From 24120f589e9709b5fbd16ff37fc4d148f7297512 Mon Sep 17 00:00:00 2001
From: v-tappelgate <91994953+v-tappelgate@users.noreply.github.com>
Date: Wed, 25 May 2022 12:00:33 -0700
Subject: [PATCH 01/77] v-tappelgate-CI-163997
Metadata fix for [CI 163997](https://dev.azure.com/contentidea/ContentIdea/_workitems/edit/163997)
---
.../bitlocker/ts-bitlocker-network-unlock-issues.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
index df10782087..d10158fc36 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
@@ -4,7 +4,7 @@ description: Describes several known issues that you may encounter while using n
ms.technology: windows-sec
ms.prod: m365-security
ms.localizationpriority: medium
-author: Teresa-Motiv
+author: v-tappelgate
ms.author: v-tappelgate
manager: kaushika
ms.reviewer: kaushika
From c51041b06b7d7f0baee15f3c046519363747e5e7 Mon Sep 17 00:00:00 2001
From: themar-msft <33436507+themar-msft@users.noreply.github.com>
Date: Wed, 25 May 2022 14:29:25 -0700
Subject: [PATCH 02/77] Update remotewipe-csp.md
---
windows/client-management/mdm/remotewipe-csp.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index 0771489578..b26beb9800 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -40,7 +40,7 @@ RemoteWipe
--------Status
```
**doWipe**
-Specifies that a remote wipe of the device should be performed. The return status code indicates whether the device accepted the Exec command.
+Specifies that a remote wipe of the device should be performed. A remote wipe is the equivalent of running "Reset this PC > Remove everything" from the Settings app. The return status code indicates whether the device accepted the Exec command.
When used with OMA Client Provisioning, a dummy value of "1" should be included for this element.
@@ -56,9 +56,9 @@ Supported operation is Exec.
The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command.
**doWipeProtected**
-Added in Windows 10, version 1703. Exec on this node performs a remote wipe on the device and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command.
+Added in Windows 10, version 1703. Exec on this node performs a remote wipe on the device and fully clean the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command.
-The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it’s done.
+The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it’s done. Because doWipeProtected will keep trying to reset the device until it's done, use doWipeProtected in lost/stolen device scenarios.
Supported operation is Exec.
From 6b921fcebdd66d577717d10392f442e5de9abc69 Mon Sep 17 00:00:00 2001
From: themar-msft <33436507+themar-msft@users.noreply.github.com>
Date: Tue, 31 May 2022 09:14:40 -0700
Subject: [PATCH 03/77] Update remotewipe-csp.md
---
windows/client-management/mdm/remotewipe-csp.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index b26beb9800..9e7ad1053b 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -40,14 +40,14 @@ RemoteWipe
--------Status
```
**doWipe**
-Specifies that a remote wipe of the device should be performed. A remote wipe is the equivalent of running "Reset this PC > Remove everything" from the Settings app. The return status code indicates whether the device accepted the Exec command.
+Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, the reset will not automatically be retried.
When used with OMA Client Provisioning, a dummy value of "1" should be included for this element.
Supported operation is Exec.
**doWipePersistProvisionedData**
-Specifies that provisioning data should be backed up to a persistent location, and then a remote wipe of the device should be performed.
+Specifies that provisioning data should be backed up to a persistent location, and then a remote doWipe reset of the device should be started.
When used with OMA Client Provisioning, a dummy value of "1" should be included for this element.
@@ -56,14 +56,14 @@ Supported operation is Exec.
The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command.
**doWipeProtected**
-Added in Windows 10, version 1703. Exec on this node performs a remote wipe on the device and fully clean the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command.
+Added in Windows 10, version 1703. Exec on this node performs a remote reset on the device and also fully cleans the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command.
The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it’s done. Because doWipeProtected will keep trying to reset the device until it's done, use doWipeProtected in lost/stolen device scenarios.
Supported operation is Exec.
**doWipePersistUserData**
-Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. The return status code shows whether the device accepted the Exec command.
+Added in Windows 10, version 1709. Exec on this node will perform a doWipe remote reset on the device, and persist user accounts and data. The return status code shows whether the device accepted the Exec command.
**AutomaticRedeployment**
Added in Windows 10, version 1809. Node for the Autopilot Reset operation.
From 65fd817caa8451859fb44fdf8a6e728a6666d5bb Mon Sep 17 00:00:00 2001
From: themar-msft <33436507+themar-msft@users.noreply.github.com>
Date: Tue, 31 May 2022 09:18:02 -0700
Subject: [PATCH 04/77] Update remotewipe-csp.md
---
windows/client-management/mdm/remotewipe-csp.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index 9e7ad1053b..b76855bf76 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -24,7 +24,7 @@ The table below shows the applicability of Windows:
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
-The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely wipe a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely wiped after being lost or stolen.
+The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely reset a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely reset after being lost or stolen.
The following example shows the RemoteWipe configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. Enterprise IT Professionals can update these settings by using the Exchange Server.
```
From 6159c3367bb3c5745dc3a6962daa0ca81f34fc85 Mon Sep 17 00:00:00 2001
From: VLG17 <41186174+VLG17@users.noreply.github.com>
Date: Mon, 6 Jun 2022 18:57:23 +0300
Subject: [PATCH 05/77] M365 Business Premium update path
https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10407
---
windows/deployment/windows-10-subscription-activation.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 2b534e585f..42fc531050 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -30,6 +30,8 @@ Windows 10 Pro supports the Subscription Activation feature, enabling users to
With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**.
+If you have devices that are licensed for Windows 7, 8, and 8.1 Professional, Microsoft 365 Business Premium provides an upgrade to Windows 10 Pro, which is the prerequisite for deploying [Windows 10 Business](https://docs.microsoft.com/en-us/microsoft-365/business-premium/microsoft-365-business-faqs?view=o365-worldwide#what-is-windows-10-business).
+
The Subscription Activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices.
See the following topics:
From be82ff62eac57144df9429d6bee8bc43bf5c305b Mon Sep 17 00:00:00 2001
From: themar-msft <33436507+themar-msft@users.noreply.github.com>
Date: Mon, 6 Jun 2022 10:32:03 -0700
Subject: [PATCH 06/77] Update remotewipe-csp.md
---
.../client-management/mdm/remotewipe-csp.md | 20 +++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index b76855bf76..c00be2ffd3 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -34,20 +34,23 @@ RemoteWipe
----doWipePersistProvisionedData
----doWipeProtected
----doWipePersistUserData
+----doWipeCloud
+----doWipeCloudPersistUserData
+----doWipeCloudPersistProvisionedData
----AutomaticRedeployment
--------doAutomaticRedeployment
--------LastError
--------Status
```
**doWipe**
-Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, the reset will not automatically be retried.
+Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with Clean Data set to No and Delete Files set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, depending on how far the reset progressed, the PC can roll back to the pre-reset state.
When used with OMA Client Provisioning, a dummy value of "1" should be included for this element.
Supported operation is Exec.
**doWipePersistProvisionedData**
-Specifies that provisioning data should be backed up to a persistent location, and then a remote doWipe reset of the device should be started.
+Specifies that provisioning packages in ProgramData\Microsoft\Provisioning folder will be retained and applied to the OS after the reset.
When used with OMA Client Provisioning, a dummy value of "1" should be included for this element.
@@ -58,12 +61,21 @@ The information that was backed up will be restored and applied to the device wh
**doWipeProtected**
Added in Windows 10, version 1703. Exec on this node performs a remote reset on the device and also fully cleans the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command.
-The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it’s done. Because doWipeProtected will keep trying to reset the device until it's done, use doWipeProtected in lost/stolen device scenarios.
+The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, if a reset that uses doWipeProtected is interrupted, upon restart it will clean the PC's disk partitions. Because doWipeProtected will clean the partitions in case of failure or interruption, use doWipeProtected in lost/stolen device scenarios.
Supported operation is Exec.
**doWipePersistUserData**
-Added in Windows 10, version 1709. Exec on this node will perform a doWipe remote reset on the device, and persist user accounts and data. The return status code shows whether the device accepted the Exec command.
+Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting “Keep my files” when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command.
+
+**DoWipeCloud**
+Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment.
+
+**DoWipeCloudPersistUserData**
+Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment.
+
+**DoWipeCloudPersistProvisionedData**
+Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment.
**AutomaticRedeployment**
Added in Windows 10, version 1809. Node for the Autopilot Reset operation.
From 5a0922f0aaddacf3b0abddbfb7822d9cf644326e Mon Sep 17 00:00:00 2001
From: themar-msft <33436507+themar-msft@users.noreply.github.com>
Date: Mon, 6 Jun 2022 10:36:14 -0700
Subject: [PATCH 07/77] Update remotewipe-csp.md
---
windows/client-management/mdm/remotewipe-csp.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index c00be2ffd3..71cbd89d31 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -43,14 +43,14 @@ RemoteWipe
--------Status
```
**doWipe**
-Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with Clean Data set to No and Delete Files set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, depending on how far the reset progressed, the PC can roll back to the pre-reset state.
+Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with **Clean Data** set to No and **Delete Files** set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, depending on how far the reset progressed, the PC can roll back to the pre-reset state.
When used with OMA Client Provisioning, a dummy value of "1" should be included for this element.
Supported operation is Exec.
**doWipePersistProvisionedData**
-Specifies that provisioning packages in ProgramData\Microsoft\Provisioning folder will be retained and applied to the OS after the reset.
+Specifies that provisioning packages in the `%SystemDrive%\ProgramData\Microsoft\Provisioning` folder will be retained and then applied to the OS after the reset.
When used with OMA Client Provisioning, a dummy value of "1" should be included for this element.
@@ -66,7 +66,7 @@ The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which
Supported operation is Exec.
**doWipePersistUserData**
-Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting “Keep my files” when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command.
+Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting "Reset this PC > Keep my files" when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command.
**DoWipeCloud**
Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment.
From 4dd6d377b583e71ce35a3d0526fcab5d2d5e822a Mon Sep 17 00:00:00 2001
From: VLG17 <41186174+VLG17@users.noreply.github.com>
Date: Tue, 7 Jun 2022 08:51:06 +0300
Subject: [PATCH 08/77] Update
windows/deployment/windows-10-subscription-activation.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/deployment/windows-10-subscription-activation.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 42fc531050..a9a1139765 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -30,7 +30,7 @@ Windows 10 Pro supports the Subscription Activation feature, enabling users to
With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**.
-If you have devices that are licensed for Windows 7, 8, and 8.1 Professional, Microsoft 365 Business Premium provides an upgrade to Windows 10 Pro, which is the prerequisite for deploying [Windows 10 Business](https://docs.microsoft.com/en-us/microsoft-365/business-premium/microsoft-365-business-faqs?view=o365-worldwide#what-is-windows-10-business).
+If you have devices that are licensed for Windows 7, 8, and 8.1 Professional, Microsoft 365 Business Premium provides an upgrade to Windows 10 Pro, which is the prerequisite for deploying [Windows 10 Business](/microsoft-365/business-premium/microsoft-365-business-faqs?view=o365-worldwide#what-is-windows-10-business).
The Subscription Activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices.
From 31a2c426943eae7b1369558d564d8dfef0d824c9 Mon Sep 17 00:00:00 2001
From: Michael Nady
Date: Wed, 8 Jun 2022 09:50:49 +0200
Subject: [PATCH 09/77] #10340
#10340 the feedback was about stressing that a step is not needed for Windows Server 2019. I discovered that this is already mentioned in the article, so I made that statement bold to make it stand out.
---
.../hello-for-business/hello-cert-trust-validate-ad-prereq.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index 53a69d9ca8..35d754ebe4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -25,7 +25,9 @@ ms.reviewer:
- On-premises deployment
- Certificate trust
-The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the **Updating the Schema** and **Create the KeyCredential Admins Security Global Group** steps.
+The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema.
+
+**If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the 'Updating the Schema' and 'Create the KeyCredential Admins Security Global Group' steps below.**
Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 or later DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role.
From fe0b1343e3c29d31b131c78396dd6c9584f67566 Mon Sep 17 00:00:00 2001
From: Michael Nady
Date: Wed, 8 Jun 2022 10:11:58 +0200
Subject: [PATCH 10/77] #10356
#10356 I followed the discussion on the original post and I implemented these changes accordingly
---
.../hello-for-business/hello-cert-trust-policy-settings.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index 18e5489911..dc18e09acc 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -60,7 +60,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H
3. Right-click **Group Policy object** and select **New**.
4. Type *Enable Windows Hello for Business* in the name box and click **OK**.
5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
-6. In the navigation pane, expand **Policies** under **User Configuration**.
+6. In the navigation pane, expand **Policies** under **User Configuration** (this the only option for for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**).
7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**.
9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**.
@@ -70,7 +70,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H
1. Start the **Group Policy Management Console** (gpmc.msc).
2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
-4. In the navigation pane, expand **Policies** under **User Configuration**.
+4. In the navigation pane, expand **Policies** under **User Configuration** (this the only option for for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**).
5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**.
6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**.
7. Select **Enabled** from the **Configuration Model** list.
From 14d52784f84f4299207d60613f2914945f51575a Mon Sep 17 00:00:00 2001
From: Florian Stosse
Date: Wed, 8 Jun 2022 17:05:19 +0200
Subject: [PATCH 11/77] Fix indentation in XML code block
---
.../microsoft-recommended-block-rules.md | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index 0fbd505f00..ddc280cfb4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -162,7 +162,7 @@ Select the correct version of each .dll for the Windows release you plan to supp
-
+
@@ -877,7 +877,7 @@ Select the correct version of each .dll for the Windows release you plan to supp
-
+
@@ -905,10 +905,10 @@ Select the correct version of each .dll for the Windows release you plan to supp
+
+
+
+ -->
From 8422c4ed7ae744192f99f7ccfb881260fedddc0e Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Wed, 8 Jun 2022 21:28:21 +0530
Subject: [PATCH 12/77] added curly brackets
as per user report #10583, I added curly brackets. but i could not able add the correct screenshot.
---
.../hello-for-business/passwordless-strategy.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index 8ca6538d48..74765dffac 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -251,7 +251,7 @@ You can use Group Policy to deploy an administrative template policy setting to
:::image type="content" source="images/passwordless/gpmc-exclude-credential-providers.png" alt-text="The Group Policy Management Editor displaying the location of 'Logon' node and the policy setting 'Exclude credential providers'.":::
-The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is `60b78e88-ead8-445c-9cfd-0b87f74ea6cd`.
+The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is `{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`.
:::image type="content" source="images/passwordless/exclude-credential-providers-properties.png" alt-text="Properties of the policy setting 'Exclude credential providers'.":::
From 76a1a78899f4f14af0caa4ad18efd3fb9fa2524e Mon Sep 17 00:00:00 2001
From: Mark Renoden
Date: Fri, 10 Jun 2022 11:10:50 +1000
Subject: [PATCH 13/77] Update hello-hybrid-cloud-trust.md
Adding a clarification for the 2016+ Domain Controller requirements.
---
.../hello-for-business/hello-hybrid-cloud-trust.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
index a86fb2633a..cfc435c989 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
@@ -48,6 +48,8 @@ When you enable Azure AD Kerberos in a domain, an Azure AD Kerberos Server objec
More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview).
+If using the hybrid cloud trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Read-Write Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business.
+
## Prerequisites
| Requirement | Notes |
From 6519ec617ac73aa271cc60b156a0717497feed97 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Fri, 10 Jun 2022 11:22:24 +0500
Subject: [PATCH 14/77] Update
use-windows-defender-application-control-with-dynamic-code-security.md
---
...defender-application-control-with-dynamic-code-security.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
index b1ace98992..ecf7941e63 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
@@ -24,7 +24,7 @@ Historically, Windows Defender Application Control (WDAC) has restricted the set
Security researchers have found that some .NET applications may be used to circumvent those controls by using .NET’s capabilities to load libraries from external sources or generate new code on the fly.
Beginning with Windows 10, version 1803, or Windows 11, WDAC features a new capability, called *Dynamic Code Security* to verify code loaded by .NET at runtime.
-When the Dynamic Code Security option is enabled, WDAC policy is applied to libraries that .NET loads from external sources.
+When the Dynamic Code Security option is enabled, WDAC policy is applied to libraries that .NET loads from external sources (any non-local sources, such as Internet or network share).
Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with.
Dynamic Code Security is not enabled by default because existing policies may not account for externally loaded libraries.
@@ -39,4 +39,4 @@ To enable Dynamic Code Security, add the following option to the `` secti
-```
\ No newline at end of file
+```
From 55e8d06d7f24e423d0b58077342beb178737c5fe Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Fri, 10 Jun 2022 11:58:59 +0500
Subject: [PATCH 15/77] Update system-failure-recovery-options.md
---
.../system-failure-recovery-options.md | 60 ++++++++++++++++++-
1 file changed, 59 insertions(+), 1 deletion(-)
diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md
index 777b9fa6ec..5ea73e75a2 100644
--- a/windows/client-management/system-failure-recovery-options.md
+++ b/windows/client-management/system-failure-recovery-options.md
@@ -184,6 +184,63 @@ To specify that you don't want to overwrite any previous kernel or complete memo
- Set the **Overwrite** DWORD value to **0**.
+#### Automatic Memory Dump
+
+The default option. An Automatic Memory Dump contains the same information as a Kernel Memory Dump. The difference between the two is in the way that Windows sets the size of the system paging file. If the system paging file size is set to **System managed size**, and the kernel-mode crash dump is set to **Automatic Memory Dump**, then Windows can set the size of the paging file to less than the size of RAM. In this case, Windows sets the size of the paging file large enough to ensure that a kernel memory dump can be captured most of the time.
+
+If the computer crashes and the paging file is not large enough to capture a kernel memory dump, Windows increases the size of the paging file to at least the size of RAM. For more details, see [Automatic Memory Dump](/windows-hardware/drivers/debugger/automatic-memory-dump).
+
+To specify that you want to use a automatic memory dump file, run the following command or modify the registry value:
+
+- ```cmd
+ wmic recoveros set DebugInfoType = 7
+ ```
+
+- Set the **CrashDumpEnabled** DWORD value to **7**.
+
+To specify that you want to use a file as your memory dump file, run the following command or modify the registry value:
+
+- ```cmd
+ wmic recoveros set DebugFilePath =
+ ```
+
+- Set the **DumpFile** Expandable String Value to \.
+
+To specify that you don't want to overwrite any previous kernel or complete memory dump files, run the following command or modify the registry value:
+
+- ```cmd
+ wmic recoveros set OverwriteExistingDebugFile = 0
+ ```
+
+- Set the **Overwrite** DWORD value to **0**.
+
+#### Active Memory Dump
+
+An Active Memory Dump is similar to a Complete Memory Dump, but it filters out pages that are not likely to be relevant to troubleshooting problems on the host machine. Because of this filtering, it is typically significantly smaller than a complete memory dump.
+
+This dump file does include any memory allocated to user-mode applications. It also includes memory allocated to the Windows kernel and hardware abstraction layer, as well as memory allocated to kernel-mode drivers and other kernel-mode programs. The dump includes active pages mapped into the kernel or user space that are useful for debugging, as well as selected Pagefile-backed Transition, Standby, and Modified pages such as the memory allocated with VirtualAlloc or page-file backed sections. Active dumps do not include pages on the free and zeroed lists, the file cache, guest VM pages and various other types of memory that are not likely to be useful during debugging. For more details, see [Active Memory Dump](windows-hardware/drivers/debugger/active-memory-dump).
+
+To specify that you want to use an active memory dump file, modify the registry value:
+
+- Set the **CrashDumpEnabled** DWORD value to **1**.
+- Set the **FilterPages** DWORD value to **1**.
+
+To specify that you want to use a file as your memory dump file, run the following command or modify the registry value:
+
+- ```cmd
+ wmic recoveros set DebugFilePath =
+ ```
+
+- Set the DumpFile Expandable String Value to \.
+
+To specify that you don't want to overwrite any previous kernel or complete memory dump files, run the following command or modify the registry value:
+
+- ```cmd
+ wmic recoveros set OverwriteExistingDebugFile = 0
+ ```
+
+- Set the **Overwrite** DWORD value to **0**.
+
>[!Note]
>If you contact Microsoft Support about a Stop error, you might be asked for the memory dump file that is generated by the Write Debugging Information option.
@@ -192,6 +249,7 @@ To view system failure and recovery settings for your local computer, type **wmi
>[!Note]
>To successfully use these Wmic.exe command line examples, you must be logged on by using a user account that has administrative rights on the computer. If you are not logged on by using a user account that has administrative rights on the computer, use the **/user:user_name** and **/password:password** switches.
+
### Tips
- To take advantage of the dump file feature, your paging file must be on the boot volume. If you've moved the paging file to another volume, you must move it back to the boot volume before you use this feature.
@@ -202,4 +260,4 @@ To view system failure and recovery settings for your local computer, type **wmi
## References
-[Varieties of Kernel-Mode Dump Files](/windows-hardware/drivers/debugger/varieties-of-kernel-mode-dump-files)
\ No newline at end of file
+[Varieties of Kernel-Mode Dump Files](/windows-hardware/drivers/debugger/varieties-of-kernel-mode-dump-files)
From 6208eafa2a95d677e4dc4786e0f323cda7e73ca3 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Fri, 10 Jun 2022 13:23:58 +0500
Subject: [PATCH 16/77] Update hello-feature-dynamic-lock.md
---
.../hello-for-business/hello-feature-dynamic-lock.md | 3 +++
1 file changed, 3 insertions(+)
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
index 7025fb4173..6f5edfb03b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -25,6 +25,9 @@ ms.reviewer:
Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it.
+>[!IMPORTANT]
+>The feature only locks the computer if Bluetooth signal falls and the system is idle. If the system is not idle (for example, intruder got access **before** Bluetooth signal falls below the limit), it will not be locked. Therefor, dynamic lock is an additional barrier, it does not replace the need to lock the computer by user, it only reduces the probability of someone gaining access if user forgets to lock it.
+
You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**.
The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value:
From a16337c48f4ef972dc3b6c937b503f685b879688 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Sun, 12 Jun 2022 15:03:13 +0500
Subject: [PATCH 17/77] Update
windows/client-management/system-failure-recovery-options.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/client-management/system-failure-recovery-options.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md
index 5ea73e75a2..8758e25c63 100644
--- a/windows/client-management/system-failure-recovery-options.md
+++ b/windows/client-management/system-failure-recovery-options.md
@@ -186,7 +186,7 @@ To specify that you don't want to overwrite any previous kernel or complete memo
#### Automatic Memory Dump
-The default option. An Automatic Memory Dump contains the same information as a Kernel Memory Dump. The difference between the two is in the way that Windows sets the size of the system paging file. If the system paging file size is set to **System managed size**, and the kernel-mode crash dump is set to **Automatic Memory Dump**, then Windows can set the size of the paging file to less than the size of RAM. In this case, Windows sets the size of the paging file large enough to ensure that a kernel memory dump can be captured most of the time.
+This is the default option. An Automatic Memory Dump contains the same information as a Kernel Memory Dump. The difference between the two is in the way that Windows sets the size of the system paging file. If the system paging file size is set to **System managed size**, and the kernel-mode crash dump is set to **Automatic Memory Dump**, then Windows can set the size of the paging file to less than the size of RAM. In this case, Windows sets the size of the paging file large enough to ensure that a kernel memory dump can be captured most of the time.
If the computer crashes and the paging file is not large enough to capture a kernel memory dump, Windows increases the size of the paging file to at least the size of RAM. For more details, see [Automatic Memory Dump](/windows-hardware/drivers/debugger/automatic-memory-dump).
From f796ba6826e724296c97c01156087fa500963e5b Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Sun, 12 Jun 2022 15:03:23 +0500
Subject: [PATCH 18/77] Update
windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../hello-for-business/hello-feature-dynamic-lock.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
index 6f5edfb03b..cd2812800e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -25,8 +25,8 @@ ms.reviewer:
Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it.
->[!IMPORTANT]
->The feature only locks the computer if Bluetooth signal falls and the system is idle. If the system is not idle (for example, intruder got access **before** Bluetooth signal falls below the limit), it will not be locked. Therefor, dynamic lock is an additional barrier, it does not replace the need to lock the computer by user, it only reduces the probability of someone gaining access if user forgets to lock it.
+> [!IMPORTANT]
+> The feature only locks the computer if the Bluetooth signal falls and the system is idle. If the system is not idle (for example, the intruder got access **before** the Bluetooth signal falls below the limit), it will not be locked. Therefore, the dynamic lock feature is an additional barrier, it does not replace the need to lock the computer by the user, it only reduces the probability of someone gaining access if the user forgets to lock it.
You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**.
From 165ca3756c3e03ed6f75fd8a60654ad8a9d364a5 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Sun, 12 Jun 2022 15:03:28 +0500
Subject: [PATCH 19/77] Update
windows/client-management/system-failure-recovery-options.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/client-management/system-failure-recovery-options.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md
index 8758e25c63..a69c702060 100644
--- a/windows/client-management/system-failure-recovery-options.md
+++ b/windows/client-management/system-failure-recovery-options.md
@@ -216,7 +216,7 @@ To specify that you don't want to overwrite any previous kernel or complete memo
#### Active Memory Dump
-An Active Memory Dump is similar to a Complete Memory Dump, but it filters out pages that are not likely to be relevant to troubleshooting problems on the host machine. Because of this filtering, it is typically significantly smaller than a complete memory dump.
+An Active Memory Dump is similar to a Complete Memory Dump, but it filters out pages that are not likely to be relevant to troubleshooting problems on the host machine. Because of this filtering, it is typically significantly smaller than a Complete Memory Dump.
This dump file does include any memory allocated to user-mode applications. It also includes memory allocated to the Windows kernel and hardware abstraction layer, as well as memory allocated to kernel-mode drivers and other kernel-mode programs. The dump includes active pages mapped into the kernel or user space that are useful for debugging, as well as selected Pagefile-backed Transition, Standby, and Modified pages such as the memory allocated with VirtualAlloc or page-file backed sections. Active dumps do not include pages on the free and zeroed lists, the file cache, guest VM pages and various other types of memory that are not likely to be useful during debugging. For more details, see [Active Memory Dump](windows-hardware/drivers/debugger/active-memory-dump).
From feabf31b3a21c580174a37b7f3c1e9d4900a7a17 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Sun, 12 Jun 2022 15:03:32 +0500
Subject: [PATCH 20/77] Update
windows/client-management/system-failure-recovery-options.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/client-management/system-failure-recovery-options.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md
index a69c702060..3f77ed5794 100644
--- a/windows/client-management/system-failure-recovery-options.md
+++ b/windows/client-management/system-failure-recovery-options.md
@@ -190,7 +190,7 @@ This is the default option. An Automatic Memory Dump contains the same informati
If the computer crashes and the paging file is not large enough to capture a kernel memory dump, Windows increases the size of the paging file to at least the size of RAM. For more details, see [Automatic Memory Dump](/windows-hardware/drivers/debugger/automatic-memory-dump).
-To specify that you want to use a automatic memory dump file, run the following command or modify the registry value:
+To specify that you want to use an automatic memory dump file, run the following command or modify the registry value:
- ```cmd
wmic recoveros set DebugInfoType = 7
From 670514fa1b5c2eb7750148d930f5284f6818408f Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Sun, 12 Jun 2022 15:03:38 +0500
Subject: [PATCH 21/77] Update
windows/client-management/system-failure-recovery-options.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/client-management/system-failure-recovery-options.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md
index 3f77ed5794..b1cbad90d2 100644
--- a/windows/client-management/system-failure-recovery-options.md
+++ b/windows/client-management/system-failure-recovery-options.md
@@ -218,7 +218,7 @@ To specify that you don't want to overwrite any previous kernel or complete memo
An Active Memory Dump is similar to a Complete Memory Dump, but it filters out pages that are not likely to be relevant to troubleshooting problems on the host machine. Because of this filtering, it is typically significantly smaller than a Complete Memory Dump.
-This dump file does include any memory allocated to user-mode applications. It also includes memory allocated to the Windows kernel and hardware abstraction layer, as well as memory allocated to kernel-mode drivers and other kernel-mode programs. The dump includes active pages mapped into the kernel or user space that are useful for debugging, as well as selected Pagefile-backed Transition, Standby, and Modified pages such as the memory allocated with VirtualAlloc or page-file backed sections. Active dumps do not include pages on the free and zeroed lists, the file cache, guest VM pages and various other types of memory that are not likely to be useful during debugging. For more details, see [Active Memory Dump](windows-hardware/drivers/debugger/active-memory-dump).
+This dump file includes any memory allocated to user-mode applications. It also includes memory allocated to the Windows kernel and hardware abstraction layer, as well as memory allocated to kernel-mode drivers and other kernel-mode programs. The dump includes active pages mapped into the kernel or user space that are useful for debugging, as well as selected Pagefile-backed Transition, Standby, and Modified pages such as the memory allocated with VirtualAlloc or page-file-backed sections. Active dumps do not include pages on the free and zeroed lists, the file cache, guest VM pages, and various other types of memory that are not likely to be useful during debugging. For more details, see [Active Memory Dump](windows-hardware/drivers/debugger/active-memory-dump).
To specify that you want to use an active memory dump file, modify the registry value:
From 18551c254f1571b2333af303c2a5d86ea8712114 Mon Sep 17 00:00:00 2001
From: Michael Nady
Date: Sun, 12 Jun 2022 15:25:10 +0200
Subject: [PATCH 22/77] Update
windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../hello-for-business/hello-cert-trust-policy-settings.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index dc18e09acc..8c6cd85e3c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -60,7 +60,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H
3. Right-click **Group Policy object** and select **New**.
4. Type *Enable Windows Hello for Business* in the name box and click **OK**.
5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
-6. In the navigation pane, expand **Policies** under **User Configuration** (this the only option for for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**).
+6. In the navigation pane, expand **Policies** under **User Configuration** (this is the only option for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**).
7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**.
9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**.
From 66e81da09ddfc8d17f485cdaf3672a1a4afedae7 Mon Sep 17 00:00:00 2001
From: Michael Nady
Date: Sun, 12 Jun 2022 15:25:18 +0200
Subject: [PATCH 23/77] Update
windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../hello-for-business/hello-cert-trust-policy-settings.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index 8c6cd85e3c..8e344e9b31 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -70,7 +70,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H
1. Start the **Group Policy Management Console** (gpmc.msc).
2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
-4. In the navigation pane, expand **Policies** under **User Configuration** (this the only option for for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**).
+4. In the navigation pane, expand **Policies** under **User Configuration** (this is the only option for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**).
5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**.
6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**.
7. Select **Enabled** from the **Configuration Model** list.
From 19119c4179ba728216eb1cd7508f5db8d0fc6095 Mon Sep 17 00:00:00 2001
From: Michael Nady
Date: Tue, 14 Jun 2022 15:05:52 +0200
Subject: [PATCH 24/77] #10364
#10364
---
.../applocker/script-rules-in-applocker.md | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
index 48095da0ce..0daa8696c8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
@@ -29,6 +29,7 @@ ms.technology: windows-sec
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+
This topic describes the file formats and available default rules for the script rule collection.
AppLocker defines script rules to include only the following file formats:
@@ -46,6 +47,9 @@ The following table lists the default rules that are available for the script ru
| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: %windir%\*|
| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: %programfiles%\*|
+>[!NOTE]
+>Windows Defender Application Control cannot be used to block Powershell scripts. Applocker just forces Powershell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event - which literally states the script will be blocked. After which the script runs.
+
## Related topics
- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
From b54238312d20f7a29714179d9536fe1bfabd07dc Mon Sep 17 00:00:00 2001
From: Michael Nady
Date: Tue, 14 Jun 2022 15:24:06 +0200
Subject: [PATCH 25/77] #10384
#10384
---
...ty-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md | 3 +++
1 file changed, 3 insertions(+)
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
index f53a1e1665..a4973e313a 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
@@ -25,6 +25,9 @@ ms.technology: windows-sec
Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting.
+
+>[!NOTE]
+>To learn more about configuring a server to be accessed remotely, check [Remote Desktop - Allow access to your PC](https://github.com/MicrosoftDocs/windowsserverdocs/edit/main/WindowsServerDocs/remote/remote-desktop-services/clients/remote-desktop-allow-access.md)
## Reference
The **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** policy setting allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system.
From 8c08b60f3ed7a16b4f5dfe6ee98e193671a3a74a Mon Sep 17 00:00:00 2001
From: Michael Nady
Date: Tue, 14 Jun 2022 15:26:06 +0200
Subject: [PATCH 26/77] Update
windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../hello-for-business/hello-cert-trust-validate-ad-prereq.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index 35d754ebe4..22b2eb2e66 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -25,7 +25,7 @@ ms.reviewer:
- On-premises deployment
- Certificate trust
-The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema.
+The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema.
**If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the 'Updating the Schema' and 'Create the KeyCredential Admins Security Global Group' steps below.**
From 1b41f5d390694de82096210c25d07d97d39af19b Mon Sep 17 00:00:00 2001
From: Michael Nady
Date: Tue, 14 Jun 2022 15:26:53 +0200
Subject: [PATCH 27/77] Update
windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../hello-for-business/hello-cert-trust-validate-ad-prereq.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index 22b2eb2e66..e1bb8e2f6e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -27,7 +27,8 @@ ms.reviewer:
The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema.
-**If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the 'Updating the Schema' and 'Create the KeyCredential Admins Security Global Group' steps below.**
+> [!NOTE]
+> If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the "Updating the Schema" and "Create the KeyCredential Admins Security Global Group" steps that follow.**
Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 or later DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role.
From cb967191c257d57de2b1145cf2c732f4f72443af Mon Sep 17 00:00:00 2001
From: GrischaE1 <54313015+GrischaE1@users.noreply.github.com>
Date: Wed, 15 Jun 2022 18:40:23 +0200
Subject: [PATCH 28/77] Set Policy Driven Update path's are wrong
All Updates SetPolicyDrivenUpdateSource path's are wrong - there needs an "Updates" added to the settings name.
Verified under 21H2 -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Update
---
.../mdm/policy-csp-update.md | 34 +++++++++----------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 4c9d94d790..b06a5e7de2 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -3478,7 +3478,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForDriver**
+**Update/SetPolicyDrivenUpdateSourceForDriverUpdates**
The table below shows the applicability of Windows:
@@ -3508,9 +3508,9 @@ The table below shows the applicability of Windows:
Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server.
If you configure this policy, also configure the scan source policies for other update types:
-- SetPolicyDrivenUpdateSourceForFeature
-- SetPolicyDrivenUpdateSourceForQuality
-- SetPolicyDrivenUpdateSourceForOther
+- SetPolicyDrivenUpdateSourceForFeatureUpdates
+- SetPolicyDrivenUpdateSourceForQualityUpdates
+- SetPolicyDrivenUpdateSourceForOtherUpdates
>[!NOTE]
>If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect.
@@ -3536,7 +3536,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForFeature**
+**Update/SetPolicyDrivenUpdateSourceForFeatureUpdates**
The table below shows the applicability of Windows:
@@ -3566,9 +3566,9 @@ The table below shows the applicability of Windows:
Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server.
If you configure this policy, also configure the scan source policies for other update types:
-- SetPolicyDrivenUpdateSourceForQuality
-- SetPolicyDrivenUpdateSourceForDriver
-- SetPolicyDrivenUpdateSourceForOther
+- SetPolicyDrivenUpdateSourceForQualityUpdates
+- SetPolicyDrivenUpdateSourceForDriverUpdates
+- SetPolicyDrivenUpdateSourceForOtherUpdates
>[!NOTE]
>If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect.
@@ -3594,7 +3594,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForOther**
+**Update/SetPolicyDrivenUpdateSourceForOtherUpdates**
The table below shows the applicability of Windows:
@@ -3624,9 +3624,9 @@ The table below shows the applicability of Windows:
Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server.
If you configure this policy, also configure the scan source policies for other update types:
-- SetPolicyDrivenUpdateSourceForFeature
-- SetPolicyDrivenUpdateSourceForQuality
-- SetPolicyDrivenUpdateSourceForDriver
+- SetPolicyDrivenUpdateSourceForFeatureUpdates
+- SetPolicyDrivenUpdateSourceForQualityUpdates
+- SetPolicyDrivenUpdateSourceForDriverUpdates
>[!NOTE]
>If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect.
@@ -3652,7 +3652,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForQuality**
+**Update/SetPolicyDrivenUpdateSourceForQualityUpdates**
The table below shows the applicability of Windows:
@@ -3682,9 +3682,9 @@ The table below shows the applicability of Windows:
Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server.
If you configure this policy, also configure the scan source policies for other update types:
-- SetPolicyDrivenUpdateSourceForFeature
-- SetPolicyDrivenUpdateSourceForDriver
-- SetPolicyDrivenUpdateSourceForOther
+- SetPolicyDrivenUpdateSourceForFeatureUpdates
+- SetPolicyDrivenUpdateSourceForDriverUpdates
+- SetPolicyDrivenUpdateSourceForOtherUpdates
>[!NOTE]
>If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect.
@@ -4013,4 +4013,4 @@ ADMX Info:
## Related topics
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy configuration service provider](policy-configuration-service-provider.md)
From 066609bfd10c47e1cc23c0e9f68e708138f09925 Mon Sep 17 00:00:00 2001
From: themar-msft <33436507+themar-msft@users.noreply.github.com>
Date: Wed, 15 Jun 2022 11:30:26 -0700
Subject: [PATCH 29/77] Update remotewipe-csp.md
---
windows/client-management/mdm/remotewipe-csp.md | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index 71cbd89d31..2888082127 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -43,14 +43,14 @@ RemoteWipe
--------Status
```
**doWipe**
-Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with **Clean Data** set to No and **Delete Files** set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, depending on how far the reset progressed, the PC can roll back to the pre-reset state.
+Exec on this node starts a remote reset of the device. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with **Clean Data** set to No and **Delete Files** set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, the PC will attempt to roll-back to a the pre-reset state. If the PC can't be rolled-back, the recovery environment will take no additional actions and the PC could be in an unusable state and Windows will have to be reinstalled.
When used with OMA Client Provisioning, a dummy value of "1" should be included for this element.
Supported operation is Exec.
**doWipePersistProvisionedData**
-Specifies that provisioning packages in the `%SystemDrive%\ProgramData\Microsoft\Provisioning` folder will be retained and then applied to the OS after the reset.
+Exec on this node specifies that provisioning packages in the `%SystemDrive%\ProgramData\Microsoft\Provisioning` folder will be retained and then applied to the OS after the reset.
When used with OMA Client Provisioning, a dummy value of "1" should be included for this element.
@@ -59,7 +59,7 @@ Supported operation is Exec.
The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command.
**doWipeProtected**
-Added in Windows 10, version 1703. Exec on this node performs a remote reset on the device and also fully cleans the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command.
+Added in Windows 10, version 1703. Exec on this node performs a remote reset on the device and also fully cleans the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command, but not whether the reset was successful.
The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, if a reset that uses doWipeProtected is interrupted, upon restart it will clean the PC's disk partitions. Because doWipeProtected will clean the partitions in case of failure or interruption, use doWipeProtected in lost/stolen device scenarios.
@@ -69,13 +69,13 @@ Supported operation is Exec.
Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting "Reset this PC > Keep my files" when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command.
**DoWipeCloud**
-Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment.
+Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset.
**DoWipeCloudPersistUserData**
-Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment.
+Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset.
**DoWipeCloudPersistProvisionedData**
-Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment.
+Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset.
**AutomaticRedeployment**
Added in Windows 10, version 1809. Node for the Autopilot Reset operation.
From fb363499e1141883d3695d30d55cc6d95138d517 Mon Sep 17 00:00:00 2001
From: themar-msft <33436507+themar-msft@users.noreply.github.com>
Date: Wed, 15 Jun 2022 11:35:26 -0700
Subject: [PATCH 30/77] Update remotewipe-csp.md
---
windows/client-management/mdm/remotewipe-csp.md | 3 +++
1 file changed, 3 insertions(+)
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index 2888082127..0640cf4d61 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -69,12 +69,15 @@ Supported operation is Exec.
Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting "Reset this PC > Keep my files" when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command.
**DoWipeCloud**
+
Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset.
**DoWipeCloudPersistUserData**
+
Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset.
**DoWipeCloudPersistProvisionedData**
+
Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset.
**AutomaticRedeployment**
From 56572199ae847849f2b70e054d13a6731e205359 Mon Sep 17 00:00:00 2001
From: themar-msft <33436507+themar-msft@users.noreply.github.com>
Date: Wed, 15 Jun 2022 12:14:07 -0700
Subject: [PATCH 31/77] spaces
---
windows/client-management/mdm/remotewipe-csp.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index 0640cf4d61..9b8ae699d8 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -27,6 +27,7 @@ The table below shows the applicability of Windows:
The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely reset a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely reset after being lost or stolen.
The following example shows the RemoteWipe configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. Enterprise IT Professionals can update these settings by using the Exchange Server.
+
```
./Vendor/MSFT
RemoteWipe
@@ -42,6 +43,7 @@ RemoteWipe
--------LastError
--------Status
```
+
**doWipe**
Exec on this node starts a remote reset of the device. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with **Clean Data** set to No and **Delete Files** set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, the PC will attempt to roll-back to a the pre-reset state. If the PC can't be rolled-back, the recovery environment will take no additional actions and the PC could be in an unusable state and Windows will have to be reinstalled.
From 474bde92dcfbcb73e1f87e5c2c70dc8be1db16d6 Mon Sep 17 00:00:00 2001
From: themar-msft <33436507+themar-msft@users.noreply.github.com>
Date: Wed, 15 Jun 2022 12:17:18 -0700
Subject: [PATCH 32/77] Update remotewipe-csp.md
---
windows/client-management/mdm/remotewipe-csp.md | 12 ------------
1 file changed, 12 deletions(-)
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index 9b8ae699d8..88c970beb9 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -70,18 +70,6 @@ Supported operation is Exec.
**doWipePersistUserData**
Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting "Reset this PC > Keep my files" when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command.
-**DoWipeCloud**
-
-Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset.
-
-**DoWipeCloudPersistUserData**
-
-Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset.
-
-**DoWipeCloudPersistProvisionedData**
-
-Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset.
-
**AutomaticRedeployment**
Added in Windows 10, version 1809. Node for the Autopilot Reset operation.
From fd097900698f34d59451aea4f3633088cbc32678 Mon Sep 17 00:00:00 2001
From: themar-msft <33436507+themar-msft@users.noreply.github.com>
Date: Wed, 15 Jun 2022 14:02:47 -0700
Subject: [PATCH 33/77] Update remotewipe-csp.md
---
windows/client-management/mdm/remotewipe-csp.md | 3 ---
1 file changed, 3 deletions(-)
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index 88c970beb9..4eb9ed7a1d 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -35,9 +35,6 @@ RemoteWipe
----doWipePersistProvisionedData
----doWipeProtected
----doWipePersistUserData
-----doWipeCloud
-----doWipeCloudPersistUserData
-----doWipeCloudPersistProvisionedData
----AutomaticRedeployment
--------doAutomaticRedeployment
--------LastError
From c20c99a86a0e3ee86a6b3ffff72c6b75593e2ff0 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Wed, 15 Jun 2022 14:27:05 -0700
Subject: [PATCH 34/77] Update policy-csp-update.md
---
windows/client-management/mdm/policy-csp-update.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index b06a5e7de2..cce978a298 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
-ms.date: 03/18/2022
+ms.date: 06/15/2022
ms.reviewer:
manager: dansimp
ms.collection: highpri
From 6d075ad8eb48607df0038b9de7a12fc20bd3f4f7 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Wed, 15 Jun 2022 14:33:16 -0700
Subject: [PATCH 35/77] Update
network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
---
...estrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
index a4973e313a..9453c4b573 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 06/15/2022
ms.technology: windows-sec
---
@@ -26,8 +26,9 @@ ms.technology: windows-sec
Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting.
->[!NOTE]
->To learn more about configuring a server to be accessed remotely, check [Remote Desktop - Allow access to your PC](https://github.com/MicrosoftDocs/windowsserverdocs/edit/main/WindowsServerDocs/remote/remote-desktop-services/clients/remote-desktop-allow-access.md)
+> [!NOTE]
+> To learn more about configuring a server to be accessed remotely, check [Remote Desktop - Allow access to your PC](/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access)
+
## Reference
The **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** policy setting allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system.
From 1c082992e615bdf995feec9306d0086ef644dbd9 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Wed, 15 Jun 2022 14:36:26 -0700
Subject: [PATCH 36/77] Update script-rules-in-applocker.md
---
.../applocker/script-rules-in-applocker.md | 30 +++++++++----------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
index 0daa8696c8..a39cc39fd3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 06/15/2022
ms.technology: windows-sec
---
@@ -26,30 +26,30 @@ ms.technology: windows-sec
- Windows 11
- Windows Server 2016 and above
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-This topic describes the file formats and available default rules for the script rule collection.
+This article describes the file formats and available default rules for the script rule collection.
AppLocker defines script rules to include only the following file formats:
-- .ps1
-- .bat
-- .cmd
-- .vbs
-- .js
+- `.ps1`
+- `.bat`
+- `.cmd`
+- `.vbs`
+- `.js`
The following table lists the default rules that are available for the script rule collection.
| Purpose | Name | User | Rule condition type |
| - | - | - | - |
-| Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: *|
-| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: %windir%\*|
-| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: %programfiles%\*|
+| Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: `*\` |
+| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: `%windir%\*` |
+| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`|
->[!NOTE]
->Windows Defender Application Control cannot be used to block Powershell scripts. Applocker just forces Powershell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event - which literally states the script will be blocked. After which the script runs.
+> [!NOTE]
+> Windows Defender Application Control cannot be used to block Powershell scripts. Applocker just forces Powershell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event - which literally states the script will be blocked. After which the script runs.
-## Related topics
+## Related articles
- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
From dffa3bc0c690f37e84768882928ceb21819a00f1 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Wed, 15 Jun 2022 14:37:23 -0700
Subject: [PATCH 37/77] Update script-rules-in-applocker.md
---
.../applocker/script-rules-in-applocker.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
index a39cc39fd3..14bf0eec35 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
@@ -48,7 +48,7 @@ The following table lists the default rules that are available for the script ru
| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`|
> [!NOTE]
-> Windows Defender Application Control cannot be used to block Powershell scripts. Applocker just forces Powershell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event - which literally states the script will be blocked. After which the script runs.
+> Windows Defender Application Control cannot be used to block PowerShell scripts. Applocker just forces PowerShell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event, which states that the script will be blocked, but then the script runs.
## Related articles
From a317f8cb080e88fd35fa7daccf51ca6eaa9cff7b Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Wed, 15 Jun 2022 14:40:56 -0700
Subject: [PATCH 38/77] Update
use-windows-defender-application-control-with-dynamic-code-security.md
---
...s-defender-application-control-with-dynamic-code-security.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
index 6b32d76c52..3720558b80 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
@@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 09/23/2021
+ms.date: 06/15/2022
ms.technology: windows-sec
---
From 46e8636041b5f7d37ba9f0a16d005fdb1ba0b836 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Thu, 16 Jun 2022 05:58:39 +0500
Subject: [PATCH 39/77] Update policy-csp-newsandinterests.md
---
.../mdm/policy-csp-newsandinterests.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-newsandinterests.md b/windows/client-management/mdm/policy-csp-newsandinterests.md
index 5d8350eed5..6eb42f6671 100644
--- a/windows/client-management/mdm/policy-csp-newsandinterests.md
+++ b/windows/client-management/mdm/policy-csp-newsandinterests.md
@@ -34,11 +34,11 @@ manager: dansimp
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
-|Pro|Yes|Yes|
+|Pro|No|Yes|
|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
@@ -83,4 +83,4 @@ ADMX Info:
## Related topics
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy configuration service provider](policy-configuration-service-provider.md)
From f622faf1f8130332b2c5da457dd5b01295398c7d Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Thu, 16 Jun 2022 06:49:21 +0500
Subject: [PATCH 40/77] Update interactive-logon-do-not-require-ctrl-alt-del.md
---
.../interactive-logon-do-not-require-ctrl-alt-del.md | 3 +++
1 file changed, 3 insertions(+)
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
index 4131998946..867bda657e 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
@@ -36,6 +36,9 @@ Microsoft developed this feature to make it easier for users with certain types
A malicious user might install malware that looks like the standard logon dialog box for the Windows operating system, and capture a user's password. The attacker can then log on to the compromised account with whatever level of user rights that user has.
+>[!NOTE]
+>When the policy is defined, registry value **DisableCAD** located in **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System** is created. To revert the changes made by this policy, it is not enough to set its value to **Not defined**, this registry value need to be removed as well.
+
### Possible values
- Enabled
From 309b18cc5b7ede21c2f6e2fe776d4832ff50d6eb Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Fri, 17 Jun 2022 09:58:39 +0500
Subject: [PATCH 41/77] Update edit-an-applocker-policy.md
---
.../applocker/edit-an-applocker-policy.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
index 811e3ab499..7c697728f5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
@@ -40,7 +40,9 @@ There are three methods you can use to edit an AppLocker policy:
- [Editing an AppLocker policy by using the Local Security Policy snap-in](#bkmk-editapplolnotingpo)
## Editing an AppLocker policy by using Mobile Device Management (MDM)
+If you deployed AppLocker policy using the AppLocker configuration service provider, you can edit the policies in your MDM solution by altering the content in the string value of policy node.
+For more information, see the [AppLocker CSP](/windows/client-management/mdm/applocker-csp).
## Editing an AppLocker policy by using Group Policy
From 50e6636ce877b0d0c658c71a17ef2bfc274718bf Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Fri, 17 Jun 2022 14:59:30 +0500
Subject: [PATCH 42/77] Update kernel-dma-protection-for-thunderbolt.md
---
.../kernel-dma-protection-for-thunderbolt.md | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 1d0b0ea803..400250bf8d 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -92,7 +92,10 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to
- Reboot system into Windows.
>[!NOTE]
- > **Hyper-V - Virtualization Enabled in Firmware** is not available when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is displayed. This means that **Hyper-V - Virtualization Enabled in Firmware** is set to Yes and the **Hyper-V** Windows feature is enabled. Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection).
+ > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown on the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES.
+
+ >[!NOTE]
+ > Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection).
4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature.
From 4bc96cd544f814598bb6dc2ab7fae500c5e29691 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Fri, 17 Jun 2022 15:01:19 +0500
Subject: [PATCH 43/77] Update
windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../interactive-logon-do-not-require-ctrl-alt-del.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
index 867bda657e..028bd47b3f 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
@@ -36,8 +36,8 @@ Microsoft developed this feature to make it easier for users with certain types
A malicious user might install malware that looks like the standard logon dialog box for the Windows operating system, and capture a user's password. The attacker can then log on to the compromised account with whatever level of user rights that user has.
->[!NOTE]
->When the policy is defined, registry value **DisableCAD** located in **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System** is created. To revert the changes made by this policy, it is not enough to set its value to **Not defined**, this registry value need to be removed as well.
+> [!NOTE]
+> When the policy is defined, registry value **DisableCAD** located in **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System** is created. To revert the changes made by this policy, it is not enough to set its value to **Not defined**, this registry value needs to be removed as well.
### Possible values
From feb179fa52f5a26b848e00cf31c29dd10bd6b16d Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Fri, 17 Jun 2022 15:02:30 +0500
Subject: [PATCH 44/77] Update
windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../applocker/edit-an-applocker-policy.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
index 7c697728f5..b96a2525dd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
@@ -40,7 +40,7 @@ There are three methods you can use to edit an AppLocker policy:
- [Editing an AppLocker policy by using the Local Security Policy snap-in](#bkmk-editapplolnotingpo)
## Editing an AppLocker policy by using Mobile Device Management (MDM)
-If you deployed AppLocker policy using the AppLocker configuration service provider, you can edit the policies in your MDM solution by altering the content in the string value of policy node.
+If you deployed the AppLocker policy using the AppLocker configuration service provider, you can edit the policies in your MDM solution by altering the content in the string value of the policy node.
For more information, see the [AppLocker CSP](/windows/client-management/mdm/applocker-csp).
From a710084b28d6ff1b8c2d7960c9a91a51d23dda59 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Sat, 18 Jun 2022 10:30:14 +0500
Subject: [PATCH 45/77] Update
windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../kernel-dma-protection-for-thunderbolt.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 400250bf8d..6a487163f9 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -92,7 +92,7 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to
- Reboot system into Windows.
>[!NOTE]
- > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown on the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES.
+ > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES.
>[!NOTE]
> Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection).
From 744379863d5164ea3c894ca9f43f2815116cac9a Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Sat, 18 Jun 2022 10:30:26 +0500
Subject: [PATCH 46/77] Update
windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../kernel-dma-protection-for-thunderbolt.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 6a487163f9..80250e13f2 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -94,7 +94,7 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to
>[!NOTE]
> If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES.
- >[!NOTE]
+ > [!NOTE]
> Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection).
4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature.
From e3b3a40d6ff1b08902a20f607297e2fb642c1080 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Sat, 18 Jun 2022 10:31:32 +0500
Subject: [PATCH 47/77] Update
windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../kernel-dma-protection-for-thunderbolt.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 80250e13f2..4460e09f34 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -91,7 +91,7 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to
- Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md).
- Reboot system into Windows.
- >[!NOTE]
+ > [!NOTE]
> If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES.
> [!NOTE]
From c92a5e0e6927081ff6c4f963d4beee47521bb90a Mon Sep 17 00:00:00 2001
From: GrischaE1 <54313015+GrischaE1@users.noreply.github.com>
Date: Mon, 20 Jun 2022 09:11:34 +0200
Subject: [PATCH 48/77] Update
windows/client-management/mdm/policy-csp-update.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/client-management/mdm/policy-csp-update.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index cce978a298..77f35e5754 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -3687,7 +3687,7 @@ If you configure this policy, also configure the scan source policies for other
- SetPolicyDrivenUpdateSourceForOtherUpdates
>[!NOTE]
->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect.
+>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
From 845f03172dc8cfbb78731eff710342ad47f9b818 Mon Sep 17 00:00:00 2001
From: GrischaE1 <54313015+GrischaE1@users.noreply.github.com>
Date: Mon, 20 Jun 2022 09:11:42 +0200
Subject: [PATCH 49/77] Update
windows/client-management/mdm/policy-csp-update.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/client-management/mdm/policy-csp-update.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 77f35e5754..2ab0e8e657 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -3571,7 +3571,7 @@ If you configure this policy, also configure the scan source policies for other
- SetPolicyDrivenUpdateSourceForOtherUpdates
>[!NOTE]
->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect.
+>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
From 3d016d5abd51705d4912cb852840328a6c84c8b5 Mon Sep 17 00:00:00 2001
From: GrischaE1 <54313015+GrischaE1@users.noreply.github.com>
Date: Mon, 20 Jun 2022 09:11:50 +0200
Subject: [PATCH 50/77] Update
windows/client-management/mdm/policy-csp-update.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/client-management/mdm/policy-csp-update.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 2ab0e8e657..04dd37b084 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -3629,7 +3629,7 @@ If you configure this policy, also configure the scan source policies for other
- SetPolicyDrivenUpdateSourceForDriverUpdates
>[!NOTE]
->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect.
+>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
From aca0ce5659c2e9eb95dfd090261b1062c6fe0ab1 Mon Sep 17 00:00:00 2001
From: GrischaE1 <54313015+GrischaE1@users.noreply.github.com>
Date: Mon, 20 Jun 2022 09:11:57 +0200
Subject: [PATCH 51/77] Update
windows/client-management/mdm/policy-csp-update.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/client-management/mdm/policy-csp-update.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 04dd37b084..69a315b2b4 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -3513,7 +3513,7 @@ If you configure this policy, also configure the scan source policies for other
- SetPolicyDrivenUpdateSourceForOtherUpdates
>[!NOTE]
->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect.
+>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
From 5a171c035ff28ce31c70fd203886eeaa7dc5badb Mon Sep 17 00:00:00 2001
From: Michael Nady
Date: Tue, 21 Jun 2022 12:10:35 +0200
Subject: [PATCH 52/77] Update
windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../hello-for-business/hello-cert-trust-validate-ad-prereq.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index e1bb8e2f6e..9174af8148 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -28,7 +28,7 @@ ms.reviewer:
The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema.
> [!NOTE]
-> If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the "Updating the Schema" and "Create the KeyCredential Admins Security Global Group" steps that follow.**
+> If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the "Updating the Schema" and "Create the KeyCredential Admins Security Global Group" steps that follow.
Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 or later DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role.
From eea3f1f959aebf019324d8c95d4975c8a4c6b5e3 Mon Sep 17 00:00:00 2001
From: Michael Nady
Date: Tue, 21 Jun 2022 12:13:34 +0200
Subject: [PATCH 53/77] Update
windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../applocker/script-rules-in-applocker.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
index 14bf0eec35..aee609a7fd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
@@ -48,7 +48,7 @@ The following table lists the default rules that are available for the script ru
| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`|
> [!NOTE]
-> Windows Defender Application Control cannot be used to block PowerShell scripts. Applocker just forces PowerShell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event, which states that the script will be blocked, but then the script runs.
+> Windows Defender Application Control cannot be used to block PowerShell scripts. AppLocker just forces PowerShell scripts to be run in Constrained Language mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event, which states that the script will be blocked, but then the script runs.
## Related articles
From 7ba112e7445142bc6fd2b9e2a8023fbb7259c94b Mon Sep 17 00:00:00 2001
From: Michael Nady
Date: Tue, 21 Jun 2022 12:14:03 +0200
Subject: [PATCH 54/77] Update
windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
...ity-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
index 9453c4b573..f4c0cda9aa 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
@@ -27,7 +27,7 @@ Describes the best practices, location, values, management aspects, and security
> [!NOTE]
-> To learn more about configuring a server to be accessed remotely, check [Remote Desktop - Allow access to your PC](/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access)
+> To learn more about configuring a server to be accessed remotely, check [Remote Desktop - Allow access to your PC](/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access).
## Reference
From 6038a000bc6cfb60a7988094e9048adc19c637a8 Mon Sep 17 00:00:00 2001
From: Jordan Geurten
Date: Thu, 23 Jun 2022 15:06:05 -0400
Subject: [PATCH 55/77] Initial commit of MEMCM doc supplement work
---
.../deploy-appid-tagging-policies.md | 2 +-
.../TOC.yml | 4 +-
.../create-wdac-deny-policy.md | 2 +-
.../deploy-wdac-policies-with-memcm.md | 51 ++++++++++++++++++
...ion-control-policies-using-group-policy.md | 0
...plication-control-policies-using-intune.md | 0
.../feature-availability.md | 2 +-
.../images/memcm/memcm-confirm-wdac-rule.jpg | Bin 0 -> 52909 bytes
.../memcm/memcm-create-wdac-policy-2.jpg | Bin 0 -> 155649 bytes
.../images/memcm/memcm-create-wdac-policy.jpg | Bin 0 -> 152383 bytes
.../images/memcm/memcm-create-wdac-rule-2.jpg | Bin 0 -> 276511 bytes
.../images/memcm/memcm-create-wdac-rule-3.jpg | Bin 0 -> 121563 bytes
.../images/memcm/memcm-create-wdac-rule.jpg | Bin 0 -> 62257 bytes
.../images/memcm/memcm-deploy-wdac-2.jpg | Bin 0 -> 43638 bytes
.../images/memcm/memcm-deploy-wdac-3.jpg | Bin 0 -> 45121 bytes
.../images/memcm/memcm-deploy-wdac-4.jpg | Bin 0 -> 42437 bytes
.../images/memcm/memcm-deploy-wdac.jpg | Bin 0 -> 116300 bytes
.../index.yml | 4 +-
.../pdfs/WDAC-Deploy-WDAC-using-MEMCM.pdf | Bin 0 -> 2629620 bytes
...r-application-control-against-tampering.md | 2 +-
...er-application-control-deployment-guide.md | 4 +-
21 files changed, 61 insertions(+), 10 deletions(-)
rename windows/security/threat-protection/windows-defender-application-control/{ => deployment}/deploy-windows-defender-application-control-policies-using-group-policy.md (100%)
rename windows/security/threat-protection/windows-defender-application-control/{ => deployment}/deploy-windows-defender-application-control-policies-using-intune.md (100%)
create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-confirm-wdac-rule.jpg
create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-policy-2.jpg
create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-policy.jpg
create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule-2.jpg
create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule-3.jpg
create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule.jpg
create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-2.jpg
create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-3.jpg
create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-4.jpg
create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac.jpg
create mode 100644 windows/security/threat-protection/windows-defender-application-control/pdfs/WDAC-Deploy-WDAC-using-MEMCM.pdf
diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
index a8ac5aafd1..f7cb9dee92 100644
--- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
@@ -38,7 +38,7 @@ Similar to WDAC Application Control policies, WDAC AppId Tagging policies can be
## Deploy AppId Tagging Policies with MDM
-Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
+Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
## Deploy AppId Tagging Policies with MEMCM
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
index 2f007e159d..5d7d191d40 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@@ -73,13 +73,13 @@
href: windows-defender-application-control-deployment-guide.md
items:
- name: Deploy WDAC policies with MDM
- href: deploy-windows-defender-application-control-policies-using-intune.md
+ href: deployment/deploy-windows-defender-application-control-policies-using-intune.md
- name: Deploy WDAC policies with MEMCM
href: deployment/deploy-wdac-policies-with-memcm.md
- name: Deploy WDAC policies with script
href: deployment/deploy-wdac-policies-with-script.md
- name: Deploy WDAC policies with Group Policy
- href: deploy-windows-defender-application-control-policies-using-group-policy.md
+ href: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
- name: Audit WDAC policies
href: audit-windows-defender-application-control-policies.md
- name: Merge WDAC policies
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
index 3203610df6..e4b820e7ed 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
@@ -159,4 +159,4 @@ Policies should be thoroughly evaluated and first rolled out in audit mode befor
3. Scripting [Deploy Windows Defender Application Control (WDAC) policies using script (Windows)](deployment/deploy-wdac-policies-with-script.md)
-4. Group Policy: [Deploy WDAC policies via Group Policy (Windows)](deploy-windows-defender-application-control-policies-using-group-policy.md)
+4. Group Policy: [Deploy WDAC policies via Group Policy (Windows)](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
index 1ac9e541d2..b9f7dfe7c2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
@@ -41,8 +41,59 @@ MEMCM includes native support for WDAC, which allows you to configure Windows 10
Note that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable WDAC altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot.
+### Create a WDAC Policy in MEMCM
+
+1. Select **Asset and Compliance** > **Endpoint Protection** > **Windows Defender Application Control** > **Create Application Control Policy**
+
+
+
+2. Enter the name of the policy > **Next**
+3. Enable **Enforce a restart of devices so that this policy can be enforced for all processes**
+4. Select the mode which you want the policy to run (Enforcement enabled / Audit Only)
+5. Click **Next**
+
+
+
+6. Click **Add** to begin creating rules for trusted software
+
+
+
+7. Select **File** or **Folder** to create a path rule > **Browse**
+
+
+
+8. Select the executable or folder for your path rule > **OK**
+
+
+
+9. Select **OK** to add the rule to the table of trusted files or folder
+10. Select **Next** to navigate to the summary page > **Close**
+
+
+
+### Deploy the WDAC Policy in MEMCM
+
+1. Right-click the newly created policy > **Deploy Application Control Policy**
+
+
+
+2. Select **Browse**
+
+
+
+3. Select the Device Collection you created earlier > **OK**
+
+
+
+4. Change the schedule > **OK**
+
+
+
+
For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager).
+The entire WDAC in MEMCM Lab Paper is available for download [here](../pdfs/WDAC-Deploy-WDAC-using-MEMCM.pdf).
+
## Deploy custom WDAC policies using Packages/Programs or Task Sequences
Using MEMCM's built-in policies can be a helpful starting point, but customers may find the circle-of-trust options available in MEMCM too limiting. To define your own circle-of-trust, you can use MEMCM to deploy custom WDAC policies using [script-based deployment](deploy-wdac-policies-with-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
rename to windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
rename to windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
index 5b024e8790..081fd263a5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
+++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
@@ -34,7 +34,7 @@ ms.technology: windows-sec
|-------------|------|-------------|
| Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later | Available on Windows 8 or later |
| SKU availability | Cmdlets are available on all SKUs on 1909+ builds. For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices. Policies deployed through MDM are effective on all SKUs. |
-| Management solutions |
[Intune](./deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)
[Microsoft Endpoint Manager Configuration Manager (MEMCM)](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)
[Intune](./deployment/deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)
[Microsoft Endpoint Manager Configuration Manager (MEMCM)](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)