7 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
@@ -1,5 +1,5 @@
---
-title: Audit IPsec Quick Mode (Windows 10)
+title: Audit IPsec Quick Mode
description: The policy setting, Audit IPsec Quick Mode, decides if audit events are generated for the results of the IKE protocol and AuthIP during Quick Mode negotiations.
ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
index 4ed0bce866..bd54abd7d0 100644
--- a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
+++ b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
@@ -1,5 +1,5 @@
---
-title: Audit Kerberos Authentication Service (Windows 10)
+title: Audit Kerberos Authentication Service
description: The policy setting Audit Kerberos Authentication Service decides if audit events are generated for Kerberos authentication ticket-granting ticket (TGT) requests
ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
index ed3c49dfef..f942a116de 100644
--- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
+++ b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
@@ -1,5 +1,5 @@
---
-title: Audit Kerberos Service Ticket Operations (Windows 10)
+title: Audit Kerberos Service Ticket Operations
description: The policy setting, Audit Kerberos Service Ticket Operations, determines if security audit events are generated for Kerberos service ticket requests.
ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
@@ -29,7 +29,7 @@ This subcategory contains events about issued TGSs and failed TGS requests.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | IF | Yes | Yes | Yes | Expected volume is very high on domain controllers.
IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see our [***Security Monitoring Recommendations***](./appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. |
+| Domain Controller | IF | Yes | Yes | Yes | Expected volume is very high on domain controllers.
IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see our [***Security Monitoring Recommendations***](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
@@ -39,4 +39,4 @@ This subcategory contains events about issued TGSs and failed TGS requests.
- [4770](event-4770.md)(S): A Kerberos service ticket was renewed.
-- [4773](event-4773.md)(F): A Kerberos service ticket request failed.
\ No newline at end of file
+- [4773](event-4773.md)(F): A Kerberos service ticket request failed.
diff --git a/windows/security/threat-protection/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md
index 0dd8928c22..afb2069653 100644
--- a/windows/security/threat-protection/auditing/audit-kernel-object.md
+++ b/windows/security/threat-protection/auditing/audit-kernel-object.md
@@ -1,5 +1,5 @@
---
-title: Audit Kernel Object (Windows 10)
+title: Audit Kernel Object
description: The policy setting, Audit Kernel Object, decides if user attempts to access the system kernel (which includes mutexes and semaphores) generate audit events.
ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md
index 6a1f7f33ef..8c631d2e0a 100644
--- a/windows/security/threat-protection/auditing/audit-logoff.md
+++ b/windows/security/threat-protection/auditing/audit-logoff.md
@@ -1,5 +1,5 @@
---
-title: Audit Logoff (Windows 10)
+title: Audit Logoff
description: The Advanced Security Audit policy setting, Audit Logoff, determines if audit events are generated when logon sessions are terminated.
ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-logon.md b/windows/security/threat-protection/auditing/audit-logon.md
index 4b78d70722..fcd5e254ef 100644
--- a/windows/security/threat-protection/auditing/audit-logon.md
+++ b/windows/security/threat-protection/auditing/audit-logon.md
@@ -1,5 +1,5 @@
---
-title: Audit Logon (Windows 10)
+title: Audit Logon
description: The Advanced Security Audit policy setting, Audit Logon, determines if audit events are generated when a user attempts to log on to a computer.
ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
index 4081cf31a9..a6f72640dc 100644
--- a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
@@ -1,5 +1,5 @@
---
-title: Audit MPSSVC Rule-Level Policy Change (Windows 10)
+title: Audit MPSSVC Rule-Level Policy Change
description: Audit MPSSVC Rule-Level Policy Change determines if audit events are generated when policy rules are altered for the Microsoft Protection Service (MPSSVC.exe).
ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-network-policy-server.md b/windows/security/threat-protection/auditing/audit-network-policy-server.md
index 2501fecc08..8c46beb77a 100644
--- a/windows/security/threat-protection/auditing/audit-network-policy-server.md
+++ b/windows/security/threat-protection/auditing/audit-network-policy-server.md
@@ -1,5 +1,5 @@
---
-title: Audit Network Policy Server (Windows 10)
+title: Audit Network Policy Server
description: The policy setting, Audit Network Policy Server, determines if audit events are generated for RADIUS (IAS) and NAP activity on user access requests.
ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
index 01b3fb153f..298b8a5061 100644
--- a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
+++ b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
@@ -1,5 +1,5 @@
---
-title: Audit Non-Sensitive Privilege Use (Windows 10)
+title: Audit Non-Sensitive Privilege Use
description: This article for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used.
ms.assetid: 8fd74783-1059-443e-aa86-566d78606627
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
index 23ee128d63..664c5f6b17 100644
--- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
@@ -1,5 +1,5 @@
---
-title: Audit Other Account Logon Events (Windows 10)
+title: Audit Other Account Logon Events
description: The policy setting, Audit Other Account Logon Events allows you to audit events when generated by responses to credential requests for certain kinds of user logons.
ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
index 8f3d985309..68fa5e72ef 100644
--- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
@@ -1,5 +1,5 @@
---
-title: Audit Other Account Management Events (Windows 10)
+title: Audit Other Account Management Events
description: The Advanced Security Audit policy setting, Audit Other Account Management Events, determines if user account management audit events are generated.
ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
index 789ab297be..075d245ab1 100644
--- a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
@@ -1,5 +1,5 @@
---
-title: Audit Other Logon/Logoff Events (Windows 10)
+title: Audit Other Logon/Logoff Events
description: The Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, determines if Windows generates audit events for other logon or logoff events.
ms.assetid: 76d987cd-1917-4907-a739-dd642609a458
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-other-object-access-events.md b/windows/security/threat-protection/auditing/audit-other-object-access-events.md
index 5dc0923e42..fc6e2dbd2e 100644
--- a/windows/security/threat-protection/auditing/audit-other-object-access-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-object-access-events.md
@@ -1,5 +1,5 @@
---
-title: Audit Other Object Access Events (Windows 10)
+title: Audit Other Object Access Events
description: The policy setting, Audit Other Object Access Events, determines if audit events are generated for the management of Task Scheduler jobs or COM+ objects.
ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
index d088e9f929..8f78be458c 100644
--- a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
@@ -1,5 +1,5 @@
---
-title: Audit Other Policy Change Events (Windows 10)
+title: Audit Other Policy Change Events
description: The policy setting, Audit Other Policy Change Events, determines if audit events are generated for security policy changes that are not otherwise audited.
ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
index c2487a6b33..d7b89004e2 100644
--- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
@@ -1,5 +1,5 @@
---
-title: Audit Other Privilege Use Events (Windows 10)
+title: Audit Other Privilege Use Events
description: Learn about the audit other privilege use events, an auditing subcategory that should not have any events in it but enables generation of event 4985(S).
ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-other-system-events.md b/windows/security/threat-protection/auditing/audit-other-system-events.md
index 63cfb375b0..9c768d486b 100644
--- a/windows/security/threat-protection/auditing/audit-other-system-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-system-events.md
@@ -1,5 +1,5 @@
---
-title: Audit Other System Events (Windows 10)
+title: Audit Other System Events
description: The Advanced Security Audit policy setting, Audit Other System Events, determines if the operating system audits various system events.
ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-pnp-activity.md b/windows/security/threat-protection/auditing/audit-pnp-activity.md
index 224eae5fcb..b0f231d898 100644
--- a/windows/security/threat-protection/auditing/audit-pnp-activity.md
+++ b/windows/security/threat-protection/auditing/audit-pnp-activity.md
@@ -1,5 +1,5 @@
---
-title: Audit PNP Activity (Windows 10)
+title: Audit PNP Activity
description: The advanced security audit policy setting, Audit PNP Activity, determines when plug and play detects an external device.
ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-process-creation.md b/windows/security/threat-protection/auditing/audit-process-creation.md
index 07b283ace9..53eec87d8c 100644
--- a/windows/security/threat-protection/auditing/audit-process-creation.md
+++ b/windows/security/threat-protection/auditing/audit-process-creation.md
@@ -1,5 +1,5 @@
---
-title: Audit Process Creation (Windows 10)
+title: Audit Process Creation
description: The Advanced Security Audit policy setting, Audit Process Creation, determines if audit events are generated when a process is created (starts).
ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 03/16/2022
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-process-termination.md b/windows/security/threat-protection/auditing/audit-process-termination.md
index b156ba658a..0a9089db1f 100644
--- a/windows/security/threat-protection/auditing/audit-process-termination.md
+++ b/windows/security/threat-protection/auditing/audit-process-termination.md
@@ -1,5 +1,5 @@
---
-title: Audit Process Termination (Windows 10)
+title: Audit Process Termination
description: The Advanced Security Audit policy setting, Audit Process Termination, determines if audit events are generated when an attempt is made to end a process.
ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md
index a4423aeb52..418fda413d 100644
--- a/windows/security/threat-protection/auditing/audit-registry.md
+++ b/windows/security/threat-protection/auditing/audit-registry.md
@@ -1,5 +1,5 @@
---
-title: Audit Registry (Windows 10)
+title: Audit Registry
description: The Advanced Security Audit policy setting, Audit Registry, determines if audit events are generated when users attempt to access registry objects.
ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 01/05/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md
index c9d2586107..faa143e4c6 100644
--- a/windows/security/threat-protection/auditing/audit-removable-storage.md
+++ b/windows/security/threat-protection/auditing/audit-removable-storage.md
@@ -1,5 +1,5 @@
---
-title: Audit Removable Storage (Windows 10)
+title: Audit Removable Storage
description: The Advanced Security Audit policy setting, Audit Removable Storage, determines when there is a read or a write to a removable drive.
ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-rpc-events.md b/windows/security/threat-protection/auditing/audit-rpc-events.md
index bee389855a..1b6a9b69ca 100644
--- a/windows/security/threat-protection/auditing/audit-rpc-events.md
+++ b/windows/security/threat-protection/auditing/audit-rpc-events.md
@@ -1,5 +1,5 @@
---
-title: Audit RPC Events (Windows 10)
+title: Audit RPC Events
description: Audit RPC Events is an audit policy setting that determines if audit events are generated when inbound remote procedure call (RPC) connections are made.
ms.assetid: 868aec2d-93b4-4bc8-a150-941f88838ba6
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md
index c92e7d5ba5..4eb4577d13 100644
--- a/windows/security/threat-protection/auditing/audit-sam.md
+++ b/windows/security/threat-protection/auditing/audit-sam.md
@@ -1,5 +1,5 @@
---
-title: Audit SAM (Windows 10)
+title: Audit SAM
description: The Advanced Security Audit policy setting, Audit SAM, enables you to audit events generated by attempts to access Security Account Manager (SAM) objects.
ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md
index 0564c257b6..8fd69b4b8a 100644
--- a/windows/security/threat-protection/auditing/audit-security-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-security-group-management.md
@@ -1,5 +1,5 @@
---
-title: Audit Security Group Management (Windows 10)
+title: Audit Security Group Management
description: The policy setting, Audit Security Group Management, determines if audit events are generated when specific security group management tasks are performed.
ms.assetid: ac2ee101-557b-4c84-b9fa-4fb23331f1aa
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
@@ -83,7 +83,7 @@ This subcategory allows you to audit events generated by changes to security gro
> [!IMPORTANT]
> Event 4754(S) generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
-- 4755(S): A security-enabled universal group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4737 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
+- 4755(S): A security-enabled universal group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4755 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
> [!IMPORTANT]
> Event 4755(S) generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
diff --git a/windows/security/threat-protection/auditing/audit-security-state-change.md b/windows/security/threat-protection/auditing/audit-security-state-change.md
index 25686b4f33..93830b3271 100644
--- a/windows/security/threat-protection/auditing/audit-security-state-change.md
+++ b/windows/security/threat-protection/auditing/audit-security-state-change.md
@@ -1,5 +1,5 @@
---
-title: Audit Security State Change (Windows 10)
+title: Audit Security State Change
description: The policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system.
ms.assetid: decb3218-a67d-4efa-afc0-337c79a89a2d
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-security-system-extension.md b/windows/security/threat-protection/auditing/audit-security-system-extension.md
index 72a72a15aa..ceef6d3134 100644
--- a/windows/security/threat-protection/auditing/audit-security-system-extension.md
+++ b/windows/security/threat-protection/auditing/audit-security-system-extension.md
@@ -1,5 +1,5 @@
---
-title: Audit Security System Extension (Windows 10)
+title: Audit Security System Extension
description: The Advanced Security Audit policy setting, Audit Security System Extension, determines if audit events related to security system extensions are generated.
ms.assetid: 9f3c6bde-42b2-4a0a-b353-ed3106ebc005
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
index c79520f698..becca46597 100644
--- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
+++ b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
@@ -1,5 +1,5 @@
---
-title: Audit Sensitive Privilege Use (Windows 10)
+title: Audit Sensitive Privilege Use
description: The policy setting, Audit Sensitive Privilege Use, determines if the operating system generates audit events when sensitive privileges (user rights) are used.
ms.assetid: 915abf50-42d2-45f6-9fd1-e7bd201b193d
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md
index e9958ffa2e..12308ff6e3 100644
--- a/windows/security/threat-protection/auditing/audit-special-logon.md
+++ b/windows/security/threat-protection/auditing/audit-special-logon.md
@@ -1,5 +1,5 @@
---
-title: Audit Special Logon (Windows 10)
+title: Audit Special Logon
description: The Advanced Security Audit policy setting, Audit Special Logon, determines if audit events are generated under special sign in (or logon) circumstances.
ms.assetid: e1501bac-1d09-4593-8ebb-f311231567d3
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md
index 4a313d8ae0..8d64f386ff 100644
--- a/windows/security/threat-protection/auditing/audit-system-integrity.md
+++ b/windows/security/threat-protection/auditing/audit-system-integrity.md
@@ -1,5 +1,5 @@
---
-title: Audit System Integrity (Windows 10)
+title: Audit System Integrity
description: The policy setting, Audit System Integrity, determines if the operating system audits events that violate the integrity of the security subsystem.
ms.assetid: 942a9a7f-fa31-4067-88c7-f73978bf2034
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
index d0969156b5..fd97b2de5e 100644
--- a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
+++ b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
@@ -1,5 +1,5 @@
---
-title: Audit Token Right Adjusted (Windows 10)
+title: Audit Token Right Adjusted
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Token Right Adjusted, which determines whether the operating system generates audit events when specific changes are made to the privileges of a token.
manager: aaroncz
author: vinaypamnani-msft
diff --git a/windows/security/threat-protection/auditing/audit-user-account-management.md b/windows/security/threat-protection/auditing/audit-user-account-management.md
index 2faba55a60..a504763fe3 100644
--- a/windows/security/threat-protection/auditing/audit-user-account-management.md
+++ b/windows/security/threat-protection/auditing/audit-user-account-management.md
@@ -1,5 +1,5 @@
---
-title: Audit User Account Management (Windows 10)
+title: Audit User Account Management
description: Audit User Account Management is an audit policy setting that determines if the operating system generates audit events when certain tasks are performed.
ms.assetid: f7e72998-3858-4197-a443-19586ecc4bfb
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md
index e22930f47a..27e1a7f23d 100644
--- a/windows/security/threat-protection/auditing/audit-user-device-claims.md
+++ b/windows/security/threat-protection/auditing/audit-user-device-claims.md
@@ -1,5 +1,5 @@
---
-title: Audit User/Device Claims (Windows 10)
+title: Audit User/Device Claims
description: Audit User/Device Claims is an audit policy setting that enables you to audit security events that are generated by user and device claims.
ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486
ms.reviewer:
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
index da74741832..7773933079 100644
--- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
@@ -1,5 +1,5 @@
---
-title: Audit account logon events (Windows 10)
+title: Audit account logon events
description: Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.
ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516
ms.reviewer:
@@ -8,7 +8,7 @@ ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md
index 22824ae059..9a6340c3a8 100644
--- a/windows/security/threat-protection/auditing/basic-audit-account-management.md
+++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md
@@ -1,5 +1,5 @@
---
-title: Audit account management (Windows 10)
+title: Audit account management
description: Determines whether to audit each event of account management on a device.
ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689
ms.reviewer:
@@ -8,7 +8,7 @@ ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
index e9bd4f0117..6da1a9c54e 100644
--- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
+++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
@@ -1,5 +1,5 @@
---
-title: Basic audit directory service access (Windows 10)
+title: Basic audit directory service access
description: Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09
ms.reviewer:
@@ -8,7 +8,7 @@ ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
index 45ec095169..523fee4769 100644
--- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
@@ -1,5 +1,5 @@
---
-title: Audit logon events (Windows 10)
+title: Audit logon events
description: Determines whether to audit each instance of a user logging on to or logging off from a device.
ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35
ms.reviewer:
@@ -8,7 +8,7 @@ ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md
index 1b5014823a..c9e7094492 100644
--- a/windows/security/threat-protection/auditing/basic-audit-object-access.md
+++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md
@@ -1,5 +1,5 @@
---
-title: Audit object access (Windows 10)
+title: Audit object access
description: The policy setting, Audit object access, determines whether to audit the event generated when a user accesses an object that has its own SACL specified.
ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA
ms.reviewer:
@@ -8,7 +8,7 @@ ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md
index e698be1f37..bd7e9a9b7e 100644
--- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md
+++ b/windows/security/threat-protection/auditing/basic-audit-policy-change.md
@@ -1,5 +1,5 @@
---
-title: Audit policy change (Windows 10)
+title: Audit policy change
description: Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
ms.assetid: 1025A648-6B22-4C85-9F47-FE0897F1FA31
ms.reviewer:
@@ -8,7 +8,7 @@ ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
index 4e70e2b0f1..1382bf0fcb 100644
--- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
+++ b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
@@ -1,5 +1,5 @@
---
-title: Audit privilege use (Windows 10)
+title: Audit privilege use
description: Determines whether to audit each instance of a user exercising a user right.
ms.assetid: C5C6DAAF-8B58-4DFB-B1CE-F0675AE0E9F8
ms.reviewer:
@@ -8,7 +8,7 @@ ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
index e2d32e164d..b7eb7ea1fd 100644
--- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
+++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
@@ -1,5 +1,5 @@
---
-title: Audit process tracking (Windows 10)
+title: Audit process tracking
description: Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
ms.assetid: 91AC5C1E-F4DA-4B16-BEE2-C92D66E4CEEA
ms.reviewer:
@@ -8,7 +8,7 @@ ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md
index e1c1c1a64c..0af90ae965 100644
--- a/windows/security/threat-protection/auditing/basic-audit-system-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-system-events.md
@@ -1,5 +1,5 @@
---
-title: Audit system events (Windows 10)
+title: Audit system events
description: Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
ms.assetid: BF27588C-2AA7-4365-A4BF-3BB377916447
ms.reviewer:
@@ -8,7 +8,7 @@ ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
index 5a4bec26db..95d4e51fe0 100644
--- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
@@ -1,5 +1,5 @@
---
-title: Basic security audit policies (Windows 10)
+title: Basic security audit policies
description: Learn about basic security audit policies that specify the categories of security-related events that you want to audit for the needs of your organization.
ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3
ms.reviewer:
@@ -8,7 +8,7 @@ ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
index aa0e4c7ea2..9c9d050b55 100644
--- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
@@ -1,5 +1,5 @@
---
-title: Basic security audit policy settings (Windows 10)
+title: Basic security audit policy settings
description: Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
ms.assetid: 31C2C453-2CFC-4D9E-BC88-8CE1C1A8F900
ms.reviewer:
@@ -8,7 +8,7 @@ ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
index f27b911fa2..9a49d95bbe 100644
--- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
+++ b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
@@ -1,5 +1,5 @@
---
-title: Create a basic audit policy for an event category (Windows 10)
+title: Create a basic audit policy for an event category
description: By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization.
ms.assetid: C9F52751-B40D-482E-BE9D-2C61098249D3
ms.reviewer:
@@ -8,7 +8,7 @@ ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
diff --git a/windows/security/threat-protection/auditing/event-1100.md b/windows/security/threat-protection/auditing/event-1100.md
index b0606e87da..c243b5aac7 100644
--- a/windows/security/threat-protection/auditing/event-1100.md
+++ b/windows/security/threat-protection/auditing/event-1100.md
@@ -1,11 +1,11 @@
---
-title: 1100(S) The event logging service has shut down. (Windows 10)
+title: 1100(S) The event logging service has shut down.
description: Describes security event 1100(S) The event logging service has shut down.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md
index c319070f2a..f576776df5 100644
--- a/windows/security/threat-protection/auditing/event-1102.md
+++ b/windows/security/threat-protection/auditing/event-1102.md
@@ -1,11 +1,11 @@
---
-title: 1102(S) The audit log was cleared. (Windows 10)
+title: 1102(S) The audit log was cleared.
description: Though you shouldn't normally see it, this event generates every time Windows Security audit log is cleared. This is for event 1102(S).
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md
index 7768b7a43a..bb5e126fa3 100644
--- a/windows/security/threat-protection/auditing/event-1104.md
+++ b/windows/security/threat-protection/auditing/event-1104.md
@@ -1,11 +1,11 @@
---
-title: 1104(S) The security log is now full. (Windows 10)
+title: 1104(S) The security log is now full.
description: This event generates every time Windows security log becomes full and the event log retention method is set to Do not overwrite events.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md
index 2c10dd205e..52cf7ef880 100644
--- a/windows/security/threat-protection/auditing/event-1105.md
+++ b/windows/security/threat-protection/auditing/event-1105.md
@@ -1,11 +1,11 @@
---
-title: 1105(S) Event log automatic backup. (Windows 10)
+title: 1105(S) Event log automatic backup.
description: This event generates every time Windows security log becomes full and new event log file was created.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-1108.md b/windows/security/threat-protection/auditing/event-1108.md
index 3412104704..82f001a25b 100644
--- a/windows/security/threat-protection/auditing/event-1108.md
+++ b/windows/security/threat-protection/auditing/event-1108.md
@@ -1,11 +1,11 @@
---
-title: The event logging service encountered an error (Windows 10)
+title: The event logging service encountered an error
description: Describes security event 1108(S) The event logging service encountered an error while processing an incoming event published from %1.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md
index bbcb45e073..fe0e35c6f0 100644
--- a/windows/security/threat-protection/auditing/event-4608.md
+++ b/windows/security/threat-protection/auditing/event-4608.md
@@ -1,11 +1,11 @@
---
-title: 4608(S) Windows is starting up. (Windows 10)
+title: 4608(S) Windows is starting up.
description: Describes security event 4608(S) Windows is starting up. This event is logged when the LSASS.EXE process starts and the auditing subsystem is initialized.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4610.md b/windows/security/threat-protection/auditing/event-4610.md
index 2307a50732..d30d8aa1fe 100644
--- a/windows/security/threat-protection/auditing/event-4610.md
+++ b/windows/security/threat-protection/auditing/event-4610.md
@@ -1,11 +1,11 @@
---
-title: 4610(S) An authentication package has been loaded by the Local Security Authority. (Windows 10)
+title: 4610(S) An authentication package has been loaded by the Local Security Authority.
description: Describes security event 4610(S) An authentication package has been loaded by the Local Security Authority.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4611.md b/windows/security/threat-protection/auditing/event-4611.md
index 54b57cc223..2730d51adc 100644
--- a/windows/security/threat-protection/auditing/event-4611.md
+++ b/windows/security/threat-protection/auditing/event-4611.md
@@ -1,11 +1,11 @@
---
-title: 4611(S) A trusted logon process has been registered with the Local Security Authority. (Windows 10)
+title: 4611(S) A trusted logon process has been registered with the Local Security Authority.
description: Describes security event 4611(S) A trusted logon process has been registered with the Local Security Authority.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md
index 111fa80c83..5be5bf7008 100644
--- a/windows/security/threat-protection/auditing/event-4612.md
+++ b/windows/security/threat-protection/auditing/event-4612.md
@@ -1,11 +1,11 @@
---
-title: 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. (Windows 10)
+title: 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
description: Describes security event 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4614.md b/windows/security/threat-protection/auditing/event-4614.md
index edb915b91d..03a7376a53 100644
--- a/windows/security/threat-protection/auditing/event-4614.md
+++ b/windows/security/threat-protection/auditing/event-4614.md
@@ -1,11 +1,11 @@
---
-title: 4614(S) A notification package has been loaded by the Security Account Manager. (Windows 10)
+title: 4614(S) A notification package has been loaded by the Security Account Manager.
description: Describes security event 4614(S) A notification package has been loaded by the Security Account Manager.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md
index f74209909e..3032b10d53 100644
--- a/windows/security/threat-protection/auditing/event-4615.md
+++ b/windows/security/threat-protection/auditing/event-4615.md
@@ -1,11 +1,11 @@
---
-title: 4615(S) Invalid use of LPC port. (Windows 10)
+title: 4615(S) Invalid use of LPC port.
description: Describes security event 4615(S) Invalid use of LPC port. It appears that the Invalid use of LPC port event never occurs.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md
index 166b695ebb..62f34dc232 100644
--- a/windows/security/threat-protection/auditing/event-4616.md
+++ b/windows/security/threat-protection/auditing/event-4616.md
@@ -1,11 +1,11 @@
---
-title: 4616(S) The system time was changed. (Windows 10)
+title: 4616(S) The system time was changed.
description: Describes security event 4616(S) The system time was changed. This event is generated every time system time is changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4618.md b/windows/security/threat-protection/auditing/event-4618.md
index f35815a20c..0871962990 100644
--- a/windows/security/threat-protection/auditing/event-4618.md
+++ b/windows/security/threat-protection/auditing/event-4618.md
@@ -1,11 +1,11 @@
---
-title: 4618(S) A monitored security event pattern has occurred. (Windows 10)
+title: 4618(S) A monitored security event pattern has occurred.
description: Describes security event 4618(S) A monitored security event pattern has occurred.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4621.md b/windows/security/threat-protection/auditing/event-4621.md
index 64e4f81134..3d5e633672 100644
--- a/windows/security/threat-protection/auditing/event-4621.md
+++ b/windows/security/threat-protection/auditing/event-4621.md
@@ -1,11 +1,11 @@
---
-title: 4621(S) Administrator recovered system from CrashOnAuditFail. (Windows 10)
+title: 4621(S) Administrator recovered system from CrashOnAuditFail.
description: Describes security event 4621(S) Administrator recovered system from CrashOnAuditFail.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4622.md b/windows/security/threat-protection/auditing/event-4622.md
index 5dc147c077..6fbd529f39 100644
--- a/windows/security/threat-protection/auditing/event-4622.md
+++ b/windows/security/threat-protection/auditing/event-4622.md
@@ -1,11 +1,11 @@
---
-title: 4622(S) A security package has been loaded by the Local Security Authority. (Windows 10)
+title: 4622(S) A security package has been loaded by the Local Security Authority.
description: Describes security event 4622(S) A security package has been loaded by the Local Security Authority.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md
index e081fcb3f0..244371e389 100644
--- a/windows/security/threat-protection/auditing/event-4624.md
+++ b/windows/security/threat-protection/auditing/event-4624.md
@@ -1,11 +1,11 @@
---
-title: 4624(S) An account was successfully logged on. (Windows 10)
+title: 4624(S) An account was successfully logged on.
description: Describes security event 4624(S) An account was successfully logged on.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md
index 45f8a019b0..702684a0a3 100644
--- a/windows/security/threat-protection/auditing/event-4625.md
+++ b/windows/security/threat-protection/auditing/event-4625.md
@@ -1,11 +1,11 @@
---
-title: 4625(F) An account failed to log on. (Windows 10)
+title: 4625(F) An account failed to log on.
description: Describes security event 4625(F) An account failed to log on. This event is generated if an account logon attempt failed for a locked out account.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 01/03/2022
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md
index addb26abce..fc6a96544c 100644
--- a/windows/security/threat-protection/auditing/event-4626.md
+++ b/windows/security/threat-protection/auditing/event-4626.md
@@ -1,11 +1,11 @@
---
-title: 4626(S) User/Device claims information. (Windows 10)
+title: 4626(S) User/Device claims information.
description: Describes security event 4626(S) User/Device claims information. This event is generated for new account logons.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md
index 0da1f08aee..739f621949 100644
--- a/windows/security/threat-protection/auditing/event-4627.md
+++ b/windows/security/threat-protection/auditing/event-4627.md
@@ -1,11 +1,11 @@
---
-title: 4627(S) Group membership information. (Windows 10)
+title: 4627(S) Group membership information.
description: Describes security event 4627(S) Group membership information. This event is generated with event 4624(S) An account was successfully logged on.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4634.md b/windows/security/threat-protection/auditing/event-4634.md
index 6d8ed22539..0c24208115 100644
--- a/windows/security/threat-protection/auditing/event-4634.md
+++ b/windows/security/threat-protection/auditing/event-4634.md
@@ -1,11 +1,11 @@
---
-title: 4634(S) An account was logged off. (Windows 10)
+title: 4634(S) An account was logged off.
description: Describes security event 4634(S) An account was logged off. This event is generated when a logon session is terminated and no longer exists.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4647.md b/windows/security/threat-protection/auditing/event-4647.md
index 64c7e02466..6a346735b9 100644
--- a/windows/security/threat-protection/auditing/event-4647.md
+++ b/windows/security/threat-protection/auditing/event-4647.md
@@ -1,11 +1,11 @@
---
-title: 4647(S) User initiated logoff. (Windows 10)
+title: 4647(S) User initiated logoff.
description: Describes security event 4647(S) User initiated logoff. This event is generated when a logoff is initiated. No further user-initiated activity can occur.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md
index 5ffebb9c04..57e38cffb9 100644
--- a/windows/security/threat-protection/auditing/event-4648.md
+++ b/windows/security/threat-protection/auditing/event-4648.md
@@ -1,11 +1,11 @@
---
-title: 4648(S) A logon was attempted using explicit credentials. (Windows 10)
+title: 4648(S) A logon was attempted using explicit credentials.
description: Describes security event 4648(S) A logon was attempted using explicit credentials.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md
index 98a1c9ad18..ab9f2ef58e 100644
--- a/windows/security/threat-protection/auditing/event-4649.md
+++ b/windows/security/threat-protection/auditing/event-4649.md
@@ -1,11 +1,11 @@
---
-title: 4649(S) A replay attack was detected. (Windows 10)
+title: 4649(S) A replay attack was detected.
description: Describes security event 4649(S) A replay attack was detected. This event is generated when a KRB_AP_ERR_REPEAT Kerberos response is sent to the client.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4656.md b/windows/security/threat-protection/auditing/event-4656.md
index 7d974fa3fa..d019e5e260 100644
--- a/windows/security/threat-protection/auditing/event-4656.md
+++ b/windows/security/threat-protection/auditing/event-4656.md
@@ -1,11 +1,11 @@
---
-title: 4656(S, F) A handle to an object was requested. (Windows 10)
+title: 4656(S, F) A handle to an object was requested.
description: Describes security event 4656(S, F) A handle to an object was requested.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md
index cb4ecc3ae1..35f1a2be85 100644
--- a/windows/security/threat-protection/auditing/event-4657.md
+++ b/windows/security/threat-protection/auditing/event-4657.md
@@ -1,11 +1,11 @@
---
-title: 4657(S) A registry value was modified. (Windows 10)
+title: 4657(S) A registry value was modified.
description: Describes security event 4657(S) A registry value was modified. This event is generated when a registry key value is modified.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4658.md b/windows/security/threat-protection/auditing/event-4658.md
index 532558cd00..ed093c51b6 100644
--- a/windows/security/threat-protection/auditing/event-4658.md
+++ b/windows/security/threat-protection/auditing/event-4658.md
@@ -1,11 +1,11 @@
---
-title: 4658(S) The handle to an object was closed. (Windows 10)
+title: 4658(S) The handle to an object was closed.
description: Describes security event 4658(S) The handle to an object was closed. This event is generated when the handle to an object is closed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md
index b0124437c6..8613c16cee 100644
--- a/windows/security/threat-protection/auditing/event-4660.md
+++ b/windows/security/threat-protection/auditing/event-4660.md
@@ -1,11 +1,11 @@
---
-title: 4660(S) An object was deleted. (Windows 10)
+title: 4660(S) An object was deleted.
description: Describes security event 4660(S) An object was deleted. This event is generated when an object is deleted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md
index 6cc68892c8..ffd0495d6f 100644
--- a/windows/security/threat-protection/auditing/event-4661.md
+++ b/windows/security/threat-protection/auditing/event-4661.md
@@ -1,11 +1,11 @@
---
-title: 4661(S, F) A handle to an object was requested. (Windows 10)
+title: 4661(S, F) A handle to an object was requested.
description: Describes security event 4661(S, F) A handle to an object was requested.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4662.md b/windows/security/threat-protection/auditing/event-4662.md
index cf19827489..03c05ae001 100644
--- a/windows/security/threat-protection/auditing/event-4662.md
+++ b/windows/security/threat-protection/auditing/event-4662.md
@@ -1,11 +1,11 @@
---
-title: 4662(S, F) An operation was performed on an object. (Windows 10)
+title: 4662(S, F) An operation was performed on an object.
description: Describes security event 4662(S, F) An operation was performed on an object.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4663.md b/windows/security/threat-protection/auditing/event-4663.md
index cf790af491..e6eb49e26e 100644
--- a/windows/security/threat-protection/auditing/event-4663.md
+++ b/windows/security/threat-protection/auditing/event-4663.md
@@ -1,11 +1,11 @@
---
-title: 4663(S) An attempt was made to access an object. (Windows 10)
+title: 4663(S) An attempt was made to access an object.
description: Describes security event 4663(S) An attempt was made to access an object.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4664.md b/windows/security/threat-protection/auditing/event-4664.md
index 0a27e27f7d..80106ccf42 100644
--- a/windows/security/threat-protection/auditing/event-4664.md
+++ b/windows/security/threat-protection/auditing/event-4664.md
@@ -1,11 +1,11 @@
---
-title: 4664(S) An attempt was made to create a hard link. (Windows 10)
+title: 4664(S) An attempt was made to create a hard link.
description: Describes security event 4664(S) An attempt was made to create a hard link.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md
index f20653ded7..a2d1d9f284 100644
--- a/windows/security/threat-protection/auditing/event-4670.md
+++ b/windows/security/threat-protection/auditing/event-4670.md
@@ -1,11 +1,11 @@
---
-title: 4670(S) Permissions on an object were changed. (Windows 10)
+title: 4670(S) Permissions on an object were changed.
description: Describes security event 4670(S) Permissions on an object were changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4671.md b/windows/security/threat-protection/auditing/event-4671.md
index 3215da12d8..3c078e977d 100644
--- a/windows/security/threat-protection/auditing/event-4671.md
+++ b/windows/security/threat-protection/auditing/event-4671.md
@@ -1,11 +1,11 @@
---
-title: 4671(-) An application attempted to access a blocked ordinal through the TBS. (Windows 10)
+title: 4671(-) An application attempted to access a blocked ordinal through the TBS.
description: Describes security event 4671(-) An application attempted to access a blocked ordinal through the TBS.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md
index 3b61e352a2..32e6c9eb6a 100644
--- a/windows/security/threat-protection/auditing/event-4672.md
+++ b/windows/security/threat-protection/auditing/event-4672.md
@@ -1,11 +1,11 @@
---
-title: 4672(S) Special privileges assigned to new logon. (Windows 10)
+title: 4672(S) Special privileges assigned to new logon.
description: Describes security event 4672(S) Special privileges assigned to new logon.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md
index e63486e9fa..7dc7f54208 100644
--- a/windows/security/threat-protection/auditing/event-4673.md
+++ b/windows/security/threat-protection/auditing/event-4673.md
@@ -1,11 +1,11 @@
---
-title: 4673(S, F) A privileged service was called. (Windows 10)
+title: 4673(S, F) A privileged service was called.
description: Describes security event 4673(S, F) A privileged service was called. This event is generated for an attempt to perform privileged system service operations.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md
index 11f8c3fb62..80a9614ae6 100644
--- a/windows/security/threat-protection/auditing/event-4674.md
+++ b/windows/security/threat-protection/auditing/event-4674.md
@@ -1,11 +1,11 @@
---
-title: 4674(S, F) An operation was attempted on a privileged object. (Windows 10)
+title: 4674(S, F) An operation was attempted on a privileged object.
description: Describes security event 4674(S, F) An operation was attempted on a privileged object.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4675.md b/windows/security/threat-protection/auditing/event-4675.md
index 6daf08eef3..cdd97e8a9e 100644
--- a/windows/security/threat-protection/auditing/event-4675.md
+++ b/windows/security/threat-protection/auditing/event-4675.md
@@ -1,11 +1,11 @@
---
-title: 4675(S) SIDs were filtered. (Windows 10)
+title: 4675(S) SIDs were filtered.
description: Describes security event 4675(S) SIDs were filtered. This event is generated when SIDs were filtered for a specific Active Directory trust.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md
index 5742fbd554..d56ba5367b 100644
--- a/windows/security/threat-protection/auditing/event-4688.md
+++ b/windows/security/threat-protection/auditing/event-4688.md
@@ -1,11 +1,11 @@
---
-title: 4688(S) A new process has been created. (Windows 10)
+title: 4688(S) A new process has been created.
description: Describes security event 4688(S) A new process has been created. This event is generated when a new process starts.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 01/24/2022
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4689.md b/windows/security/threat-protection/auditing/event-4689.md
index f2014c9a1e..c23269a82a 100644
--- a/windows/security/threat-protection/auditing/event-4689.md
+++ b/windows/security/threat-protection/auditing/event-4689.md
@@ -1,11 +1,11 @@
---
-title: 4689(S) A process has exited. (Windows 10)
+title: 4689(S) A process has exited.
description: Describes security event 4689(S) A process has exited. This event is generates when a process exits.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4690.md b/windows/security/threat-protection/auditing/event-4690.md
index e0b54b2afe..b1247baf18 100644
--- a/windows/security/threat-protection/auditing/event-4690.md
+++ b/windows/security/threat-protection/auditing/event-4690.md
@@ -1,11 +1,11 @@
---
-title: 4690(S) An attempt was made to duplicate a handle to an object. (Windows 10)
+title: 4690(S) An attempt was made to duplicate a handle to an object.
description: Describes security event 4690(S) An attempt was made to duplicate a handle to an object.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4691.md b/windows/security/threat-protection/auditing/event-4691.md
index 9f88bf0d9b..abc7e7224a 100644
--- a/windows/security/threat-protection/auditing/event-4691.md
+++ b/windows/security/threat-protection/auditing/event-4691.md
@@ -1,11 +1,11 @@
---
-title: 4691(S) Indirect access to an object was requested. (Windows 10)
+title: 4691(S) Indirect access to an object was requested.
description: Describes security event 4691(S) Indirect access to an object was requested.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4692.md b/windows/security/threat-protection/auditing/event-4692.md
index fb56e8e4c9..fd2df12df7 100644
--- a/windows/security/threat-protection/auditing/event-4692.md
+++ b/windows/security/threat-protection/auditing/event-4692.md
@@ -1,11 +1,11 @@
---
-title: 4692(S, F) Backup of data protection master key was attempted. (Windows 10)
+title: 4692(S, F) Backup of data protection master key was attempted.
description: Describes security event 4692(S, F) Backup of data protection master key was attempted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4693.md b/windows/security/threat-protection/auditing/event-4693.md
index bd99d76424..e8fd42218d 100644
--- a/windows/security/threat-protection/auditing/event-4693.md
+++ b/windows/security/threat-protection/auditing/event-4693.md
@@ -1,11 +1,11 @@
---
-title: 4693(S, F) Recovery of data protection master key was attempted. (Windows 10)
+title: 4693(S, F) Recovery of data protection master key was attempted.
description: Describes security event 4693(S, F) Recovery of data protection master key was attempted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4694.md b/windows/security/threat-protection/auditing/event-4694.md
index f66fb36e4d..18eed045ab 100644
--- a/windows/security/threat-protection/auditing/event-4694.md
+++ b/windows/security/threat-protection/auditing/event-4694.md
@@ -1,11 +1,11 @@
---
-title: 4694(S, F) Protection of auditable protected data was attempted. (Windows 10)
+title: 4694(S, F) Protection of auditable protected data was attempted.
description: Describes security event 4694(S, F) Protection of auditable protected data was attempted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4695.md b/windows/security/threat-protection/auditing/event-4695.md
index 68c0ac644a..7093744387 100644
--- a/windows/security/threat-protection/auditing/event-4695.md
+++ b/windows/security/threat-protection/auditing/event-4695.md
@@ -1,11 +1,11 @@
---
-title: 4695(S, F) Unprotection of auditable protected data was attempted. (Windows 10)
+title: 4695(S, F) Unprotection of auditable protected data was attempted.
description: Describes security event 4695(S, F) Unprotection of auditable protected data was attempted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md
index fc3d8432ee..38800c2bd2 100644
--- a/windows/security/threat-protection/auditing/event-4696.md
+++ b/windows/security/threat-protection/auditing/event-4696.md
@@ -1,11 +1,11 @@
---
-title: 4696(S) A primary token was assigned to process. (Windows 10)
+title: 4696(S) A primary token was assigned to process.
description: Describes security event 4696(S) A primary token was assigned to process.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md
index 5d1072f99b..3775a7bda7 100644
--- a/windows/security/threat-protection/auditing/event-4697.md
+++ b/windows/security/threat-protection/auditing/event-4697.md
@@ -1,11 +1,11 @@
---
-title: 4697(S) A service was installed in the system. (Windows 10)
+title: 4697(S) A service was installed in the system.
description: Describes security event 4697(S) A service was installed in the system.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md
index cfbe0e3f96..2609217fd3 100644
--- a/windows/security/threat-protection/auditing/event-4698.md
+++ b/windows/security/threat-protection/auditing/event-4698.md
@@ -1,11 +1,11 @@
---
-title: 4698(S) A scheduled task was created. (Windows 10)
+title: 4698(S) A scheduled task was created.
description: Describes security event 4698(S) A scheduled task was created. This event is generated when a scheduled task is created.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md
index 56935a1da0..87a10ab8bf 100644
--- a/windows/security/threat-protection/auditing/event-4699.md
+++ b/windows/security/threat-protection/auditing/event-4699.md
@@ -1,11 +1,11 @@
---
-title: 4699(S) A scheduled task was deleted. (Windows 10)
+title: 4699(S) A scheduled task was deleted.
description: Describes security event 4699(S) A scheduled task was deleted. This event is generated every time a scheduled task is deleted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md
index 3c45c92cf4..0f8d3494fe 100644
--- a/windows/security/threat-protection/auditing/event-4700.md
+++ b/windows/security/threat-protection/auditing/event-4700.md
@@ -1,11 +1,11 @@
---
-title: 4700(S) A scheduled task was enabled. (Windows 10)
+title: 4700(S) A scheduled task was enabled.
description: Describes security event 4700(S) A scheduled task was enabled. This event is generated every time a scheduled task is enabled.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md
index 0a9639837b..ecd015fbae 100644
--- a/windows/security/threat-protection/auditing/event-4701.md
+++ b/windows/security/threat-protection/auditing/event-4701.md
@@ -1,11 +1,11 @@
---
-title: 4701(S) A scheduled task was disabled. (Windows 10)
+title: 4701(S) A scheduled task was disabled.
description: Describes security event 4701(S) A scheduled task was disabled. This event is generated every time a scheduled task is disabled.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md
index 96c7f0b93b..68dfec7592 100644
--- a/windows/security/threat-protection/auditing/event-4702.md
+++ b/windows/security/threat-protection/auditing/event-4702.md
@@ -1,11 +1,11 @@
---
-title: 4702(S) A scheduled task was updated. (Windows 10)
+title: 4702(S) A scheduled task was updated.
description: Describes security event 4702(S) A scheduled task was updated. This event is generated when a scheduled task is updated/changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md
index f10d935aa1..effc1b4ddc 100644
--- a/windows/security/threat-protection/auditing/event-4703.md
+++ b/windows/security/threat-protection/auditing/event-4703.md
@@ -1,11 +1,11 @@
---
-title: 4703(S) A user right was adjusted. (Windows 10)
+title: 4703(S) A user right was adjusted.
description: Describes security event 4703(S) A user right was adjusted. This event is generated when token privileges are enabled or disabled for a specific account.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md
index 4b0b4ef478..94bcdf96eb 100644
--- a/windows/security/threat-protection/auditing/event-4704.md
+++ b/windows/security/threat-protection/auditing/event-4704.md
@@ -1,11 +1,11 @@
---
-title: 4704(S) A user right was assigned. (Windows 10)
+title: 4704(S) A user right was assigned.
description: Describes security event 4704(S) A user right was assigned. This event is generated when a user right is assigned to an account.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md
index c66295ce0d..1030f0b6b6 100644
--- a/windows/security/threat-protection/auditing/event-4705.md
+++ b/windows/security/threat-protection/auditing/event-4705.md
@@ -1,11 +1,11 @@
---
-title: 4705(S) A user right was removed. (Windows 10)
+title: 4705(S) A user right was removed.
description: Describes security event 4705(S) A user right was removed. This event is generated when a user right is removed from an account.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4706.md b/windows/security/threat-protection/auditing/event-4706.md
index 01ce8db4cd..7fdea8fb2c 100644
--- a/windows/security/threat-protection/auditing/event-4706.md
+++ b/windows/security/threat-protection/auditing/event-4706.md
@@ -1,11 +1,11 @@
---
-title: 4706(S) A new trust was created to a domain. (Windows 10)
+title: 4706(S) A new trust was created to a domain.
description: Describes security event 4706(S) A new trust was created to a domain. This event is generated when a new trust is created for a domain.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4707.md b/windows/security/threat-protection/auditing/event-4707.md
index a47a9ea3ea..e2a779b376 100644
--- a/windows/security/threat-protection/auditing/event-4707.md
+++ b/windows/security/threat-protection/auditing/event-4707.md
@@ -1,11 +1,11 @@
---
-title: 4707(S) A trust to a domain was removed. (Windows 10)
+title: 4707(S) A trust to a domain was removed.
description: Describes security event 4707(S) A trust to a domain was removed. This event is generated when a domain trust is removed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4713.md b/windows/security/threat-protection/auditing/event-4713.md
index 218134046e..49ad5eeca7 100644
--- a/windows/security/threat-protection/auditing/event-4713.md
+++ b/windows/security/threat-protection/auditing/event-4713.md
@@ -1,11 +1,11 @@
---
-title: 4713(S) Kerberos policy was changed. (Windows 10)
+title: 4713(S) Kerberos policy was changed.
description: Describes security event 4713(S) Kerberos policy was changed. This event is generated when Kerberos policy is changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4714.md b/windows/security/threat-protection/auditing/event-4714.md
index fc40a49c6e..495cda1557 100644
--- a/windows/security/threat-protection/auditing/event-4714.md
+++ b/windows/security/threat-protection/auditing/event-4714.md
@@ -1,11 +1,11 @@
---
-title: 4714(S) Encrypted data recovery policy was changed. (Windows 10)
+title: 4714(S) Encrypted data recovery policy was changed.
description: Describes security event 4714(S) Encrypted data recovery policy was changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md
index f128397767..6a09b30ae2 100644
--- a/windows/security/threat-protection/auditing/event-4715.md
+++ b/windows/security/threat-protection/auditing/event-4715.md
@@ -1,11 +1,11 @@
---
-title: 4715(S) The audit policy (SACL) on an object was changed. (Windows 10)
+title: 4715(S) The audit policy (SACL) on an object was changed.
description: Describes security event 4715(S) The audit policy (SACL) on an object was changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md
index 3d1ec5f975..12eafb94f3 100644
--- a/windows/security/threat-protection/auditing/event-4716.md
+++ b/windows/security/threat-protection/auditing/event-4716.md
@@ -1,11 +1,11 @@
---
-title: 4716(S) Trusted domain information was modified. (Windows 10)
+title: 4716(S) Trusted domain information was modified.
description: Describes security event 4716(S) Trusted domain information was modified.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md
index 8a1f14e022..b02eef2f90 100644
--- a/windows/security/threat-protection/auditing/event-4717.md
+++ b/windows/security/threat-protection/auditing/event-4717.md
@@ -1,11 +1,11 @@
---
-title: 4717(S) System security access was granted to an account. (Windows 10)
+title: 4717(S) System security access was granted to an account.
description: Describes security event 4717(S) System security access was granted to an account.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md
index e8ec6b8039..14707ab644 100644
--- a/windows/security/threat-protection/auditing/event-4718.md
+++ b/windows/security/threat-protection/auditing/event-4718.md
@@ -1,11 +1,11 @@
---
-title: 4718(S) System security access was removed from an account. (Windows 10)
+title: 4718(S) System security access was removed from an account.
description: Describes security event 4718(S) System security access was removed from an account.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4719.md b/windows/security/threat-protection/auditing/event-4719.md
index dae615acf4..4cf66c7350 100644
--- a/windows/security/threat-protection/auditing/event-4719.md
+++ b/windows/security/threat-protection/auditing/event-4719.md
@@ -1,11 +1,11 @@
---
-title: 4719(S) System audit policy was changed. (Windows 10)
+title: 4719(S) System audit policy was changed.
description: Describes security event 4719(S) System audit policy was changed. This event is generated when the computer audit policy changes.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md
index b53966664d..726f71bbbd 100644
--- a/windows/security/threat-protection/auditing/event-4720.md
+++ b/windows/security/threat-protection/auditing/event-4720.md
@@ -1,11 +1,11 @@
---
-title: 4720(S) A user account was created. (Windows 10)
+title: 4720(S) A user account was created.
description: Describes security event 4720(S) A user account was created. This event is generated a user object is created.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4722.md b/windows/security/threat-protection/auditing/event-4722.md
index 4388873aa0..add2d048cc 100644
--- a/windows/security/threat-protection/auditing/event-4722.md
+++ b/windows/security/threat-protection/auditing/event-4722.md
@@ -1,11 +1,11 @@
---
-title: 4722(S) A user account was enabled. (Windows 10)
+title: 4722(S) A user account was enabled.
description: Describes security event 4722(S) A user account was enabled. This event is generated when a user or computer object is enabled.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4723.md b/windows/security/threat-protection/auditing/event-4723.md
index 8b8b7975a1..7aad069614 100644
--- a/windows/security/threat-protection/auditing/event-4723.md
+++ b/windows/security/threat-protection/auditing/event-4723.md
@@ -1,11 +1,11 @@
---
-title: 4723(S, F) An attempt was made to change an account's password. (Windows 10)
+title: 4723(S, F) An attempt was made to change an account's password.
description: Describes security event 4723(S, F) An attempt was made to change an account's password.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4724.md b/windows/security/threat-protection/auditing/event-4724.md
index 00c98b63e4..456ec46743 100644
--- a/windows/security/threat-protection/auditing/event-4724.md
+++ b/windows/security/threat-protection/auditing/event-4724.md
@@ -1,11 +1,11 @@
---
-title: 4724(S, F) An attempt was made to reset an account's password. (Windows 10)
+title: 4724(S, F) An attempt was made to reset an account's password.
description: Describes security event 4724(S, F) An attempt was made to reset an account's password.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4725.md b/windows/security/threat-protection/auditing/event-4725.md
index ad5b546a6d..55cad0f2a1 100644
--- a/windows/security/threat-protection/auditing/event-4725.md
+++ b/windows/security/threat-protection/auditing/event-4725.md
@@ -1,11 +1,11 @@
---
-title: 4725(S) A user account was disabled. (Windows 10)
+title: 4725(S) A user account was disabled.
description: Describes security event 4725(S) A user account was disabled. This event is generated when a user or computer object is disabled.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4726.md b/windows/security/threat-protection/auditing/event-4726.md
index 7df0779c4a..a947159c47 100644
--- a/windows/security/threat-protection/auditing/event-4726.md
+++ b/windows/security/threat-protection/auditing/event-4726.md
@@ -1,11 +1,11 @@
---
-title: 4726(S) A user account was deleted. (Windows 10)
+title: 4726(S) A user account was deleted.
description: Describes security event 4726(S) A user account was deleted. This event is generated when a user object is deleted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4731.md b/windows/security/threat-protection/auditing/event-4731.md
index ca1c673af4..2c65171ef1 100644
--- a/windows/security/threat-protection/auditing/event-4731.md
+++ b/windows/security/threat-protection/auditing/event-4731.md
@@ -1,11 +1,11 @@
---
-title: 4731(S) A security-enabled local group was created. (Windows 10)
+title: 4731(S) A security-enabled local group was created.
description: Describes security event 4731(S) A security-enabled local group was created.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md
index 8afb300906..00d16da21d 100644
--- a/windows/security/threat-protection/auditing/event-4732.md
+++ b/windows/security/threat-protection/auditing/event-4732.md
@@ -1,11 +1,11 @@
---
-title: 4732(S) A member was added to a security-enabled local group. (Windows 10)
+title: 4732(S) A member was added to a security-enabled local group.
description: Describes security event 4732(S) A member was added to a security-enabled local group.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md
index 3a24b2ef0f..926066fb81 100644
--- a/windows/security/threat-protection/auditing/event-4733.md
+++ b/windows/security/threat-protection/auditing/event-4733.md
@@ -1,11 +1,11 @@
---
-title: 4733(S) A member was removed from a security-enabled local group. (Windows 10)
+title: 4733(S) A member was removed from a security-enabled local group.
description: Describes security event 4733(S) A member was removed from a security-enabled local group.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4734.md b/windows/security/threat-protection/auditing/event-4734.md
index ac2c5d7b93..c2af62b2bc 100644
--- a/windows/security/threat-protection/auditing/event-4734.md
+++ b/windows/security/threat-protection/auditing/event-4734.md
@@ -1,11 +1,11 @@
---
-title: 4734(S) A security-enabled local group was deleted. (Windows 10)
+title: 4734(S) A security-enabled local group was deleted.
description: Describes security event 4734(S) A security-enabled local group was deleted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4735.md b/windows/security/threat-protection/auditing/event-4735.md
index 4842263179..a08fb0391f 100644
--- a/windows/security/threat-protection/auditing/event-4735.md
+++ b/windows/security/threat-protection/auditing/event-4735.md
@@ -1,11 +1,11 @@
---
-title: 4735(S) A security-enabled local group was changed. (Windows 10)
+title: 4735(S) A security-enabled local group was changed.
description: Describes security event 4735(S) A security-enabled local group was changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md
index 63352ed67e..61cd4e80e6 100644
--- a/windows/security/threat-protection/auditing/event-4738.md
+++ b/windows/security/threat-protection/auditing/event-4738.md
@@ -1,11 +1,11 @@
---
-title: 4738(S) A user account was changed. (Windows 10)
+title: 4738(S) A user account was changed.
description: Describes security event 4738(S) A user account was changed. This event is generated when a user object is changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4739.md b/windows/security/threat-protection/auditing/event-4739.md
index d43bdb27e2..8b6090da8d 100644
--- a/windows/security/threat-protection/auditing/event-4739.md
+++ b/windows/security/threat-protection/auditing/event-4739.md
@@ -1,11 +1,11 @@
---
-title: 4739(S) Domain Policy was changed. (Windows 10)
+title: 4739(S) Domain Policy was changed.
description: Describes security event 4739(S) Domain Policy was changed. This event is generated when certain changes are made to the local computer security policy.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4740.md b/windows/security/threat-protection/auditing/event-4740.md
index 46c0cdcb9d..9fae037e5f 100644
--- a/windows/security/threat-protection/auditing/event-4740.md
+++ b/windows/security/threat-protection/auditing/event-4740.md
@@ -1,11 +1,11 @@
---
-title: 4740(S) A user account was locked out. (Windows 10)
+title: 4740(S) A user account was locked out.
description: Describes security event 4740(S) A user account was locked out. This event is generated every time a user account is locked out.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md
index 5245280f11..a245d7e5ce 100644
--- a/windows/security/threat-protection/auditing/event-4741.md
+++ b/windows/security/threat-protection/auditing/event-4741.md
@@ -1,11 +1,11 @@
---
-title: 4741(S) A computer account was created. (Windows 10)
+title: 4741(S) A computer account was created.
description: Describes security event 4741(S) A computer account was created. This event is generated every time a computer object is created.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md
index 3f5f9c2eb6..6d58542822 100644
--- a/windows/security/threat-protection/auditing/event-4742.md
+++ b/windows/security/threat-protection/auditing/event-4742.md
@@ -1,11 +1,11 @@
---
-title: 4742(S) A computer account was changed. (Windows 10)
+title: 4742(S) A computer account was changed.
description: Describes security event 4742(S) A computer account was changed. This event is generated every time a computer object is changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4743.md b/windows/security/threat-protection/auditing/event-4743.md
index 50411689a9..4f3da1ff73 100644
--- a/windows/security/threat-protection/auditing/event-4743.md
+++ b/windows/security/threat-protection/auditing/event-4743.md
@@ -1,11 +1,11 @@
---
-title: 4743(S) A computer account was deleted. (Windows 10)
+title: 4743(S) A computer account was deleted.
description: Describes security event 4743(S) A computer account was deleted. This event is generated every time a computer object is deleted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4749.md b/windows/security/threat-protection/auditing/event-4749.md
index 8293c95b2b..94f70a7eae 100644
--- a/windows/security/threat-protection/auditing/event-4749.md
+++ b/windows/security/threat-protection/auditing/event-4749.md
@@ -1,11 +1,11 @@
---
-title: 4749(S) A security-disabled global group was created. (Windows 10)
+title: 4749(S) A security-disabled global group was created.
description: Describes security event 4749(S) A security-disabled global group was created.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4750.md b/windows/security/threat-protection/auditing/event-4750.md
index d106e10077..98025cf33c 100644
--- a/windows/security/threat-protection/auditing/event-4750.md
+++ b/windows/security/threat-protection/auditing/event-4750.md
@@ -1,11 +1,11 @@
---
-title: 4750(S) A security-disabled global group was changed. (Windows 10)
+title: 4750(S) A security-disabled global group was changed.
description: Describes security event 4750(S) A security-disabled global group was changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md
index e3bdca780e..d28e5a4ace 100644
--- a/windows/security/threat-protection/auditing/event-4751.md
+++ b/windows/security/threat-protection/auditing/event-4751.md
@@ -1,11 +1,11 @@
---
-title: 4751(S) A member was added to a security-disabled global group. (Windows 10)
+title: 4751(S) A member was added to a security-disabled global group.
description: Describes security event 4751(S) A member was added to a security-disabled global group.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md
index f6b4fc37dd..937c2d5d78 100644
--- a/windows/security/threat-protection/auditing/event-4752.md
+++ b/windows/security/threat-protection/auditing/event-4752.md
@@ -1,11 +1,11 @@
---
-title: 4752(S) A member was removed from a security-disabled global group. (Windows 10)
+title: 4752(S) A member was removed from a security-disabled global group.
description: Describes security event 4752(S) A member was removed from a security-disabled global group.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4753.md b/windows/security/threat-protection/auditing/event-4753.md
index 6bdf28a86b..e03d2dad24 100644
--- a/windows/security/threat-protection/auditing/event-4753.md
+++ b/windows/security/threat-protection/auditing/event-4753.md
@@ -1,11 +1,11 @@
---
-title: 4753(S) A security-disabled global group was deleted. (Windows 10)
+title: 4753(S) A security-disabled global group was deleted.
description: Describes security event 4753(S) A security-disabled global group was deleted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4764.md b/windows/security/threat-protection/auditing/event-4764.md
index f959fc103a..28615743d5 100644
--- a/windows/security/threat-protection/auditing/event-4764.md
+++ b/windows/security/threat-protection/auditing/event-4764.md
@@ -1,11 +1,11 @@
---
-title: 4764(S) A group's type was changed. (Windows 10)
+title: 4764(S) A group's type was changed.
description: Describes security event 4764(S) A group's type was changed. This event is generated when the type of a group is changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4765.md b/windows/security/threat-protection/auditing/event-4765.md
index 5789319e57..b7e4d12932 100644
--- a/windows/security/threat-protection/auditing/event-4765.md
+++ b/windows/security/threat-protection/auditing/event-4765.md
@@ -1,11 +1,11 @@
---
-title: 4765(S) SID History was added to an account. (Windows 10)
+title: 4765(S) SID History was added to an account.
description: Describes security event 4765(S) SID History was added to an account. This event is generated when SID History is added to an account.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4766.md b/windows/security/threat-protection/auditing/event-4766.md
index 4d0ec7ae25..6ec2b6bbf3 100644
--- a/windows/security/threat-protection/auditing/event-4766.md
+++ b/windows/security/threat-protection/auditing/event-4766.md
@@ -1,11 +1,11 @@
---
-title: 4766(F) An attempt to add SID History to an account failed. (Windows 10)
+title: 4766(F) An attempt to add SID History to an account failed.
description: Describes security event 4766(F) An attempt to add SID History to an account failed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4767.md b/windows/security/threat-protection/auditing/event-4767.md
index 9dbf921ebf..e18080c9e3 100644
--- a/windows/security/threat-protection/auditing/event-4767.md
+++ b/windows/security/threat-protection/auditing/event-4767.md
@@ -1,11 +1,11 @@
---
-title: 4767(S) A user account was unlocked. (Windows 10)
+title: 4767(S) A user account was unlocked.
description: Describes security event 4767(S) A user account was unlocked. This event is generated every time a user account is unlocked.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md
index 825ba47534..9af99fe83b 100644
--- a/windows/security/threat-protection/auditing/event-4768.md
+++ b/windows/security/threat-protection/auditing/event-4768.md
@@ -1,11 +1,11 @@
---
-title: 4768(S, F) A Kerberos authentication ticket (TGT) was requested. (Windows 10)
+title: 4768(S, F) A Kerberos authentication ticket (TGT) was requested.
description: Describes security event 4768(S, F) A Kerberos authentication ticket (TGT) was requested.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 10/20/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md
index ea8fbab15b..2605d404c9 100644
--- a/windows/security/threat-protection/auditing/event-4769.md
+++ b/windows/security/threat-protection/auditing/event-4769.md
@@ -1,11 +1,11 @@
---
-title: 4769(S, F) A Kerberos service ticket was requested. (Windows 10)
+title: 4769(S, F) A Kerberos service ticket was requested.
description: Describes security event 4769(S, F) A Kerberos service ticket was requested.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
@@ -261,7 +261,7 @@ The table below contains the list of the most common error codes for this event:
| 0x43 | KRB\_AP\_ERR\_NO\_TGT | No TGT was presented or available | In user-to-user authentication if the service doesn't possess a ticket granting ticket, it should return the error KRB\_AP\_ERR\_NO\_TGT. |
| 0x44 | KDC\_ERR\_WRONG\_REALM | Incorrect domain or principal | Although this error rarely occurs, it occurs when a client presents a cross-realm TGT to a realm other than the one specified in the TGT. Typically, this results from incorrectly configured DNS. |
-- **Transited Services** \[Type = UnicodeString\]: this field contains list of SPNs which were requested if Kerberos delegation was used.
+- **Transited Services** \[Type = UnicodeString\]: this field contains list of SPNs which were requested if constrained Kerberos delegation was used.
> **Note** **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
diff --git a/windows/security/threat-protection/auditing/event-4770.md b/windows/security/threat-protection/auditing/event-4770.md
index 2027d8504f..e0206db3db 100644
--- a/windows/security/threat-protection/auditing/event-4770.md
+++ b/windows/security/threat-protection/auditing/event-4770.md
@@ -1,11 +1,11 @@
---
-title: 4770(S) A Kerberos service ticket was renewed. (Windows 10)
+title: 4770(S) A Kerberos service ticket was renewed.
description: Describes security event 4770(S) A Kerberos service ticket was renewed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
index 2cefaaced0..bad7f21c77 100644
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@@ -1,11 +1,11 @@
---
-title: 4771(F) Kerberos pre-authentication failed. (Windows 10)
+title: 4771(F) Kerberos pre-authentication failed.
description: Describes security event 4771(F) Kerberos pre-authentication failed. This event is generated when the Key Distribution Center fails to issue a Kerberos TGT.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4772.md b/windows/security/threat-protection/auditing/event-4772.md
index 3c378ccc0b..1bb81355f0 100644
--- a/windows/security/threat-protection/auditing/event-4772.md
+++ b/windows/security/threat-protection/auditing/event-4772.md
@@ -1,11 +1,11 @@
---
-title: 4772(F) A Kerberos authentication ticket request failed. (Windows 10)
+title: 4772(F) A Kerberos authentication ticket request failed.
description: Describes security event 4772(F) A Kerberos authentication ticket request failed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4773.md b/windows/security/threat-protection/auditing/event-4773.md
index 30c32b9f8d..a966cf2abd 100644
--- a/windows/security/threat-protection/auditing/event-4773.md
+++ b/windows/security/threat-protection/auditing/event-4773.md
@@ -1,11 +1,11 @@
---
-title: 4773(F) A Kerberos service ticket request failed. (Windows 10)
+title: 4773(F) A Kerberos service ticket request failed.
description: Describes security event 4773(F) A Kerberos service ticket request failed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4774.md b/windows/security/threat-protection/auditing/event-4774.md
index 2f9b37c352..5c9253d51a 100644
--- a/windows/security/threat-protection/auditing/event-4774.md
+++ b/windows/security/threat-protection/auditing/event-4774.md
@@ -1,11 +1,11 @@
---
-title: 4774(S, F) An account was mapped for logon. (Windows 10)
+title: 4774(S, F) An account was mapped for logon.
description: Describes security event 4774(S, F) An account was mapped for logon. This event is generated when an account is mapped for logon.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4775.md b/windows/security/threat-protection/auditing/event-4775.md
index 8281bb27e5..35264e2c50 100644
--- a/windows/security/threat-protection/auditing/event-4775.md
+++ b/windows/security/threat-protection/auditing/event-4775.md
@@ -1,11 +1,11 @@
---
-title: 4775(F) An account could not be mapped for logon. (Windows 10)
+title: 4775(F) An account could not be mapped for logon.
description: Describes security event 4775(F) An account could not be mapped for logon.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md
index ad57e347c4..736a967ea4 100644
--- a/windows/security/threat-protection/auditing/event-4776.md
+++ b/windows/security/threat-protection/auditing/event-4776.md
@@ -1,11 +1,11 @@
---
-title: 4776(S, F) The computer attempted to validate the credentials for an account. (Windows 10)
+title: 4776(S, F) The computer attempted to validate the credentials for an account.
description: Describes security event 4776(S, F) The computer attempted to validate the credentials for an account.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/13/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4777.md b/windows/security/threat-protection/auditing/event-4777.md
index e534dbee25..f14f4b4a58 100644
--- a/windows/security/threat-protection/auditing/event-4777.md
+++ b/windows/security/threat-protection/auditing/event-4777.md
@@ -1,11 +1,11 @@
---
-title: 4777(F) The domain controller failed to validate the credentials for an account. (Windows 10)
+title: 4777(F) The domain controller failed to validate the credentials for an account.
description: Describes security event 4777(F) The domain controller failed to validate the credentials for an account.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md
index 76aac3738e..d9a5bd2d94 100644
--- a/windows/security/threat-protection/auditing/event-4778.md
+++ b/windows/security/threat-protection/auditing/event-4778.md
@@ -1,11 +1,11 @@
---
-title: 4778(S) A session was reconnected to a Window Station. (Windows 10)
+title: 4778(S) A session was reconnected to a Window Station.
description: Describes security event 4778(S) A session was reconnected to a Window Station.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md
index 7f6568c1cb..3ab94db6fb 100644
--- a/windows/security/threat-protection/auditing/event-4779.md
+++ b/windows/security/threat-protection/auditing/event-4779.md
@@ -1,11 +1,11 @@
---
-title: 4779(S) A session was disconnected from a Window Station. (Windows 10)
+title: 4779(S) A session was disconnected from a Window Station.
description: Describes security event 4779(S) A session was disconnected from a Window Station.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4780.md b/windows/security/threat-protection/auditing/event-4780.md
index 5195929a0e..8bc11f4997 100644
--- a/windows/security/threat-protection/auditing/event-4780.md
+++ b/windows/security/threat-protection/auditing/event-4780.md
@@ -1,11 +1,11 @@
---
-title: 4780(S) The ACL was set on accounts which are members of administrators groups. (Windows 10)
+title: 4780(S) The ACL was set on accounts which are members of administrators groups.
description: Describes security event 4780(S) The ACL was set on accounts which are members of administrators groups.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4781.md b/windows/security/threat-protection/auditing/event-4781.md
index fc2aaffc53..3918ee0ef1 100644
--- a/windows/security/threat-protection/auditing/event-4781.md
+++ b/windows/security/threat-protection/auditing/event-4781.md
@@ -1,11 +1,11 @@
---
-title: 4781(S) The name of an account was changed. (Windows 10)
+title: 4781(S) The name of an account was changed.
description: Describes security event 4781(S) The name of an account was changed. This event is generated every time a user or computer account name is changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4782.md b/windows/security/threat-protection/auditing/event-4782.md
index a0615135c6..83020ee642 100644
--- a/windows/security/threat-protection/auditing/event-4782.md
+++ b/windows/security/threat-protection/auditing/event-4782.md
@@ -1,11 +1,11 @@
---
-title: 4782(S) The password hash of an account was accessed. (Windows 10)
+title: 4782(S) The password hash of an account was accessed.
description: Describes security event 4782(S) The password hash of an account was accessed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4793.md b/windows/security/threat-protection/auditing/event-4793.md
index cc197ccb60..4774459a71 100644
--- a/windows/security/threat-protection/auditing/event-4793.md
+++ b/windows/security/threat-protection/auditing/event-4793.md
@@ -1,11 +1,11 @@
---
-title: 4793(S) The Password Policy Checking API was called. (Windows 10)
+title: 4793(S) The Password Policy Checking API was called.
description: Describes security event 4793(S) The Password Policy Checking API was called.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4794.md b/windows/security/threat-protection/auditing/event-4794.md
index 6bcb12e02c..ed8e9aebdc 100644
--- a/windows/security/threat-protection/auditing/event-4794.md
+++ b/windows/security/threat-protection/auditing/event-4794.md
@@ -1,11 +1,11 @@
---
-title: 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password. (Windows 10)
+title: 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password.
description: Describes security event 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4798.md b/windows/security/threat-protection/auditing/event-4798.md
index 696366f22d..8c5e7d3c50 100644
--- a/windows/security/threat-protection/auditing/event-4798.md
+++ b/windows/security/threat-protection/auditing/event-4798.md
@@ -1,11 +1,11 @@
---
-title: 4798(S) A user's local group membership was enumerated. (Windows 10)
+title: 4798(S) A user's local group membership was enumerated.
description: Describes security event 4798(S) A user's local group membership was enumerated.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4799.md b/windows/security/threat-protection/auditing/event-4799.md
index 1cf362be1d..a089e448f4 100644
--- a/windows/security/threat-protection/auditing/event-4799.md
+++ b/windows/security/threat-protection/auditing/event-4799.md
@@ -1,11 +1,11 @@
---
-title: 4799(S) A security-enabled local group membership was enumerated. (Windows 10)
+title: 4799(S) A security-enabled local group membership was enumerated.
description: Describes security event 4799(S) A security-enabled local group membership was enumerated.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4800.md b/windows/security/threat-protection/auditing/event-4800.md
index 89c94ade64..fcacf65cb0 100644
--- a/windows/security/threat-protection/auditing/event-4800.md
+++ b/windows/security/threat-protection/auditing/event-4800.md
@@ -1,11 +1,11 @@
---
-title: 4800(S) The workstation was locked. (Windows 10)
+title: 4800(S) The workstation was locked.
description: Describes security event 4800(S) The workstation was locked. This event is generated when a workstation is locked.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4801.md b/windows/security/threat-protection/auditing/event-4801.md
index 906e46fcd3..94d9dee683 100644
--- a/windows/security/threat-protection/auditing/event-4801.md
+++ b/windows/security/threat-protection/auditing/event-4801.md
@@ -1,11 +1,11 @@
---
-title: 4801(S) The workstation was unlocked. (Windows 10)
+title: 4801(S) The workstation was unlocked.
description: Describes security event 4801(S) The workstation was unlocked. This event is generated when workstation is unlocked.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4802.md b/windows/security/threat-protection/auditing/event-4802.md
index 1b423f29ee..82492616cc 100644
--- a/windows/security/threat-protection/auditing/event-4802.md
+++ b/windows/security/threat-protection/auditing/event-4802.md
@@ -1,11 +1,11 @@
---
-title: 4802(S) The screen saver was invoked. (Windows 10)
+title: 4802(S) The screen saver was invoked.
description: Describes security event 4802(S) The screen saver was invoked. This event is generated when screen saver is invoked.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4803.md b/windows/security/threat-protection/auditing/event-4803.md
index 247e3c704d..497a3a8d07 100644
--- a/windows/security/threat-protection/auditing/event-4803.md
+++ b/windows/security/threat-protection/auditing/event-4803.md
@@ -1,11 +1,11 @@
---
-title: 4803(S) The screen saver was dismissed. (Windows 10)
+title: 4803(S) The screen saver was dismissed.
description: Describes security event 4803(S) The screen saver was dismissed. This event is generated when screen saver is dismissed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4816.md b/windows/security/threat-protection/auditing/event-4816.md
index 8636e1abef..be77d5a97c 100644
--- a/windows/security/threat-protection/auditing/event-4816.md
+++ b/windows/security/threat-protection/auditing/event-4816.md
@@ -1,11 +1,11 @@
---
-title: 4816(S) RPC detected an integrity violation while decrypting an incoming message. (Windows 10)
+title: 4816(S) RPC detected an integrity violation while decrypting an incoming message.
description: Describes security event 4816(S) RPC detected an integrity violation while decrypting an incoming message.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md
index ff20520062..e166782510 100644
--- a/windows/security/threat-protection/auditing/event-4817.md
+++ b/windows/security/threat-protection/auditing/event-4817.md
@@ -1,11 +1,11 @@
---
-title: 4817(S) Auditing settings on object were changed. (Windows 10)
+title: 4817(S) Auditing settings on object were changed.
description: Describes security event 4817(S) Auditing settings on object were changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4818.md b/windows/security/threat-protection/auditing/event-4818.md
index c884c2e7a8..127a71406e 100644
--- a/windows/security/threat-protection/auditing/event-4818.md
+++ b/windows/security/threat-protection/auditing/event-4818.md
@@ -1,11 +1,11 @@
---
-title: 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. (Windows 10)
+title: 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
description: Describes security event 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4819.md b/windows/security/threat-protection/auditing/event-4819.md
index e8bca4427e..0e479a57b1 100644
--- a/windows/security/threat-protection/auditing/event-4819.md
+++ b/windows/security/threat-protection/auditing/event-4819.md
@@ -1,11 +1,11 @@
---
-title: 4819(S) Central Access Policies on the machine have been changed. (Windows 10)
+title: 4819(S) Central Access Policies on the machine have been changed.
description: Describes security event 4819(S) Central Access Policies on the machine have been changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4826.md b/windows/security/threat-protection/auditing/event-4826.md
index 001e6c6026..2e79af5e64 100644
--- a/windows/security/threat-protection/auditing/event-4826.md
+++ b/windows/security/threat-protection/auditing/event-4826.md
@@ -1,11 +1,11 @@
---
-title: 4826(S) Boot Configuration Data loaded. (Windows 10)
+title: 4826(S) Boot Configuration Data loaded.
description: Describes security event 4826(S) Boot Configuration Data loaded. This event is generated every time system starts and loads Boot Configuration Data settings.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md
index a26b552f4a..cbed773c60 100644
--- a/windows/security/threat-protection/auditing/event-4864.md
+++ b/windows/security/threat-protection/auditing/event-4864.md
@@ -1,11 +1,11 @@
---
-title: 4864(S) A namespace collision was detected. (Windows 10)
+title: 4864(S) A namespace collision was detected.
description: Describes security event 4864(S) A namespace collision was detected. This event is generated when a namespace collision is detected.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4865.md b/windows/security/threat-protection/auditing/event-4865.md
index aa44c9bb6a..8b792069f3 100644
--- a/windows/security/threat-protection/auditing/event-4865.md
+++ b/windows/security/threat-protection/auditing/event-4865.md
@@ -1,11 +1,11 @@
---
-title: 4865(S) A trusted forest information entry was added. (Windows 10)
+title: 4865(S) A trusted forest information entry was added.
description: Describes security event 4865(S) A trusted forest information entry was added.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4866.md b/windows/security/threat-protection/auditing/event-4866.md
index 1fcc07f446..2ec48bdf4f 100644
--- a/windows/security/threat-protection/auditing/event-4866.md
+++ b/windows/security/threat-protection/auditing/event-4866.md
@@ -1,11 +1,11 @@
---
-title: 4866(S) A trusted forest information entry was removed. (Windows 10)
+title: 4866(S) A trusted forest information entry was removed.
description: Describes security event 4866(S) A trusted forest information entry was removed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4867.md b/windows/security/threat-protection/auditing/event-4867.md
index ce30699bfa..b4affb0ff4 100644
--- a/windows/security/threat-protection/auditing/event-4867.md
+++ b/windows/security/threat-protection/auditing/event-4867.md
@@ -1,11 +1,11 @@
---
-title: 4867(S) A trusted forest information entry was modified. (Windows 10)
+title: 4867(S) A trusted forest information entry was modified.
description: Describes security event 4867(S) A trusted forest information entry was modified.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4902.md b/windows/security/threat-protection/auditing/event-4902.md
index 7185b9f3da..a53fd03d58 100644
--- a/windows/security/threat-protection/auditing/event-4902.md
+++ b/windows/security/threat-protection/auditing/event-4902.md
@@ -1,11 +1,11 @@
---
-title: 4902(S) The Per-user audit policy table was created. (Windows 10)
+title: 4902(S) The Per-user audit policy table was created.
description: Describes security event 4902(S) The Per-user audit policy table was created.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4904.md b/windows/security/threat-protection/auditing/event-4904.md
index 90858c5844..1f7335e6da 100644
--- a/windows/security/threat-protection/auditing/event-4904.md
+++ b/windows/security/threat-protection/auditing/event-4904.md
@@ -1,11 +1,11 @@
---
-title: 4904(S) An attempt was made to register a security event source. (Windows 10)
+title: 4904(S) An attempt was made to register a security event source.
description: Describes security event 4904(S) An attempt was made to register a security event source.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4905.md b/windows/security/threat-protection/auditing/event-4905.md
index 14eb6cfa8b..c710230070 100644
--- a/windows/security/threat-protection/auditing/event-4905.md
+++ b/windows/security/threat-protection/auditing/event-4905.md
@@ -1,11 +1,11 @@
---
-title: 4905(S) An attempt was made to unregister a security event source. (Windows 10)
+title: 4905(S) An attempt was made to unregister a security event source.
description: Describes security event 4905(S) An attempt was made to unregister a security event source.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4906.md b/windows/security/threat-protection/auditing/event-4906.md
index 2058342aa0..2cdc197a9b 100644
--- a/windows/security/threat-protection/auditing/event-4906.md
+++ b/windows/security/threat-protection/auditing/event-4906.md
@@ -1,11 +1,11 @@
---
-title: 4906(S) The CrashOnAuditFail value has changed. (Windows 10)
+title: 4906(S) The CrashOnAuditFail value has changed.
description: Describes security event 4906(S) The CrashOnAuditFail value has changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md
index c38b66d51b..91ed3cfa75 100644
--- a/windows/security/threat-protection/auditing/event-4907.md
+++ b/windows/security/threat-protection/auditing/event-4907.md
@@ -1,11 +1,11 @@
---
-title: 4907(S) Auditing settings on object were changed. (Windows 10)
+title: 4907(S) Auditing settings on object were changed.
description: Describes security event 4907(S) Auditing settings on object were changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4908.md b/windows/security/threat-protection/auditing/event-4908.md
index 3314e94436..58d9d7331a 100644
--- a/windows/security/threat-protection/auditing/event-4908.md
+++ b/windows/security/threat-protection/auditing/event-4908.md
@@ -1,11 +1,11 @@
---
-title: 4908(S) Special Groups Logon table modified. (Windows 10)
+title: 4908(S) Special Groups Logon table modified.
description: Describes security event 4908(S) Special Groups Logon table modified. This event is generated when the Special Groups Logon table is modified.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4909.md b/windows/security/threat-protection/auditing/event-4909.md
index 8a8631489a..6420bf04c1 100644
--- a/windows/security/threat-protection/auditing/event-4909.md
+++ b/windows/security/threat-protection/auditing/event-4909.md
@@ -1,11 +1,11 @@
---
-title: 4909(-) The local policy settings for the TBS were changed. (Windows 10)
+title: 4909(-) The local policy settings for the TBS were changed.
description: Describes security event 4909(-) The local policy settings for the TBS were changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4910.md b/windows/security/threat-protection/auditing/event-4910.md
index 15276f29ce..a541352ac0 100644
--- a/windows/security/threat-protection/auditing/event-4910.md
+++ b/windows/security/threat-protection/auditing/event-4910.md
@@ -1,11 +1,11 @@
---
-title: 4910(-) The group policy settings for the TBS were changed. (Windows 10)
+title: 4910(-) The group policy settings for the TBS were changed.
description: Describes security event 4910(-) The group policy settings for the TBS were changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md
index abc112dbb4..c31636a2f6 100644
--- a/windows/security/threat-protection/auditing/event-4911.md
+++ b/windows/security/threat-protection/auditing/event-4911.md
@@ -1,11 +1,11 @@
---
-title: 4911(S) Resource attributes of the object were changed. (Windows 10)
+title: 4911(S) Resource attributes of the object were changed.
description: Describes security event 4911(S) Resource attributes of the object were changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4912.md b/windows/security/threat-protection/auditing/event-4912.md
index 0c0e66f90e..152e9607f3 100644
--- a/windows/security/threat-protection/auditing/event-4912.md
+++ b/windows/security/threat-protection/auditing/event-4912.md
@@ -1,11 +1,11 @@
---
-title: 4912(S) Per User Audit Policy was changed. (Windows 10)
+title: 4912(S) Per User Audit Policy was changed.
description: Describes security event 4912(S) Per User Audit Policy was changed. This event is generated every time Per User Audit Policy is changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md
index e15a691617..5da5f88ef9 100644
--- a/windows/security/threat-protection/auditing/event-4913.md
+++ b/windows/security/threat-protection/auditing/event-4913.md
@@ -1,11 +1,11 @@
---
-title: 4913(S) Central Access Policy on the object was changed. (Windows 10)
+title: 4913(S) Central Access Policy on the object was changed.
description: Describes security event 4913(S) Central Access Policy on the object was changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4928.md b/windows/security/threat-protection/auditing/event-4928.md
index 902113bb5c..371f4689c7 100644
--- a/windows/security/threat-protection/auditing/event-4928.md
+++ b/windows/security/threat-protection/auditing/event-4928.md
@@ -1,11 +1,11 @@
---
-title: 4928(S, F) An Active Directory replica source naming context was established. (Windows 10)
+title: 4928(S, F) An Active Directory replica source naming context was established.
description: Describes security event 4928(S, F) An Active Directory replica source naming context was established.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4929.md b/windows/security/threat-protection/auditing/event-4929.md
index 3fd978d0e3..288d0528f8 100644
--- a/windows/security/threat-protection/auditing/event-4929.md
+++ b/windows/security/threat-protection/auditing/event-4929.md
@@ -1,11 +1,11 @@
---
-title: 4929(S, F) An Active Directory replica source naming context was removed. (Windows 10)
+title: 4929(S, F) An Active Directory replica source naming context was removed.
description: Describes security event 4929(S, F) An Active Directory replica source naming context was removed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4930.md b/windows/security/threat-protection/auditing/event-4930.md
index 1b7bee26bf..ca6a21d07a 100644
--- a/windows/security/threat-protection/auditing/event-4930.md
+++ b/windows/security/threat-protection/auditing/event-4930.md
@@ -1,11 +1,11 @@
---
-title: 4930(S, F) An Active Directory replica source naming context was modified. (Windows 10)
+title: 4930(S, F) An Active Directory replica source naming context was modified.
description: Describes security event 4930(S, F) An Active Directory replica source naming context was modified.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4931.md b/windows/security/threat-protection/auditing/event-4931.md
index 75acecb89f..0f1f2d11af 100644
--- a/windows/security/threat-protection/auditing/event-4931.md
+++ b/windows/security/threat-protection/auditing/event-4931.md
@@ -1,11 +1,11 @@
---
-title: 4931(S, F) An Active Directory replica destination naming context was modified. (Windows 10)
+title: 4931(S, F) An Active Directory replica destination naming context was modified.
description: Describes security event 4931(S, F) An Active Directory replica destination naming context was modified.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4932.md b/windows/security/threat-protection/auditing/event-4932.md
index 4cdd6b7bdd..574e020321 100644
--- a/windows/security/threat-protection/auditing/event-4932.md
+++ b/windows/security/threat-protection/auditing/event-4932.md
@@ -1,11 +1,11 @@
---
-title: 4932(S) Synchronization of a replica of an Active Directory naming context has begun. (Windows 10)
+title: 4932(S) Synchronization of a replica of an Active Directory naming context has begun.
description: Describes security event 4932(S) Synchronization of a replica of an Active Directory naming context has begun.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4933.md b/windows/security/threat-protection/auditing/event-4933.md
index b1636e8e63..54e6d63dd5 100644
--- a/windows/security/threat-protection/auditing/event-4933.md
+++ b/windows/security/threat-protection/auditing/event-4933.md
@@ -1,11 +1,11 @@
---
-title: 4933(S, F) Synchronization of a replica of an Active Directory naming context has ended. (Windows 10)
+title: 4933(S, F) Synchronization of a replica of an Active Directory naming context has ended.
description: Describes security event 4933(S, F) Synchronization of a replica of an Active Directory naming context has ended.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4934.md b/windows/security/threat-protection/auditing/event-4934.md
index efafcb9b79..363e2dea0f 100644
--- a/windows/security/threat-protection/auditing/event-4934.md
+++ b/windows/security/threat-protection/auditing/event-4934.md
@@ -1,11 +1,11 @@
---
-title: 4934(S) Attributes of an Active Directory object were replicated. (Windows 10)
+title: 4934(S) Attributes of an Active Directory object were replicated.
description: Describes security event 4934(S) Attributes of an Active Directory object were replicated.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4935.md b/windows/security/threat-protection/auditing/event-4935.md
index a126742afb..04b067063a 100644
--- a/windows/security/threat-protection/auditing/event-4935.md
+++ b/windows/security/threat-protection/auditing/event-4935.md
@@ -1,11 +1,11 @@
---
-title: 4935(F) Replication failure begins. (Windows 10)
+title: 4935(F) Replication failure begins.
description: Describes security event 4935(F) Replication failure begins. This event is generated when Active Directory replication failure begins.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4936.md b/windows/security/threat-protection/auditing/event-4936.md
index e2818ec6ee..04fb5a689c 100644
--- a/windows/security/threat-protection/auditing/event-4936.md
+++ b/windows/security/threat-protection/auditing/event-4936.md
@@ -1,11 +1,11 @@
---
-title: 4936(S) Replication failure ends. (Windows 10)
+title: 4936(S) Replication failure ends.
description: Describes security event 4936(S) Replication failure ends. This event is generated when Active Directory replication failure ends.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4937.md b/windows/security/threat-protection/auditing/event-4937.md
index 8296ce75c4..ad871628bd 100644
--- a/windows/security/threat-protection/auditing/event-4937.md
+++ b/windows/security/threat-protection/auditing/event-4937.md
@@ -1,11 +1,11 @@
---
-title: 4937(S) A lingering object was removed from a replica. (Windows 10)
+title: 4937(S) A lingering object was removed from a replica.
description: Describes security event 4937(S) A lingering object was removed from a replica.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4944.md b/windows/security/threat-protection/auditing/event-4944.md
index bb08c3a077..d93811a130 100644
--- a/windows/security/threat-protection/auditing/event-4944.md
+++ b/windows/security/threat-protection/auditing/event-4944.md
@@ -1,11 +1,11 @@
---
-title: 4944(S) The following policy was active when the Windows Firewall started. (Windows 10)
+title: 4944(S) The following policy was active when the Windows Firewall started.
description: Describes security event 4944(S) The following policy was active when the Windows Firewall started.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4945.md b/windows/security/threat-protection/auditing/event-4945.md
index 852ed5f03e..8099cfeca6 100644
--- a/windows/security/threat-protection/auditing/event-4945.md
+++ b/windows/security/threat-protection/auditing/event-4945.md
@@ -1,11 +1,11 @@
---
-title: 4945(S) A rule was listed when the Windows Firewall started. (Windows 10)
+title: 4945(S) A rule was listed when the Windows Firewall started.
description: Describes security event 4945(S) A rule was listed when the Windows Firewall started.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4946.md b/windows/security/threat-protection/auditing/event-4946.md
index ab355b85c1..077de83d96 100644
--- a/windows/security/threat-protection/auditing/event-4946.md
+++ b/windows/security/threat-protection/auditing/event-4946.md
@@ -1,11 +1,11 @@
---
-title: 4946(S) A change has been made to Windows Firewall exception list. A rule was added. (Windows 10)
+title: 4946(S) A change has been made to Windows Firewall exception list. A rule was added.
description: Describes security event 4946(S) A change has been made to Windows Firewall exception list. A rule was added.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4947.md b/windows/security/threat-protection/auditing/event-4947.md
index 284d2d4303..7647e63929 100644
--- a/windows/security/threat-protection/auditing/event-4947.md
+++ b/windows/security/threat-protection/auditing/event-4947.md
@@ -1,11 +1,11 @@
---
-title: 4947(S) A change has been made to Windows Firewall exception list. A rule was modified. (Windows 10)
+title: 4947(S) A change has been made to Windows Firewall exception list. A rule was modified.
description: Describes security event 4947(S) A change has been made to Windows Firewall exception list. A rule was modified.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4948.md b/windows/security/threat-protection/auditing/event-4948.md
index da8f423b29..9000f97907 100644
--- a/windows/security/threat-protection/auditing/event-4948.md
+++ b/windows/security/threat-protection/auditing/event-4948.md
@@ -1,11 +1,11 @@
---
-title: 4948(S) A change has been made to Windows Firewall exception list. A rule was deleted. (Windows 10)
+title: 4948(S) A change has been made to Windows Firewall exception list. A rule was deleted.
description: Describes security event 4948(S) A change has been made to Windows Firewall exception list. A rule was deleted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4949.md b/windows/security/threat-protection/auditing/event-4949.md
index 528ad262bb..188a147179 100644
--- a/windows/security/threat-protection/auditing/event-4949.md
+++ b/windows/security/threat-protection/auditing/event-4949.md
@@ -1,11 +1,11 @@
---
-title: 4949(S) Windows Firewall settings were restored to the default values. (Windows 10)
+title: 4949(S) Windows Firewall settings were restored to the default values.
description: Describes security event 4949(S) Windows Firewall settings were restored to the default values.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4950.md b/windows/security/threat-protection/auditing/event-4950.md
index 8a3aa4274a..4b7c3ef8da 100644
--- a/windows/security/threat-protection/auditing/event-4950.md
+++ b/windows/security/threat-protection/auditing/event-4950.md
@@ -1,11 +1,11 @@
---
-title: 4950(S) A Windows Firewall setting has changed. (Windows 10)
+title: 4950(S) A Windows Firewall setting has changed.
description: Describes security event 4950(S) A Windows Firewall setting has changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4951.md b/windows/security/threat-protection/auditing/event-4951.md
index 7addb69d77..3922a0d9bc 100644
--- a/windows/security/threat-protection/auditing/event-4951.md
+++ b/windows/security/threat-protection/auditing/event-4951.md
@@ -1,11 +1,11 @@
---
-title: 4951(F) A rule has been ignored because its major version number wasn't recognized by Windows Firewall. (Windows 10)
+title: 4951(F) A rule has been ignored because its major version number wasn't recognized by Windows Firewall.
description: Describes security event 4951(F) A rule has been ignored because its major version number wasn't recognized by Windows Firewall.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4952.md b/windows/security/threat-protection/auditing/event-4952.md
index 1dd166db54..1b2c9a1677 100644
--- a/windows/security/threat-protection/auditing/event-4952.md
+++ b/windows/security/threat-protection/auditing/event-4952.md
@@ -1,11 +1,11 @@
---
-title: 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. (Windows 10)
+title: 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
description: Security event 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md
index 5a5a97d56a..dcb48de16e 100644
--- a/windows/security/threat-protection/auditing/event-4953.md
+++ b/windows/security/threat-protection/auditing/event-4953.md
@@ -1,11 +1,11 @@
---
-title: 4953(F) Windows Firewall ignored a rule because it couldn't be parsed. (Windows 10)
+title: 4953(F) Windows Firewall ignored a rule because it couldn't be parsed.
description: Describes security event 4953(F) Windows Firewall ignored a rule because it couldn't be parsed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4954.md b/windows/security/threat-protection/auditing/event-4954.md
index 07977d6aff..42e1732841 100644
--- a/windows/security/threat-protection/auditing/event-4954.md
+++ b/windows/security/threat-protection/auditing/event-4954.md
@@ -1,11 +1,11 @@
---
-title: 4954(S) Windows Firewall Group Policy settings have changed. The new settings have been applied. (Windows 10)
+title: 4954(S) Windows Firewall Group Policy settings have changed. The new settings have been applied.
description: Describes security event 4954(S) Windows Firewall Group Policy settings have changed. The new settings have been applied.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4956.md b/windows/security/threat-protection/auditing/event-4956.md
index 105b780984..ab54b58db2 100644
--- a/windows/security/threat-protection/auditing/event-4956.md
+++ b/windows/security/threat-protection/auditing/event-4956.md
@@ -1,11 +1,11 @@
---
-title: 4956(S) Windows Firewall has changed the active profile. (Windows 10)
+title: 4956(S) Windows Firewall has changed the active profile.
description: Describes security event 4956(S) Windows Firewall has changed the active profile.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4957.md b/windows/security/threat-protection/auditing/event-4957.md
index 49fae3fef5..0049947eee 100644
--- a/windows/security/threat-protection/auditing/event-4957.md
+++ b/windows/security/threat-protection/auditing/event-4957.md
@@ -1,11 +1,11 @@
---
-title: 4957(F) Windows Firewall did not apply the following rule. (Windows 10)
+title: 4957(F) Windows Firewall did not apply the following rule.
description: Describes security event 4957(F) Windows Firewall didn't apply the following rule.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4958.md b/windows/security/threat-protection/auditing/event-4958.md
index 45964176a6..f1cbaa0f1d 100644
--- a/windows/security/threat-protection/auditing/event-4958.md
+++ b/windows/security/threat-protection/auditing/event-4958.md
@@ -1,11 +1,11 @@
---
-title: 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. (Windows 10)
+title: 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
description: Describes security event 4958(F) Windows Firewall didn't apply the following rule because the rule referred to items not configured on this computer.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4964.md b/windows/security/threat-protection/auditing/event-4964.md
index 51893d2572..5567fdf5b4 100644
--- a/windows/security/threat-protection/auditing/event-4964.md
+++ b/windows/security/threat-protection/auditing/event-4964.md
@@ -1,11 +1,11 @@
---
-title: 4964(S) Special groups have been assigned to a new logon. (Windows 10)
+title: 4964(S) Special groups have been assigned to a new logon.
description: Describes security event 4964(S) Special groups have been assigned to a new logon.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-4985.md b/windows/security/threat-protection/auditing/event-4985.md
index 8150e62b11..4caca31a8e 100644
--- a/windows/security/threat-protection/auditing/event-4985.md
+++ b/windows/security/threat-protection/auditing/event-4985.md
@@ -1,11 +1,11 @@
---
-title: 4985(S) The state of a transaction has changed. (Windows 10)
+title: 4985(S) The state of a transaction has changed.
description: Describes security event 4985(S) The state of a transaction has changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5024.md b/windows/security/threat-protection/auditing/event-5024.md
index 9e06608869..ff2c44088f 100644
--- a/windows/security/threat-protection/auditing/event-5024.md
+++ b/windows/security/threat-protection/auditing/event-5024.md
@@ -1,11 +1,11 @@
---
-title: 5024(S) The Windows Firewall Service has started successfully. (Windows 10)
+title: 5024(S) The Windows Firewall Service has started successfully.
description: Describes security event 5024(S) The Windows Firewall Service has started successfully.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5025.md b/windows/security/threat-protection/auditing/event-5025.md
index 9ae2fe14d0..334431f02f 100644
--- a/windows/security/threat-protection/auditing/event-5025.md
+++ b/windows/security/threat-protection/auditing/event-5025.md
@@ -1,11 +1,11 @@
---
-title: 5025(S) The Windows Firewall Service has been stopped. (Windows 10)
+title: 5025(S) The Windows Firewall Service has been stopped.
description: Describes security event 5025(S) The Windows Firewall Service has been stopped.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5027.md b/windows/security/threat-protection/auditing/event-5027.md
index d654b82a01..1633648148 100644
--- a/windows/security/threat-protection/auditing/event-5027.md
+++ b/windows/security/threat-protection/auditing/event-5027.md
@@ -1,11 +1,11 @@
---
-title: 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. (Windows 10)
+title: 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
description: Details on security event 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5028.md b/windows/security/threat-protection/auditing/event-5028.md
index bf9c62d91a..c83b0a955a 100644
--- a/windows/security/threat-protection/auditing/event-5028.md
+++ b/windows/security/threat-protection/auditing/event-5028.md
@@ -1,11 +1,11 @@
---
-title: 5028(F) The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. (Windows 10)
+title: 5028(F) The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
description: Describes security event 5028(F) The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5029.md b/windows/security/threat-protection/auditing/event-5029.md
index 4a36c10d4d..4050293075 100644
--- a/windows/security/threat-protection/auditing/event-5029.md
+++ b/windows/security/threat-protection/auditing/event-5029.md
@@ -1,11 +1,11 @@
---
-title: 5029(F) The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. (Windows 10)
+title: 5029(F) The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
description: Describes security event 5029(F) The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5030.md b/windows/security/threat-protection/auditing/event-5030.md
index aa78cb3b62..19faefd2f3 100644
--- a/windows/security/threat-protection/auditing/event-5030.md
+++ b/windows/security/threat-protection/auditing/event-5030.md
@@ -1,11 +1,11 @@
---
-title: 5030(F) The Windows Firewall Service failed to start. (Windows 10)
+title: 5030(F) The Windows Firewall Service failed to start.
description: Describes security event 5030(F) The Windows Firewall Service failed to start.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md
index 04c03b1ee6..1187494a86 100644
--- a/windows/security/threat-protection/auditing/event-5031.md
+++ b/windows/security/threat-protection/auditing/event-5031.md
@@ -1,5 +1,5 @@
---
-title: 5031(F) The Windows Firewall Service blocked an application from accepting incoming connections on the network. (Windows 10)
+title: 5031(F) The Windows Firewall Service blocked an application from accepting incoming connections on the network.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/event-5032.md b/windows/security/threat-protection/auditing/event-5032.md
index af43e8ea73..369d590db9 100644
--- a/windows/security/threat-protection/auditing/event-5032.md
+++ b/windows/security/threat-protection/auditing/event-5032.md
@@ -1,11 +1,11 @@
---
-title: 5032(F) Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. (Windows 10)
+title: 5032(F) Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
description: Describes security event 5032(F) Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5033.md b/windows/security/threat-protection/auditing/event-5033.md
index 467ba04e40..bd275a6463 100644
--- a/windows/security/threat-protection/auditing/event-5033.md
+++ b/windows/security/threat-protection/auditing/event-5033.md
@@ -1,11 +1,11 @@
---
-title: 5033(S) The Windows Firewall Driver has started successfully. (Windows 10)
+title: 5033(S) The Windows Firewall Driver has started successfully.
description: Describes security event 5033(S) The Windows Firewall Driver has started successfully.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5034.md b/windows/security/threat-protection/auditing/event-5034.md
index dc2d097c4a..bd017daa1f 100644
--- a/windows/security/threat-protection/auditing/event-5034.md
+++ b/windows/security/threat-protection/auditing/event-5034.md
@@ -1,11 +1,11 @@
---
-title: 5034(S) The Windows Firewall Driver was stopped. (Windows 10)
+title: 5034(S) The Windows Firewall Driver was stopped.
description: Describes security event 5034(S) The Windows Firewall Driver was stopped.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5035.md b/windows/security/threat-protection/auditing/event-5035.md
index 88a49892a6..cda5f7ddc7 100644
--- a/windows/security/threat-protection/auditing/event-5035.md
+++ b/windows/security/threat-protection/auditing/event-5035.md
@@ -1,11 +1,11 @@
---
-title: 5035(F) The Windows Firewall Driver failed to start. (Windows 10)
+title: 5035(F) The Windows Firewall Driver failed to start.
description: Describes security event 5035(F) The Windows Firewall Driver failed to start.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5037.md b/windows/security/threat-protection/auditing/event-5037.md
index f25a054fe7..6421be47c1 100644
--- a/windows/security/threat-protection/auditing/event-5037.md
+++ b/windows/security/threat-protection/auditing/event-5037.md
@@ -1,11 +1,11 @@
---
-title: 5037(F) The Windows Firewall Driver detected critical runtime error. Terminating. (Windows 10)
+title: 5037(F) The Windows Firewall Driver detected critical runtime error. Terminating.
description: Describes security event 5037(F) The Windows Firewall Driver detected critical runtime error. Terminating.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md
index e824e93afe..865a9e7de3 100644
--- a/windows/security/threat-protection/auditing/event-5038.md
+++ b/windows/security/threat-protection/auditing/event-5038.md
@@ -1,11 +1,11 @@
---
-title: 5038(F) Code integrity determined that the image hash of a file is not valid. (Windows 10)
+title: 5038(F) Code integrity determined that the image hash of a file is not valid.
description: Describes security event 5038(F) Code integrity determined that the image hash of a file isn't valid.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md
index 7bf2bf5471..3d9ba6fd9a 100644
--- a/windows/security/threat-protection/auditing/event-5039.md
+++ b/windows/security/threat-protection/auditing/event-5039.md
@@ -1,11 +1,11 @@
---
-title: 5039(-) A registry key was virtualized. (Windows 10)
+title: 5039(-) A registry key was virtualized.
description: Describes security event 5039(-) A registry key was virtualized. This event is generated when a registry key is virtualized using LUAFV.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5051.md b/windows/security/threat-protection/auditing/event-5051.md
index 38a07353b3..706e02d603 100644
--- a/windows/security/threat-protection/auditing/event-5051.md
+++ b/windows/security/threat-protection/auditing/event-5051.md
@@ -1,11 +1,11 @@
---
-title: 5051(-) A file was virtualized. (Windows 10)
+title: 5051(-) A file was virtualized.
description: Describes security event 5051(-) A file was virtualized. This event is generated when a file is virtualized using LUAFV.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md
index 3711acef2d..d67c948bf7 100644
--- a/windows/security/threat-protection/auditing/event-5056.md
+++ b/windows/security/threat-protection/auditing/event-5056.md
@@ -1,11 +1,11 @@
---
-title: 5056(S) A cryptographic self-test was performed. (Windows 10)
+title: 5056(S) A cryptographic self-test was performed.
description: Describes security event 5056(S) A cryptographic self-test was performed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5057.md b/windows/security/threat-protection/auditing/event-5057.md
index 4fc7113c1b..9c4c3bbbc7 100644
--- a/windows/security/threat-protection/auditing/event-5057.md
+++ b/windows/security/threat-protection/auditing/event-5057.md
@@ -1,11 +1,11 @@
---
-title: 5057(F) A cryptographic primitive operation failed. (Windows 10)
+title: 5057(F) A cryptographic primitive operation failed.
description: Describes security event 5057(F) A cryptographic primitive operation failed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5058.md b/windows/security/threat-protection/auditing/event-5058.md
index b95c545e7c..b8f43fd22c 100644
--- a/windows/security/threat-protection/auditing/event-5058.md
+++ b/windows/security/threat-protection/auditing/event-5058.md
@@ -1,11 +1,11 @@
---
-title: 5058(S, F) Key file operation. (Windows 10)
+title: 5058(S, F) Key file operation.
description: Describes security event 5058(S, F) Key file operation. This event is generated when an operation is performed on a file that contains a KSP key.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5059.md b/windows/security/threat-protection/auditing/event-5059.md
index cdbae47721..80656eb84c 100644
--- a/windows/security/threat-protection/auditing/event-5059.md
+++ b/windows/security/threat-protection/auditing/event-5059.md
@@ -1,11 +1,11 @@
---
-title: 5059(S, F) Key migration operation. (Windows 10)
+title: 5059(S, F) Key migration operation.
description: Describes security event 5059(S, F) Key migration operation. This event is generated when a cryptographic key is exported/imported using a Key Storage Provider.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md
index 60ec2cbd3e..95c791073a 100644
--- a/windows/security/threat-protection/auditing/event-5060.md
+++ b/windows/security/threat-protection/auditing/event-5060.md
@@ -1,11 +1,11 @@
---
-title: 5060(F) Verification operation failed. (Windows 10)
+title: 5060(F) Verification operation failed.
description: Describes security event 5060(F) Verification operation failed. This event is generated when the CNG verification operation fails.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md
index 802ee6cc60..37ce0fe43d 100644
--- a/windows/security/threat-protection/auditing/event-5061.md
+++ b/windows/security/threat-protection/auditing/event-5061.md
@@ -1,11 +1,11 @@
---
-title: 5061(S, F) Cryptographic operation. (Windows 10)
+title: 5061(S, F) Cryptographic operation.
description: Describes security event 5061(S, F) Cryptographic operation. This event is generated when a cryptographic operation is performed using a Key Storage Provider.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5062.md b/windows/security/threat-protection/auditing/event-5062.md
index a76dabb95e..8273fa0b06 100644
--- a/windows/security/threat-protection/auditing/event-5062.md
+++ b/windows/security/threat-protection/auditing/event-5062.md
@@ -1,11 +1,11 @@
---
-title: 5062(S) A kernel-mode cryptographic self-test was performed. (Windows 10)
+title: 5062(S) A kernel-mode cryptographic self-test was performed.
description: Describes security event 5062(S) A kernel-mode cryptographic self-test was performed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5063.md b/windows/security/threat-protection/auditing/event-5063.md
index 41ac047786..111a1bebce 100644
--- a/windows/security/threat-protection/auditing/event-5063.md
+++ b/windows/security/threat-protection/auditing/event-5063.md
@@ -1,11 +1,11 @@
---
-title: 5063(S, F) A cryptographic provider operation was attempted. (Windows 10)
+title: 5063(S, F) A cryptographic provider operation was attempted.
description: Describes security event 5063(S, F) A cryptographic provider operation was attempted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md
index 3467a2816a..3414385e9f 100644
--- a/windows/security/threat-protection/auditing/event-5064.md
+++ b/windows/security/threat-protection/auditing/event-5064.md
@@ -1,11 +1,11 @@
---
-title: 5064(S, F) A cryptographic context operation was attempted. (Windows 10)
+title: 5064(S, F) A cryptographic context operation was attempted.
description: Describes security event 5064(S, F) A cryptographic context operation was attempted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md
index 66bfddb1d1..2543372fd8 100644
--- a/windows/security/threat-protection/auditing/event-5065.md
+++ b/windows/security/threat-protection/auditing/event-5065.md
@@ -1,11 +1,11 @@
---
-title: 5065(S, F) A cryptographic context modification was attempted. (Windows 10)
+title: 5065(S, F) A cryptographic context modification was attempted.
description: Describes security event 5065(S, F) A cryptographic context modification was attempted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md
index 62a0920fb7..6385f0488a 100644
--- a/windows/security/threat-protection/auditing/event-5066.md
+++ b/windows/security/threat-protection/auditing/event-5066.md
@@ -1,11 +1,11 @@
---
-title: 5066(S, F) A cryptographic function operation was attempted. (Windows 10)
+title: 5066(S, F) A cryptographic function operation was attempted.
description: Describes security event 5066(S, F) A cryptographic function operation was attempted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md
index 78cd9d24aa..16a2775d06 100644
--- a/windows/security/threat-protection/auditing/event-5067.md
+++ b/windows/security/threat-protection/auditing/event-5067.md
@@ -1,11 +1,11 @@
---
-title: 5067(S, F) A cryptographic function modification was attempted. (Windows 10)
+title: 5067(S, F) A cryptographic function modification was attempted.
description: Describes security event 5067(S, F) A cryptographic function modification was attempted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5068.md b/windows/security/threat-protection/auditing/event-5068.md
index 791301bc3b..49659e38f5 100644
--- a/windows/security/threat-protection/auditing/event-5068.md
+++ b/windows/security/threat-protection/auditing/event-5068.md
@@ -1,11 +1,11 @@
---
-title: 5068(S, F) A cryptographic function provider operation was attempted. (Windows 10)
+title: 5068(S, F) A cryptographic function provider operation was attempted.
description: Describes security event 5068(S, F) A cryptographic function provider operation was attempted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md
index 9894285dad..ffcfb92ca9 100644
--- a/windows/security/threat-protection/auditing/event-5069.md
+++ b/windows/security/threat-protection/auditing/event-5069.md
@@ -1,11 +1,11 @@
---
-title: 5069(S, F) A cryptographic function property operation was attempted. (Windows 10)
+title: 5069(S, F) A cryptographic function property operation was attempted.
description: Describes security event 5069(S, F) A cryptographic function property operation was attempted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5070.md b/windows/security/threat-protection/auditing/event-5070.md
index ba4785e01b..079cb18504 100644
--- a/windows/security/threat-protection/auditing/event-5070.md
+++ b/windows/security/threat-protection/auditing/event-5070.md
@@ -1,11 +1,11 @@
---
-title: 5070(S, F) A cryptographic function property modification was attempted. (Windows 10)
+title: 5070(S, F) A cryptographic function property modification was attempted.
description: Describes security event 5070(S, F) A cryptographic function property modification was attempted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md
index e935d656d9..e71aa708cc 100644
--- a/windows/security/threat-protection/auditing/event-5136.md
+++ b/windows/security/threat-protection/auditing/event-5136.md
@@ -1,11 +1,11 @@
---
-title: 5136(S) A directory service object was modified. (Windows 10)
+title: 5136(S) A directory service object was modified.
description: Describes security event 5136(S) A directory service object was modified.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5137.md b/windows/security/threat-protection/auditing/event-5137.md
index bed5eae208..e7d10b0197 100644
--- a/windows/security/threat-protection/auditing/event-5137.md
+++ b/windows/security/threat-protection/auditing/event-5137.md
@@ -1,11 +1,11 @@
---
-title: 5137(S) A directory service object was created. (Windows 10)
+title: 5137(S) A directory service object was created.
description: Describes security event 5137(S) A directory service object was created.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5138.md b/windows/security/threat-protection/auditing/event-5138.md
index 12d981909a..1120df1fc3 100644
--- a/windows/security/threat-protection/auditing/event-5138.md
+++ b/windows/security/threat-protection/auditing/event-5138.md
@@ -1,11 +1,11 @@
---
-title: 5138(S) A directory service object was undeleted. (Windows 10)
+title: 5138(S) A directory service object was undeleted.
description: Describes security event 5138(S) A directory service object was undeleted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5139.md b/windows/security/threat-protection/auditing/event-5139.md
index 6799a4e50d..09ca54dca4 100644
--- a/windows/security/threat-protection/auditing/event-5139.md
+++ b/windows/security/threat-protection/auditing/event-5139.md
@@ -1,11 +1,11 @@
---
-title: 5139(S) A directory service object was moved. (Windows 10)
+title: 5139(S) A directory service object was moved.
description: Describes security event 5139(S) A directory service object was moved.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md
index 602e1d4024..d79d99892e 100644
--- a/windows/security/threat-protection/auditing/event-5140.md
+++ b/windows/security/threat-protection/auditing/event-5140.md
@@ -1,11 +1,11 @@
---
-title: 5140(S, F) A network share object was accessed. (Windows 10)
+title: 5140(S, F) A network share object was accessed.
description: Describes security event 5140(S, F) A network share object was accessed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5141.md b/windows/security/threat-protection/auditing/event-5141.md
index 046ca20f9d..e70a399593 100644
--- a/windows/security/threat-protection/auditing/event-5141.md
+++ b/windows/security/threat-protection/auditing/event-5141.md
@@ -1,11 +1,11 @@
---
-title: 5141(S) A directory service object was deleted. (Windows 10)
+title: 5141(S) A directory service object was deleted.
description: Describes security event 5141(S) A directory service object was deleted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md
index 3a69208c29..790b6ea8f0 100644
--- a/windows/security/threat-protection/auditing/event-5142.md
+++ b/windows/security/threat-protection/auditing/event-5142.md
@@ -1,11 +1,11 @@
---
-title: 5142(S) A network share object was added. (Windows 10)
+title: 5142(S) A network share object was added.
description: Describes security event 5142(S) A network share object was added. This event is generated when a network share object is added.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md
index e92068c93a..e26f69e294 100644
--- a/windows/security/threat-protection/auditing/event-5143.md
+++ b/windows/security/threat-protection/auditing/event-5143.md
@@ -1,11 +1,11 @@
---
-title: 5143(S) A network share object was modified. (Windows 10)
+title: 5143(S) A network share object was modified.
description: Describes security event 5143(S) A network share object was modified. This event is generated when a network share object is modified.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md
index da401f212d..6d6a16e1af 100644
--- a/windows/security/threat-protection/auditing/event-5144.md
+++ b/windows/security/threat-protection/auditing/event-5144.md
@@ -1,11 +1,11 @@
---
-title: 5144(S) A network share object was deleted. (Windows 10)
+title: 5144(S) A network share object was deleted.
description: Describes security event 5144(S) A network share object was deleted. This event is generated when a network share object is deleted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md
index 7b34010d4c..32fef4024d 100644
--- a/windows/security/threat-protection/auditing/event-5145.md
+++ b/windows/security/threat-protection/auditing/event-5145.md
@@ -1,11 +1,11 @@
---
-title: 5145(S, F) A network share object was checked to see whether client can be granted desired access. (Windows 10)
+title: 5145(S, F) A network share object was checked to see whether client can be granted desired access.
description: Describes security event 5145(S, F) A network share object was checked to see whether client can be granted desired access.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5148.md b/windows/security/threat-protection/auditing/event-5148.md
index 5442a8a705..291a541e11 100644
--- a/windows/security/threat-protection/auditing/event-5148.md
+++ b/windows/security/threat-protection/auditing/event-5148.md
@@ -1,11 +1,11 @@
---
-title: 5148(F) The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. (Windows 10)
+title: 5148(F) The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
description: Details on Security event 5148(F), The Windows Filtering Platform has detected a DoS attack and entered a defensive mode.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5149.md b/windows/security/threat-protection/auditing/event-5149.md
index 7e0dc6dd45..0f37543acf 100644
--- a/windows/security/threat-protection/auditing/event-5149.md
+++ b/windows/security/threat-protection/auditing/event-5149.md
@@ -1,11 +1,11 @@
---
-title: 5149(F) The DoS attack has subsided and normal processing is being resumed. (Windows 10)
+title: 5149(F) The DoS attack has subsided and normal processing is being resumed.
description: Describes security event 5149(F) The DoS attack has subsided and normal processing is being resumed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md
index 80c82d807e..aa56f896dc 100644
--- a/windows/security/threat-protection/auditing/event-5150.md
+++ b/windows/security/threat-protection/auditing/event-5150.md
@@ -1,11 +1,11 @@
---
-title: 5150(-) The Windows Filtering Platform blocked a packet. (Windows 10)
+title: 5150(-) The Windows Filtering Platform blocked a packet.
description: Describes security event 5150(-) The Windows Filtering Platform blocked a packet.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md
index 6b7d1453bf..22dcd9a63e 100644
--- a/windows/security/threat-protection/auditing/event-5151.md
+++ b/windows/security/threat-protection/auditing/event-5151.md
@@ -1,11 +1,11 @@
---
-title: 5151(-) A more restrictive Windows Filtering Platform filter has blocked a packet. (Windows 10)
+title: 5151(-) A more restrictive Windows Filtering Platform filter has blocked a packet.
description: Describes security event 5151(-) A more restrictive Windows Filtering Platform filter has blocked a packet.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md
index e5a76da383..363a095741 100644
--- a/windows/security/threat-protection/auditing/event-5152.md
+++ b/windows/security/threat-protection/auditing/event-5152.md
@@ -1,11 +1,11 @@
---
-title: 5152(F) The Windows Filtering Platform blocked a packet. (Windows 10)
+title: 5152(F) The Windows Filtering Platform blocked a packet.
description: Describes security event 5152(F) The Windows Filtering Platform blocked a packet.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5153.md b/windows/security/threat-protection/auditing/event-5153.md
index a321b76f20..a46227f056 100644
--- a/windows/security/threat-protection/auditing/event-5153.md
+++ b/windows/security/threat-protection/auditing/event-5153.md
@@ -1,11 +1,11 @@
---
-title: 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet. (Windows 10)
+title: 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet.
description: Describes security event 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md
index 9b2425ff9c..76424d3ca5 100644
--- a/windows/security/threat-protection/auditing/event-5154.md
+++ b/windows/security/threat-protection/auditing/event-5154.md
@@ -1,11 +1,11 @@
---
-title: 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. (Windows 10)
+title: 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
description: Describes security event 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md
index e6efebdae1..89e206fdbb 100644
--- a/windows/security/threat-protection/auditing/event-5155.md
+++ b/windows/security/threat-protection/auditing/event-5155.md
@@ -1,11 +1,11 @@
---
-title: 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. (Windows 10)
+title: 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
description: Describes security event 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md
index 3d56301b24..95b20ccfcf 100644
--- a/windows/security/threat-protection/auditing/event-5156.md
+++ b/windows/security/threat-protection/auditing/event-5156.md
@@ -1,11 +1,11 @@
---
-title: 5156(S) The Windows Filtering Platform has permitted a connection. (Windows 10)
+title: 5156(S) The Windows Filtering Platform has permitted a connection.
description: Describes security event 5156(S) The Windows Filtering Platform has permitted a connection.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md
index 4f62c99d51..cce391d0d8 100644
--- a/windows/security/threat-protection/auditing/event-5157.md
+++ b/windows/security/threat-protection/auditing/event-5157.md
@@ -1,11 +1,11 @@
---
-title: 5157(F) The Windows Filtering Platform has blocked a connection. (Windows 10)
+title: 5157(F) The Windows Filtering Platform has blocked a connection.
description: Describes security event 5157(F) The Windows Filtering Platform has blocked a connection.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md
index cbc0d2d4ee..7152b22478 100644
--- a/windows/security/threat-protection/auditing/event-5158.md
+++ b/windows/security/threat-protection/auditing/event-5158.md
@@ -1,11 +1,11 @@
---
-title: 5158(S) The Windows Filtering Platform has permitted a bind to a local port. (Windows 10)
+title: 5158(S) The Windows Filtering Platform has permitted a bind to a local port.
description: Describes security event 5158(S) The Windows Filtering Platform has permitted a bind to a local port.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md
index ffe34518c5..1c163b30dc 100644
--- a/windows/security/threat-protection/auditing/event-5159.md
+++ b/windows/security/threat-protection/auditing/event-5159.md
@@ -1,11 +1,11 @@
---
-title: 5159(F) The Windows Filtering Platform has blocked a bind to a local port. (Windows 10)
+title: 5159(F) The Windows Filtering Platform has blocked a bind to a local port.
description: Describes security event 5159(F) The Windows Filtering Platform has blocked a bind to a local port.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5168.md b/windows/security/threat-protection/auditing/event-5168.md
index f0ae1f47a8..f961f15bab 100644
--- a/windows/security/threat-protection/auditing/event-5168.md
+++ b/windows/security/threat-protection/auditing/event-5168.md
@@ -1,11 +1,11 @@
---
-title: 5168(F) SPN check for SMB/SMB2 failed. (Windows 10)
+title: 5168(F) SPN check for SMB/SMB2 failed.
description: Describes security event 5168(F) SPN check for SMB/SMB2 failed. This event is generated when an SMB SPN check fails.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5376.md b/windows/security/threat-protection/auditing/event-5376.md
index ee08c45c93..0f2be5a04a 100644
--- a/windows/security/threat-protection/auditing/event-5376.md
+++ b/windows/security/threat-protection/auditing/event-5376.md
@@ -1,11 +1,11 @@
---
-title: 5376(S) Credential Manager credentials were backed up. (Windows 10)
+title: 5376(S) Credential Manager credentials were backed up.
description: Describes security event 5376(S) Credential Manager credentials were backed up.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5377.md b/windows/security/threat-protection/auditing/event-5377.md
index a6f12f74f5..d5a1660220 100644
--- a/windows/security/threat-protection/auditing/event-5377.md
+++ b/windows/security/threat-protection/auditing/event-5377.md
@@ -1,11 +1,11 @@
---
-title: 5377(S) Credential Manager credentials were restored from a backup. (Windows 10)
+title: 5377(S) Credential Manager credentials were restored from a backup.
description: Describes security event 5377(S) Credential Manager credentials were restored from a backup.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5378.md b/windows/security/threat-protection/auditing/event-5378.md
index b6391769da..25c68deee6 100644
--- a/windows/security/threat-protection/auditing/event-5378.md
+++ b/windows/security/threat-protection/auditing/event-5378.md
@@ -1,11 +1,11 @@
---
-title: 5378(F) The requested credentials delegation was disallowed by policy. (Windows 10)
+title: 5378(F) The requested credentials delegation was disallowed by policy.
description: Describes security event 5378(F) The requested credentials delegation was disallowed by policy.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5447.md b/windows/security/threat-protection/auditing/event-5447.md
index 96b013cf8c..d1ffd6b03d 100644
--- a/windows/security/threat-protection/auditing/event-5447.md
+++ b/windows/security/threat-protection/auditing/event-5447.md
@@ -1,11 +1,11 @@
---
-title: 5447(S) A Windows Filtering Platform filter has been changed. (Windows 10)
+title: 5447(S) A Windows Filtering Platform filter has been changed.
description: Describes security event 5447(S) A Windows Filtering Platform filter has been changed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md
index 676a79172e..0815f5d12f 100644
--- a/windows/security/threat-protection/auditing/event-5632.md
+++ b/windows/security/threat-protection/auditing/event-5632.md
@@ -1,11 +1,11 @@
---
-title: 5632(S, F) A request was made to authenticate to a wireless network. (Windows 10)
+title: 5632(S, F) A request was made to authenticate to a wireless network.
description: Describes security event 5632(S, F) A request was made to authenticate to a wireless network.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5633.md b/windows/security/threat-protection/auditing/event-5633.md
index e661c80301..bf786c1d2d 100644
--- a/windows/security/threat-protection/auditing/event-5633.md
+++ b/windows/security/threat-protection/auditing/event-5633.md
@@ -1,11 +1,11 @@
---
-title: 5633(S, F) A request was made to authenticate to a wired network. (Windows 10)
+title: 5633(S, F) A request was made to authenticate to a wired network.
description: Describes security event 5633(S, F) A request was made to authenticate to a wired network.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5712.md b/windows/security/threat-protection/auditing/event-5712.md
index 32d5ba732a..a7ec0a5e10 100644
--- a/windows/security/threat-protection/auditing/event-5712.md
+++ b/windows/security/threat-protection/auditing/event-5712.md
@@ -1,11 +1,11 @@
---
-title: 5712(S) A Remote Procedure Call (RPC) was attempted. (Windows 10)
+title: 5712(S) A Remote Procedure Call (RPC) was attempted.
description: Describes security event 5712(S) A Remote Procedure Call (RPC) was attempted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5888.md b/windows/security/threat-protection/auditing/event-5888.md
index 72e18b5e28..47bfb7e52c 100644
--- a/windows/security/threat-protection/auditing/event-5888.md
+++ b/windows/security/threat-protection/auditing/event-5888.md
@@ -1,11 +1,11 @@
---
-title: 5888(S) An object in the COM+ Catalog was modified. (Windows 10)
+title: 5888(S) An object in the COM+ Catalog was modified.
description: Describes security event 5888(S) An object in the COM+ Catalog was modified.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5889.md b/windows/security/threat-protection/auditing/event-5889.md
index 178ec29a4f..21bced3526 100644
--- a/windows/security/threat-protection/auditing/event-5889.md
+++ b/windows/security/threat-protection/auditing/event-5889.md
@@ -1,11 +1,11 @@
---
-title: 5889(S) An object was deleted from the COM+ Catalog. (Windows 10)
+title: 5889(S) An object was deleted from the COM+ Catalog.
description: Describes security event 5889(S) An object was deleted from the COM+ Catalog.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-5890.md b/windows/security/threat-protection/auditing/event-5890.md
index 4f473d2a4e..652453190a 100644
--- a/windows/security/threat-protection/auditing/event-5890.md
+++ b/windows/security/threat-protection/auditing/event-5890.md
@@ -1,11 +1,11 @@
---
-title: 5890(S) An object was added to the COM+ Catalog. (Windows 10)
+title: 5890(S) An object was added to the COM+ Catalog.
description: Describes security event 5890(S) An object was added to the COM+ Catalog.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-6144.md b/windows/security/threat-protection/auditing/event-6144.md
index 3eb1181321..b58495dff5 100644
--- a/windows/security/threat-protection/auditing/event-6144.md
+++ b/windows/security/threat-protection/auditing/event-6144.md
@@ -1,11 +1,11 @@
---
-title: 6144(S) Security policy in the group policy objects has been applied successfully. (Windows 10)
+title: 6144(S) Security policy in the group policy objects has been applied successfully.
description: Describes security event 6144(S) Security policy in the group policy objects has been applied successfully.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-6145.md b/windows/security/threat-protection/auditing/event-6145.md
index b062b5e023..690cca9856 100644
--- a/windows/security/threat-protection/auditing/event-6145.md
+++ b/windows/security/threat-protection/auditing/event-6145.md
@@ -1,11 +1,11 @@
---
-title: 6145(F) One or more errors occurred while processing security policy in the group policy objects. (Windows 10)
+title: 6145(F) One or more errors occurred while processing security policy in the group policy objects.
description: Describes security event 6145(F) One or more errors occurred while processing security policy in the group policy objects.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-6281.md b/windows/security/threat-protection/auditing/event-6281.md
index 38f432d51a..b740282ddf 100644
--- a/windows/security/threat-protection/auditing/event-6281.md
+++ b/windows/security/threat-protection/auditing/event-6281.md
@@ -1,11 +1,11 @@
---
-title: 6281(F) Code Integrity determined that the page hashes of an image file aren't valid. (Windows 10)
+title: 6281(F) Code Integrity determined that the page hashes of an image file aren't valid.
description: Describes security event 6281(F) Code Integrity determined that the page hashes of an image file aren't valid.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/09/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md
index a588c35204..8ea567df22 100644
--- a/windows/security/threat-protection/auditing/event-6400.md
+++ b/windows/security/threat-protection/auditing/event-6400.md
@@ -1,11 +1,11 @@
---
-title: 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content. (Windows 10)
+title: 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content.
description: Describes security event 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/09/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md
index 82502eb7ff..6216a8ab19 100644
--- a/windows/security/threat-protection/auditing/event-6401.md
+++ b/windows/security/threat-protection/auditing/event-6401.md
@@ -1,11 +1,11 @@
---
-title: 6401(-) BranchCache Received invalid data from a peer. Data discarded. (Windows 10)
+title: 6401(-) BranchCache Received invalid data from a peer. Data discarded.
description: Describes security event 6401(-) BranchCache Received invalid data from a peer. Data discarded.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/09/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md
index d5d3febf63..6e00df66af 100644
--- a/windows/security/threat-protection/auditing/event-6402.md
+++ b/windows/security/threat-protection/auditing/event-6402.md
@@ -1,11 +1,11 @@
---
-title: 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted. (Windows 10)
+title: 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted.
description: Describes security event 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/09/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md
index 2f9d945388..92b228cf4a 100644
--- a/windows/security/threat-protection/auditing/event-6403.md
+++ b/windows/security/threat-protection/auditing/event-6403.md
@@ -1,11 +1,11 @@
---
-title: 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client. (Windows 10)
+title: 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client.
description: Describes security event 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/09/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md
index f37bea1b9e..ef4073df30 100644
--- a/windows/security/threat-protection/auditing/event-6404.md
+++ b/windows/security/threat-protection/auditing/event-6404.md
@@ -1,11 +1,11 @@
---
-title: 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate. (Windows 10)
+title: 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate.
description: Describes security event 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/09/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-6405.md b/windows/security/threat-protection/auditing/event-6405.md
index 1feed0f6a6..63fc073a30 100644
--- a/windows/security/threat-protection/auditing/event-6405.md
+++ b/windows/security/threat-protection/auditing/event-6405.md
@@ -1,11 +1,11 @@
---
-title: 6405(-) BranchCache %2 instance(s) of event id %1 occurred. (Windows 10)
+title: 6405(-) BranchCache %2 instance(s) of event id %1 occurred.
description: Describes security event 6405(-) BranchCache %2 instance(s) of event id %1 occurred.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/09/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-6406.md b/windows/security/threat-protection/auditing/event-6406.md
index fdd75af38b..057f4579b7 100644
--- a/windows/security/threat-protection/auditing/event-6406.md
+++ b/windows/security/threat-protection/auditing/event-6406.md
@@ -1,11 +1,11 @@
---
-title: 6406(-) %1 registered to Windows Firewall to control filtering for the following %2. (Windows 10)
+title: 6406(-) %1 registered to Windows Firewall to control filtering for the following %2.
description: Describes security event 6406(-) %1 registered to Windows Firewall to control filtering for the following %2.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/09/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-6407.md b/windows/security/threat-protection/auditing/event-6407.md
index c2f279466e..40c5e05deb 100644
--- a/windows/security/threat-protection/auditing/event-6407.md
+++ b/windows/security/threat-protection/auditing/event-6407.md
@@ -1,11 +1,11 @@
---
-title: 6407(-) 1%. (Windows 10)
+title: 6407(-) 1%.
description: Describes security event 6407(-) 1%. This event is a BranchCache event, which is outside the scope of this document.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/09/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-6408.md b/windows/security/threat-protection/auditing/event-6408.md
index 36f25a9b69..6c5f475831 100644
--- a/windows/security/threat-protection/auditing/event-6408.md
+++ b/windows/security/threat-protection/auditing/event-6408.md
@@ -1,11 +1,11 @@
---
-title: 6408(-) Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. (Windows 10)
+title: 6408(-) Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
description: Describes security event 6408(-) Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/09/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md
index 3f406625b5..c1fbba806a 100644
--- a/windows/security/threat-protection/auditing/event-6409.md
+++ b/windows/security/threat-protection/auditing/event-6409.md
@@ -1,11 +1,11 @@
---
-title: 6409(-) BranchCache A service connection point object could not be parsed. (Windows 10)
+title: 6409(-) BranchCache A service connection point object could not be parsed.
description: Describes security event 6409(-) BranchCache A service connection point object could not be parsed.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/09/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-6410.md b/windows/security/threat-protection/auditing/event-6410.md
index 958db95565..a2b8474480 100644
--- a/windows/security/threat-protection/auditing/event-6410.md
+++ b/windows/security/threat-protection/auditing/event-6410.md
@@ -1,11 +1,11 @@
---
-title: 6410(F) Code integrity determined that a file doesn't meet the security requirements to load into a process. (Windows 10)
+title: 6410(F) Code integrity determined that a file doesn't meet the security requirements to load into a process.
description: Describes security event 6410(F) Code integrity determined that a file doesn't meet the security requirements to load into a process.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/09/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-6416.md b/windows/security/threat-protection/auditing/event-6416.md
index 64cdb17ee1..352f1eabbb 100644
--- a/windows/security/threat-protection/auditing/event-6416.md
+++ b/windows/security/threat-protection/auditing/event-6416.md
@@ -1,11 +1,11 @@
---
-title: 6416(S) A new external device was recognized by the System. (Windows 10)
+title: 6416(S) A new external device was recognized by the System.
description: Describes security event 6416(S) A new external device was recognized by the System.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/09/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-6419.md b/windows/security/threat-protection/auditing/event-6419.md
index 7368059899..e44f35c6ff 100644
--- a/windows/security/threat-protection/auditing/event-6419.md
+++ b/windows/security/threat-protection/auditing/event-6419.md
@@ -1,11 +1,11 @@
---
-title: 6419(S) A request was made to disable a device. (Windows 10)
+title: 6419(S) A request was made to disable a device.
description: Describes security event 6419(S) A request was made to disable a device.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/09/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-6420.md b/windows/security/threat-protection/auditing/event-6420.md
index 2c7166a78d..951cd5e25d 100644
--- a/windows/security/threat-protection/auditing/event-6420.md
+++ b/windows/security/threat-protection/auditing/event-6420.md
@@ -1,11 +1,11 @@
---
-title: 6420(S) A device was disabled. (Windows 10)
+title: 6420(S) A device was disabled.
description: Describes security event 6420(S) A device was disabled. This event is generated when a specific device is disabled.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/09/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-6421.md b/windows/security/threat-protection/auditing/event-6421.md
index ae72b11254..866bdda53e 100644
--- a/windows/security/threat-protection/auditing/event-6421.md
+++ b/windows/security/threat-protection/auditing/event-6421.md
@@ -1,11 +1,11 @@
---
-title: 6421(S) A request was made to enable a device. (Windows 10)
+title: 6421(S) A request was made to enable a device.
description: Describes security event 6421(S) A request was made to enable a device.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/09/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-6422.md b/windows/security/threat-protection/auditing/event-6422.md
index bf594b6937..7411ffa42b 100644
--- a/windows/security/threat-protection/auditing/event-6422.md
+++ b/windows/security/threat-protection/auditing/event-6422.md
@@ -1,11 +1,11 @@
---
-title: 6422(S) A device was enabled. (Windows 10)
+title: 6422(S) A device was enabled.
description: Describes security event 6422(S) A device was enabled. This event is generated when a specific device is enabled.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/09/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-6423.md b/windows/security/threat-protection/auditing/event-6423.md
index 4f7fcb614c..ebf46bad15 100644
--- a/windows/security/threat-protection/auditing/event-6423.md
+++ b/windows/security/threat-protection/auditing/event-6423.md
@@ -1,11 +1,11 @@
---
-title: 6423(S) The installation of this device is forbidden by system policy. (Windows 10)
+title: 6423(S) The installation of this device is forbidden by system policy.
description: Describes security event 6423(S) The installation of this device is forbidden by system policy.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/09/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/event-6424.md b/windows/security/threat-protection/auditing/event-6424.md
index 10d33c2820..ef8f789bd2 100644
--- a/windows/security/threat-protection/auditing/event-6424.md
+++ b/windows/security/threat-protection/auditing/event-6424.md
@@ -1,11 +1,11 @@
---
-title: 6424(S) The installation of this device was allowed, after having previously been forbidden by policy. (Windows 10)
+title: 6424(S) The installation of this device was allowed, after having previously been forbidden by policy.
description: Describes security event 6424(S) The installation of this device was allowed, after having previously been forbidden by policy.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.localizationpriority: none
+ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/09/2021
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
index 90b8df1a2d..a248fd4f79 100644
--- a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
+++ b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
@@ -1,5 +1,5 @@
---
-title: File System (Global Object Access Auditing) (Windows 10)
+title: File System (Global Object Access Auditing)
description: The policy setting, File System (Global Object Access Auditing), enables you to configure a global system access control list (SACL) for an entire computer.
ms.assetid: 4f215d61-0e23-46e4-9e58-08511105d25b
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
index d2af1d3d31..c9acfc2f7a 100644
--- a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
+++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
@@ -1,5 +1,5 @@
---
-title: How to get a list of XML data name elements in
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_EXTENSION\_POINT\_DISABLE\_ALWAYS\_ON\] |
| Heap terminate on corruption to protect the system against a corrupted heap | [UpdateProcThreadAttribute function](/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_HEAP\_TERMINATE\_ALWAYS\_ON\] |
-## Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit
+## Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit
You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/topic/emet-mitigations-guidelines-b529d543-2a81-7b5a-d529-84b30e1ecee0), which has since 2009 offered various exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those mitigations in Windows 10. Many of EMET's mitigations have been built into Windows 10, some with extra improvements. However, some EMET mitigations carry high-performance cost, or appear to be relatively ineffective against modern threats, and therefore haven't been brought into Windows 10.
@@ -322,7 +322,7 @@ One of EMET's strengths is that it allows you to import and export configuration
Install-Module -Name ProcessMitigations
```
-The Get-ProcessMitigation cmdlet gets the current mitigation settings from the registry or from a running process, or it can save all settings to an XML file.
+The Get-ProcessMitigation cmdlet gets the current mitigation settings from the registry or from a running process, or it can save all settings to an XML file.
To get the current settings on all running instances of notepad.exe:
@@ -377,7 +377,7 @@ ConvertTo-ProcessMitigationPolicy -EMETFilePath
|
-| **Allow Microsoft Mode** | Allow mode will authorize the following components:
|
-| **Signed and Reputable Mode** | Signed and Reputable mode will authorize the following components:
|
-
-*Italicized content denotes the changes in the current policy with respect to the policy prior.*
-
-More information about the Default Windows Mode and Allow Microsoft Mode policies can be accessed through the [Example Windows Defender Application Control base policies article](example-wdac-base-policies.md).
-
-
-
-Once the base template is selected, give the policy a name and choose where to save the application control policy on disk.
-
-## Configuring Policy Rules
-
-Upon page launch, policy rules will be automatically enabled/disabled depending on the chosen template from the previous page. Choose to enable or disable the desired policy rule options by pressing the slider button next to the policy rule titles. A short description of each rule will appear at the bottom of the page when the mouse hovers over the rule title.
-
-### Policy Rules Description
-
-A description of each policy rule, beginning with the left-most column, is provided below. The [Policy rules article](select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules) provides a full description of each policy rule.
-
-| Rule option | Description |
-|------------ | ----------- |
-| **Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all Windows Defender Application Control policies. Setting this rule option allows the F8 menu to appear to physically present users. |
-| **Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. |
-| **Disable Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is required to run HTA files, and is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 isn't supported and may have unintended results. |
-|**[Hypervisor-protected code integrity (HVCI)](../device-guard/enable-virtualization-based-protection-of-code-integrity.md)**| When enabled, policy enforcement uses virtualization-based security to run the code integrity service inside a secure environment. HVCI provides stronger protections against kernel malware.|
-| **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by the Microsoft Intelligent Security Graph (ISG). |
-| **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Configuration Manager, that has been defined as a managed installer. |
-| **Require WHQL** | By default, legacy drivers that aren't Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Henceforth, every new Windows–compatible driver must be WHQL certified. |
-| **Update Policy without Rebooting** | Use this option to allow future Windows Defender Application Control policy updates to apply without requiring a system reboot. |
-| **Unsigned System Integrity Policy** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. |
-| **User Mode Code Integrity** | Windows Defender Application Control policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. |
-
-> [!div class="mx-imgBorder"]
-> 
-
-### Advanced Policy Rules Description
-
-Selecting the **+ Advanced Options** label will show another column of policy rules; advanced policy rules. A description of each policy rule is provided below.
-
-| Rule option | Description |
-|------------ | ----------- |
-| **Boot Audit on Failure** | Used when the Windows Defender Application Control (WDAC) policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
-| **Disable Flight Signing** | If enabled, WDAC policies won't trust flightroot-signed binaries. This option would be used in the scenario in which organizations only want to run released binaries, not flight/preview-signed builds. |
-| **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that's only writable by an administrator) for any FileRule that allows a file based on FilePath. |
-| **Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries (DLLs). |
-| **Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.|
-| **Require EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All Windows 10 and later, or Windows 11 drivers will meet this requirement. |
-
-
-
-> [!NOTE]
-> We recommend that you **enable Audit Mode** initially because it allows you to test new Windows Defender Application Control policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. For this reason, all templates have Audit Mode enabled by default.
-
-## Creating custom file rules
-
-[File rules](select-types-of-rules-to-create.md#windows-defender-application-control-file-rule-levels) in an application control policy will specify the level at which applications will be identified and trusted. File rules are the main mechanism for defining trust in the application control policy. Selecting the **+ Custom Rules** will open the custom file rule conditions panel to create custom file rules for your policy. The Wizard supports four types of file rules:
-
-### Publisher Rules
-
-The Publisher file rule type uses properties in the code signing certificate chain to base file rules. Once the file to base the rule off of, called the *reference file*, is selected, use the slider to indicate the specificity of the rule. The table below shows the relationship between the slider placement, the corresponding Windows Defender Application Control (WDAC) rule level and its description. The lower the placement on the table and the UI slider, the greater the specificity of the rule.
-
-| Rule Condition | WDAC Rule Level | Description |
-|------------ | ----------- | ----------- |
-| **Issuing CA** | PCACertificate | Highest available certificate is added to the signers. This certificate is typically the PCA certificate, one level below the root certificate. Any file signed by this certificate will be affected. |
-| **Publisher** | Publisher | This rule is a combination of the PCACertificate rule and the common name (CN) of the leaf certificate. Any file signed by a major CA but with a leaf from a specific company, for example, a device driver corp, is affected. |
-| **File version** | SignedVersion | This rule is a combination of PCACertificate, publisher, and a version number. Anything from the specified publisher with a version at or above the one specified is affected. |
-| **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate and a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. |
-
-
-
-
-### Filepath Rules
-
-Filepath rules don't provide the same security guarantees that explicit signer rules do, as they're based on mutable access permissions. To create a filepath rule, select the file using the *Browse* button.
-
-### File Attribute Rules
-
-The Wizard supports the creation of [file name rules](select-types-of-rules-to-create.md#windows-defender-application-control-filename-rules) based on authenticated file attributes. File name rules are useful when an application and its dependencies (for example, DLLs) may all share the same product name, for instance. This rule level allows users to easily create targeted policies based on the Product Name file name parameter. To select the file attribute to create the rule, move the slider on the Wizard to the desired attribute. The table below describes each of the supported file attributes off which to create a rule.
-
-| Rule level | Description |
-|------------ | ----------- |
-| **Original Filename** | Specifies the original file name, or the name with which the file was first created, of the binary. |
-| **File description** | Specifies the file description provided by the developer of the binary. |
-| **Product name** | Specifies the name of the product with which the binary ships. |
-| **Internal name** | Specifies the internal name of the binary. |
-
-> [!div class="mx-imgBorder"]
-> 
-
-### File Hash Rules
-
-Lastly, the Wizard supports creating file rules using the hash of the file. Although this level is specific, it can cause extra administrative overhead to maintain the current product version's hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. By default, the Wizard will use file hash as the fallback in case a file rule can't be created using the specified file rule level.
-
-#### Deleting Signing Rules
-
-The policy signing rules list table on the left of the page will document the allow and deny rules in the template, and any custom rules you create. Template signing rules and custom rules can be deleted from the policy by selecting the rule from the rules list table. Once the rule is highlighted, press the delete button underneath the table. You'll be prompted for another confirmation. Select `Yes` to remove the rule from the policy and the rules table.
-
-## Up next
-
-- [Editing a Windows Defender Application Control (WDAC) policy using the Wizard](wdac-wizard-editing-policy.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md
deleted file mode 100644
index 53a8d5c954..0000000000
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md
+++ /dev/null
@@ -1,116 +0,0 @@
----
-title: Windows Defender Application Control Wizard Supplemental Policy Creation
-description: Creating supplemental application control policies with the WDAC Wizard.
-keywords: allowlisting, blocklisting, security, malware, supplemental policy
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-author: jgeurten
-ms.reviewer: isbrahm
-ms.author: vinpa
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 10/14/2020
-ms.technology: itpro-security
----
-
-# Creating a new Supplemental Policy with the Wizard
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
-> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-
-Beginning in Windows 10 version 1903, Windows Defender Application Control (WDAC) supports the creation of multiple active policies on a device. One or more supplemental policies allow customers to expand a [WDAC base policy](wdac-wizard-create-base-policy.md) to increase the circle of trust of the policy. A supplemental policy can expand only one base policy, but multiple supplementals can expand the same base policy. When supplemental policies are being used, applications allowed by the base or its supplemental policy/policies will be allowed to execute.
-
-Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a supplemental application control policy, configure the policy options, and the signer and file rules.
-
-## Expanding a Base Policy
-
-Once the Supplemental Policy type is chosen on the New Policy page, policy name and file dialog fields can be used to name and save the supplemental policy. The next step requires selecting a base policy to expand. To expand a base policy, the base must allow supplemental policies. The WDAC Wizard will verify if the base policy allows supplementals and will show the following confirmation.
-
-
-
-If the base policy isn't configured for supplemental policies, the Wizard will attempt to convert the policy to one that can be supplemented. Once successful, the Wizard will show a dialog demonstrating that the addition of the Allow Supplemental Policy rule was completed.
-
-
-
-Policies that can't be supplemented, for instance, a supplemental policy, will be detected by the Wizard and will show the following error. Only a base policy can be supplemented. More information on supplemental policies can be found on our [Multiple Policies article](deploy-multiple-windows-defender-application-control-policies.md).
-
-
-
-## Configuring Policy Rules
-
-Upon page launch, policy rules will be automatically enabled/disabled depending on the chosen base policy from the previous page. Most of the supplemental policy rules must be inherited from the base policy. The Wizard will automatically parse the base policy and set the required supplemental policy rules to match the base policy rules. Inherited policy rules will be grayed out and won't be modifiable in the user interface.
-
-A short description of the rule will be shown at the bottom of the page when the cursor is placed on the rule title.
-
-### Configurable Supplemental Policy Rules Description
-
-There are only three policy rules that can be configured by the supplemental policy. A description of each policy rule, beginning with the left-most column, is provided below. Selecting the **+ Advanced Options** label will show another column of policy rules; advanced policy rules.
-
-
-| Rule option | Description |
-|------------ | ----------- |
-| **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
-| **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Configuration Manager, that has been defined as a managed installer. |
-| **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. |
-
-
-
-## Creating custom file rules
-
-File rules in an application control policy will specify the level at which applications will be identified and trusted. File rules are the main mechanism for defining trust in the application control policy. Selecting the **+ Custom Rules** will open the custom file rule conditions panel to create and customize targeted file rules for your policy. The Wizard supports four types of file rules:
-
-### Publisher Rules
-
-The Publisher file rule type uses properties in the code signing certificate chain to base file rules. Once the file to base the rule off of, called the *reference file*, is selected, use the slider to indicate the specificity of the rule. The table below shows the relationship between the slider placement, the corresponding Windows Defender Application Control (WDAC) rule level, and its description. The lower the placement on the table and the UI slider, the greater the specificity of the rule.
-
-| Rule Condition | WDAC Rule Level | Description |
-|------------ | ----------- | ----------- |
-| **Issuing CA** | PCACertificate | Highest available certificate is added to the signers. This certificate is typically the PCA certificate, one level below the root certificate. Any file signed by this certificate will be affected. |
-| **Publisher** | Publisher | This rule is a combination of the PCACertificate rule and the common name (CN) of the leaf certificate. Any file signed by a major CA but with a leaf from a specific company, for example, a device driver publisher, is affected. |
-| **File version** | SignedVersion | This rule is a combination of the PCACertificate and Publisher rule, and a version number. Anything from the specified publisher with a version at or above the one specified is affected. |
-| **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate and a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. |
-
-
-
-
-### Filepath Rules
-
-Filepath rules don't provide the same security guarantees that explicit signer rules do, as they're based on mutable access permissions. To create a filepath rule, select the file using the *Browse* button.
-
-### File Attribute Rules
-
-The Wizard supports the creation of [file name rules](select-types-of-rules-to-create.md#windows-defender-application-control-filename-rules) based on authenticated file attributes. File name rules are useful when an application and its dependencies (for example, DLLs) may all share the same product name, for instance. This rule level allows users to easily create targeted policies based on the Product Name file name. To select the file attribute to create the rule, move the slider on the Wizard to the desired attribute. The table below describes each of the supported file attributes off which to create a rule.
-
-| Rule level | Description |
-|------------ | ----------- |
-| **Original Filename** | Specifies the original file name, or the name with which the file was first created, of the binary. |
-| **File description** | Specifies the file description provided by the developer of the binary. |
-| **Product name** | Specifies the name of the product with which the binary ships. |
-| **Internal name** | Specifies the internal name of the binary. |
-
-
-
-
-### File Hash Rules
-
-Lastly, the Wizard supports creating file rules using the hash of the file. Although this level is specific, it can cause extra administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. By default, the Wizard will use file hash as the fallback in case a file rule can't be created using the specified file rule level.
-
-
-#### Deleting Signing Rules
-
-The table on the left of the page will document the allow and deny rules in the template, and any custom rules you create. Rules can be deleted from the policy by selecting the rule from the rules list table. Once the rule is highlighted, press the delete button underneath the table. you'll be prompted for another confirmation. Select `Yes` to remove the rule from the policy and the rules table.
-
-## Up next
-
-- [Editing a Windows Defender Application Control (WDAC) policy using the Wizard](wdac-wizard-editing-policy.md)
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
deleted file mode 100644
index b85fb0dfe8..0000000000
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-title: Account protection in the Windows Security app
-description: Use the Account protection section to manage security for your account and sign in to Microsoft.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.date: 12/31/2018
-ms.technology: itpro-security
-ms.topic: article
----
-
-
-# Account protection
-
-**Applies to**
-
-- Windows 10 and later
-
-The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list:
-
-- [Microsoft Account](https://account.microsoft.com/account/faq)
-- [Windows Hello for Business](../../identity-protection/hello-for-business/hello-identity-verification.md)
-- [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from)
-
-You can also choose to hide the section from users of the device. This is useful if you don't want your employees to access or view user-configured options for these features.
-
-## Hide the Account protection section
-
-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
-
-You can only configure these settings by using Group Policy.
-
->[!IMPORTANT]
->### Requirements
->
->You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**.
-
-3. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Account protection**.
-
-6. Open the **Hide the Account protection area** setting and set it to **Enabled**. Select **OK**.
-
-7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-
->[!NOTE]
->If you hide all sections then the app will show a restricted interface, as in the following screenshot:
->
->
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
deleted file mode 100644
index d56e6ecd4f..0000000000
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
+++ /dev/null
@@ -1,73 +0,0 @@
----
-title: Device security in the Windows Security app
-description: Use the Device security section to manage security built into your device, including virtualization-based security.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.date: 12/31/2018
-manager: aaroncz
-ms.technology: itpro-security
-ms.topic: article
----
-
-# Device security
-
-**Applies to**
-
-- Windows 10 and later
-
-The **Device security** section contains information and settings for built-in device security.
-
-You can choose to hide the section from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
-
-## Hide the Device security section
-
-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. You can hide the device security section by using Group Policy only.
-
-> [!IMPORTANT]
-> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
-
-3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
-
-4. Open the **Hide the Device security area** setting and set it to **Enabled**. Select **OK**.
-
-5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-
->[!NOTE]
->If you hide all sections then the app will show a restricted interface, as in the following screenshot:
->
->
-
-## Disable the Clear TPM button
-If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it.
-
-> [!IMPORTANT]
-> You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
-
-3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
-
-4. Open the **Disable the Clear TPM button** setting and set it to **Enabled**. Select **OK**.
-
-5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-
-## Hide the TPM Firmware Update recommendation
-If you don't want users to see the recommendation to update TPM firmware, you can disable it.
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
-
-3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
-
-4. Open the **Hide the TPM Firmware Update recommendation** setting and set it to **Enabled**. Select **OK**.
-
-5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
deleted file mode 100644
index cfb558208e..0000000000
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: Virus and threat protection in the Windows Security app
-description: Use the Virus & threat protection section to see and configure Microsoft Defender Antivirus, Controlled folder access, and 3rd-party AV products.
-keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide
-search.product: eADQiWindows 10XVcnh
-ms.prod: windows-client
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-security
-ms.date: 12/31/2017
-ms.topic: article
----
-
-# Virus and threat protection
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products.
-
-In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. These settings include Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions if there's a ransomware attack.
-
-IT administrators and IT pros can get more configuration information from these articles:
-
-- [Microsoft Defender Antivirus in the Windows Security app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus)
-- [Microsoft Defender Antivirus documentation library](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10)
-- [Protect important folders with Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)
-- [Defend yourself from cybercrime with new Office 365 capabilities](https://blogs.office.com/en-us/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/)
-- [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365)
-- [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US)
-
-You can hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for these features.
-
-
-## Hide the Virus & threat protection section
-
-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
-
-This section can be hidden only by using Group Policy.
-
->[!IMPORTANT]
->### Requirements
->
->You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Virus and threat protection**.
-
-6. Open the **Hide the Virus and threat protection area** setting and set it to **Enabled**. Click **OK**.
-
-7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-
->[!NOTE]
->If you hide all sections then the app will show a restricted interface, as in the following screenshot:
->
->
-
-## Hide the Ransomware protection area
-
-You can choose to hide the **Ransomware protection** area by using Group Policy. The area won't appear on the **Virus & threat protection** section of the Windows Security app.
-
-This area can be hidden only by using Group Policy.
-
->[!IMPORTANT]
->### Requirements
->
->You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Virus and threat protection**.
-
-6. Open the **Hide the Ransomware data recovery area** setting and set it to **Enabled**. Click **OK**.
-
-7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-firewall/TOC.yml b/windows/security/threat-protection/windows-firewall/TOC.yml
deleted file mode 100644
index ca84e461a5..0000000000
--- a/windows/security/threat-protection/windows-firewall/TOC.yml
+++ /dev/null
@@ -1,254 +0,0 @@
-- name: Windows Firewall with Advanced Security
- href: windows-firewall-with-advanced-security.md
- items:
- - name: Plan deployment
- items:
- - name: Design guide
- href: windows-firewall-with-advanced-security-design-guide.md
- - name: Design process
- href: understanding-the-windows-firewall-with-advanced-security-design-process.md
- - name: Implementation goals
- items:
- - name: Identify implementation goals
- href: identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
- - name: Protect devices from unwanted network traffic
- href: protect-devices-from-unwanted-network-traffic.md
- - name: Restrict access to only trusted devices
- href: restrict-access-to-only-trusted-devices.md
- - name: Require encryption
- href: require-encryption-when-accessing-sensitive-network-resources.md
- - name: Restrict access
- href: restrict-access-to-only-specified-users-or-devices.md
- - name: Implementation designs
- items:
- - name: Mapping goals to a design
- href: mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
- - name: Basic firewall design
- href: basic-firewall-policy-design.md
- items:
- - name: Basic firewall design example
- href: firewall-policy-design-example.md
- - name: Domain isolation design
- href: domain-isolation-policy-design.md
- items:
- - name: Domain isolation design example
- href: domain-isolation-policy-design-example.md
- - name: Server isolation design
- href: server-isolation-policy-design.md
- items:
- - name: Server Isolation design example
- href: server-isolation-policy-design-example.md
- - name: Certificate-based isolation design
- href: certificate-based-isolation-policy-design.md
- items:
- - name: Certificate-based Isolation design example
- href: certificate-based-isolation-policy-design-example.md
- - name: Design planning
- items:
- - name: Planning your design
- href: planning-your-windows-firewall-with-advanced-security-design.md
- - name: Planning settings for a basic firewall policy
- href: planning-settings-for-a-basic-firewall-policy.md
- - name: Planning domain isolation zones
- items:
- - name: Domain isolation zones
- href: planning-domain-isolation-zones.md
- - name: Exemption list
- href: exemption-list.md
- - name: Isolated domain
- href: isolated-domain.md
- - name: Boundary zone
- href: boundary-zone.md
- - name: Encryption zone
- href: encryption-zone.md
- - name: Planning server isolation zones
- href: planning-server-isolation-zones.md
- - name: Planning certificate-based authentication
- href: planning-certificate-based-authentication.md
- items:
- - name: Documenting the Zones
- href: documenting-the-zones.md
- - name: Planning group policy deployment for your isolation zones
- href: planning-group-policy-deployment-for-your-isolation-zones.md
- items:
- - name: Planning isolation groups for the zones
- href: planning-isolation-groups-for-the-zones.md
- - name: Planning network access groups
- href: planning-network-access-groups.md
- - name: Planning the GPOs
- href: planning-the-gpos.md
- items:
- - name: Firewall GPOs
- href: firewall-gpos.md
- items:
- - name: GPO_DOMISO_Firewall
- href: gpo-domiso-firewall.md
- - name: Isolated domain GPOs
- href: isolated-domain-gpos.md
- items:
- - name: GPO_DOMISO_IsolatedDomain_Clients
- href: gpo-domiso-isolateddomain-clients.md
- - name: GPO_DOMISO_IsolatedDomain_Servers
- href: gpo-domiso-isolateddomain-servers.md
- - name: Boundary zone GPOs
- href: boundary-zone-gpos.md
- items:
- - name: GPO_DOMISO_Boundary
- href: gpo-domiso-boundary.md
- - name: Encryption zone GPOs
- href: encryption-zone-gpos.md
- items:
- - name: GPO_DOMISO_Encryption
- href: gpo-domiso-encryption.md
- - name: Server isolation GPOs
- href: server-isolation-gpos.md
- - name: Planning GPO deployment
- href: planning-gpo-deployment.md
- - name: Planning to deploy
- href: planning-to-deploy-windows-firewall-with-advanced-security.md
- - name: Deployment guide
- items:
- - name: Deployment overview
- href: windows-firewall-with-advanced-security-deployment-guide.md
- - name: Implementing your plan
- href: implementing-your-windows-firewall-with-advanced-security-design-plan.md
- - name: Basic firewall deployment
- items:
- - name: "Checklist: Implementing a basic firewall policy design"
- href: checklist-implementing-a-basic-firewall-policy-design.md
- - name: Domain isolation deployment
- items:
- - name: "Checklist: Implementing a Domain Isolation Policy Design"
- href: checklist-implementing-a-domain-isolation-policy-design.md
- - name: Server isolation deployment
- items:
- - name: "Checklist: Implementing a Standalone Server Isolation Policy Design"
- href: checklist-implementing-a-standalone-server-isolation-policy-design.md
- - name: Certificate-based authentication
- items:
- - name: "Checklist: Implementing a Certificate-based Isolation Policy Design"
- href: checklist-implementing-a-certificate-based-isolation-policy-design.md
- - name: Best practices
- items:
- - name: Configuring the firewall
- href: best-practices-configuring.md
- - name: Securing IPsec
- href: securing-end-to-end-ipsec-connections-by-using-ikev2.md
- - name: PowerShell
- href: windows-firewall-with-advanced-security-administration-with-windows-powershell.md
- - name: Isolating Microsoft Store Apps on Your Network
- href: isolating-apps-on-your-network.md
- - name: How-to
- items:
- - name: Add Production devices to the membership group for a zone
- href: add-production-devices-to-the-membership-group-for-a-zone.md
- - name: Add test devices to the membership group for a zone
- href: add-test-devices-to-the-membership-group-for-a-zone.md
- - name: Assign security group filters to the GPO
- href: assign-security-group-filters-to-the-gpo.md
- - name: Change rules from request to require mode
- href: Change-Rules-From-Request-To-Require-Mode.Md
- - name: Configure authentication methods
- href: Configure-authentication-methods.md
- - name: Configure data protection (Quick Mode) settings
- href: configure-data-protection-quick-mode-settings.md
- - name: Configure Group Policy to autoenroll and deploy certificates
- href: configure-group-policy-to-autoenroll-and-deploy-certificates.md
- - name: Configure key exchange (main mode) settings
- href: configure-key-exchange-main-mode-settings.md
- - name: Configure the rules to require encryption
- href: configure-the-rules-to-require-encryption.md
- - name: Configure the Windows Firewall log
- href: configure-the-windows-firewall-log.md
- - name: Configure the workstation authentication certificate template
- href: configure-the-workstation-authentication-certificate-template.md
- - name: Configure Windows Firewall to suppress notifications when a program is blocked
- href: configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
- - name: Confirm that certificates are deployed correctly
- href: confirm-that-certificates-are-deployed-correctly.md
- - name: Copy a GPO to create a new GPO
- href: copy-a-gpo-to-create-a-new-gpo.md
- - name: Create a Group Account in Active Directory
- href: create-a-group-account-in-active-directory.md
- - name: Create a Group Policy Object
- href: create-a-group-policy-object.md
- - name: Create an authentication exemption list rule
- href: create-an-authentication-exemption-list-rule.md
- - name: Create an authentication request rule
- href: create-an-authentication-request-rule.md
- - name: Create an inbound ICMP rule
- href: create-an-inbound-icmp-rule.md
- - name: Create an inbound port rule
- href: create-an-inbound-port-rule.md
- - name: Create an inbound program or service rule
- href: create-an-inbound-program-or-service-rule.md
- - name: Create an outbound port rule
- href: create-an-outbound-port-rule.md
- - name: Create an outbound program or service rule
- href: create-an-outbound-program-or-service-rule.md
- - name: Create inbound rules to support RPC
- href: create-inbound-rules-to-support-rpc.md
- - name: Create WMI filters for the GPO
- href: create-wmi-filters-for-the-gpo.md
- - name: Create Windows Firewall rules in Intune
- href: create-windows-firewall-rules-in-intune.md
- - name: Enable predefined inbound rules
- href: enable-predefined-inbound-rules.md
- - name: Enable predefined outbound rules
- href: enable-predefined-outbound-rules.md
- - name: Exempt ICMP from authentication
- href: exempt-icmp-from-authentication.md
- - name: Link the GPO to the domain
- href: link-the-gpo-to-the-domain.md
- - name: Modify GPO filters
- href: modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
- - name: Open IP security policies
- href: open-the-group-policy-management-console-to-ip-security-policies.md
- - name: Open Group Policy
- href: open-the-group-policy-management-console-to-windows-firewall.md
- - name: Open Group Policy
- href: open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
- - name: Open Windows Firewall
- href: open-windows-firewall-with-advanced-security.md
- - name: Restrict server access
- href: restrict-server-access-to-members-of-a-group-only.md
- - name: Enable Windows Firewall
- href: turn-on-windows-firewall-and-configure-default-behavior.md
- - name: Verify Network Traffic
- href: verify-that-network-traffic-is-authenticated.md
- - name: References
- items:
- - name: "Checklist: Creating Group Policy objects"
- href: checklist-creating-group-policy-objects.md
- - name: "Checklist: Creating inbound firewall rules"
- href: checklist-creating-inbound-firewall-rules.md
- - name: "Checklist: Creating outbound firewall rules"
- href: checklist-creating-outbound-firewall-rules.md
- - name: "Checklist: Configuring basic firewall settings"
- href: checklist-configuring-basic-firewall-settings.md
- - name: "Checklist: Configuring rules for the isolated domain"
- href: checklist-configuring-rules-for-the-isolated-domain.md
- - name: "Checklist: Configuring rules for the boundary zone"
- href: checklist-configuring-rules-for-the-boundary-zone.md
- - name: "Checklist: Configuring rules for the encryption zone"
- href: checklist-configuring-rules-for-the-encryption-zone.md
- - name: "Checklist: Configuring rules for an isolated server zone"
- href: checklist-configuring-rules-for-an-isolated-server-zone.md
- - name: "Checklist: Configuring rules for servers in a standalone isolated server zone"
- href: checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
- - name: "Checklist: Creating rules for clients of a standalone isolated server zone"
- href: checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
- - name: "Appendix A: Sample GPO template files for settings used in this guide"
- href: appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
- - name: Troubleshooting
- items:
- - name: Troubleshooting UWP app connectivity issues in Windows Firewall
- href: troubleshooting-uwp-firewall.md
- - name: Filter origin audit log improvements
- href: filter-origin-documentation.md
- - name: Quarantine behavior
- href: quarantine.md
- - name: Firewall settings lost on upgrade
- href: firewall-settings-lost-on-upgrade.md
-- name: Windows security
- href: /windows/security/
diff --git a/windows/security/toc.yml b/windows/security/toc.yml
new file mode 100644
index 0000000000..06b59128cd
--- /dev/null
+++ b/windows/security/toc.yml
@@ -0,0 +1,26 @@
+items:
+- name: Windows security
+ href: index.yml
+ expanded: true
+- name: Introduction
+ items:
+ - name: Windows security overview
+ href: introduction/index.md
+ - name: Zero Trust and Windows
+ href: zero-trust-windows-device-health.md
+ - name: Security features licensing and edition requirements
+ href: licensing-and-edition-requirements.md
+- name: Hardware security
+ href: hardware-security/toc.yml
+- name: Operating system security
+ href: operating-system-security/toc.yml
+- name: Application security
+ href: application-security/toc.yml
+- name: Identity protection
+ href: identity-protection/toc.yml
+- name: Windows Privacy 🔗
+ href: /windows/privacy
+- name: Security foundations
+ href: security-foundations/toc.yml
+- name: Cloud security
+ href: cloud-security/toc.yml
\ No newline at end of file
diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md
index d6159d39a6..b46b7edeaf 100644
--- a/windows/security/zero-trust-windows-device-health.md
+++ b/windows/security/zero-trust-windows-device-health.md
@@ -1,19 +1,19 @@
---
title: Zero Trust and Windows device health
description: Describes the process of Windows device health attestation
-ms.reviewer:
-ms.topic: article
+ms.reviewer:
+ms.topic: conceptual
manager: aaroncz
ms.author: paoloma
author: paolomatarazzo
-ms.custom: intro-overview
ms.prod: windows-client
ms.technology: itpro-security
ms.date: 12/31/2017
---
# Zero Trust and Windows device health
-Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they’re located. Implementing a Zero Trust model for security helps address today's complex environments.
+
+Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they're located. Implementing a Zero Trust model for security helps address today's complex environments.
The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are:
@@ -23,16 +23,17 @@ The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) princip
- **Assume breach**. Prevent attackers from obtaining access to minimize potential damage to data and systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses.
-The Zero Trust concept of **verify explicitly** applies to the risks introduced by both devices and users. Windows enables **device health attestation** and **conditional access** capabilities, which are used to grant access to corporate resources.
+The Zero Trust concept of **verify explicitly** applies to the risks introduced by both devices and users. Windows enables **device health attestation** and **conditional access** capabilities, which are used to grant access to corporate resources.
-[Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are before they're granted access to corporate resources.
+[Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are before they're granted access to corporate resources.
-Windows 11 supports device health attestation, helping to confirm that devices are in a good state and haven't been tampered with. This capability helps users access corporate resources whether they’re in the office, at home, or when they’re traveling.
+Windows 11 supports device health attestation, helping to confirm that devices are in a good state and haven't been tampered with. This capability helps users access corporate resources whether they're in the office, at home, or when they're traveling.
Attestation helps verify the identity and status of essential components and that the device, firmware, and boot process haven't been altered. Information about the firmware, boot process, and software, is used to validate the security state of the device. This information is cryptographically stored in the security co-processor Trusted Platform Module (TPM). Once the device is attested, it can be granted access to resources.
## Device health attestation on Windows
- Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. The verification process uses remote attestation as the secure channel to determine and present the device’s health. Remote attestation determines:
+
+ Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. The verification process uses remote attestation as the secure channel to determine and present the device's health. Remote attestation determines:
- If the device can be trusted
- If the operating system booted correctly
@@ -40,7 +41,7 @@ Attestation helps verify the identity and status of essential components and tha
These determinations are made with the help of a secure root of trust using the Trusted Platform Module (TPM). Devices can attest that the TPM is enabled, and that the device hasn't been tampered with.
-Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and wasn't tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](information-protection/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device.
+Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and wasn't tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](operating-system-security/system-security/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device.
A summary of the steps involved in attestation and Zero Trust on the device side are as follows:
diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml
index 0e145097a8..2e144448b8 100644
--- a/windows/whats-new/TOC.yml
+++ b/windows/whats-new/TOC.yml
@@ -11,6 +11,8 @@
href: windows-11-plan.md
- name: Prepare for Windows 11
href: windows-11-prepare.md
+ - name: Windows 11 temporary enterprise feature control
+ href: temporary-enterprise-feature-control.md
- name: What's new in Windows 11, version 22H2
href: whats-new-windows-11-version-22h2.md
- name: Windows 10
@@ -24,6 +26,8 @@
href: whats-new-windows-10-version-21H1.md
- name: What's new in Windows 10, version 20H2
href: whats-new-windows-10-version-20H2.md
+- name: Windows commercial licensing overview
+ href: windows-licensing.md
- name: Deprecated and removed Windows features
expanded: false
items:
diff --git a/windows/whats-new/deprecated-features-resources.md b/windows/whats-new/deprecated-features-resources.md
index 6728e2b1bd..330293213d 100644
--- a/windows/whats-new/deprecated-features-resources.md
+++ b/windows/whats-new/deprecated-features-resources.md
@@ -12,15 +12,13 @@ ms.topic: reference
ms.collection:
- highpri
- tier1
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
---
# Resources for deprecated features
-**Applies to**
-
-- Windows 10
-- Windows 11
-
This article provides additional resources about [deprecated features for Windows client](deprecated-features.md) that may be needed by IT professionals. The following information is provided to help IT professionals plan for the removal of deprecated features:
## Microsoft Support Diagnostic Tool resources
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index 84ceba70f7..75692f13ab 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer developing in Windows 10 and Windows 11.
-ms.date: 12/05/2022
+ms.date: 06/08/2023
ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
@@ -12,15 +12,13 @@ ms.topic: conceptual
ms.collection:
- highpri
- tier1
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
---
# Deprecated features for Windows client
-**Applies to**
-
-- Windows 10
-- Windows 11
-
Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client. For more information about features that have been removed, see [Windows features removed](removed-features.md).
For more information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3).
@@ -38,6 +36,7 @@ The features in this article are no longer being actively developed, and might b
|Feature | Details and mitigation | Deprecation announced |
| ----------- | --------------------- | ---- |
+| Cortana in Windows | Cortana in Windows as a standalone app is deprecated. This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms. | June 2023 |
| Microsoft Support Diagnostic Tool (MSDT) | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 |
| Universal Windows Platform (UWP) Applications for 32-bit Arm | This change is applicable only to devices with an Arm processor, for example Snapdragon processors from Qualcomm. If you have a PC built with a processor from Intel or AMD, this content is not applicable. If you are not sure which type of processor you have, check **Settings** > **System** > **About**. Support for 32-bit Arm versions of applications will be removed in a future release of Windows 11. After this change, for the small number of applications affected, app features might be different and you might notice a difference in performance. For more technical details about this change, see [Update app architecture from Arm32 to Arm64](/windows/arm/arm32-to-arm64). | January 2023 |
| Update Compliance | [Update Compliance](/windows/deployment/update/update-compliance-monitor), a cloud-based service for the Windows client, is no longer being developed. This service has been replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | November 2022|
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index cdfcb018fb..036ef0bfa2 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -39,9 +39,8 @@
"tier2"
],
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
- "uhfHeaderId": "MSDocsHeader-M365-IT",
+ "uhfHeaderId": "MSDocsHeader-Windows",
"ms.topic": "article",
- "audience": "ITPro",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
diff --git a/windows/whats-new/feature-lifecycle.md b/windows/whats-new/feature-lifecycle.md
index d987cfd951..ffbc2050c9 100644
--- a/windows/whats-new/feature-lifecycle.md
+++ b/windows/whats-new/feature-lifecycle.md
@@ -12,13 +12,12 @@ ms.date: 10/28/2022
ms.collection:
- highpri
- tier2
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
---
# Windows client features lifecycle
-Applies to:
-- Windows 10
-- Windows 11
-
Each release of Windows 10 and Windows 11 contains many new and improved features. Occasionally we also remove features and functionality, usually because there is a better option.
## Windows 11 features
diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml
index c988c8ebb4..b99c54cd1c 100644
--- a/windows/whats-new/index.yml
+++ b/windows/whats-new/index.yml
@@ -32,6 +32,8 @@ landingContent:
url: windows-11-plan.md
- text: Prepare for Windows 11
url: windows-11-prepare.md
+ - text: Windows commercial licensing overview
+ url: windows-licensing.md
- title: Windows 10
linkLists:
@@ -63,4 +65,4 @@ landingContent:
- text: Compare Windows 11 Editions
url: https://www.microsoft.com/windows/business/compare-windows-11
- text: Windows 10 Enterprise LTSC
- url: ltsc/index.md
+ url: ltsc/overview.md
diff --git a/windows/whats-new/ltsc/TOC.yml b/windows/whats-new/ltsc/TOC.yml
index d7d88350ef..3dede78331 100644
--- a/windows/whats-new/ltsc/TOC.yml
+++ b/windows/whats-new/ltsc/TOC.yml
@@ -1,6 +1,8 @@
- name: Windows 10 Enterprise LTSC
- href: index.md
+ href: index.yml
items:
+ - name: Windows 10 Enterprise LTSC overview
+ href: overview.md
- name: What's new in Windows 10 Enterprise LTSC 2021
href: whats-new-windows-10-2021.md
- name: What's new in Windows 10 Enterprise LTSC 2019
diff --git a/windows/whats-new/ltsc/index.yml b/windows/whats-new/ltsc/index.yml
new file mode 100644
index 0000000000..4744f04260
--- /dev/null
+++ b/windows/whats-new/ltsc/index.yml
@@ -0,0 +1,49 @@
+### YamlMime:Landing
+
+title: What's new in Windows 10 Enterprise LTSC
+summary: Find out about new features and capabilities in the latest release of Windows 10 Enterprise LTSC for IT professionals.
+
+metadata:
+ title: What's new in Windows 10 Enterprise LTSC
+ description: Find out about new features and capabilities in the latest release of Windows 10 Enterprise LTSC for IT professionals.
+ ms.prod: windows-client
+ ms.technology: itpro-fundamentals
+ ms.topic: landing-page
+ ms.collection:
+ - highpri
+ - tier1
+ author: mestew
+ ms.author: mstewart
+ manager: aaroncz
+ ms.date: 05/22/2023
+ localization_priority: medium
+
+landingContent:
+
+ - title: Windows 10 Enterprise LTSC
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Windows 10 Enterprise LTSC overview
+ url: overview.md
+ - text: What's new in Windows 10 Enterprise LTSC 2021
+ url: whats-new-windows-10-2021.md
+ - text: What's new in Windows 10 Enterprise LTSC 2019
+ url: whats-new-windows-10-2019.md
+ - text: What's new in Windows 10 Enterprise LTSC 2016
+ url: whats-new-windows-10-2016.md
+ - text: What's new in Windows 10 Enterprise LTSC 2015
+ url: whats-new-windows-10-2015.md
+
+ - title: Learn more
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Windows release health dashboard
+ url: /windows/release-health/
+ - text: Windows 10 update history
+ url: https://support.microsoft.com/topic/windows-10-update-history-857b8ccb-71e4-49e5-b3f6-7073197d98fb
+ - text: Windows features we're no longer developing
+ url: ../deprecated-features.md
+ - text: Features and functionality removed in Windows
+ url: ../removed-features.md
diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/overview.md
similarity index 90%
rename from windows/whats-new/ltsc/index.md
rename to windows/whats-new/ltsc/overview.md
index e294bee159..2faae9d8de 100644
--- a/windows/whats-new/ltsc/index.md
+++ b/windows/whats-new/ltsc/overview.md
@@ -1,5 +1,5 @@
---
-title: Windows 10 Enterprise LTSC
+title: Windows 10 Enterprise LTSC overview
description: New and updated IT Pro content about new features in Windows 10, LTSC (also known as Windows 10 LTSB).
ms.prod: windows-client
author: mestew
@@ -9,16 +9,13 @@ ms.localizationpriority: low
ms.topic: overview
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
+appliesto:
+ - ✅ Windows 10 Enterprise LTSC
---
# Windows 10 Enterprise LTSC
-**Applies to**
-- Windows 10 Enterprise LTSC
-
-## In this topic
-
-This topic provides links to articles with information about what's new in each release of Windows 10 Enterprise LTSC, and includes a short description of this servicing channel.
+This article provides links to information about what's new in each release of Windows 10 Enterprise LTSC, and includes a short description of this servicing channel.
[What's New in Windows 10 Enterprise LTSC 2021](whats-new-windows-10-2021.md)
[What's New in Windows 10 Enterprise LTSC 2019](whats-new-windows-10-2019.md)
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
index 0663fe6cd9..da9e6df080 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
@@ -8,15 +8,14 @@ author: mestew
ms.localizationpriority: low
ms.topic: article
ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
+ms.date: 02/26/2023
+appliesto:
+ - ✅ Windows 10 Enterprise LTSC 2015
---
# What's new in Windows 10 Enterprise LTSC 2015
-**Applies to**
-- Windows 10 Enterprise LTSC 2015
-
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md).
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](overview.md).
## Deployment
@@ -289,4 +288,4 @@ The new chromium-based Microsoft Edge isn't included in the LTSC release of Wind
## See Also
-[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release.
+[Windows 10 Enterprise LTSC](overview.md): A description of the LTSC servicing channel with links to information about each release.
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
index 1b70c22e66..ba451305fd 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
@@ -9,14 +9,13 @@ ms.localizationpriority: low
ms.topic: article
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
+appliesto:
+ - ✅ Windows 10 Enterprise LTSC 2016
---
# What's new in Windows 10 Enterprise LTSC 2016
-**Applies to**
-- Windows 10 Enterprise LTSC 2016
-
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2016 (LTSB), compared to Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md).
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2016 (LTSB), compared to Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](overview.md).
>[!NOTE]
>Features in Windows 10 Enterprise LTSC 2016 are equivalent to Windows 10, version 1607.
@@ -177,4 +176,4 @@ The new chromium-based Microsoft Edge isn't included in the LTSC release of Wind
## See Also
-[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release.
+[Windows 10 Enterprise LTSC](overview.md): A description of the LTSC servicing channel with links to information about each release.
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index d5d3090339..b2c710d264 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -9,14 +9,13 @@ ms.localizationpriority: medium
ms.topic: conceptual
ms.technology: itpro-fundamentals
ms.date: 04/05/2023
+appliesto:
+ - ✅ Windows 10 Enterprise LTSC 2019
---
# What's new in Windows 10 Enterprise LTSC 2019
-**Applies to**
-- Windows 10 Enterprise LTSC 2019
-
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2019, compared to Windows 10 Enterprise LTSC 2016 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md).
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2019, compared to Windows 10 Enterprise LTSC 2016 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](overview.md).
>[!NOTE]
>Features in Windows 10 Enterprise LTSC 2019 are equivalent to Windows 10, version 1809.
@@ -457,7 +456,7 @@ Windows 10 Enterprise LTSC 2019 adds many new [configuration service providers (
Some of the other new CSPs are:
-- The [DynamicManagement CSP](/windows/client-management/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device can't reach the management server when the location or network changes. The dynamic management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
+- The [DynamicManagement CSP](/windows/client-management/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country/region to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device can't reach the management server when the location or network changes. The dynamic management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
- The [CleanPC CSP](/windows/client-management/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data.
@@ -577,4 +576,4 @@ See the following example:
## See also
-[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release.
+[Windows 10 Enterprise LTSC](overview.md): A short description of the LTSC servicing channel with links to information about each release.
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index 79dff6896a..48b3e3b651 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -9,14 +9,13 @@ ms.localizationpriority: high
ms.topic: conceptual
ms.technology: itpro-fundamentals
ms.date: 04/05/2023
+appliesto:
+ - ✅ Windows 10 Enterprise LTSC 2021
---
# What's new in Windows 10 Enterprise LTSC 2021
-**Applies to**
-- Windows 10 Enterprise LTSC 2021
-
-This article lists new and updated features and content that is of interest to IT Pros for Windows 10 Enterprise LTSC 2021, compared to Windows 10 Enterprise LTSC 2019 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md).
+This article lists new and updated features and content that is of interest to IT Pros for Windows 10 Enterprise LTSC 2021, compared to Windows 10 Enterprise LTSC 2019 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](overview.md).
> [!NOTE]
> Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2.
@@ -244,4 +243,4 @@ WPA3 H2E standards are supported for enhanced Wi-Fi security.
## See Also
-[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release.
+[Windows 10 Enterprise LTSC](overview.md): A short description of the LTSC servicing channel with links to information about each release.
diff --git a/windows/whats-new/removed-features.md b/windows/whats-new/removed-features.md
index 0cfa8fb10e..d837c8fa8c 100644
--- a/windows/whats-new/removed-features.md
+++ b/windows/whats-new/removed-features.md
@@ -12,15 +12,13 @@ ms.date: 01/05/2023
ms.collection:
- highpri
- tier1
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
---
# Features and functionality removed in Windows client
-**Applies to**
-
-- Windows 10
-- Windows 11
-
Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionality that have been removed in Windows client.
For more information about features that might be removed in a future release, see [Deprecated features for Windows client](deprecated-features.md).
diff --git a/windows/whats-new/temporary-enterprise-feature-control.md b/windows/whats-new/temporary-enterprise-feature-control.md
new file mode 100644
index 0000000000..b20be1c0ab
--- /dev/null
+++ b/windows/whats-new/temporary-enterprise-feature-control.md
@@ -0,0 +1,48 @@
+---
+title: Temporary enterprise feature control in Windows 11
+description: Learn about the Windows 11 features behind temporary enterprise feature control.
+ms.prod: windows-client
+ms.technology: itpro-fundamentals
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.localizationpriority: medium
+ms.topic: reference
+ms.date: 05/19/2023
+ms.collection:
+ - highpri
+ - tier2
+appliesto:
+ - ✅ Windows 11, version 22H2 and later
+---
+
+# Temporary enterprise feature control in Windows 11
+
+New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly.
+
+Features behind temporary enterprise control are automatically disabled for devices that have their Windows updates managed by policies.
+
+## Windows 11 features behind temporary enterprise feature control
+
+The following features are behind temporary enterprise control in Windows 11:
+
+| Feature | KB article where the feature was introduced | Feature update that ends temporary control |
+|---|---|---|
+| Touch-optimized taskbar for 2-in-1 devices | [February 28, 2023 - KB5022913](https://support.microsoft.com/topic/february-28-2023-kb5022913-os-build-22621-1344-preview-3e38c0d9-924d-4f3f-b0b6-3bd49b2657b9) | 2023 annual feature update |
+
+## Enable features behind temporary enterprise feature control
+
+Features that are behind temporary enterprise control will be enabled when one of the following conditions is met:
+
+- The device installs the annual feature update that enables the new features by default
+- The device receives a policy that enables features behind temporary enterprise control
+ - When the policy is enabled, all features on the device behind temporary control are turned on when the device next restarts.
+
+## Policy settings for temporary enterprise feature control
+
+You can use a policy to enable features that are behind temporary enterprise feature control. When this policy is enabled, all features that were disabled behind temporary enterprise feature control are turned on when the device next reboots. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later:
+
+- **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default**
+
+- **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)
+ - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category.
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index 8a8e9a3e7e..b62a1a7579 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -212,7 +212,7 @@ Windows 10, version 1703 adds many new [configuration service providers (CSPs)](
Some of the other new CSPs are:
-- The [DynamicManagement CSP](/windows/client-management/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
+- The [DynamicManagement CSP](/windows/client-management/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country/region to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
- The [CleanPC CSP](/windows/client-management/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data.
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index 602a7fcac7..c0202f98fe 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -55,7 +55,10 @@ Windows 10, version 1909 also includes two new features called **Key-rolling** a
### Transport Layer Security (TLS)
-An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/status/tls13/)
+An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 is disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/status/tls13/)
+
+>[!NOTE]
+>The experiental implementation of TLS 1.3 isn't supported. TLS 1.3 is only supported on Windows 11 and Server 2022. For more information, see [Protocols in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-).
## Virtualization
diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md
index 3030181ea5..37a10475d2 100644
--- a/windows/whats-new/whats-new-windows-10-version-20H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-20H2.md
@@ -12,13 +12,12 @@ ms.collection:
- tier2
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
+appliesto:
+ - ✅ Windows 10, version 20H2
---
# What's new in Windows 10, version 20H2 for IT Pros
-**Applies to**
-- Windows 10, version 20H2
-
This article lists new and updated features and content that is of interest to IT Pros for Windows 10, version 20H2, also known as the Windows 10 October 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 2004.
> [!NOTE]
diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md
index af47ae3987..3b134e5092 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H1.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H1.md
@@ -12,13 +12,12 @@ ms.collection:
- tier2
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
+appliesto:
+ - ✅ Windows 10, version 21H1
---
# What's new in Windows 10, version 21H1 for IT Pros
-**Applies to**
-- Windows 10, version 21H1
-
This article lists new and updated features and content that is of interest to IT Pros for Windows 10, version 21H1, also known as the **Windows 10 May 2021 Update**. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 20H2.
Windows 10, version 21H1 is a scoped set of features for select performance improvements, enterprise features, and quality enhancements. As an [H1-targeted release](/lifecycle/faq/windows#what-is-the-servicing-timeline-for-a-version--feature-update--of-windows-10-), 21H1 is serviced for 18 months from the release date for devices running Windows 10 Enterprise or Windows 10 Education editions.
diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md
index 0e8808f228..8b06af0956 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H2.md
@@ -12,14 +12,12 @@ ms.collection:
- tier2
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
+appliesto:
+ - ✅ Windows 10, version 21H2
---
# What's new in Windows 10, version 21H2
-**Applies to**:
-
-- Windows 10, version 21H2
-
Windows 10, version 21H2 is the next feature update. This article lists the new and updated features IT Pros should know. Windows 10, version 21H2 is also known as the Windows 10 November 2021 Update. It includes all features and fixes in previous cumulative updates to Windows 10, version 21H1.
Windows 10, version 21H2 is an [H2-targeted release](/lifecycle/faq/windows#what-is-the-servicing-timeline-for-a-version--feature-update--of-windows-10-), and has the following servicing schedule:
diff --git a/windows/whats-new/whats-new-windows-10-version-22H2.md b/windows/whats-new/whats-new-windows-10-version-22H2.md
index e1ecaecbb0..5c158152d8 100644
--- a/windows/whats-new/whats-new-windows-10-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-22H2.md
@@ -12,6 +12,8 @@ ms.date: 10/18/2022
ms.collection:
- highpri
- tier2
+appliesto:
+ - ✅ Windows 10, version 22H2
---
# What's new in Windows 10, version 22H2
diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md
index bb565c5358..dbefc450e8 100644
--- a/windows/whats-new/whats-new-windows-11-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-11-version-22H2.md
@@ -12,11 +12,11 @@ ms.collection:
- tier2
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
+appliesto:
+ - ✅ Windows 11, version 22H2
---
# What's new in Windows 11, version 22H2
-
-**Applies to**: Windows 11, version 22H2
Windows 11, version 22H2 is a feature update for Windows 11. It includes all features and fixes in previous cumulative updates to Windows 11, version 21H2, the original Windows 11 release version. This article lists the new and updated features IT Pros should know.
@@ -40,7 +40,7 @@ For more information, see [Microsoft Pluton security processor](/windows/securit
**Enhanced Phishing Protection** in **Microsoft Defender SmartScreen** helps protect Microsoft school or work passwords against phishing and unsafe usage on websites and in applications. Enhanced Phishing Protection works alongside Windows security protections to help protect Windows 11 work or school sign-in passwords.
-For more information, see [Enhanced Phishing Protection in Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen) and [Protect passwords with enhanced phishing protection](https://aka.ms/EnhancedPhishingProtectionBlog) in the Windows IT Pro blog.
+For more information, see [Enhanced Phishing Protection in Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection) and [Protect passwords with enhanced phishing protection](https://aka.ms/EnhancedPhishingProtectionBlog) in the Windows IT Pro blog.
## Smart App Control
diff --git a/windows/whats-new/windows-11-overview.md b/windows/whats-new/windows-11-overview.md
index df91262622..90928f5742 100644
--- a/windows/whats-new/windows-11-overview.md
+++ b/windows/whats-new/windows-11-overview.md
@@ -12,14 +12,12 @@ ms.topic: overview
ms.collection:
- highpri
- tier1
+appliesto:
+ - ✅ Windows 11
---
# Windows 11 overview
-**Applies to**:
-
-- Windows 11
-
Windows 11 is the next client operating system, and includes features that organizations should know. Windows 11 is built on the same foundation as Windows 10. If you use Windows 10, then Windows 11 is a natural transition. It's an update to what you know, and what you're familiar with.
It offers innovations focused on enhancing end-user productivity, and is designed to support today's hybrid work environment.
diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md
index ce4a6efa32..346990f31f 100644
--- a/windows/whats-new/windows-11-plan.md
+++ b/windows/whats-new/windows-11-plan.md
@@ -12,17 +12,14 @@ ms.collection:
- tier1
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
+appliesto:
+ - ✅ Windows 11
---
# Plan for Windows 11
-**Applies to**
-
-- Windows 11
-
-## Deployment planning
-
This article provides guidance to help you plan for Windows 11 in your organization.
+## Deployment planning
Since Windows 11 is built on the same foundation as Windows 10, you can use the same deployment capabilities, scenarios, and tools—and the same basic deployment strategy that you use today for Windows 10. You'll need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) for Windows 11.
diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md
index 9a0cdaf844..6e9047c606 100644
--- a/windows/whats-new/windows-11-prepare.md
+++ b/windows/whats-new/windows-11-prepare.md
@@ -12,15 +12,13 @@ ms.collection:
- tier1
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
---
# Prepare for Windows 11
-**Applies to**
-
-- Windows 11
-- Windows 10
-
Windows 10 and Windows 11 are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. Using a single management infrastructure that supports common applications across both Windows 10 and Windows 11 helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows 11 deployments in the same way that you do with Windows 10.
After you evaluate your hardware to see if it meets [requirements](windows-11-requirements.md) for Windows 11, it's a good time to review your deployment infrastructure, tools, and overall endpoint and update management processes and look for opportunities to simplify and optimize. This article provides some helpful guidance to accomplish these tasks.
diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md
index 74230a9b73..f596c4e962 100644
--- a/windows/whats-new/windows-11-requirements.md
+++ b/windows/whats-new/windows-11-requirements.md
@@ -12,14 +12,13 @@ ms.collection:
- tier1
ms.technology: itpro-fundamentals
ms.date: 02/13/2023
+appliesto:
+ - ✅ Windows 11
+
---
# Windows 11 requirements
-**Applies to**
-
-- Windows 11
-
This article lists the system requirements for Windows 11. Windows 11 is also [supported on a virtual machine (VM)](#virtual-machine-support).
## Hardware requirements
diff --git a/windows/whats-new/windows-licensing.md b/windows/whats-new/windows-licensing.md
new file mode 100644
index 0000000000..3a56385d67
--- /dev/null
+++ b/windows/whats-new/windows-licensing.md
@@ -0,0 +1,213 @@
+---
+title: Windows commercial licensing overview
+description: Learn about products and use rights available through Windows commercial licensing.
+ms.prod: windows-client
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.collection:
+- tier2
+ms.topic: conceptual
+ms.date: 05/04/2023
+appliesto:
+- ✅ Windows 11
+ms.technology: itpro-security
+---
+
+# Windows Commercial Licensing overview
+
+This document provides an overview of the products and use rights available through Microsoft Commercial Licensing, information about the products that are eligible for upgrades, and the key choices you have for using Windows in your organization.
+
+> [!NOTE]
+> The content of this article doesn't replace or override other licensing documentation, such as the Windows 11 End User License Agreement or [Commercial Licensing Product Terms][EXT-4].
+
+## Windows 11 editions
+
+The following table lists the editions of Windows 11 available through each Microsoft distribution channel:
+
+| Full Packaged Product (Retail) | Preinstalled on device (OEM)|Commercial Licensing|
+|-|-|-|
+|Windows 11 Home
Windows 11 Pro|Windows 11 Home
Windows 11 Pro|Windows 11 Pro
Windows 11 Enterprise
Windows 11 Enterprise LTSC|
+
+## Windows desktop offerings available through Commercial Licensing
+
+The following offerings are available for purchase through [Microsoft Commercial Licensing][EXT-5]:
+
+|Product|Description|Availability|
+|-|-|-|
+|Windows 11 Pro Upgrade |Windows 11 Pro is designed for small and medium businesses. Windows 11 Pro enables organizations to manage devices and apps, protect their data, facilitate remote and mobile scenarios, while taking advantage of the cloud technologies that support their business. Windows 11 Pro devices are a good choice for organizations that support *choose your own device (CYOD)* programs and *prosumer* customers. | The Windows 11 Pro Upgrade in Commercial Licensing upgrades a device from a previous version of Windows Pro.|
+|Windows 11 Enterprise E3|Windows 11 Enterprise E3 is intended for large and medium-sized organizations. It includes Windows Enterprise edition with cloud-powered capabilities and subscription use rights. Examples include advanced identity protection, the broadest range of options for operating system deployment, update control, and device management. |Windows 11 Enterprise E3 is available **per-user** in Commercial Licensing programs. It requires Windows Pro as qualifying operating systems.|
+|Windows 11 Enterprise E5|Windows 11 Enterprise E5 is for organizations that want to take advantage of everything in Windows 11 Enterprise E3 with the addition of **Microsoft Defender for Endpoint Plan 2**, a service that helps enterprises detect, investigate, and respond to advanced cybersecurity attacks on their endpoints and networks.| Windows 11 Enterprise E5 is available **per-user** in Commercial Licensing programs. It requires Windows Pro as qualifying operating systems.|
+|Windows 10 Enterprise LTSC |Windows 10 Enterprise LTSC is designed for devices that have strict change-management policies with only security and critical bug fixes. By using a Long-Term Servicing Channel edition, you can apply monthly Windows 10 security updates for specialized devices while holding back new-feature updates for an extended period of time, up to five years. | Windows Enterprise LTSC is available in the **per-user** and **per-device** model, depending on the Volume Licensing program through which it's acquired.|
+|Windows Virtual Desktop Access (VDA) Subscription License|The Windows VDA subscription license provides the right to access virtual Windows desktop environments from devices that aren't covered by a Commercial Licensing offer that includes VDA rights, such as thin clients. |Windows VDA is available on a **per-device** and **per-user** basis.|
+
+## Windows 11 Pro Upgrade license
+
+Windows 11 Pro is designed for small and medium businesses. Windows 11 Pro enables you to manage your devices and apps, protect your business data, facilitate remote and mobile scenarios, and take advantage of the cloud technologies for your organization.
+
+The Windows 11 Pro Upgrade license is recommended if you want to:
+
+- Upgrade a Windows 10 Pro device to Windows 11 Pro
+- Upgrade Windows 7/8/8.1 Pro devices to Windows 10 Pro
+
+## Windows 11 Enterprise
+
+There are two core Windows 11 Enterprise offers: **Windows 11 Enterprise E3** and **Windows 11 Enterprise E5**. These offers can be purchased on a **per-user basis**, and are only available through **Commercial Licensing**, including the **Cloud Solution Provider** program.
+
+### Windows 11 Enterprise E3
+
+Windows 11 Enterprise E3 builds on Windows 11 Pro by adding more advanced features designed to address the needs of large and mid-size organizations. Examples include advanced protection against modern security threats, the broadest range of options for operating system deployment and update, and comprehensive device and app management.
+
+> [!NOTE]
+> Windows Enterprise E3 is a **per user subscription**, intended for organizations. It includes **Windows Enterprise edition** with cloud-powered capabilities and **subscription use rights**. Windows Enterprise E3 is usually licensed through Volume Licensing programs and is an upgrade from Windows Pro.
+
+#### Windows 11 Enterprise features
+
+The following table describes the unique Windows Enterprise edition features:
+
+| OS-based feature | Description |
+|-|-|
+|**[Windows Defender Credential Guard][WIN-1]**|Protects against user credential harvesting and pass-the-hash attacks or pass the token attacks.|
+|**[Managed Microsoft Defender Application Guard (MDAG) for Microsoft Edge][WIN-11]**| Isolates enterprise-defined untrusted sites with virtualization-based security from Windows, protecting your organization while users browse the Internet.|
+|**[Modern BitLocker Management][WIN-2]** | Allows you to eliminate on-premises tools to monitor and support BitLocker recovery scenarios. |
+|**[Personal Data Encryption][WIN-3]**|Encrypts individual's content using Windows Hello for Business to link the encryption keys to user credentials.|
+|**[Direct Access][WINS-1]**|Connect remote users to the organization network without the need for traditional VPN connections.|
+|**[Always-On VPN device tunnel][WINS-2]**|Advanced security capabilities to restrict the type of traffic and which applications can use the VPN connection.|
+|**[Windows Experience customization][WIN-4]**|Settings to lock down the user experience of corporate desktops and Shell Launcher with Unified Write Filter for frontline workers devices or public kiosks.|
+
+#### Windows 11 Enterprise cloud-based capabilities
+
+The following table describes the unique Windows Enterprise cloud-based features:
+
+|Cloud-based feature | Description |
+|-|-|
+|**[Windows subscription activation][WIN-5]**|Enables you to *step-up* from **Windows Pro edition** to **Enterprise edition**. You can eliminate license key management and the deployment of Enterprise edition images.|
+|**[Windows Autopatch][WIN-6]**|Cloud service that puts Microsoft in control of automating updates to Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams.|
+|**[Windows Update For Business deployment service][WIN-7]**|This cloud service gives you the control over the approval, scheduling, and safeguarding of quality, feature upgrades, and driver updates delivered from Windows Update.|
+|**[Universal Print][UP-1]**|Removes the need for on-premises print servers and enables any endpoint to print to cloud registered printers.|
+|**[Microsoft Connected Cache][WIN-8]**|A software solution that caches app and OS updates on the local network to save Internet bandwidth in locations with limited connectivity.|
+|**[Endpoint analytics proactive remediation][MEM-1]**|Helps you fix common support issues before end-users notice them.|
+|**[Organizational messages][MEM-2]**|Keeps employees informed with organizational messages directly inserted in Windows UI surfaces.|
+
+#### Windows 11 Enterprise licensing use rights
+
+The following table describes the Windows Enterprise licensing use rights:
+
+|Licensing use rights|Description|
+|-|-|
+|**[Five Windows instances per licensed user][EXT-1]**|Allows your employees to simultaneously use a Windows laptop, a cloud PC and a specialized device with Windows LTSC, and more.|
+|**[36 months (3 years) support on annual feature releases][WIN-9]**|Get extra time to deploy feature releases.|
+|**[Azure Virtual Desktop, Windows 365 Enterprise and Virtual Desktop Access][AZ-1]**|Empower flexible work styles and smarter work with the included virtualization access rights. Includes FSLogix for a consistent experience of
+Windows user profiles in virtual desktop environments.|
+|**[Windows release health in the Microsoft 365 admin center][EXT-2]**|Gives you essential information about monthly quality and feature updates in the Microsoft 365 admin center.|
+|**[Windows feature update device readiness report][MEM-3]**|Provides per-device information about compatibility risks that are associated with an upgrade or update to a chosen version of Windows.|
+|**[Windows feature update compatibility risks reports][MEM-3]**|Provides a summary view of the top compatibility risks, so you understand which compatibility risks impact the greatest number of devices in your organization.|
+|**[Windows LTSC Enterprise][WIN-10]**|Intended for highly specialized devices that require limited changes due to regulations and certification|
+|**[Microsoft Desktop Optimization Pack (MDOP) ][MDOP-1]**|Help improve compatibility and management, reduce support costs, improve asset management, and improve policy control.|
+
+Learn more about [Windows 11 Enterprise E3][EXT-3].
+
+### Windows 11 Enterprise E5
+
+Windows 11 Enterprise E5 is for organizations that want to take advantage of everything in Windows 11 Enterprise E3 with the addition of **Microsoft Defender for Endpoint Plan 2**, a cloud service that helps enterprises detect, investigate, and respond to advanced cybersecurity attacks on their endpoints and networks.
+
+Building on the existing security defenses in Windows 11, Microsoft Defender for Device provides a post-breach layer of protection to the Windows 11 security stack. With a combination of client technology built into Windows 11 and a robust cloud service, it can help detect threats that have made it past other defenses, provide enterprises with information to investigate the breach across endpoints, and offer response recommendations.
+
+> [!NOTE]
+> Windows 11 Enterprise E5 is available per user in Commercial Licensing programs.
+
+### Windows Enterprise E3 in Microsoft 365 F3
+
+Windows Enterprise E3 subscription license in Microsoft 365 F3 has all the OS features, and most of the cloud services and use rights, included with regular Windows Enterprise E3.
+Windows Enterprise E3 in Microsoft 365 F3 does not include some use rights previously included in Software Assurance benefits that come with the regular E3 user subscription license. F3 does not come with:
+
+- Microsoft Desktop Optimization Pack (MDOP)
+- Windows LTSC Enterprise
+- Windows Autopatch
+
+## Use a Windows Pro device with the Windows Enterprise user subscription license
+
+In most cases, the Windows Pro edition comes pre-installed on a business-class device. Microsoft recommends upgrading your Windows Pro devices to Enterprise edition when you have acquired a user subscription license for Windows. However, there are cases that require to keep devices on the Pro edition and not upgrade them to Enterprise edition. With Windows 11 Enterprise E3, you can take advantage of features, services and use rights not licensed to the Windows Pro license bound to the device. It includes Windows Enterprise edition with cloud-powered capabilities and subscription use rights, and these capabilities are not always technically enforced. Some scenarios that may require to not upgrade to Windows Enterprise edition:
+
+- Devices not properly provisioned that don't automatically upgrade to Windows Enterprise edition
+- Devices may have been acquired for a business process that was not under control of a central IT department or outside of the IT department's knowledge
+- Devices may be used temporarily for a project by vendors and added to the IT infrastructure, but not upgraded to Enterprise edition
+- A developer that is developing applications that must be tested and certified on Pro, as that is how it will be delivered to customers
+- A Windows Pro device that was pre-configured for a specific purpose and is certified on Pro only
+
+In these cases, you want the PC to be configured, secured, monitored, and updated with the enterprise management and security tools that come with the Windows Enterprise user subscription. Your Windows Enterprise E3 subscriptions does not block these scenarios.
+
+The following table lists the Windows 11 Enterprise features and their Windows edition requirements:
+
+| OS-based feature |Windows Pro|Windows Enterprise|
+|-|-|-|
+|**[Windows Defender Credential Guard][WIN-1]**|❌|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Microsoft Edge][WIN-11]**|Yes|Yes|
+|**[Modern BitLocker Management][WIN-2]**|Yes|Yes|
+|**[Personal data encryption (PDE)][WIN-3]**|❌|Yes|
+|**[Direct Access][WINS-1]**|Yes|Yes|
+|**[Always On VPN][WINS-2]**|Yes|Yes|
+|**[Windows Experience customization][WIN-4]**|❌|Yes|
+
+The following table lists the Windows 11 Enterprise cloud-based features and their Windows edition requirements:
+
+| Cloud-based feature |Windows Pro|Windows Enterprise|
+|-|-|-|
+|**[Windows subscription activation][WIN-5]**|Yes|Yes|
+|**[Windows Autopatch][WIN-6]**|Yes|Yes|
+|**[Windows Update For Business deployment service][WIN-7]**|Yes|Yes|
+|**[Universal Print][UP-1]**|Yes|Yes|
+|**[Microsoft Connected Cache][WIN-8]**|Yes|Yes|
+|**[Endpoint analytics proactive remediation][MEM-1]**|Yes|Yes|
+|**[Organizational messages][MEM-2]**|❌|Yes|
+
+The following table lists the Windows 11 Enterprise E3 licensing use rights and their Windows edition requirements:
+
+|Licensing use rights|Windows Pro|Windows Enterprise|
+|-|-|-|
+|**[Five Windows instances per licensed user][EXT-1]**|n/a|n/a|
+|**[36 months (3 years) support on annual feature releases][WIN-9]**|❌|Yes|
+|**[Azure Virtual Desktop, Windows 365 Enterprise and Virtual Desktop Access][AZ-1]**|n/a|n/a|
+|**[Windows release health in the Microsoft 365 admin center][EXT-2]**|n/a|n/a|
+|**[Windows feature update device readiness report][MEM-3]**|Yes|Yes|
+|**[Windows feature update compatibility risks reports][MEM-3]**|Yes|Yes|
+|**[Windows LTSC Enterprise][WIN-10]**|n/a|n/a|
+|**[Microsoft Desktop Optimization Pack (MDOP)][MDOP-1]**|Yes|Yes|
+
+## Next steps
+
+To learn more about Windows 11 Enterprise E3 and E5 licensing, download the [Windows 11 licensing guide][EXT-6]. The guide provides additional information to complement the information in this article, including:
+
+- Description of qualifying operating systems
+- Availability of Windows desktop operating system products in licensing programs
+- Deciding between per-device and per-user licensing
+- Windows 11 downgrade rights
+- Volume license activation methods
+- How to acquire licenses through Commercial Licensing
+
+[AZ-1]: /azure/virtual-desktop/prerequisites#operating-systems-and-licenses
+[EXT-1]: https://www.microsoft.com/licensing/terms/productoffering/WindowsDesktopOperatingSystem/EAEAS
+[EXT-2]: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-release-health-now-available-in-the-microsoft-365-admin/ba-p/2235908
+[EXT-3]: https://windows.com/enterprise
+[EXT-4]: https://www.microsoft.com/licensing/product-licensing/products.aspx
+[EXT-5]: https://www.microsoft.com/licensing
+[EXT-6]: https://aka.ms/WindowsLicensingGuide
+[MDOP-1]: /microsoft-desktop-optimization-pack
+[MEM-1]: /mem/analytics/proactive-remediations
+[MEM-2]: /mem/intune/remote-actions/organizational-messages-overview
+[MEM-3]: /mem/intune/protect/windows-update-compatibility-reports
+[UP-1]: /universal-print/
+[WIN-1]: /windows/security/identity-protection/credential-guard/credential-guard
+[WIN-2]: /windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises
+[WIN-3]: /windows/security/information-protection/personal-data-encryption/overview-pde
+[WIN-4]: /windows/client-management/mdm/policy-csp-experience
+[WIN-5]: /windows/deployment/windows-10-subscription-activation
+[WIN-6]: /windows/deployment/windows-autopatch
+[WIN-7]: /windows/deployment/update/deployment-service-overview
+[WIN-8]: /windows/deployment/do/waas-microsoft-connected-cache
+[WIN-9]: /windows/release-health/supported-versions-windows-client#enterprise-and-iot-enterprise-ltsbltsc-editions
+[WIN-10]: /windows/whats-new/ltsc/
+[WIN-11]: /windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview
+[WINS-1]: /windows-server/remote/remote-access/directaccess/directaccess
+[WINS-2]: /windows-server/remote/remote-access/vpn/always-on-vpn/
+