diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index 1c089a6ce5..7a13d3b3fc 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -1090,7 +1090,7 @@ Nodes under SSO can be used to choose a certificate different from the VPN Authe
-Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication.
+Comma Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication.
@@ -1222,7 +1222,7 @@ First, it automatically becomes an always on profile.
Second, it doesn't require the presence or logging in of any user to the machine in order for it to connect.
-Third, no other Device Tunnel profile maybe be present on the same machine.
+Third, no other Device Tunnel profile may be present on the same machine.
A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected.
@@ -1587,7 +1587,7 @@ Boolean to determine whether this domain name rule will trigger the VPN.
-Comma Seperated list of IP addresses for the DNS Servers to use for the domain name.
+Comma Separated list of IP addresses for the DNS Servers to use for the domain name.
@@ -1792,7 +1792,7 @@ Web Proxy Server IP address if you are redirecting traffic through your intranet
-Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
+Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
@@ -2768,8 +2768,10 @@ Required for native profiles. Type of tunneling protocol used.
-> [!NOTE]
-> Using NativeProtocolType requires additional configuration of the NativeProfile/ProtocolList parameter.
+> [!NOTE]
+> For a Device Tunnel, use IKEv2 only.
+> For a User Tunnel, any value is allowed.
+> Using ProtocolList as value in NativeProtocolType requires additional configuration of the NativeProfile/ProtocolList parameter.
@@ -2899,8 +2901,10 @@ List of inbox VPN protocols in priority order.
-> [!NOTE]
-> Up to 4 VPN protocols are supported. A separate entry is needed for every VPN protocol. For a sample format, see [Examples](#examples).
+> [!NOTE]
+> For a User Tunnel up to 4 VPN protocols are supported.
+> A separate entry is needed for every VPN protocol. For a sample format, see [Examples](#examples).
+> For a Device tunnel, we recommend using IKEv2 in NativeProtocolType instead of ProtocolList.
@@ -3032,7 +3036,7 @@ Default 168, max 500000.
-RetryTimeInHours specifies the length of time Windows tries to use the last succesful protocol when making a new connection. Setting this value to 0 disables remembering the last successful protocol.
+RetryTimeInHours specifies the length of time Windows tries to use the last successful protocol when making a new connection. Setting this value to 0 disables remembering the last successful protocol.
@@ -3115,7 +3119,7 @@ Type of routing policy.
-Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
+Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.
@@ -5383,7 +5387,7 @@ Nodes under SSO can be used to choose a certificate different from the VPN Authe
-Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication.
+Comma Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication.
@@ -5823,7 +5827,7 @@ Boolean to determine whether this domain name rule will trigger the VPN.
-Comma Seperated list of IP addresses for the DNS Servers to use for the domain name.
+Comma Separated list of IP addresses for the DNS Servers to use for the domain name.
@@ -6028,7 +6032,7 @@ Web Proxy Server IP address if you are redirecting traffic through your intranet
-Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
+Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
@@ -7004,8 +7008,10 @@ Required for native profiles. Type of tunneling protocol used.
-> [!NOTE]
-> Using NativeProtocolType requires additional configuration of the NativeProfile/ProtocolList parameter.
+> [!NOTE]
+> For a Device Tunnel, use IKEv2 only.
+> For a User Tunnel, any value is allowed.
+> Using ProtocolList as value in NativeProtocolType requires additional configuration of the NativeProfile/ProtocolList parameter.
@@ -7135,8 +7141,10 @@ List of inbox VPN protocols in priority order.
-> [!NOTE]
-> Up to 4 VPN protocols are supported. A separate entry is needed for every VPN protocol. For a sample format, see [Examples](#examples).
+> [!NOTE]
+> For a User Tunnel up to 4 VPN protocols are supported.
+> A separate entry is needed for every VPN protocol. For a sample format, see [Examples](#examples).
+> For a Device tunnel, we recommend using IKEv2 in NativeProtocolType instead of ProtocolList.
@@ -7268,7 +7276,7 @@ Default 168, max 500000.
-RetryTimeInHours specifies the length of time Windows tries to use the last succesful protocol when making a new connection. Setting this value to 0 disables remembering the last successful protocol.
+RetryTimeInHours specifies the length of time Windows tries to use the last successful protocol when making a new connection. Setting this value to 0 disables remembering the last successful protocol.
@@ -7351,7 +7359,7 @@ Type of routing policy.
-Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
+Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.
diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md
index 57f6e8b22d..4b2f8a1fe8 100644
--- a/windows/configuration/kiosk-mdm-bridge.md
+++ b/windows/configuration/kiosk-mdm-bridge.md
@@ -26,8 +26,11 @@ Here's an example to set AssignedAccess configuration:
1. Download the [psexec tool](/sysinternals/downloads/psexec).
2. Run `psexec.exe -i -s cmd.exe`.
-3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell.
-4. Execute the following script:
+3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell.
+
+Step 4 is different for Windows 10 or Windows 11
+
+4. Execute the following script for Windows 10:
```xml
$nameSpaceName="root\cimv2\mdm\dmmap"
@@ -87,3 +90,55 @@ $obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
Set-CimInstance -CimInstance $obj
```
+4. Execute the following script for Windows 11:
+
+ ```xml
+$nameSpaceName="root\cimv2\mdm\dmmap"
+$className="MDM_AssignedAccess"
+$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
+Add-Type -AssemblyName System.Web
+$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ MultiAppKioskUser
+
+
+
+
+"@)
+
+Set-CimInstance -CimInstance $obj
+```
\ No newline at end of file
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 87899c2977..0df2e63128 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -22,8 +22,7 @@ ms.date: 12/31/2017
- Windows 10 Pro, Enterprise, and Education
> [!NOTE]
-> [!INCLUDE [Multi-app kiosk mode not supported on Windows 11](./includes/multi-app-kiosk-support-windows11.md)]
-> The use of multiple monitors isn't supported for multi-app kiosk mode.
+> The use of multiple monitors isn't supported for multi-app kiosk mode in Windows 10.
A [kiosk device](./kiosk-single-app.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don't need to access.
diff --git a/windows/configuration/lock-down-windows-11-to-specific-apps.md b/windows/configuration/lock-down-windows-11-to-specific-apps.md
index fbf303f314..80c498eb6e 100644
--- a/windows/configuration/lock-down-windows-11-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-11-to-specific-apps.md
@@ -18,7 +18,7 @@ ms.topic: how-to
- Windows 11 Pro, Enterprise, and Education
> [!NOTE]
-> The use of multiple monitors isn't supported for multi-app kiosk mode.
+> The use of multiple monitors is supported for multi-app kiosk mode in Windows 11.
An assigned access multi-app kiosk runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for devices that are shared by multiple people. Here's a guide on how to set up a multi-app kiosk.
diff --git a/windows/deployment/update/deployment-service-drivers.md b/windows/deployment/update/deployment-service-drivers.md
index d7608bf6f1..1b895a16d3 100644
--- a/windows/deployment/update/deployment-service-drivers.md
+++ b/windows/deployment/update/deployment-service-drivers.md
@@ -8,7 +8,7 @@ ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
-ms.date: 02/14/2023
+ms.date: 06/16/2023
---
# Deploy drivers and firmware updates with Windows Update for Business deployment service
@@ -123,7 +123,7 @@ To create a policy with additional settings, in the request body:
{
"@odata.type": "#microsoft.graph.windowsUpdates.updatePolicy",
"audience": {
- "@odata.id": "d39ad1ce-0123-4567-89ab-cdef01234567"
+ "id": "d39ad1ce-0123-4567-89ab-cdef01234567"
},
"complianceChanges": [
{
diff --git a/windows/deployment/update/wufb-reports-configuration-intune.md b/windows/deployment/update/wufb-reports-configuration-intune.md
index eb4aec825a..dc875c8675 100644
--- a/windows/deployment/update/wufb-reports-configuration-intune.md
+++ b/windows/deployment/update/wufb-reports-configuration-intune.md
@@ -23,7 +23,7 @@ This article is targeted at configuring devices enrolled to [Microsoft Intune](/
> [!TIP]
> - If you need to troubleshoot client enrollment, consider deploying the [configuration script](#deploy-the-configuration-script) as a Win32 app to a few devices and reviewing the logs it creates. Additional checks are performed with the script to ensure devices are correctly configured.
-> - Intune provides compliance reports and they have their own prerequisites for use. The number of devices that appear in the Intune reports may also vary from the Windows Update for Business reports. For more information, see [Intune compliance reports for updates](/mem/intune/protect/windows-update-compliance-reports).
+> - Intune provides compliance reports and they have their own prerequisites for use. The number of devices that appear in the Intune reports may also vary from the Windows Update for Business reports. For more information, see [Intune compliance reports for updates](/mem/intune/protect/windows-update-reports).
## Create a configuration profile
diff --git a/windows/deployment/update/wufb-wsus.md b/windows/deployment/update/wufb-wsus.md
index 3196b89771..c6bd179c95 100644
--- a/windows/deployment/update/wufb-wsus.md
+++ b/windows/deployment/update/wufb-wsus.md
@@ -46,7 +46,7 @@ To help you better understand the scan source policy, see the default scan behav
- If you configure only the WSUS server policy:
- On Windows 10: All of your updates will come from WSUS.
- - On Windows 11: All of your updates will still come from Windows Update unless you configure the specify scan source policy.
+ - On Windows 11: All of your updates will still come from WSUS unless you configure the specify scan source policy.
- If you configure a WSUS server and deferral policies: All of your updates will come from Windows Update unless you specify the scan source policy.
- If you configure a WSUS server and the scan source policy: All of your updates will come from the source chosen in the scan source policy.
diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md
index 6849160ab4..5c34ff5222 100644
--- a/windows/deployment/wds-boot-support.md
+++ b/windows/deployment/wds-boot-support.md
@@ -40,6 +40,10 @@ The table below provides support details for specific deployment scenarios. Boot
Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provide a better, more flexible, and feature-rich experience for deploying Windows images.
+> [!NOTE]
+>
+> [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) only supports deployment of Windows 10. It doesn't support deployment of Windows 11. For more information, see [Supported platforms](/mem/configmgr/mdt/release-notes#supported-platforms).
+
## Not affected
WDS PXE boot isn't affected by this change. You can still use WDS to PXE boot devices with custom boot images, but you can't use **boot.wim** as the boot image and run Windows Setup in WDS mode.
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
index 4a3c6c4c86..5a5b518816 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
@@ -10,6 +10,8 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: hathind
+ms.collection:
+ - tier2
---
# Add and verify admin contacts
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
index b1f8d211c8..ef153dd2bf 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: andredm7
+ms.collection:
+ - highpri
+ - tier1
---
# Device registration overview
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
index c059889d51..d4c14da227 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: andredm7
+ms.collection:
+ - highpri
+ - tier1
---
# Manage Windows Autopatch groups (public preview)
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
index 730fc16ec4..15829f199b 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: andredm7
+ms.collection:
+ - highpri
+ - tier1
---
# Windows Autopatch groups overview (public preview)
@@ -17,7 +20,7 @@ ms.reviewer: andredm7
> [!IMPORTANT]
> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
**To opt-in to use Windows Autopatch groups:**- Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
- Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
- Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
-As organizations move to a managed-service model where Microsoft manages update processes on their behalf, they’re challenged with having the right representation of their organizational structures followed by their own deployment cadence. Windows Autopatch groups helps organizations manage updates in a way that makes sense for their businesses with no extra cost or unplanned disruptions.
+As organizations move to a managed-service model where Microsoft manages update processes on their behalf, they’re challenged with having the right representation of their organizational structures followed by their own deployment cadence. Windows Autopatch groups help organizations manage updates in a way that makes sense for their businesses with no extra cost or unplanned disruptions.
## What are Windows Autopatch groups?
@@ -64,7 +67,7 @@ The Default Autopatch group uses Windows Autopatch’s default update management
The Default Autopatch group is intended to serve organizations that are looking to:
- Enroll into the service
-- Align to Windows Autopatch’s default update management process without requiring additional customizations.
+- Align to Windows Autopatch’s default update management process without requiring more customizations.
The Default Autopatch group **can’t** be deleted or renamed. However, you can customize its deployment ring composition to add and/or remove deployment rings, and you can also customize the update deployment cadences for each deployment ring within it.
@@ -160,7 +163,7 @@ Autopatch groups creates two different layers. Each layer contains its own deplo
The service-based deployment ring set is exclusively used to keep Windows Autopatch updated with both service and device-level configuration policies, apps and APIs needed for core functions of the service.
-The following are the Azure AD assigned groups that represent the service-based deployment rings. These groups cannot be deleted or renamed:
+The following are the Azure AD assigned groups that represent the service-based deployment rings. These groups can't be deleted or renamed:
- Modern Workplace Devices-Windows Autopatch-Test
- Modern Workplace Devices-Windows Autopatch-First
@@ -174,7 +177,7 @@ The following are the Azure AD assigned groups that represent the service-based
The software-based deployment ring set is exclusively used with software update management policies, such as the Windows update ring and feature update policies, in the Default Windows Autopatch group.
-The following are the Azure AD assigned groups that represent the software updates-based deployment rings. These groups cannot be deleted or renamed:
+The following are the Azure AD assigned groups that represent the software updates-based deployment rings. These groups can't be deleted or renamed:
- Windows Autopatch - Test
- Windows Autopatch – Ring1
@@ -203,7 +206,7 @@ The following are three common uses for using Autopatch groups.
| Scenario | Solution |
| ----- | ----- |
-| You’re working as the IT admin at Contoso Ltd. And manage several Microsoft and non-Microsoft cloud services. You don’t have extra time to spend setting up and managing several Autopatch groups.Your organization currently operates its update management by using five deployment rings, but there’s an opportunity to have flexible deployment cadences if it’s pre-communicated to your end-users.
| If you don’t have thousands of devices to manage, use the Default Autopatch group for your organization. You can edit the Default Autopatch group to include additional deployment rings and/or slightly modify some of its default deployment cadences.The Default Autopatch group is pre-configured and doesn’t require extra configurations when registering devices with the Windows Autopatch service.
The following is a visual representation of a gradual rollout for the Default Autopatch group pre-configured and fully managed by the Windows Autopatch service.
|
+| You’re working as the IT admin at Contoso Ltd. And manage several Microsoft and non-Microsoft cloud services. You don’t have extra time to spend setting up and managing several Autopatch groups.Your organization currently operates its update management by using five deployment rings, but there’s an opportunity to have flexible deployment cadences if it’s precommunicated to your end-users.
| If you don’t have thousands of devices to manage, use the Default Autopatch group for your organization. You can edit the Default Autopatch group to include additional deployment rings and/or slightly modify some of its default deployment cadences.The Default Autopatch group is preconfigured and doesn’t require extra configurations when registering devices with the Windows Autopatch service.
The following is a visual representation of a gradual rollout for the Default Autopatch group preconfigured and fully managed by the Windows Autopatch service.
|
:::image type="content" source="../media/autopatch-groups-default-autopatch-group.png" alt-text="Default Autopatch group" lightbox="../media/autopatch-groups-default-autopatch-group.png":::
@@ -211,7 +214,7 @@ The following are three common uses for using Autopatch groups.
| Scenario | Solution |
| ----- | ----- |
-| You’re working as the IT admin at Contoso Ltd. Your organization needs to plan a gradual rollout of software updates within specific critical business units or departments to help mitigate the risk of end-user disruption. | You can create a Custom Autopatch group for each of your business units, for example, the finance department and breakdown the deployment ring composition per the different user personas or based on how critical certain user groups can be for the department and subsequently for the business.The following is a visual representation of a gradual rollout for Contoso’s Finance department.
|
+| You’re working as the IT admin at Contoso Ltd. Your organization needs to plan a gradual rollout of software updates within specific critical business units or departments to help mitigate the risk of end-user disruption. | You can create a Custom Autopatch group for each of your business units. For example, you can create a Custom Autopatch group for the finance department and breakdown the deployment ring composition per the different user personas or based on how critical certain user groups can be for the department and then for the business.The following is a visual representation of a gradual rollout for Contoso’s Finance department.
|
:::image type="content" source="../media/autopatch-groups-finance-department-example.png" alt-text="Finance department example" lightbox="../media/autopatch-groups-finance-department-example.png":::
@@ -245,7 +248,7 @@ Autopatch groups works with the following software update workloads:
### Maximum number of Autopatch groups
-Windows Autopatch will support up to 50 Autopatch groups in your tenant. You can create up to 49 [Custom Autopatch groups](#about-custom-autopatch-groups) in addition to the [Default Autopatch group](#about-the-default-autopatch-group). Each Autopatch group supports up to 15 deployment rings.
+Windows Autopatch supports up to 50 Autopatch groups in your tenant. You can create up to 49 [Custom Autopatch groups](#about-custom-autopatch-groups) in addition to the [Default Autopatch group](#about-the-default-autopatch-group). Each Autopatch group supports up to 15 deployment rings.
> [!TIP]
> If you reach the maximum number of Autopatch groups supported (50), and try to create more Custom Autopatch groups, the "**Create**" option in the Autopatch groups blade will be greyed out.
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
index 076f04ca7b..eb2f5d26d5 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: andredm7
+ms.collection:
+ - highpri
+ - tier1
---
# Post-device registration readiness checks (public preview)
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index 55ddc49938..3b79bc86cb 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: andredm7
+ms.collection:
+ - highpri
+ - tier1
---
# Register your devices
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
index 1792c44913..fa0d5b2cae 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
@@ -10,6 +10,8 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: andredm7
+ms.collection:
+ - tier2
---
# Deregister a device
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
index fe0551604d..edfc041070 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: adnich
+ms.collection:
+ - highpri
+ - tier1
---
# Device alerts (public preview)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
index c45d4d9c97..03e04c49d8 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: hathind
+ms.collection:
+ - highpri
+ - tier1
---
# Microsoft Edge
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md
index 8323fdbc22..c472f2178a 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: andredm7
+ms.collection:
+ - highpri
+ - tier1
---
# Manage Windows feature update releases: Windows Autopatch groups experience (public preview)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
index e6730c53fb..2e4435991e 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: andredm7
+ms.collection:
+ - highpri
+ - tier1
---
# Software update management: Windows Autopatch groups experience (public preview)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md
index c3b733b603..698bdc24c9 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: andredm7
+ms.collection:
+ - highpri
+ - tier1
---
# Windows feature updates overview: Autopatch groups experience (public preview)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md
index fc177682b7..17cb7aa33c 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: andredm7
+ms.collection:
+ - highpri
+ - tier1
---
# Feature update status report (public preview)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
index 63c6483b4d..95c7c23f50 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: andredm7
+ms.collection:
+ - highpri
+ - tier1
---
# Windows feature update summary dashboard (public preview)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md
index d6c6955600..d7be7a1540 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: andredm7
+ms.collection:
+ - highpri
+ - tier1
---
# Feature update trending report (public preview)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
index 8f10b41042..78da3612ba 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
@@ -10,9 +10,12 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: adnich
+ms.collection:
+ - highpri
+ - tier1
---
-# Windows quality and feature update reports overview: Windows Autopatch groups experience (public preview)
+# Windows quality and feature update reports overview: Windows Autopatch groups experience (public preview)
> [!IMPORTANT]
> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.
**To opt-in to use Windows Autopatch groups:**- Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
- Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
- Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md
index cd1653f964..de3076eac4 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: hathind
+ms.collection:
+ - highpri
+ - tier1
---
# Windows quality update communications: Windows Autopatch groups experience (public preview)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md
index 25705531f4..b62341e010 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: adnich
+ms.collection:
+ - highpri
+ - tier1
---
# Windows quality update end user experience: Windows Autopatch groups experience (public preview)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
index 559e317784..49540bdcf0 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: andredm7
+ms.collection:
+ - highpri
+ - tier1
---
# Windows quality updates: Windows Autopatch groups experience (public preview)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md
index 556a292eb3..db5749bf16 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: hathind
+ms.collection:
+ - highpri
+ - tier1
---
# Windows quality update signals: Windows Autopatch groups experience (public preview)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md
index 4cd9aa18af..95503c7a43 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: adnich
+ms.collection:
+ - highpri
+ - tier1
---
# Quality update status report (public preview)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
index 31ca5e6fac..0b114fc081 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: adnich
+ms.collection:
+ - highpri
+ - tier1
---
# Windows quality update summary dashboard (public preview)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
index 935bb616af..263cf79726 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: adnich
+ms.collection:
+ - highpri
+ - tier1
---
# Quality update trending report (public preview)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md
index 7d03bd8c1e..0158ab6b84 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: rekhanr
+ms.collection:
+ - highpri
+ - tier1
---
# Customize Windows Update settings: Autopatch groups experience (public preview)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
index 43d2a3e596..3fc4df2cbb 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: hathind
+ms.collection:
+ - highpri
+ - tier1
---
# Microsoft 365 Apps for enterprise
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md
index 8e4b4794f4..6e004039fb 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: rekhanr
+ms.collection:
+ - highpri
+ - tier1
---
# Policy health and remediation (public preview)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
index 29e95ec21f..690e61a507 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: hathind
+ms.collection:
+ - highpri
+ - tier1
---
# Submit a support request
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
index b348eca592..5c0649bc8e 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: hathind
+ms.collection:
+ - highpri
+ - tier1
---
# Microsoft Teams
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
index 8a69ef3f78..1269f66d0f 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: hathind
+ms.collection:
+ - highpri
+ - tier1
---
# Unenroll your tenant
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
index 3c850cf312..ab0e071954 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: andredm7
+ms.collection:
+ - highpri
+ - tier1
---
# Software update management
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp.md
index cdbcde747d..8d7c6c6f7f 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: hathind
+ms.collection:
+ - highpri
+ - tier1
---
# Windows feature update end user experience
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
index 95b3391bd5..1ffb5c25f5 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: andredm7
+ms.collection:
+ - highpri
+ - tier1
---
# Windows feature updates
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
index f48428da15..4ed33aeb7b 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: adnich
+ms.collection:
+ - highpri
+ - tier1
---
# All devices report—historical
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md
index a89b5943b8..0b3850461e 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: adnich
+ms.collection:
+ - highpri
+ - tier1
---
# All devices report
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md
index f715f1bba8..a78cbd870b 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: hathind
+ms.collection:
+ - highpri
+ - tier1
---
# Windows quality update communications
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
index f3d6012c50..e0b0cbe8a7 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: adnich
+ms.collection:
+ - highpri
+ - tier1
---
# Eligible devices report—historical
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md
index 1a345f2942..ed6b572591 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: hathind
+ms.collection:
+ - highpri
+ - tier1
---
# Windows quality update end user experience
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
index 330088a5e0..57d6dc58ab 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: adnich
+ms.collection:
+ - highpri
+ - tier1
---
# Ineligible devices report—historical
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
index f12b686427..da8c85bcff 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: andredm7
+ms.collection:
+ - highpri
+ - tier1
---
# Windows quality updates
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md
index c3ea51727d..bf724acb41 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: adnich
+ms.collection:
+ - highpri
+ - tier1
---
# Windows quality update reports
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
index bd21b2a994..7f42913f96 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: hathind
+ms.collection:
+ - highpri
+ - tier1
---
# Windows quality update signals
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md
index 95dd437451..8d1587ce8e 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: adnich
+ms.collection:
+ - highpri
+ - tier1
---
# Summary dashboard
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md
index 50453deea1..e7272739f3 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: rekhanr
+ms.collection:
+ - highpri
+ - tier1
---
# Customize Windows Update settings (public preview)
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
index c515617ae7..64554cdd1f 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
@@ -11,7 +11,7 @@ ms.author: tiaraquan
manager: dougeby
ms.collection:
- highpri
- - tier2
+ - tier1
ms.reviewer: hathind
---
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
index a04a060c4c..0ce2010fe7 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: hathind
+ms.collection:
+ - highpri
+ - tier1
---
# Privacy
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
index 3525a20488..e32bf9efd7 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: hathind
+ms.collection:
+ - highpri
+ - tier1
---
# Roles and responsibilities
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
index e223d515a4..3813ee70ef 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
@@ -10,6 +10,8 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: hathind
+ms.collection:
+ - tier2
---
# Configure your network
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
index 4ca771cece..afe28158bc 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: hathind
+ms.collection:
+ - highpri
+ - tier1
---
# Enroll your tenant
@@ -30,7 +33,7 @@ To start using the Windows Autopatch service, ensure you meet the [Windows Autop
> [!IMPORTANT]
> The online Readiness assessment tool helps you check your readiness to enroll in Windows Autopatch for the first time. Once you enroll, you'll no longer be able to access the tool again.
-The Readiness assessment tool checks the settings in [Microsoft Intune](#microsoft-intune-settings) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Configuration Manager co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements).
+The Readiness assessment tool checks the settings in [Microsoft Intune](#microsoft-intune-settings) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure the settings work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Configuration Manager co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements).
**To access and run the Readiness assessment tool:**
@@ -64,13 +67,13 @@ The following are the Azure Active Directory settings:
### Check results
-For each check, the tool will report one of four possible results:
+For each check, the tool reports one of four possible results:
| Result | Meaning |
| ----- | ----- |
| Ready | No action is required before completing enrollment. |
| Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.You can complete enrollment, but you must fix these issues before you deploy your first device. |
-| Not ready | You must fix these issues before enrollment. You won’t be able to enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. |
+| Not ready | You must fix these issues before enrollment. You can't enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. |
| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check. |
## Step 3: Fix issues with your tenant
@@ -86,11 +89,11 @@ Once the Readiness assessment tool provides you with a "Ready" result, you're re
**To enroll your tenant:**
-Within the Readiness assessment tool, you'll now see the **Enroll** button. By selecting **Enroll**, you'll kick off the enrollment of your tenant to the Windows Autopatch service. During the enrollment workflow, you'll see the following:
+Within the Readiness assessment tool, you can see the **Enroll** button. By selecting **Enroll**, you start the enrollment process of your tenant into the Windows Autopatch service. During the enrollment workflow, you see the following:
- Consent workflow to manage your tenant.
- Provide Windows Autopatch with IT admin contacts.
-- Setup of the Windows Autopatch service on your tenant. This step is where we'll create the policies, groups and accounts necessary to run the service.
+- Setup of the Windows Autopatch service on your tenant. This step is where we create the policies, groups and accounts necessary to run the service.
Once these actions are complete, you've now successfully enrolled your tenant.
@@ -101,7 +104,7 @@ Once these actions are complete, you've now successfully enrolled your tenant.
You can choose to delete the data we collect directly within the Readiness assessment tool.
-Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Azure Active Directory organization (tenant). After 12 months, we retain the data in a de-identified form.
+Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Azure Active Directory organization (tenant). After 12 months, we retain the data in a deidentified form.
> [!NOTE]
> Windows Autopatch will only delete the results we collect within the Readiness assessment tool; Autopatch won't delete any other tenant-level data.
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
index c36d207090..6588ea5a13 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
@@ -10,6 +10,8 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: hathind
+ms.collection:
+ - tier2
---
# Submit a tenant enrollment support request
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
index 413d997112..39f30591e9 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: hathind
+ms.collection:
+ - highpri
+ - tier1
---
# Fix issues found by the Readiness assessment tool
@@ -21,13 +24,13 @@ Seeing issues with your tenant? This article details how to remediate issues fou
## Check results
-For each check, the tool will report one of four possible results:
+For each check, the tool reports one of four possible results:
| Result | Meaning |
| ----- | ----- |
| Ready | No action is required before completing enrollment. |
| Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.
You can complete enrollment, but you must fix these issues before you deploy your first device. |
-| Not ready | You must fix these issues before enrollment. You won’t be able to enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. |
+| Not ready | You must fix these issues before enrollment. You can't enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. |
| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permission to run this check or your tenant isn't properly licensed for Microsoft Intune. |
> [!NOTE]
@@ -43,7 +46,7 @@ Your "Update rings for Windows 10 or later" policy in Intune must not target any
| Result | Meaning |
| ----- | ----- |
-| Advisory | You have an "update ring" policy that targets all devices, all users, or both. Windows Autopatch will also create our own update ring policies during enrollment. To avoid conflicts with Windows Autopatch devices, we'll exclude our devices group from your existing update ring policies that target all devices, all users, or both. You must consent to this change when you go to enroll your tenant.
|
+| Advisory | You have an "update ring" policy that targets all devices, all users, or both. Windows Autopatch creates our own update ring policies during enrollment. To avoid conflicts with Windows Autopatch devices, we exclude our devices group from your existing update ring policies that target all devices, all users, or both. You must consent to this change when you go to enroll your tenant.|
## Azure Active Directory settings
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index 1808dd285c..90e7324a39 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: hathind
+ms.collection:
+ - highpri
+ - tier1
---
# Prerequisites
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
index a1fd2c87e2..458dcd3ff1 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: hathind
+ms.collection:
+ - highpri
+ - tier1
---
# Changes made at tenant enrollment
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-groups-public-preview-addendum.md b/windows/deployment/windows-autopatch/references/windows-autopatch-groups-public-preview-addendum.md
index 29795eceb9..ed57ff6eee 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-groups-public-preview-addendum.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-groups-public-preview-addendum.md
@@ -10,6 +10,9 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: andredm7
+ms.collection:
+ - highpri
+ - tier1
---
# Windows Autopatch groups Public Preview Addendum
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
index e8e54695c8..79d1bbc912 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
@@ -10,13 +10,15 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: hathind
+ms.collection:
+ - tier2
---
# Microsoft 365 Apps for enterprise update policies
## Conflicting and unsupported policies
-Deploying any of the following policies to a managed device will make that device ineligible for management since the device will prevent us from delivering the service as designed.
+Deploying any of the following policies to a managed device makes that device ineligible for management since the device prevents us from delivering the service as designed.
### Update policies
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
index 01ddeb4f2e..9ece385c03 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
@@ -10,13 +10,15 @@ author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: adnich
+ms.collection:
+ - tier2
---
# Windows update policies
## Deployment rings for Windows 10 and later
-The following policies contain settings which apply to both Windows quality and feature updates. After onboarding there will be four of these policies in your tenant with the following naming convention:
+The following policies contain settings that apply to both Windows quality and feature updates. After onboarding there will be four of these policies in your tenant with the following naming convention:
**Modern Workplace Update Policy [ring name] – [Windows Autopatch]**
@@ -44,7 +46,7 @@ The following policies contain settings which apply to both Windows quality and
| Deadline for Windows feature updates | 5 | 5 | 5 | 5 |
| Deadline for Windows quality updates | 0 | 2 | 2 | 5 |
| Grace period | 0 | 2 | 2 | 2 |
-| Auto-restart before deadline | Yes | Yes | Yes | Yes |
+| Auto restart before deadline | Yes | Yes | Yes | Yes |
### Windows 10 and later assignments
@@ -59,7 +61,7 @@ The service deploys policies using Microsoft Intune to control how Windows featu
### Windows feature updates for Windows 10 and later
-These policies control the minimum target version of Windows which a device is meant to accept. Throughout the rest of the article, you will see these policies referred to as DSS policies. After onboarding there will be four of these policies in your tenant with the following naming convention:
+These policies control the minimum target version of Windows that a device is meant to accept. Throughout the rest of the article, these policies are referred to as DSS policies. After onboarding, there will be four of these policies in your tenant with the following naming convention:
**Modern Workplace DSS Policy [ring name]**
@@ -79,7 +81,7 @@ These policies control the minimum target version of Windows which a device is m
#### Windows 11 testing
-To allow customers to test Windows 11 in their environment, there's a separate DSS policy which enables you to test Windows 11 before broadly adopting within your environment.
+To allow customers to test Windows 11 in their environment, there's a separate DSS policy that enables you to test Windows 11 before broadly adopting within your environment.
##### Windows 11 deployment setting
@@ -97,11 +99,11 @@ To allow customers to test Windows 11 in their environment, there's a separate D
## Conflicting and unsupported policies
-Deploying any of the following policies to a Windows Autopatch device will make that device ineligible for management since the device will prevent us from delivering the service as designed.
+Deploying any of the following policies to a Windows Autopatch device makes that device ineligible for management since the device prevents us from delivering the service as designed.
### Update policies
-Window Autopatch deploys mobile device management (MDM) policies to configure devices and requires a specific configuration. If any policies from the [Update Policy CSP](/windows/client-management/mdm/policy-csp-update) are deployed to devices that aren't on the permitted list, those devices will be excluded from management.
+Window Autopatch deploys mobile device management (MDM) policies to configure devices and requires a specific configuration. If any policies from the [Update Policy CSP](/windows/client-management/mdm/policy-csp-update) are deployed to devices that aren't on the permitted list, those devices are excluded from management.
| Allowed policy | Policy CSP | Description |
| ----- | ----- | ----- |
@@ -111,7 +113,7 @@ Window Autopatch deploys mobile device management (MDM) policies to configure de
### Group policy and other policy managers
-Group policy as well as other policy managers can take precedence over mobile device management (MDM) policies. For Windows quality updates, if any policies or configurations are detected which modify the following hives in the registry, the device could become ineligible for management:
+Group policy and other policy managers can take precedence over mobile device management (MDM) policies. For Windows quality updates, if any policies or configurations are detected which modify the following hives in the registry, the device could become ineligible for management:
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState`
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`
diff --git a/windows/security/breadcrumb/toc.yml b/windows/security/breadcrumb/toc.yml
deleted file mode 100644
index 19748bed13..0000000000
--- a/windows/security/breadcrumb/toc.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-items:
-- name: Docs
- tocHref: /
- topicHref: /
- items:
- - name: Windows
- tocHref: /windows/
- topicHref: /windows/resources/
- items:
- - name: Security
- tocHref: /windows-server/security/credentials-protection-and-management/
- topicHref: /windows/security/
- - name: Security
- tocHref: /windows-server/identity/laps/
- topicHref: /windows/security/
- - name: Security
- tocHref: /azure/active-directory/authentication/
- topicHref: /windows/security/
diff --git a/windows/security/context/context.yml b/windows/security/context/context.yml
deleted file mode 100644
index aa53a529eb..0000000000
--- a/windows/security/context/context.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-### YamlMime: ContextObject
-brand: windows
-breadcrumb_path: ../breadcrumb/toc.yml
-toc_rel: ../toc.yml
\ No newline at end of file
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
index 1214df4042..252378807c 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
@@ -143,6 +143,36 @@ In general, to maintain maximum security, admins should only push firewall excep
> [!NOTE]
> The use of wildcard patterns, such as *C:\*\\teams.exe* is not supported in application rules. We currently only support rules created using the full path to the application(s).
+## Understand Group Policy Processing
+
+The Windows Firewall settings configured via group policy are stored in the registry. By default, group policies are refreshed in the background every 90 minutes, with a random offset of 0 to 30 minutes.
+
+When Windows Firewall checks the registry for any configuration changes, the *Windows Filtering Platform (WFP)* performs the following actions:
+
+- Reads all firewall rules and settings
+- Applies any new filters
+- Removes the old filters
+
+> [!NOTE]
+> The actions are triggered regardless if there's a configuration change. During the process, IPsec connections are disconnected.
+
+Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. To control the behavior of the registry group policy processing, you can use the policy `Computer Configuration > Administrative Templates > System > Group Policy > Configure registry policy processing`. The *Process even if the Group Policy objects have not changed* option updates and reapplies the policies even if the policies have not changed. This option is disabled by default.
+
+If you enable the option *Process even if the Group Policy objects have not changed*, the WFP filters get reapplied during every background refresh. In case you have ten group policies, the WFP filters get reapplied ten times during the refresh interval. If an error happens during policy processing, the applied settings may be incomplete, resulting in issues like:
+
+- Windows Defender Firewall blocks inbound or outbound traffic allowed by group policies
+- Local Firewall settings are applied instead of group policy settings
+- IPsec connections cannot establish
+
+The temporary solution is to refresh the group policy settings, using the command `gpupdate.exe /force`, which requires connectivity to a domain controller.
+
+To avoid the issue, leave the policy `Computer Configuration > Administrative Templates > System > Group Policy > Configure registry policy processing` to the default value of *Not Configured* or, if already configured, configure it *Disabled*.
+
+> [!IMPORTANT]
+> The checkbox next to **Process even if the Group Policy objects have not changed** must be unchecked. If you leave it unchecked, WFP filters are written only in case there's a configuration change.
+>
+> If there's a requirement to force registry deletion and rewrite, then disable background processing by checking the checkbox next to **Do not apply during periodic background processing**.
+
## Know how to use "shields up" mode for active attacks
An important firewall feature you can use to mitigate damage during an active attack is the "shields up" mode. It's an informal term referring to an easy method a firewall administrator can use to temporarily increase security in the face of an active attack.
diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md
index 9bce0c01fd..0ed35d4d57 100644
--- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md
@@ -35,9 +35,14 @@ You can use the Windows Defender Application Control (WDAC) Wizard and the Power
1. Create a new base policy using the templates:
- Start with the Policy Creator task and select Multiple Policy Format and Base Policy. Select the Base Template to use for the policy. The example below shows beginning with the [Default Windows Mode](../wdac-wizard-create-base-policy.md#template-base-policies) template and build on top of these rules.
+ Start with the Policy Creator task and select Multiple Policy Format and Base Policy. Select the Base Template to use for the policy. The following example shows beginning with the [Default Windows Mode](../wdac-wizard-create-base-policy.md#template-base-policies) template and build on top of these rules.
+
+ > [!NOTE]
+ > If your AppId Tagging Policy does build off the base templates or does not allow Windows in-box processes, you will notice significant performance regressions, especially during boot. For this reason, it is strongly recommended to build off the base templates.
+ For more information on the issue, see the [AppId Tagging Known Issue](../operations/known-issues.md#slow-boot-and-performance-with-custom-policies).
+
2. Set the following rule-options using the Wizard toggles:
@@ -45,7 +50,7 @@ You can use the Windows Defender Application Control (WDAC) Wizard and the Power
3. Create custom rules:
- Selecting the `+ Custom Rules` button will open the Custom Rules panel. The Wizard supports five types of file rules:
+ Selecting the `+ Custom Rules` button opens the Custom Rules panel. The Wizard supports five types of file rules:
- Publisher rules: Create a rule based off the signing certificate hierarchy. Additionally, the original filename and version can be combined with the signing certificate for added security.
- Path rules: Create a rule based off the path to a file or a parent folder path. Path rules support wildcards.
@@ -58,16 +63,16 @@ You can use the Windows Defender Application Control (WDAC) Wizard and the Power
4. Convert to AppId Tagging Policy:
- After the Wizard builds the policy file, open the file in a text editor and remove the entire "Value=131" SigningScenario text block. The only remaining signing scenario should be "Value=12" which is the usermode application section. Next, open PowerShell in an elevated prompt and run the following command. Replace the AppIdTagging Key-Value pair for your scenario:
+ After the Wizard builds the policy file, open the file in a text editor and remove the entire "Value=131" SigningScenario text block. The only remaining signing scenario should be "Value=12" which is the user mode application section. Next, open PowerShell in an elevated prompt and run the following command. Replace the AppIdTagging Key-Value pair for your scenario:
```powershell
Set-CIPolicyIdInfo -ResetPolicyID -FilePath .\AppIdPolicy.xml -AppIdTaggingPolicy -AppIdTaggingKey "MyKey" -AppIdTaggingValue "MyValue"
```
- The policyID GUID will be returned by PowerShell if successful.
+ The policyID GUID is returned by the PowerShell command if successful.
## Create the policy using PowerShell
-Using this method, you'll create an AppId Tagging policy directly using the WDAC PowerShell commands. These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](./windows-defender-application-control-appid-tagging-guide.md). In an elevate PowerShell instance:
+Using this method, you create an AppId Tagging policy directly using the WDAC PowerShell commands. These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](./windows-defender-application-control-appid-tagging-guide.md). In an elevate PowerShell instance:
1. Create an AppId rule for the policy based on a combination of the signing certificate chain and version of the application. In the example below, the level has been set to SignedVersion. Any of the [WDAC File Rule Levels](../select-types-of-rules-to-create.md#table-2-windows-defender-application-control-policy---file-rule-levels) can be used in AppId rules:
@@ -87,14 +92,14 @@ Using this method, you'll create an AppId Tagging policy directly using the WDAC
Set-RuleOption -Option 18 .\AppIdPolicy.xml # (Optional) Disable FilePath Rule Protection
```
- If you're using filepath rules, you'll likely want to set option 18. Otherwise, there's no need.
+ If you're using filepath rules, you may want to set option 18. Otherwise, there's no need.
4. Set the name and ID on the policy, which is helpful for future debugging:
```powershell
Set-CIPolicyIdInfo -ResetPolicyId -PolicyName "MyPolicyName" -PolicyId "MyPolicyId"" -AppIdTaggingPolicy -FilePath ".\AppIdPolicy.xml"
```
- The policyID GUID will be returned by PowerShell if successful.
+ The policyID GUID is returned by the PowerShell command if successful.
## Deploy for Local Testing
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/known-issue-appid-dll-rule-xml.png b/windows/security/threat-protection/windows-defender-application-control/images/known-issue-appid-dll-rule-xml.png
new file mode 100644
index 0000000000..817c745bd8
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/known-issue-appid-dll-rule-xml.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/known-issue-appid-dll-rule.png b/windows/security/threat-protection/windows-defender-application-control/images/known-issue-appid-dll-rule.png
new file mode 100644
index 0000000000..66a137086a
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/known-issue-appid-dll-rule.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index e8331a7fcf..3b7f22c1df 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -8,7 +8,7 @@ author: jsuther1974
ms.reviewer: jgeurten
ms.author: vinpa
manager: aaroncz
-ms.date: 11/04/2022
+ms.date: 06/14/2023
ms.topic: reference
---
@@ -25,7 +25,7 @@ ms.topic: reference
Members of the security community* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass WDAC.
-Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent application allow policies, including WDAC:
+Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. An attacker can use these applications or files to circumvent application allow policies, including WDAC:
- addinprocess.exe
- addinprocess32.exe
@@ -72,7 +72,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
1 A vulnerability in bginfo.exe was fixed in version 4.22. If you use BGInfo, for security, make sure to download and run the latest version of [BGInfo](/sysinternals/downloads/bginfo). BGInfo versions earlier than 4.22 are still vulnerable and should be blocked.
-2 If you're using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. However, if your reference system is an end-user device that isn't being used in a development context, we recommend that you block msbuild.exe.
+2 If you're using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. Otherwise, we recommend that you block msbuild.exe.
* Microsoft recognizes the efforts of people in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
@@ -99,9 +99,9 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
> [!NOTE]
> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
-Certain software applications may allow other code to run by design. Such applications should be blocked by your WDAC policy. In addition, when an application version is upgraded to fix a security vulnerability or potential WDAC bypass, you should add *deny* rules to your application control policies for that application’s previous, less secure versions.
+Certain software applications may allow other code to run by design. Unless these applications are business critical, you should block them in your WDAC policy. In addition, when an application version is upgraded to fix a security vulnerability or potential WDAC bypass, add *deny* rules to your application control policies for that application’s previous, less secure versions.
-Microsoft recommends that you install the latest security updates. For example, updates help resolve several issues in PowerShell modules that allowed an attacker to bypass WDAC. These modules can't be blocked by name or version, and therefore must be blocked by their corresponding hashes.
+Microsoft recommends that you install the latest security updates. For example, updates help resolve several issues in PowerShell modules that allowed an attacker to bypass WDAC. These modules can be blocked by their corresponding hashes.
As of October 2017, system.management.automation.dll is updated to revoke earlier versions by hash values, instead of version rules.
@@ -111,14 +111,14 @@ If you wish to use this blocklist policy on Windows Server 2016, locate the deny
- msxml6.dll
- jscript9.dll
-The blocklist policy below includes "Allow all" rules for both kernel and user mode that make it safe to deploy as a standalone WDAC policy. On Windows versions 1903 and above, Microsoft recommends converting this policy to multiple policy format using the *Set-CiPolicyIdInfo* cmdlet with the *-ResetPolicyId* switch. Then, you can deploy it as a Base policy side-by-side with any other policies in your environment. To instead add these rules to an existing Base policy, you can merge the policy below using the *Merge-CIPolicy* cmdlet. If merging into an existing policy that includes an explicit allowlist, you should first remove the two "Allow all" rules and their corresponding FileRuleRefs from the sample policy below.
+The blocklist policy that follows includes "Allow all" rules for both kernel and user mode that make it safe to deploy as a standalone WDAC policy. On Windows versions 1903 and above, Microsoft recommends converting this policy to multiple policy format using the *Set-CiPolicyIdInfo* cmdlet with the *-ResetPolicyId* switch. Then, you can deploy it as a Base policy side-by-side with any other policies in your environment. To instead add these rules to an existing Base policy, you can merge the policy that follows using the *Merge-CIPolicy* cmdlet. If merging into an existing policy that includes an explicit allowlist, you should first remove the two "Allow all" rules and their corresponding FileRuleRefs from the blocklist policy.
**WDAC policy XML**:
```xml
- 10.1.0.0
+ 10.1.0.2
{A244370E-44C9-4C06-B551-F6016E563076}
{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}
@@ -159,6 +159,14 @@ The blocklist policy below includes "Allow all" rules for both kernel and user m
+
+
+
+
+
+
+
+
@@ -1500,6 +1508,14 @@ The blocklist policy below includes "Allow all" rules for both kernel and user m
+
+
+
+
+
+
+
+
@@ -1507,6 +1523,18 @@ The blocklist policy below includes "Allow all" rules for both kernel and user m
0
+
+
+
+ Microsoft Windows Recommended User Mode BlockList
+
+
+
+
+ 10.1.0.2
+
+
+
```
diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
index a9c0d42e86..f6616e3bf0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
+++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
@@ -95,3 +95,19 @@ As a workaround, download the MSI file and run it locally:
```console
msiexec –i c:\temp\Windows10_Version_1511_ADMX.msi
```
+### Slow boot and performance with custom policies
+
+WDAC will evaluate all running processes, including inbox Windows processes. If policies don't build off the WDAC templates or don't trust the Windows signers, you'll see slower boot times, degraded performance and possibly boot issues. For these reasons, it's strongly recommended to build off the [WDAC base templates](../example-wdac-base-policies.md).
+
+#### AppId Tagging policy considerations
+
+If the AppId Tagging Policy wasn't built off the WDAC base templates or doesn't allow the Windows in-box signers, you'll notice a significant increase in boot times (~2 minutes).
+
+If you can't allowlist the Windows signers, or build off the WDAC base templates, it is strongly recommended to add the following rule to your policies to improve the performance:
+
+:::image type="content" source="../images/known-issue-appid-dll-rule.png" alt-text="Allow all dlls in the policy.":::
+
+:::image type="content" source="../images/known-issue-appid-dll-rule-xml.png" alt-text="Allow all dll files in the xml policy.":::
+
+
+Since AppId Tagging policies evaluate but can't tag dll files, this rule will short circuit dll evaluation and improve evaluation performance.
\ No newline at end of file