Merge branch 'main' into vp-fresh-tpm

.openpublishing.redirection.windows-security.json

@@ -7484,6 +7484,481 @@
       "source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md",
       "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker#device-encryption",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/basic-firewall-policy-design.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj721530(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/boundary-zone.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc725978(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/boundary-zone-gpos.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770729(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731463(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design-example.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771822(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/documenting-the-zones.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753825(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/domain-isolation-policy-design.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc725818(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/domain-isolation-policy-design-example.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732933(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/encryption-zone.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753367(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/encryption-zone-gpos.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770426(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/exemption-list.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732202(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/firewall-gpos.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771233(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/firewall-policy-design-example.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731164(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-boundary.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770565(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-encryption.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754085(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-firewall.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731123(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-isolateddomain-clients.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770836(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-isolateddomain-servers.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731908(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/isolated-domain.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731788(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/isolated-domain-gpos.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731447(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj721532(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-certificate-based-authentication.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc730835(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-domain-isolation-zones.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771044(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-gpo-deployment.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771733(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732752(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-isolation-groups-for-the-zones.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc725693(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-network-access-groups.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771664(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-server-isolation-zones.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732615(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-settings-for-a-basic-firewall-policy.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754986(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-the-gpos.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771716(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947826(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc730841(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/server-isolation-gpos.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732486(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj721528(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design-example.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732413(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770289(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-basic-firewall-settings.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947845(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947794(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947848(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947836(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947800(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947783(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947791(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947799(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947827(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947819(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717261(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717238(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717284(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717277(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732023(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717256(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/protect-devices-from-unwanted-network-traffic.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc772556(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770865(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-specified-users-or-devices.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753064(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-trusted-devices.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc725659(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731951(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717241(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-design-guide.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732024(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717262(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717263(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717260(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/change-rules-from-request-to-require-mode.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717237(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-authentication-methods.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717279(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-data-protection-quick-mode-settings.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717293(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717253(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-key-exchange-main-mode-settings.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717249(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-the-rules-to-require-encryption.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717270(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-the-workstation-authentication-certificate-template.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717275(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717278(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/confirm-that-certificates-are-deployed-correctly.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717245(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717246(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-a-group-account-in-active-directory.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717247(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717274(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-exemption-list-rule.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717243(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-request-rule.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717283(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717288(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/enable-predefined-inbound-rules.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717281(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/enable-predefined-outbound-rules.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717259(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/exempt-icmp-from-authentication.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717292(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/link-the-gpo-to-the-domain.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717264(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717265(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717290(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717269(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717266(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/open-windows-firewall-with-advanced-security.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717254(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/restrict-server-access-to-members-of-a-group-only.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717267(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717251(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/verify-that-network-traffic-is-authenticated.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717273(v=ws.11)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-the-information-you-need.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731454(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-current-network-infrastructure.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770899(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-active-directory-deployment.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771366(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-devices.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc726039(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-other-relevant-information.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771791(v=ws.10)",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/network-security/windows-firewall/determining-the-trusted-state-of-your-devices.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753540(v=ws.10)",
+      "redirect_document_id": false
     }
   ]
-}
+}

browsers/edge/microsoft-edge.yml

@@ -40,14 +40,6 @@ landingContent:
           - text: Evaluate the impact
             url: ./microsoft-edge-forrester.md
 
-  # Card (optional)
-  - title: Test your site on Microsoft Edge
-    linkLists:
-      - linkListType: overview
-        links:
-          - text: Test your site on Microsoft Edge for free on BrowserStack
-            url: https://developer.microsoft.com/microsoft-edge/tools/remote/
-  
   # Card (optional)
   - title: Improve compatibility with Enterprise Mode
     linkLists:

education/includes/education-content-updates.md

@@ -2,20 +2,13 @@
 
 
 
-## Week of September 11, 2023
+## Week of November 06, 2023
 
 
 | Published On |Topic title | Change |
 |------|------------|--------|
-| 9/11/2023 | [Configure education themes for Windows 11](/education/windows/edu-themes) | modified |
-| 9/11/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified |
-
-
-## Week of September 04, 2023
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 9/5/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified |
-| 9/5/2023 | [Windows for Education documentation](/education/windows/index) | modified |
-| 9/5/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
+| 11/7/2023 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified |
+| 11/9/2023 | [Configure Stickers for Windows 11 SE](/education/windows/edu-stickers) | modified |
+| 11/9/2023 | What's new in the Windows Set up School PCs app | removed |
+| 11/9/2023 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | modified |
+| 11/9/2023 | [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) | modified |

education/windows/autopilot-reset.md

@@ -5,10 +5,6 @@ ms.date: 08/10/2022
 ms.topic: how-to
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
-ms.collection:
-  - highpri
-  - tier2
-  - education
 ---
 
 # Reset devices with Autopilot Reset
@@ -60,7 +56,7 @@ You can set the policy using one of these methods:
 ## Trigger Autopilot Reset
 
 Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it's done, the device is again ready for use.
-]
+
 To trigger Autopilot Reset:
 
 1. From the Windows device lock screen, enter the keystroke: <kbd>CTRL</kbd> + <kbd>WIN</kbd> + <kbd>R</kbd>.

education/windows/index.yml

@@ -10,7 +10,6 @@ metadata:
   ms.technology: itpro-edu
   ms.collection:
     - education
-    - highpri
     - tier1
   author: paolomatarazzo
   ms.author: paoloma

education/windows/windows-11-se-overview.md

@@ -6,7 +6,6 @@ ms.date: 11/02/2023
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
 ms.collection:
-  - highpri
   - education
   - tier1
 ---

includes/configure/gpo-settings-1.md

@@ -6,4 +6,4 @@ ms.topic: include
 ms.prod: windows-client
 ---
 
-To configure devices using group policy, [create a group policy object (GPO)](/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object) and use the following settings:
+To configure a device using group policy, use the [Local Group Policy Editor](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731745(v=ws.10)). To configure multiple devices joined to Active Directory, [create](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) or [edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc730903(v=ws.10)) a group policy object (GPO) and use the following settings:

includes/configure/gpo-settings-2.md

@@ -6,4 +6,4 @@ ms.topic: include
 ms.prod: windows-client
 ---
 
-The policy settings can be configured locally by using the Local Group Policy Editor (`gpedit.msc`), linked to the domain or organizational units, and filtered to security groups.
+Group policies can be [linked](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732979(v=ws.10)) to domains or organizational units, [filtered using security groups](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc752992(v=ws.10)), or [filtered using WMI filters](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717288(v=ws.11)).

includes/configure/registry.md

@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 08/15/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+To configure devices using the [Registry Editor](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc755256(v=ws.11)), use the following settings:

windows/application-management/index.yml

@@ -14,7 +14,6 @@ metadata:
   ms.prod: windows-client
   ms.collection:
     - tier1
-    - highpri
 
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | tutorial | overview | quickstart | reference | sample | tutorial | video | whats-new
 

windows/client-management/manage-windows-copilot.md

@@ -1,31 +1,200 @@
 ---
 title: Manage Copilot in Windows
-description: Learn how to manage Copilot in Windows using MDM and group policy.
+description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows.
 ms.topic: article
-ms.date: 10/16/2023
+ms.technology: itpro-windows-copilot
+ms.date: 11/06/2023
+ms.author: mstewart
+author: mestew 
 appliesto:
-- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 22H2 or later</a>
 ---
 
 # Manage Copilot in Windows
+<!--8445848-->
+>**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0).
 
-Windows is the first PC platform to provide centralized AI assistance for customers. Together, with Bing Chat, Copilot in Windows helps you bring your ideas to life, complete complex projects and collaborate instead of spending energy finding, launching and working across multiple applications.
+Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/bing-chat-enterprise/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since it is possible for users to copy and paste sensitive information into the chat provider.
 
-This article lists settings available to manage Copilot in Windows. To learn more about Copilot in Windows, see [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0).
+> [!Note]
+> - Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback.
+> - Copilot in Windows is being released in preview to select global markets as part of our latest update to Windows 11. The initial markets for the Copilot in Windows preview include North America and parts of Asia and South America. It is our intention to add additional markets over time.
 
-## Turn off Copilot in Windows
+## Configure Copilot in Windows for commercial environments
 
-This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot. The Copilot icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot when it's available to them.
+At a high level, managing and configuring Copilot in Windows for your organization involves the following steps:
 
-|                  | Setting                                                                                                 |
-|------------------|---------------------------------------------------------------------------------------------------------|
-| **CSP**          | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) |
+1. Understand the [available chat provider platforms for Copilot in Windows](#chat-provider-platforms-for-copilot-in-windows)
+1. [Configure the chat provider platform](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) used by Copilot in Windows
+1. Ensure the [Copilot in Windows user experience](#ensure-the-copilot-in-windows-user-experience-is-enabled) is enabled
+1. Verify [other settings that might affect Copilot in Windows](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider) and its underlying chat provider
+
+Organizations that aren't ready to use Copilot in Windows can disable it until they're ready with the **Turn off Windows Copilot** policy. This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot in Windows and the icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot in Windows when it's available to them.
+
+| &nbsp; | Setting  |
+|---|---|
+| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) |
 | **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** |
 
 
+## Chat provider platforms for Copilot in Windows
 
-## Related articles
+Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform that Copilot in Windows uses is important because it is possible for users to copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections.
 
-- [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0)
+**Bing Chat**: 
 
-- [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/copilot-in-windows-your-data-and-privacy-3e265e82-fc76-4d0a-afc0-4a0de528b73a)
+[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and if a user isn't signed in with their Microsoft account, the number of chat queries per user has a daily limit. Bing Chat doesn't offer the same commercial data protection as Bing Chat Enterprise does. The following privacy and security protections apply for Bing Chat:
+   - [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a)
+   - The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section.
+
+
+**Bing Chat Enterprise**:
+
+[Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Bing Chat Enterprise:
+
+- With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Bing Chat Enterprise is accessible from mobile browsers, including Edge mobile on iOS and Android. Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections).
+- Bing Chat Enterprise is available, at no additional cost, for the following licenses:
+   - Microsoft 365 E3 or E5
+   - Microsoft 365 A3 or A5 for faculty
+   - Microsoft 365 Business Standard
+   - Microsoft 365 Business Premium
+
+  > [!Note]
+  > Bing Chat Enterprise and Bing Chat don't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which can be used in the Microsoft 365 apps. This means that Bing Chat Enterprise and Bing Chat can't access Microsoft 365 Apps data, such as email, calendar, or files.
+
+## Configure the chat provider platform that Copilot in Windows uses
+
+Configuring the correct chat provider platform for Copilot in Windows is important because it is possible for users to copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization's users. The following sections describe how to configure the chat provider platform that Copilot in Windows uses.
+
+### Bing Chat as the chat provider platform
+
+Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur:
+
+- Bing Chat Enterprise isn't configured for the user
+- The user isn't assigned a license that includes Bing Chat Enterprise
+- Bing Chat Enterprise is [turned off](/bing-chat-enterprise/manage)
+- The user isn't signed in with a Microsoft Entra account that's licensed for Bing Chat Enterprise
+
+### Bing Chat Enterprise as the chat provider platform (recommended for commercial environments)
+
+To verify that Bing Chat Enterprise is enabled for the user as the chat provider platform for Copilot in Windows, use the following instructions:
+
+1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/).
+1. In the admin center, select  **Users** > **Active users** and verify that users are assigned a license that includes Bing Chat Enterprise. Bing Chat Enterprise is included and enabled by default for users that are assigned one of the following licenses:
+   - Microsoft 365 E3 or E5
+   - Microsoft 365 A3 or A5 for faculty
+     - Currently, Microsoft 365 A3 and A5 for faculty requires additional configuration. For more information, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage).
+   - Microsoft 365 Business Standard
+   - Microsoft 365 Business Premium
+1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu. 
+1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list.
+1. Verify that **Bing Chat Enterprise** is enabled for the user.
+1. If you prefer to view a user's licenses from the [Azure portal](https://portal.azure.com), you will find it under **Microsoft Entra ID** > **Users**. Select the user's name, then **Licenses**. Select a  license that includes Bing Chat Enterprise, and verify that it's listed as **On**.
+
+   > [!Note]
+   > If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users.
+
+The following sample PowerShell script connects to Microsoft Graph and lists which users that have Bing Chat Enterprise enabled and disabled:
+
+```powershell
+# Install Microsoft Graph module
+if (-not (Get-Module Microsoft.Graph.Users)) {
+    Install-Module Microsoft.Graph.Users
+}
+
+# Connect to Microsoft Graph
+Connect-MgGraph -Scopes 'User.Read.All'
+
+# Get all users
+$users = Get-MgUser -All -ConsistencyLevel eventual -Property Id, DisplayName, Mail, UserPrincipalName, AssignedPlans
+
+# Users with Bing Chat Enterprise enabled
+$users | Where-Object { $_.AssignedPlans -and $_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -eq "Enabled" } | Format-Table
+
+# Users without Bing Chat Enterprise enabled
+$users | Where-Object { -not $_.AssignedPlans -or ($_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -ne "Enabled") } | Format-Table
+```
+
+When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There's also a shield symbol labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows:
+
+:::image type="content" source="images/bing-chat-enterprise-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Bing Chat Enterprise is the chat provider." lightbox="images/bing-chat-enterprise-chat-provider.png":::
+
+## Ensure the Copilot in Windows user experience is enabled
+
+Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. Ensuring the Copilot in Windows user experience is enabled varies by the Windows version. 
+
+### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients
+
+Copilot in Windows isn't technically enabled by default for managed Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager, Microsoft Intune, and Windows Autopatch are considered managed since their updates ultimately come from WSUS or Windows Updates for Business.
+
+To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to enable features under temporary enterprise control for these devices. Since enabling features behind [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions:
+
+1. Verify that the user accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section.
+1. Apply a policy to enable features under temporary enterprise control for managed clients. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later:
+   - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default**
+
+    - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)
+       - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category.
+     > [!Important]
+     > For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager, Microsoft Intune, and Windows Autopatch are considered managed since their updates ultimately come from WSUS or Windows Updates for Business.
+
+1. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). Depending on how soon you start deploying Copilot in Windows, you might also need to [enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) with one of the following policies:
+   - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features**
+   - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates)
+      - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category.
+ 
+   The optional updates policy applies to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for [optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates), ensure you select one of the following options that includes CFRs:
+    - Automatically receive optional updates (including CFRs)
+      - This selection places devices into an early CFR phase
+    - Users can select which optional updates to receive
+
+1. Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves.
+
+### Enable the Copilot in Windows user experience for Windows 11, version 23H2 clients
+
+Once a managed device installs the version 23H2 update, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices.
+
+While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. For more information, see:
+- [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses)
+- [Other settings that might affect Copilot in Windows and its underlying chat provider](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider)
+
+Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using the following policy:
+
+- **CSP**: ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot)
+- **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot**
+
+## Other settings that might affect Copilot in Windows and its underlying chat provider
+
+Copilot in Windows and [Copilot in Edge](/bing-chat-enterprise/edge), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Copilot in Edge can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider:
+
+### Bing settings
+
+- If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows and Copilot in Edge:
+   - mapping `www.bing.com` to `strict.bing.com`
+   - mapping `edgeservices.bing.com` to `strict.bing.com`
+   - blocking `bing.com`
+
+- If Bing Chat Enterprise is turned on for your organization, users will be able to access it through Edge mobile when signed in with their work account. If you would like to remove the Bing Chat button from the Edge mobile interface, you can use an [Intune Mobile Application Management (MAM) policy for Microsoft Edge](/mem/intune/apps/manage-microsoft-edge) to remove it:
+
+    |Key |Value |
+    |:---------|:------------|
+    |com.microsoft.intune.mam.managedbrowser.Chat| **true** (default) shows the interface </br> **false** hides the interface |
+
+### Microsoft Edge policies
+
+- If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it blocks Copilot in Edge from being displayed.
+- If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it blocks Bing Chat and Bing Chat Enterprise from reading the current webpage context. The chat providers need access to the current webpage context for providing page summarizations and sending user selected strings from the webpage into the chat provider.
+
+### Search settings
+
+- Setting [ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) to `Hide` might interfere with the Copilot in Windows user experience.
+- Setting [AllowSearchHighlights](/windows/client-management/mdm/policy-csp-search#allowsearchhighlights) to `disabled` might interfere with the Copilot in Windows and the Copilot in Edge user experiences.
+
+### Account settings
+
+- The [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) setting might allow users to use their personal Microsoft account with Copilot in Windows and Copilot in Edge.
+- The [RestrictToEnterpriseDeviceAuthenticationOnly](/windows/client-management/mdm/policy-csp-accounts#restricttoenterprisedeviceauthenticationonly) setting might prevent access to chat providers since it blocks user authentication.
+
+## Microsoft's commitment to responsible AI
+
+Microsoft has been on a responsible AI journey since 2017, when we defined our principles and approach to ensuring this technology is used in a way that is driven by ethical principles that put people first. For more about our responsible AI journey, the ethical principles that guide us, and the tooling and capabilities we've created to assure that we develop AI technology responsibly, see [Responsible AI](https://www.microsoft.com/ai/responsible-ai).

windows/client-management/mdm/index.yml

@@ -10,7 +10,6 @@ metadata:
   ms.technology: itpro-manage
   ms.prod: windows-client
   ms.collection:
-    - highpri
     - tier1
   author: vinaypamnani-msft
   ms.author: vinpa

windows/client-management/mdm/update-csp.md

@@ -8,7 +8,7 @@ ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
-ms.date: 02/23/2018
+ms.date: 11/16/2023
 ---
 
 # Update CSP
@@ -40,7 +40,7 @@ The following example shows the Update configuration service provider in tree fo
 ----FailedUpdates
 --------Failed Update Guid
 ------------HResult
-------------Status
+------------State
 ------------RevisionNumber
 ----InstalledUpdates
 --------Installed Update Guid
@@ -63,136 +63,152 @@ The following example shows the Update configuration service provider in tree fo
 ```
 
 <a href="" id="update"></a>**./Vendor/MSFT/Update**
-<p>The root node.
+The root node.
 
-<p>Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="approvedupdates"></a>**ApprovedUpdates**
-<p>Node for update approvals and EULA acceptance on behalf of the end-user.
+Node for update approvals and EULA acceptance on behalf of the end-user.
 
 > [!NOTE]
 > When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list.
 
-<p>The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update.
+The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update.
 
-<p>The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
+The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
 
 > [!NOTE]
 > For the Windows 10 build, the client may need to reboot after additional updates are added.
 
-<p>Supported operations are Get and Add.
+Supported operations are Get and Add.
 
 <a href="" id="approvedupdates-approved-update-guid"></a>**ApprovedUpdates/_Approved Update Guid_**
-<p>Specifies the update GUID.
+Specifies the update GUID.
 
-<p>To auto-approve a class of updates, you can specify the <a href="/previous-versions/windows/desktop/ff357803(v=vs.85)" data-raw-source="[Update Classifications](/previous-versions/windows/desktop/ff357803(v=vs.85))">Update Classifications</a> GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These GUIDs are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly.
+To auto-approve a class of updates, you can specify the <a href="/previous-versions/windows/desktop/ff357803(v=vs.85)" data-raw-source="[Update Classifications](/previous-versions/windows/desktop/ff357803(v=vs.85))">Update Classifications</a> GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These GUIDs are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly.
 
-<p>Supported operations are Get and Add.
+Supported operations are Get and Add.
 
-<p>Sample syncml:
+Sample syncml:
 
 ```
 <LocURI>./Vendor/MSFT/Update/ApprovedUpdates/%7ba317dafe-baf4-453f-b232-a7075efae36e%7d</LocURI>
 ```
 
 <a href="" id="approvedupdates-approved-update-guid-approvedtime"></a>**ApprovedUpdates/*Approved Update Guid*/ApprovedTime**
-<p>Specifies the time the update gets approved.
+Specifies the time the update gets approved.
 
-<p>Supported operations are Get and Add.
+Supported operations are Get and Add.
 
 <a href="" id="failedupdates"></a>**FailedUpdates**
-<p>Specifies the approved updates that failed to install on a device.
+Specifies the approved updates that failed to install on a device.
 
-<p>Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="failedupdates-failed-update-guid"></a>**FailedUpdates/_Failed Update Guid_**
-<p>Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install.
+Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install.
 
-<p>Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="failedupdates-failed-update-guid-hresult"></a>**FailedUpdates/*Failed Update Guid*/HResult**
-<p>The update failure error code.
+The update failure error code.
 
-<p>Supported operation is Get.
+Supported operation is Get.
 
-<a href="" id="failedupdates-failed-update-guid-status"></a>**FailedUpdates/*Failed Update Guid*/Status**
-<p>Specifies the failed update status (for example, download, install).
+<a href="" id="failedupdates-failed-update-guid-state"></a>**FailedUpdates/*Failed Update Guid*/State**
+Specifies the failed update state.
 
-<p>Supported operation is Get.
+| Update Status              | Integer Value |
+| -------------------------- | ------------- |
+| UpdateStatusNewUpdate      | 1             |
+| UpdateStatusReadyToDownload| 2             |
+| UpdateStatusDownloading    | 4             |
+| UpdateStatusDownloadBlocked| 8             |
+| UpdateStatusDownloadFailed | 16            |
+| UpdateStatusReadyToInstall | 32            |
+| UpdateStatusInstalling     | 64            |
+| UpdateStatusInstallBlocked | 128           |
+| UpdateStatusInstallFailed  | 256           |
+| UpdateStatusRebootRequired | 512           |
+| UpdateStatusUpdateCompleted| 1024          |
+| UpdateStatusCommitFailed   | 2048          |
+| UpdateStatusPostReboot     | 4096          |
+
+Supported operation is Get.
 
 <a href="" id="failedupdates-failed-update-guid-revisionnumber"></a>**FailedUpdates/*Failed Update Guid*/RevisionNumber**
-<p>Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
+Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
 
-<p>Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="installedupdates"></a>**InstalledUpdates**
-<p>The updates that are installed on the device.
+The updates that are installed on the device.
 
-<p>Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="installedupdates-installed-update-guid"></a>**InstalledUpdates/_Installed Update Guid_**
-<p>UpdateIDs that represent the updates installed on a device.
+UpdateIDs that represent the updates installed on a device.
 
-<p>Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="installedupdates-installed-update-guid-revisionnumber"></a>**InstalledUpdates/*Installed Update Guid*/RevisionNumber**
-<p>Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
+Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
 
-<p>Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="installableupdates"></a>**InstallableUpdates**
-<p>The updates that are applicable and not yet installed on the device. These updates include updates that aren't yet approved.
+The updates that are applicable and not yet installed on the device. These updates include updates that aren't yet approved.
 
-<p>Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="installableupdates-installable-update-guid"></a>**InstallableUpdates/_Installable Update Guid_**
-<p>Update identifiers that represent the updates applicable and not installed on a device.
+Update identifiers that represent the updates applicable and not installed on a device.
 
-<p>Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="installableupdates-installable-update-guid-type"></a>**InstallableUpdates/*Installable Update Guid*/Type**
-<p>The UpdateClassification value of the update. Valid values are:
+The UpdateClassification value of the update. Valid values are:
 
 - 0 - None
 - 1 - Security
 - 2 - Critical
 
-<p>Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="installableupdates-installable-update-guid-revisionnumber"></a>**InstallableUpdates/*Installable Update Guid*/RevisionNumber**
-<p>The revision number for the update that must be passed in server to server sync to get the metadata for the update.
+The revision number for the update that must be passed in server to server sync to get the metadata for the update.
 
-<p>Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="pendingrebootupdates"></a>**PendingRebootUpdates**
-<p>The updates that require a reboot to complete the update session.
+The updates that require a reboot to complete the update session.
 
-<p>Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="pendingrebootupdates-pending-reboot-update-guid"></a>**PendingRebootUpdates/_Pending Reboot Update Guid_**
-<p>Update identifiers for the pending reboot state.
+Update identifiers for the pending reboot state.
 
-<p>Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="pendingrebootupdates-pending-reboot-update-guid-installedtime"></a>**PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime**
-<p>The time the update is installed.
+The time the update is installed.
 
-<p>Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="pendingrebootupdates-pending-reboot-update-guid-revisionnumber"></a>**PendingRebootUpdates/*Pending Reboot Update Guid*/RevisionNumber**
-<p>Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
+Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
 
-<p>Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="lastsuccessfulscantime"></a>**LastSuccessfulScanTime**
-<p>The last successful scan time.
+The last successful scan time.
 
-<p>Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="deferupgrade"></a>**DeferUpgrade**
-<p>Upgrades deferred until the next period.
+Upgrades deferred until the next period.
 
-<p>Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="rollback"></a>**Rollback**
 Added in Windows 10, version 1803. Node for the rollback operations.

windows/configuration/configure-windows-10-taskbar.md

@@ -1,18 +1,10 @@
 ---
 title: Configure Windows 10 taskbar
 description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file.
-ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: how-to
-ms.localizationpriority: medium
 ms.date: 08/18/2023
-ms.reviewer: 
-manager: aaroncz
-ms.collection:
- - highpri
- - tier2
-ms.technology: itpro-configure
 ---
 
 # Configure Windows 10 taskbar

windows/configuration/customize-and-export-start-layout.md

@@ -10,7 +10,6 @@ ms.topic: how-to
 ms.localizationpriority: medium
 ms.date: 08/18/2023
 ms.collection:
- - highpri
  - tier1
 ms.technology: itpro-configure
 ---

windows/configuration/customize-start-menu-layout-windows-11.md

@@ -1,16 +1,9 @@
 ---
 title: Add or remove pinned apps on the Start menu in Windows 11
 description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices.
-manager: aaroncz
 author: lizgt2000
 ms.author: lizlong
 ms.reviewer: ericpapa
-ms.prod: windows-client
-ms.localizationpriority: medium
-ms.collection:
- - highpri
- - tier1
-ms.technology: itpro-configure
 ms.date: 01/10/2023
 ms.topic: article
 ---

windows/configuration/customize-taskbar-windows-11.md

@@ -8,7 +8,6 @@ ms.prod: windows-client
 author: lizgt2000
 ms.localizationpriority: medium
 ms.collection:
- - highpri
  - tier1
 ms.technology: itpro-configure
 ms.date: 08/17/2023

windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md

@@ -3,15 +3,8 @@ title: Customize Windows 10 Start and taskbar with group policy
 description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain.
 ms.reviewer: 
 manager: aaroncz
-ms.prod: windows-client
 author: lizgt2000
-ms.localizationpriority: medium
 ms.author: lizlong
-ms.topic: article
-ms.collection:
- - highpri
- - tier2
-ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---
 

windows/configuration/find-the-application-user-model-id-of-an-installed-app.md

@@ -1,17 +1,10 @@
 ---
 title: Find the Application User Model ID of an installed app
 ms.reviewer: sybruckm
-manager: aaroncz
 description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device.
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.collection:
- - highpri
- - tier2
-ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---
 # Find the Application User Model ID of an installed app

windows/configuration/guidelines-for-assigned-access-app.md

@@ -1,16 +1,10 @@
 ---
 title: Guidelines for choosing an app for assigned access
 description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience.
-ms.prod: windows-client
 author: lizgt2000
-ms.localizationpriority: medium
 ms.author: lizlong
 ms.topic: article
 ms.reviewer: sybruckm
-manager: aaroncz
-ms.collection:
- - highpri
- - tier2
 ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---

windows/configuration/index.yml

@@ -9,7 +9,6 @@ metadata:
   ms.topic: landing-page # Required
   ms.prod: windows-client
   ms.collection:
-    - highpri
     - tier1
   author: aczechowski
   ms.author: aaroncz

windows/configuration/kiosk-single-app.md

@@ -2,16 +2,11 @@
 title: Set up a single-app kiosk on Windows
 description: A single-use device is easy to set up in Windows Pro, Enterprise, and Education editions.
 ms.reviewer: sybruckm
-manager: aaroncz
 ms.author: lizlong
-ms.prod: windows-client
 author: lizgt2000
-ms.localizationpriority: medium
 ms.topic: article
 ms.collection:
- - highpri
  - tier1
-ms.technology: itpro-configure
 ms.date: 07/12/2023
 ---
 <!--8107263-->

windows/configuration/lock-down-windows-10-to-specific-apps.md

@@ -1,17 +1,10 @@
 ---
 title: Set up a multi-app kiosk on Windows 10
 description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps.
-ms.prod: windows-client
-ms.technology: itpro-configure
 author: lizgt2000
 ms.author: lizlong
-manager: aaroncz
 ms.reviewer: sybruckm
-ms.localizationpriority: medium
 ms.topic: how-to
-ms.collection:
- - highpri
- - tier2
 ms.date: 11/08/2023
 appliesto: 
   - ✅ <b>Windows 10 Pro</b>

windows/configuration/provisioning-packages/diagnose-provisioning-packages.md

@@ -1,7 +1,6 @@
 ---
 title: Diagnose Provisioning Packages
 description: Diagnose general failures in provisioning.
-ms.reviewer: 
 manager: aaroncz
 ms.author: lizlong 
 ms.topic: article
@@ -9,7 +8,6 @@ ms.prod: windows-client
 ms.technology: itpro-manage
 author: lizgt2000
 ms.date: 01/18/2023
-ms.collection: highpri
 ---
 
 # Diagnose Provisioning Packages
@@ -26,16 +24,16 @@ To apply the power settings successfully with the [correct security context](/wi
 
 ## Unable to perform bulk enrollment in Microsoft Entra ID
 
-When [enrolling devices into Microsoft Entra ID using provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400), the bulk token request will be rejected, if the user requesting a bulk token is not authorized to grant application consent. For more information, see [Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent).
+When [enrolling devices into Microsoft Entra ID using provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400), the bulk token request is rejected, if the user requesting a bulk token isn't authorized to grant application consent. For more information, see [Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent).
 
 > [!NOTE]
-> When obtaining the bulk token, you should select "No, sign in to this app only" when prompted for authentication. If you select "OK" instead without also selecting "Allow my organization to manage my device", the bulk token request may be rejected.
+> When obtaining the bulk token, you should select "No, sign in to this app only" when prompted for authentication. If you select "OK" instead without also selecting "Allow my organization to manage my device", the bulk token request might be rejected.
 
 ## Unable to apply a multivariant provisioning package
 
-When applying a [multivariant package](/windows/configuration/provisioning-packages/provisioning-multivariant), it may be difficult to diagnose why a certain target did not get applied. There may have been improperly authored conditions that did not evaluate as expected.
+When applying a [multivariant package](/windows/configuration/provisioning-packages/provisioning-multivariant), it might be difficult to diagnose why a certain target didn't get applied. There may have been improperly authored conditions that didn't evaluate as expected.
 
-Starting in Windows 11, version 22H2, [MdmDiagnosticsTool](/windows/client-management/diagnose-mdm-failures-in-windows-10) includes multivariant condition values to diagnose problems with multivariant packages to determine why the package was not applied.
+Starting in Windows 11, version 22H2, [MdmDiagnosticsTool](/windows/client-management/diagnose-mdm-failures-in-windows-10) includes multivariant condition values to diagnose problems with multivariant packages to determine why the package wasn't applied.
 
 You can use the following PowerShell example to review the multivariant conditions in the `MDMDiagReport.xml` report:
 

windows/configuration/provisioning-packages/provisioning-install-icd.md

@@ -1,17 +1,10 @@
 ---
 title: Install Windows Configuration Designer
 description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11.
-ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
-ms.localizationpriority: medium
 ms.reviewer: kevinsheehan
-manager: aaroncz
-ms.collection:
- - highpri
- - tier2
-ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---
 

windows/configuration/provisioning-packages/provisioning-packages.md

@@ -2,16 +2,9 @@
 title: Provisioning packages overview
 description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do.
 ms.reviewer: kevinsheehan
-manager: aaroncz
-ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
-ms.localizationpriority: medium
-ms.collection:
- - highpri
- - tier2
-ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---
 

windows/configuration/stop-employees-from-using-microsoft-store.md

@@ -1,18 +1,10 @@
 ---
 title: Configure access to Microsoft Store
 description: Learn how to configure access to Microsoft Store for client computers and mobile devices in your organization.
-ms.reviewer: 
-manager: aaroncz
-ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: conceptual
-ms.localizationpriority: medium
 ms.date: 11/29/2022
-ms.collection:
- - highpri
- - tier2
-ms.technology: itpro-configure
 ---
 
 # Configure access to Microsoft Store

windows/configuration/windows-10-start-layout-options-and-policies.md

@@ -1,18 +1,10 @@
 ---
 title: Customize and manage the Windows 10 Start and taskbar layout
 description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more.
-ms.reviewer: 
-manager: aaroncz
-ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
-ms.localizationpriority: medium
 ms.date: 08/05/2021
-ms.collection:
- - highpri
- - tier2
-ms.technology: itpro-configure
 ---
 
 # Customize the Start menu and taskbar layout on Windows 10 and later devices

windows/configuration/windows-spotlight.md

@@ -1,17 +1,10 @@
 ---
 title: Configure Windows Spotlight on the lock screen
 description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen.
-ms.reviewer: 
-manager: aaroncz
-ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
-ms.localizationpriority: medium
 ms.date: 04/30/2018
-ms.collection:
- - highpri
- - tier2
 ms.technology: itpro-configure
 ---
 

windows/deployment/deploy-enterprise-licenses.md

@@ -14,7 +14,7 @@ ms.collection:
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows 11</b>
-ms.date: 11/23/2022
+ms.date: 11/14/2023
 ---
 
 # Deploy Windows Enterprise licenses
@@ -306,6 +306,6 @@ If a device isn't able to connect to Windows Update, it can lose activation stat
 
 ## Virtual Desktop Access (VDA)
 
-Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another [qualified multitenant hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download).
+Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another qualified multitenant hoster.
 
 Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. For more information, see [Enable VDA for Enterprise subscription activation](vda-subscription-activation.md).

windows/deployment/mbr-to-gpt.md

@@ -4,7 +4,7 @@ description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR)
 ms.prod: windows-client
 author: frankroj
 ms.author: frankroj
-ms.date: 11/23/2022
+ms.date: 11/16/2023
 manager: aaroncz
 ms.localizationpriority: high
 ms.topic: how-to
@@ -12,19 +12,18 @@ ms.collection:
   - highpri
   - tier2
 ms.technology: itpro-deploy
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
 # MBR2GPT.EXE
 
-*Applies to:*
+**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows operating system (OS) by using the **`/allowFullOS`** option.
 
-- Windows 10
+**MBR2GPT.EXE** is located in the **`Windows\System32`** directory on a computer running Windows.
 
-**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **`/allowFullOS`** option.
-
-MBR2GPT.EXE is located in the **`Windows\System32`** directory on a computer running Windows 10 version 1703 or later.
-
-The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version.
+The tool is available in both the full OS environment and Windows PE.
 
 See the following video for a detailed description and demonstration of MBR2GPT.
 
@@ -33,13 +32,13 @@ See the following video for a detailed description and demonstration of MBR2GPT.
 You can use MBR2GPT to:
 
 - Convert any attached MBR-formatted system disk to the GPT partition format. You can't use the tool to convert non-system disks from MBR to GPT.
-- Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you'll need to delete the existing protectors and recreate them.
-- Convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion.
-- Convert an operating system disk from MBR to GPT using Configuration Manager or MDT if your task sequence uses Windows PE version 1703 or later.
+- Convert an MBR disk with BitLocker-encrypted volumes as long as protection is suspended. To resume BitLocker after conversion, you'll need to delete the existing protectors and recreate them.
+- Convert an operating system disk from MBR to GPT using Microsoft Configuration Manager or Microsoft Deployment Toolkit (MDT).
 
-Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion.
+Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported. The recommended method to convert these disks is to upgrade the operating system to a currently supported version of Windows, then perform the MBR to GPT conversion.
 
 > [!IMPORTANT]
+>
 > After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode.
 >
 > Make sure that your device supports UEFI before attempting to convert the disk.
@@ -57,9 +56,9 @@ Before any change to the disk is made, MBR2GPT validates the layout and geometry
 - The disk doesn't have any extended/logical partition
 - The BCD store on the system partition contains a default OS entry pointing to an OS partition
 - The volume IDs can be retrieved for each volume that has a drive letter assigned
-- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option
+- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the `/map` command-line option
 
-If any of these checks fails, the conversion won't proceed, and an error will be returned.
+If any of these checks fails, the conversion doesn't proceed, and an error is returned.
 
 ## Syntax
 
@@ -72,9 +71,9 @@ If any of these checks fails, the conversion won't proceed, and an error will be
 |**/validate**| Instructs `MBR2GPT.exe` to perform only the disk validation steps and report whether the disk is eligible for conversion. |
 |**/convert**| Instructs `MBR2GPT.exe` to perform the disk validation and to proceed with the conversion if all validation tests pass. |
 |**/disk:*\<diskNumber\>***| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as used by the diskpart.exe tool **SELECT DISK SYSTEM** command.|
-|**/logs:*\<logDirectory\>***| Specifies the directory where `MBR2GPT.exe` logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.|
+|**/logs:*\<logDirectory\>***| Specifies the directory where `MBR2GPT.exe` logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it isn't automatically created or overwritten.|
 |**/map:*\<source\>*=*\<destination\>***| Specifies other partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexadecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. |
-|**/allowFullOS**| By default, `MBR2GPT.exe` is blocked unless it's run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment. <br>**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new ESP is created by shrinking the OS partition.|
+|**/allowFullOS**| By default, `MBR2GPT.exe` can only run from Windows PE and is blocked from running in full Windows. This option overrides this block and enables disk conversion while running in the full Windows environment. <br>**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new EFI system partition is created by shrinking the OS partition.|
 
 ## Examples
 
@@ -83,7 +82,7 @@ If any of these checks fails, the conversion won't proceed, and an error will be
 In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location of **`%windir%`**.
 
 ```cmd
-X:\>mbr2gpt.exe /validate /disk:0
+X:\> mbr2gpt.exe /validate /disk:0
 MBR2GPT: Attempting to validate disk 0
 MBR2GPT: Retrieving layout of disk
 MBR2GPT: Validating layout, disk sector size is: 512
@@ -94,19 +93,24 @@ MBR2GPT: Validation completed successfully
 
 In the following example:
 
-1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0.
+1. The current disk partition layout is displayed prior to conversion using DiskPart - three partitions are present on the MBR disk (disk 0):
 
-2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type.
+    - A system reserved partition.
+    - A Windows partition.
+    - A recovery partition.
+    - A DVD-ROM is also present as volume 0.
 
-3. The MBR2GPT tool is used to convert disk 0.
+1. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type.
 
-4. The DiskPart tool displays that disk 0 is now using the GPT format.
+1. The MBR2GPT tool is used to convert disk 0.
 
-5. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
+1. The DiskPart tool displays that disk 0 is now using the GPT format.
 
-6. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
+1. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
 
-As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly.
+1. The OS volume is selected again. The detail displays that the OS volume is converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
+
+As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition boots properly.
 
 <br>
 <details>
@@ -240,42 +244,44 @@ Offset in Bytes: 524288000
 The following steps illustrate high-level phases of the MBR-to-GPT conversion process:
 
 1. Disk validation is performed.
-2. The disk is repartitioned to create an EFI system partition (ESP) if one doesn't already exist.
-3. UEFI boot files are installed to the ESP.
+2. The disk is repartitioned to create an EFI system partition if one doesn't already exist.
+3. UEFI boot files are installed to the EFI system partition.
 4. GPT metadata and layout information are applied.
 5. The boot configuration data (BCD) store is updated.
 6. Drive letter assignments are restored.
 
 ### Creating an EFI system partition
 
-For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules:
+For Windows to remain bootable after the conversion, an EFI system partition must be in place. MBR2GPT creates the EFI system partition using the following rules:
 
 1. The existing MBR system partition is reused if it meets these requirements:
-   1. It isn't also the OS or Windows Recovery Environment partition.
-   1. It is at least 100 MB (or 260 MB for 4K sector size disks) in size.
-   1. It's less than or equal to 1 GB in size. This size is a safety precaution to ensure it isn't a data partition.
-   1. The conversion isn't being performed from the full OS. In this case, the existing MBR system partition is in use and can't be repurposed.
 
-2. If the existing MBR system partition can't be reused, a new ESP is created by shrinking the OS partition. This new partition has a size of 100 MB (or 260 MB for 4K sector size disks) and is formatted FAT32.
+   - It isn't also the OS or Windows Recovery Environment partition.
+   - It is at least 100 MB (or 260 MB for 4K sector size disks) in size.
+   - It's less than or equal to 1 GB in size. This size is a safety precaution to ensure it isn't a data partition.
+   - The conversion isn't being performed from the full OS. In this case, the existing MBR system partition is in use and can't be repurposed.
 
-If the existing MBR system partition isn't reused for the ESP, it's no longer used by the boot process after the conversion. Other partitions aren't modified.
+2. If the existing MBR system partition can't be reused, a new EFI system partition is created by shrinking the OS partition. This new partition has a size of 100 MB (or 260 MB for 4K sector size disks) and is formatted FAT32.
 
->[!IMPORTANT]
->If the existing MBR system partition is not reused for the ESP, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter.
+If the existing MBR system partition isn't reused for the EFI system partition, it's no longer used by the boot process after the conversion. Other partitions aren't modified.
+
+> [!IMPORTANT]
+>
+> If the existing MBR system partition is not reused for the EFI system partition, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter.
 
 ### Partition type mapping and partition attributes
 
 Since GPT partitions use a different set of type IDs than MBR partitions, each partition on the converted disk must be assigned a new type ID. The partition type mapping follows these rules:
 
-1. The ESP is always set to partition type PARTITION_SYSTEM_GUID (c12a7328-f81f-11d2-ba4b-00a0c93ec93b).
-2. If an MBR partition is of a type that matches one of the entries specified in the /map switch, the specified GPT partition type ID is used.
-3. If the MBR partition is of type 0x27, the partition is converted to a GPT partition of type PARTITION_MSFT_RECOVERY_GUID (de94bba4-06d1-4d40-a16a-bfd50179d6ac).
-4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7).
+1. The EFI system partition is always set to partition type **PARTITION_SYSTEM_GUID** (**c12a7328-f81f-11d2-ba4b-00a0c93ec93b**).
+2. If an MBR partition is of a type that matches one of the entries specified in the `/map` switch, the specified GPT partition type ID is used.
+3. If the MBR partition is of type **0x27**, the partition is converted to a GPT partition of type **PARTITION_MSFT_RECOVERY_GUID** (**de94bba4-06d1-4d40-a16a-bfd50179d6ac**).
+4. All other MBR partitions recognized by Windows are converted to GPT partitions of type **PARTITION_BASIC_DATA_GUID** (**ebd0a0a2-b9e5-4433-87c0-68b6b72699c7**).
 
 In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set:
 
-- GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001)
-- GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000)
+- **GPT_ATTRIBUTE_PLATFORM_REQUIRED** (**0x0000000000000001**)
+- **GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER** (**0x8000000000000000**)
 
 For more information about partition types, see:
 
@@ -284,20 +290,21 @@ For more information about partition types, see:
 
 ### Persisting drive letter assignments
 
-The conversion tool will attempt to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter.
+The conversion tool attempts to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error is displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter.
 
 > [!IMPORTANT]
+>
 > This code runs after the layout conversion has taken place, so the operation cannot be undone at this stage.
 
-The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It will then iterate through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry do the following:
+The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It then iterates through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry it does the following:
 
-1. Check if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk.
+1. Checks if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk.
 2. If found, set the value to be the new unique ID, obtained after the layout conversion.
-3. If the new unique ID can't be set and the value name starts with \DosDevices, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment.
+3. If the new unique ID can't be set and the value name starts with **\DosDevices**, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment.
 
 ## Troubleshooting
 
-The tool will display status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions don't translate properly, this is displayed and the conversion not performed. To view more detail about any errors that are encountered, see the associated [log files](#logs).
+The tool displays status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions don't translate properly, this information is displayed and the conversion not performed. To view more detail about any errors that are encountered, see the associated [log files](#logs).
 
 ### Logs
 
@@ -308,16 +315,21 @@ Four log files are created by the MBR2GPT tool:
 - setupact.log
 - setuperr.log
 
-These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion.
+These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The `setupact.log` and `setuperr.log` files have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion.
 
 > [!NOTE]
-> The setupact*.log files are different than the Windows Setup files that are found in the %Windir%\Panther directory.
+>
+> The **setupact*.log** files are different than the Windows Setup files that are found in the `%Windir%\Panther` directory.
 
 The default location for all these log files in Windows PE is **%windir%**.
 
 ### Interactive help
 
-To view a list of options available when using the tool, enter **`mbr2gpt.exe /?`**
+To view a list of options available when using the tool, enter the following command in an elevated command prompt:
+
+```cmd
+mbr2gpt.exe /?
+```
 
 The following text is displayed:
 
@@ -378,7 +390,21 @@ MBR2GPT has the following associated return codes:
 
 ### Determining the partition type
 
-You can type the following command at a Windows PowerShell prompt to display the disk number and partition type. Example output is also shown:
+The partition type can be determined in one of three ways:
+
+- Using Windows PowerShell
+- Using the Disk Management tool
+- Using the DiskPart tool
+
+#### Windows PowerShell
+
+You can enter the following command at a Windows PowerShell prompt to display the disk number and partition type:
+
+```powershell
+Get-Disk | ft -Auto
+``````
+
+Example output:
 
 ```powershell
 PS C:\> Get-Disk | ft -Auto
@@ -389,11 +415,43 @@ Number Friendly Name      Serial Number        HealthStatus OperationalStatus To
 1      ST1000DM003-1ER162 Z4Y3GD8F             Healthy      Online             931.51 GB GPT
 ```
 
-You can also view the partition type of a disk by opening the Disk Management tool, right-clicking the disk number, clicking **Properties**, and then clicking the **Volumes** tab. See the following example:
+#### Disk Management tool
 
-:::image type="content" alt-text="Volumes." source="images/mbr2gpt-volume.png":::
+You can view the partition type of a disk by using the Disk Management tool:
 
-If Windows PowerShell and Disk Management aren't available, such as when you're using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example:
+1. Right-click on the Start Menu and select **Disk Management**. Alternatively, right-click on the Start Menu and select **Run**. In the **Run** dialog box that appears, enter `diskmgmt.msc` and then select **OK**.
+
+1. In the **Disk Management** window that appears:
+
+    1. On the bottom pane, select the disk number of interest.
+
+    1. Select the **Action** menu and then select **All Tasks > Properties**. Alternatively, right-click on the disk number of interest and select **Properties**.
+
+    1. In the **Properties** dialog box that appears for the disk, select the **Volumes** tab.
+
+    1. Under the **Volumes** tab, the partition type is displayed next to **Partition style:**.
+
+#### DiskPart tool
+
+The partition type can be determined with the DiskPart tool. The DiskPart tool is useful in scenarios where the Disk Management tool and PowerShell aren't available, such as in WinPE. PowerShell isn't available in WinPE when the PowerShell optional component isn't loaded. To use the DiskPart tool to determine the partition type:
+
+1. Open an elevated command prompt.
+
+1. In the elevated command prompt that opens enter the following command:
+
+   ```cmd
+   DiskPart.exe
+   ```
+
+1. The **DISKPART>** prompt is displayed in the command prompt windows. At the **DISKPART>** prompt, enter the following command:
+
+   ```cmd
+   list disk
+   ```
+
+1. The partition type is displayed in the **Gpt** column. If the partition is GPT, an asterisk (**\***) is displayed in the column. If the partition is MBR, the column is blank.
+
+The following shows an example output of the DiskPart tool showing the partition type for two disks:
 
 ```cmd
 X:\>DiskPart.exe
@@ -412,66 +470,3 @@ DISKPART> list disk
 ```
 
 In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT.
-
-## Known issue
-
-### MBR2GPT.exe can't run in Windows PE
-
-When you start a Windows 10, version 1903-based computer in the Windows Preinstallation Environment (Windows PE), you encounter the following issues:
-
-**Issue 1** When you run the `MBR2GPT.exe` command, the process exits without converting the drive.
-
-**Issue 2** When you manually run the `MBR2GPT.exe` command in a Command Prompt window, there's no output from the tool.
-
-**Issue 3** When `MBR2GPT.exe` runs inside an imaging process such as a Microsoft Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781.
-
-#### Cause
-
-This issue occurs because in Windows 10, version 1903 and later versions, `MBR2GPT.exe` requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later.
-
-#### Workaround
-
-To fix this issue, mount the Windows PE image (WIM), copy the missing file from the [Windows 10, version 1903 Assessment and Development Kit (ADK)](https://go.microsoft.com/fwlink/?linkid=2086042) source, and then commit the changes to the WIM. Use follow these steps:
-
-1. Mount the Windows PE WIM to a path (for example, C:\WinPE_Mount). For more information about how to mount WIM files, see [Mount an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#mount-an-image).
-
-2. Copy the ReAgent files and the ReAgent localization files from the Windows 10, version 1903 ADK source folder to the mounted WIM.
-
-    For example, if the ADK is installed to the default location of C:\Program Files (x86)\Windows Kits\10 and the Windows PE image is mounted to C:\WinPE_Mount, run the following commands from an elevated Command Prompt window:
-
-    > [!NOTE]
-    > You can access the ReAgent files if you have installed the User State Migration Tool (USMT) as a feature while installing Windows Assessment and Deployment Kit.
-
-    **Command 1:**
-  
-    ```cmd
-    copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32"
-    ```
-
-    This command copies three files:
-
-    - ReAgent.admx
-    - ReAgent.dll
-    - ReAgent.xml
-
-    **Command 2:**
-  
-    ```cmd
-    copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\En-Us\ReAgent*.*" "C:\WinPE_Mount\Windows\System32\En-Us"
-    ```
-
-    This command copies two files:
-
-    - ReAgent.adml
-    - ReAgent.dll.mui
-
-    > [!NOTE]
-    > If you aren't using an English version of Windows, replace "En-Us" in the path with the appropriate string that represents the system language.
-
-3. After you copy all the files, commit the changes and unmount the Windows PE WIM. `MBR2GPT.exe` now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image).
-
-## Related articles
-
-[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
-<BR>[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
-<BR>[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)

windows/deployment/update/waas-branchcache.md

@@ -9,9 +9,8 @@ ms.author: mstewart
 manager: aaroncz
 ms.localizationpriority: medium
 appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-ms.date: 12/31/2017
+ms.date: 11/16/2023
 ---
 
 # Configure BranchCache for Windows client updates
@@ -33,7 +32,10 @@ For detailed information about how Distributed Cache mode and Hosted Cache mode
 
 Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](/previous-versions/windows/it-pro/windows-7/dd637820(v=ws.10)) in the [BranchCache Early Adopter's Guide](/previous-versions/windows/it-pro/windows-7/dd637762(v=ws.10)).
 
-In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
+In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization **Download mode** to '100' (Bypass) to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
+
+> [!Note] 
+> Setting [Download mode](../do/waas-delivery-optimization-reference.md#download-mode) to '100' (Bypass) is only available in Windows 10, version 1607 and later, not in Windows 11. BranchCache isn't supported for Windows 11. <!--8530422-->
 
 ## Configure servers for BranchCache
 

windows/deployment/vda-subscription-activation.md

@@ -9,7 +9,7 @@ ms.prod: windows-client
 ms.technology: itpro-fundamentals
 ms.localizationpriority: medium
 ms.topic: how-to
-ms.date: 11/23/2022
+ms.date: 11/14/2023
 ---
 
 # Configure VDA for Windows subscription activation
@@ -31,7 +31,7 @@ Deployment instructions are provided for the following scenarios:
 
 - VMs must be running a supported version of Windows Pro edition.
 - VMs must be joined to Active Directory or Microsoft Entra ID.
-- VMs must be hosted by a Qualified Multitenant Hoster (QMTH). For more information, download the PDF that describes the [Qualified Multitenant Hoster Program](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf).
+- VMs must be hosted by a Qualified Multitenant Hoster (QMTH).
 
 ## Activation
 

windows/deployment/windows-10-poc.md

@@ -225,26 +225,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf
 > [!IMPORTANT]
 > Don't attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, don't start the VM outside the PoC network.
 
-If you don't have a PC available to convert to VM, do the following steps to download an evaluation VM:
-
-1. Open the [Download virtual machines](https://developer.microsoft.com/microsoft-edge/tools/vms/) page.
-
-    > [!NOTE]
-    > The above link may not be available in all locales.
-
-2. Under **Virtual machine**, choose **IE11 on Win7**.
-
-3. Under **Select platform**, choose **HyperV (Windows)**.
-
-4. Select **Download .zip**. The download is 3.31 GB.
-
-5. Extract the zip file. Three directories are created.
-
-6. Open the **Virtual Hard Disks** directory and then copy **IE11 - Win7.vhd** to the **C:\VHD** directory.
-
-7. Rename **IE11 - Win7.vhd** to **w7.vhd** (don't rename the file to w7.vhdx).
-
-8. In step 5 of the [Configure Hyper-V](#configure-hyper-v) section, replace the VHD file name **w7.vhdx** with **w7.vhd**.
+<!-- removed steps to download VM from developer.microsoft.com/microsoft-edge as tool no longer exists -->
 
 If you have a PC available to convert to VM (computer 2):
 

windows/deployment/windows-10-subscription-activation.md

@@ -11,7 +11,7 @@ ms.collection:
   - highpri
   - tier2
 ms.topic: conceptual
-ms.date: 11/23/2022
+ms.date: 11/14/2023
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows 11</b>
@@ -39,7 +39,15 @@ This article covers the following information:
 For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
 
 > [!NOTE]
-> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their Conditional Access policies using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
+>
+> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using **Select Excluded Cloud Apps**:
+>
+> - [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
+> - [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
+>
+> Although the app ID is the same in both instances, the name of the cloud app will depend on the tenant.
+>
+> For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
 
 ## Subscription activation for Enterprise
 
@@ -239,7 +247,7 @@ For more information, see [Deploy Windows Enterprise licenses](deploy-enterprise
 
 ## Virtual Desktop Access (VDA)
 
-Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another [qualified multitenant hoster (QMTH)](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf).
+Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another qualified multitenant hoster (QMTH).
 
 Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
 

windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md

@@ -1,7 +1,7 @@
 ---
 title: Post-device registration readiness checks
 description: This article details how post-device registration readiness checks are performed in Windows Autopatch
-ms.date: 09/16/2022
+ms.date: 09/16/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual

windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md

@@ -1,7 +1,7 @@
 ---
 title: Quality update trending report
 description: Provides a visual representation of the update status trend for all devices over the last 90 days with Autopatch groups.
-ms.date: 05/01/2023
+ms.date: 09/01/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to

windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md

@@ -1,7 +1,7 @@
 ---
 title: Maintain the Windows Autopatch environment
 description: This article details how to maintain the Windows Autopatch environment
-ms.date: 05/15/2023
+ms.date: 09/15/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to

windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md

@@ -1,7 +1,7 @@
 ---
 title: Submit a support request
 description: Details how to contact the Windows Autopatch Service Engineering Team and submit support requests
-ms.date: 01/06/2023
+ms.date: 09/06/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to

windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md

@@ -1,7 +1,7 @@
 ---
 title: Privacy
 description: This article provides details about the data platform and privacy compliance for Autopatch
-ms.date: 03/13/2023
+ms.date: 09/13/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: reference

windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md

@@ -1,7 +1,7 @@
 ---
 title: Submit a tenant enrollment support request
 description: This article details how to submit a tenant enrollment support request
-ms.date: 01/13/2023
+ms.date: 09/13/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to

windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md

@@ -1,7 +1,7 @@
 ---
 title: Fix issues found by the Readiness assessment tool
 description: This article details how to fix issues found by the Readiness assessment tool.
-ms.date: 01/12/2023
+ms.date: 09/12/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to

windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md

@@ -1,7 +1,7 @@
 ---
 title: Prerequisites
 description: This article details the prerequisites needed for Windows Autopatch
-ms.date: 04/24/2023
+ms.date: 09/24/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual

windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md

@@ -1,7 +1,7 @@
 ---
 title: Windows update policies
 description: This article explains Windows update policies in Windows Autopatch
-ms.date: 12/02/2022
+ms.date: 09/02/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual

windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md

@@ -1,7 +1,7 @@
 ---
 title: What's new 2023
 description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 10/27/2023 
+ms.date: 11/16/2023 
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: whats-new
@@ -21,6 +21,14 @@ This article lists new and updated feature releases, and service releases, with
 
 Minor corrections such as typos, style, or formatting issues aren't listed.
 
+## November 2023
+
+## November service release
+
+| Message center post number | Description |
+| ----- | ----- |
+| [MC689492](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned Maintenance: Service maintenance to improve Windows Autopatch performance |
+
 ## October 2023
 
 ### October feature releases or updates

windows/hub/index.yml

@@ -10,7 +10,6 @@ metadata:
   ms.topic: hub-page
   ms.prod: windows-client
   ms.collection:
-    - highpri
     - tier1
   author: paolomatarazzo
   ms.author: paoloma

windows/security/application-security/application-control/user-account-control/how-it-works.md

@@ -1,9 +1,6 @@
 ---
 title: How User Account Control works 
 description: Learn about User Account Control (UAC) components and how it interacts with the end users.
-ms.collection: 
-  - highpri
-  - tier2
 ms.topic: concept-article
 ms.date: 05/24/2023
 ---

windows/security/application-security/application-control/user-account-control/index.md

@@ -1,9 +1,6 @@
 ---
 title: User Account Control
 description: Learn how User Account Control (UAC) helps to prevent unauthorized changes to Windows devices.
-ms.collection: 
-  - highpri
-  - tier2
 ms.topic: overview
 ms.date: 05/24/2023
 ---

windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md

@@ -2,7 +2,6 @@
 title: AppLocker
 description: This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies.
 ms.collection:
-- highpri
 - tier3
 - must-keep
 ms.topic: conceptual

windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md

@@ -3,7 +3,6 @@ title: Microsoft recommended driver block rules
 description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community.
 ms.localizationpriority: medium
 ms.collection:
-- highpri
 - tier3
 - must-keep
 ms.date: 06/06/2023

windows/security/application-security/application-control/windows-defender-application-control/wdac.md

@@ -3,7 +3,6 @@ title: Application Control for Windows
 description: Application Control restricts which applications users are allowed to run and the code that runs in the system core.
 ms.localizationpriority: medium
 ms.collection:
-- highpri
 - tier3
 - must-keep
 ms.date: 08/30/2023

windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md

@@ -3,9 +3,6 @@ title: Enable hardware-based isolation for Microsoft Edge
 description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise.
 ms.date: 07/11/2023
 ms.topic: how-to
-ms.collection:
-  - highpri
-  - tier2
 ---
 
 # Prepare to install Microsoft Defender Application Guard

windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md

@@ -1,11 +1,7 @@
 ---
 title: Microsoft Defender Application Guard
 description: Learn about Microsoft Defender Application Guard and how it helps combat malicious content and malware out on the Internet.
-ms.localizationpriority: medium
 ms.date: 07/11/2023
-ms.collection:
-  - highpri
-  - tier2
 ms.topic: conceptual
 ---
 

windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md

@@ -1,9 +1,6 @@
 ---
 title: Windows Sandbox configuration
 description: Windows Sandbox configuration
-ms.collection:
-  - highpri
-  - tier2
 ms.topic: article
 ms.date: 05/25/2023
 ---

windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md

@@ -1,9 +1,6 @@
 ---
 title: Windows Sandbox
 description: Windows Sandbox overview
-ms.collection:
-  - highpri
-  - tier2
 ms.topic: article
 ms.date: 05/25/2023
 ---

windows/security/docfx.json

@@ -222,14 +222,12 @@
         "operating-system-security/device-management/windows-security-configuration-framework/*.md": "jmunck"
       },
       "ms.collection": {
-        "application-security/application-control/windows-defender-application-control/**/*.md": [ "tier3", "must-keep" ],
         "identity-protection/hello-for-business/*.md": "tier1",
         "information-protection/pluton/*.md": "tier1",
         "information-protection/tpm/*.md": "tier1",
         "threat-protection/auditing/*.md": "tier3",
         "operating-system-security/data-protection/bitlocker/*.md": "tier1",
-        "operating-system-security/data-protection/personal-data-encryption/*.md": "tier1",
-        "operating-system-security/network-security/windows-firewall/*.md": [ "tier2", "must-keep" ]
+        "operating-system-security/data-protection/personal-data-encryption/*.md": "tier1"
       }
     },
     "template": [],

windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md

@@ -1,10 +1,6 @@
 ---
 title: Enable memory integrity
 description: This article explains the steps to opt in to using memory integrity on Windows devices.
-ms.localizationpriority: medium
-ms.collection:
-  - highpri
-  - tier2
 ms.topic: conceptual
 ms.date: 03/16/2023
 appliesto:

windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md

@@ -2,7 +2,6 @@
 title: Kernel DMA Protection
 description: Learn how Kernel DMA Protection protects Windows devices against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices.
 ms.collection:
-  - highpri
   - tier1
 ms.topic: conceptual
 ms.date: 07/31/2023

windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md

@@ -4,7 +4,6 @@ description: Learn how to view and troubleshoot the Trusted Platform Module (TPM
 ms.topic: conceptual
 ms.date: 11/17/2023
 ms.collection:
-- highpri
 - tier1
 ---
 

windows/security/hardware-security/tpm/tpm-recommendations.md

@@ -4,7 +4,6 @@ description: This topic provides recommendations for Trusted Platform Module (TP
 ms.topic: conceptual
 ms.date: 11/17/2023
 ms.collection:
-- highpri
 - tier1
 ---
 

windows/security/hardware-security/tpm/trusted-platform-module-overview.md

@@ -4,7 +4,6 @@ description: Learn about the Trusted Platform Module (TPM) and how Windows uses
 ms.topic: conceptual
 ms.date: 11/17/2023
 ms.collection:
-- highpri
 - tier1
 ---
 

windows/security/identity-protection/credential-guard/configure.md

@@ -2,9 +2,6 @@
 title: Configure Credential Guard 
 description: Learn how to configure Credential Guard using MDM, Group Policy, or the registry.
 ms.date: 08/31/2023
-ms.collection:
-  - highpri
-  - tier2
 ms.topic: how-to
 ---
 

windows/security/identity-protection/credential-guard/index.md

@@ -3,9 +3,6 @@ title: Credential Guard overview
 description: Learn about Credential Guard and how it isolates secrets so that only privileged system software can access them.
 ms.date: 08/31/2023
 ms.topic: overview
-ms.collection: 
-  - highpri
-  - tier1
 ---
 
 # Credential Guard overview

windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md

@@ -1,9 +1,6 @@
 ---
 title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust
 description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario
-ms.collection: 
-- highpri
-- tier1
 ms.date: 09/07/2023
 ms.topic: tutorial
 ---

windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md

@@ -1,8 +1,6 @@
 ---
 title: Deploy certificates for remote desktop sign-in
 description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials.
-ms.collection: 
-  - tier1
 ms.topic: how-to
 ms.date: 07/25/2023
 ---

windows/security/identity-protection/hello-for-business/hello-faq.yml

@@ -4,9 +4,6 @@ metadata:
   description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business.
   author: paolomatarazzo
   ms.author: paoloma
-  ms.collection:
-    - highpri
-    - tier1
   ms.topic: faq
   ms.date: 08/03/2023
 

windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md

@@ -1,9 +1,6 @@
 ---
 title: PIN reset
 description: Learn how Microsoft PIN reset service enables your users to recover a forgotten Windows Hello for Business PIN.
-ms.collection: 
-  - highpri
-  - tier1
 ms.date: 08/15/2023
 ms.topic: how-to
 ---

windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md

@@ -3,8 +3,6 @@ title: Remote Desktop
 description: Learn how Windows Hello for Business supports using biometrics with remote desktop
 ms.date: 09/01/2023
 ms.topic: conceptual
-ms.collection:
-- tier1
 ---
 
 # Remote Desktop

windows/security/identity-protection/hello-for-business/hello-identity-verification.md

@@ -3,8 +3,6 @@ ms.date: 10/09/2023
 title: Windows Hello for Business Deployment Prerequisite Overview
 description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
 ms.topic: overview
-ms.collection:
-- tier1
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>

windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md

@@ -1,9 +1,6 @@
 ---
 title: Manage Windows Hello in your organization 
 description: Learn how to create a Group Policy or mobile device management (MDM) policy to configure and deploy Windows Hello for Business.
-ms.collection: 
-  - highpri
-  - tier1
 ms.date: 9/25/2023
 ms.topic: reference
 ---

windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md

@@ -1,9 +1,6 @@
 ---
 title: Why a PIN is better than an online password
 description: Windows Hello enables users to sign in to their devices using a PIN. Learn how is a PIN different from (and better than) an online password.
-ms.collection: 
-  - highpri
-  - tier1
 ms.date: 03/15/2023
 ms.topic: conceptual
 ---

windows/security/identity-protection/hello-for-business/index.md

@@ -1,9 +1,6 @@
 ---
 title: Windows Hello for Business Overview
 description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on Windows devices.
-ms.collection: 
-  - highpri
-  - tier1
 ms.topic: overview
 ms.date: 04/24/2023
 ---

windows/security/identity-protection/passkeys/index.md

@@ -2,7 +2,6 @@
 title: Support for passkeys in Windows
 description: Learn about passkeys and how to use them on Windows devices.
 ms.collection: 
-- highpri
 - tier1
 ms.topic: overview
 ms.date: 11/07/2023

windows/security/identity-protection/passwordless-experience/index.md

@@ -2,7 +2,6 @@
 title: Windows passwordless experience
 description: Learn how Windows passwordless experience enables your organization to move away from passwords.
 ms.collection: 
-  - highpri
   - tier1
 ms.date: 09/27/2023
 ms.topic: how-to

windows/security/identity-protection/remote-credential-guard.md

@@ -1,11 +1,8 @@
 ---
 title: Remote Credential Guard 
 description: Learn how Remote Credential Guard helps to secure Remote Desktop credentials by never sending them to the target device.
-ms.collection: 
-- highpri
-- tier1
 ms.topic: how-to
-ms.date: 09/06/2023
+ms.date: 11/17/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
@@ -133,7 +130,7 @@ reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin
 To enable Remote Credential Guard on the clients, you can configure a policy that prevents the delegation of credentials to the remote hosts.
 
 > [!TIP]
-> If you don't want to configure your clients to enforce Remote Credential Guard, you can use the following command to use Remote Credential Guard for a specific RDP session:
+> If you don't want to configure your clients to enforce Remote Credential Guard, and if you are an administrator of the remote host, you can use the following command to use Remote Credential Guard for a specific RDP session:
 > ```cmd
 > mstsc.exe /remoteGuard
 > ```

windows/security/identity-protection/web-sign-in/index.md

@@ -6,7 +6,6 @@ ms.topic: how-to
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
 ms.collection:
-  - highpri
   - tier1
 ---
 

windows/security/index.yml

@@ -9,7 +9,6 @@ metadata:
   ms.prod: windows-client
   ms.technology: itpro-security
   ms.collection:
-    - highpri
     - tier1
   author: paolomatarazzo
   ms.author: paoloma

windows/security/licensing-and-edition-requirements.md

@@ -1,8 +1,6 @@
 ---
 title: Windows security features licensing and edition requirements
 description: Learn about Windows licensing and edition requirements for the features included in Windows.
-ms.collection:
-- tier2
 ms.topic: conceptual
 ms.date: 06/15/2023
 appliesto:

windows/security/operating-system-security/data-protection/bitlocker/faq.yml

@@ -1,9 +1,7 @@
 ### YamlMime:FAQ
 metadata:
   title: BitLocker FAQ
-  description: Learn more about BitLocker by reviewing the frequently asked questions. 
-  ms.collection:
-    - tier1
+  description: Learn more about BitLocker by reviewing the frequently asked questions.
   ms.topic: faq
   ms.date: 10/30/2023
 title: BitLocker FAQ

windows/security/operating-system-security/data-protection/bitlocker/index.md

@@ -1,9 +1,6 @@
 ---
 title: BitLocker overview
 description: Learn about BitLocker practical applications and requirements.
-ms.collection:
-  - highpri
-  - tier1
 ms.topic: overview
 ms.date: 10/30/2023
 ---

windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md

@@ -1,8 +1,6 @@
 ---
 title: BitLocker operations guide
 description: Learn how to use different tools to manage and operate BitLocker.
-ms.collection: 
-  - tier1
 ms.topic: how-to
 ms.date: 10/30/2023
 ---

windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md

@@ -1,9 +1,6 @@
 ---
 title: BitLocker preboot recovery screen
 description: Learn about the information displayed in the BitLocker preboot recovery screen, depending on configured policy settings and recovery keys status.
-ms.collection: 
-  - highpri
-  - tier1
 ms.topic: concept-article
 ms.date: 10/30/2023
 ---

windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md

@@ -1,9 +1,6 @@
 ---
 title: BitLocker recovery overview
 description: Learn about BitLocker recovery scenarios, recovery options, and how to determine root cause of failed automatic unlocks.
-ms.collection: 
-  - highpri
-  - tier1
 ms.topic: how-to
 ms.date: 10/30/2023
 ---

windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md

@@ -1,9 +1,6 @@
 ---
 title: BitLocker recovery process
 description: Learn how to obtain BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices, and how to restore access to a locked drive.
-ms.collection: 
-  - highpri
-  - tier1
 ms.topic: how-to
 ms.date: 10/30/2023
 ---

windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md

@@ -1,10 +1,6 @@
 ---
 title: Microsoft Security Compliance Toolkit Guide
 description: This article describes how to use Security Compliance Toolkit in your organization.
-ms.localizationpriority: medium
-ms.collection:
-  - highpri
-  - tier3
 ms.topic: conceptual
 ms.date: 10/31/2023
 ---

windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md

@@ -1,10 +1,6 @@
 ---
 title: Security baselines guide
 description: Learn how to use security baselines in your organization.
-ms.localizationpriority: medium
-ms.collection:
-  - highpri
-  - tier3
 ms.topic: conceptual
 ms.date: 07/11/2023
 ---

windows/security/operating-system-security/network-security/toc.yml

@@ -7,8 +7,8 @@ items:
     href: https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09
   - name: Extensible Authentication Protocol (EAP) for network access
     href: /windows-server/networking/technologies/extensible-authentication-protocol/network-access
-  - name: Windows Firewall 🔗
-    href: windows-firewall/windows-firewall-with-advanced-security.md
+  - name: Windows Firewall
+    href: windows-firewall/toc.yml
   - name: Virtual Private Network (VPN)
     href: vpn/toc.yml
   - name: Always On VPN 🔗

windows/security/operating-system-security/network-security/windows-firewall/TOC.yml

@@ -1,254 +0,0 @@
-items:
-  - name: Overview
-    href: windows-firewall-with-advanced-security.md
-  - name: Plan deployment
-    items: 
-      - name: Design guide
-        href: windows-firewall-with-advanced-security-design-guide.md
-      - name: Design process
-        href: understanding-the-windows-firewall-with-advanced-security-design-process.md
-      - name: Implementation goals
-        items: 
-          - name: Identify implementation goals
-            href: identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
-          - name: Protect devices from unwanted network traffic
-            href: protect-devices-from-unwanted-network-traffic.md
-          - name: Restrict access to only trusted devices
-            href: restrict-access-to-only-trusted-devices.md
-          - name: Require encryption
-            href: require-encryption-when-accessing-sensitive-network-resources.md
-          - name: Restrict access
-            href: restrict-access-to-only-specified-users-or-devices.md
-      - name: Implementation designs
-        items: 
-          - name: Map goals to a design
-            href: mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
-          - name: Basic firewall design
-            href: basic-firewall-policy-design.md
-            items: 
-              - name: Basic firewall design example
-                href: firewall-policy-design-example.md
-          - name: Domain isolation design
-            href: domain-isolation-policy-design.md
-            items: 
-              - name: Domain isolation design example
-                href: domain-isolation-policy-design-example.md
-          - name: Server isolation design
-            href: server-isolation-policy-design.md
-            items: 
-              - name: Server Isolation design example
-                href: server-isolation-policy-design-example.md
-          - name: Certificate-based isolation design
-            href: certificate-based-isolation-policy-design.md
-            items: 
-              - name: Certificate-based Isolation design example
-                href: certificate-based-isolation-policy-design-example.md
-      - name: Design planning
-        items: 
-          - name: Plan your design
-            href: planning-your-windows-firewall-with-advanced-security-design.md
-          - name: Plan settings for a basic firewall policy
-            href: planning-settings-for-a-basic-firewall-policy.md
-          - name: Plan domain isolation zones
-            items: 
-              - name: Domain isolation zones
-                href: planning-domain-isolation-zones.md
-              - name: Exemption list
-                href: exemption-list.md
-              - name: Isolated domain
-                href: isolated-domain.md
-              - name: Boundary zone
-                href: boundary-zone.md
-              - name: Encryption zone
-                href: encryption-zone.md
-          - name: Plan server isolation zones
-            href: planning-server-isolation-zones.md
-          - name: Plan certificate-based authentication
-            href: planning-certificate-based-authentication.md
-            items: 
-              - name: Document the Zones
-                href: documenting-the-zones.md
-              - name: Plan group policy deployment for your isolation zones
-                href: planning-group-policy-deployment-for-your-isolation-zones.md
-                items: 
-                  - name: Plan isolation groups for the zones
-                    href: planning-isolation-groups-for-the-zones.md
-                  - name: Plan network access groups
-                    href: planning-network-access-groups.md
-                  - name: Plan the GPOs
-                    href: planning-the-gpos.md
-                    items: 
-                      - name: Firewall GPOs
-                        href: firewall-gpos.md
-                        items: 
-                          - name: GPO_DOMISO_Firewall
-                            href: gpo-domiso-firewall.md
-                      - name: Isolated domain GPOs
-                        href: isolated-domain-gpos.md
-                        items: 
-                          - name: GPO_DOMISO_IsolatedDomain_Clients
-                            href: gpo-domiso-isolateddomain-clients.md
-                          - name: GPO_DOMISO_IsolatedDomain_Servers
-                            href: gpo-domiso-isolateddomain-servers.md
-                      - name: Boundary zone GPOs
-                        href: boundary-zone-gpos.md
-                        items: 
-                          - name: GPO_DOMISO_Boundary
-                            href: gpo-domiso-boundary.md
-                      - name: Encryption zone GPOs
-                        href: encryption-zone-gpos.md
-                        items: 
-                          - name: GPO_DOMISO_Encryption
-                            href: gpo-domiso-encryption.md
-                      - name: Server isolation GPOs
-                        href: server-isolation-gpos.md
-                  - name: Plan GPO deployment
-                    href: planning-gpo-deployment.md
-      - name: Plan to deploy
-        href: planning-to-deploy-windows-firewall-with-advanced-security.md
-  - name: Deployment guide
-    items: 
-      - name: Deployment overview
-        href: windows-firewall-with-advanced-security-deployment-guide.md
-      - name: Implement your plan
-        href: implementing-your-windows-firewall-with-advanced-security-design-plan.md
-      - name: Basic firewall deployment
-        items: 
-          - name: "Checklist: Implement a basic firewall policy design"
-            href: checklist-implementing-a-basic-firewall-policy-design.md
-      - name: Domain isolation deployment
-        items: 
-          - name: "Checklist: Implement a Domain Isolation Policy Design"
-            href: checklist-implementing-a-domain-isolation-policy-design.md
-      - name: Server isolation deployment
-        items: 
-          - name: "Checklist: Implement a Standalone Server Isolation Policy Design"
-            href: checklist-implementing-a-standalone-server-isolation-policy-design.md
-      - name: Certificate-based authentication
-        items: 
-          - name: "Checklist: Implement a Certificate-based Isolation Policy Design"
-            href: checklist-implementing-a-certificate-based-isolation-policy-design.md
-  - name: Best practices
-    items: 
-      - name: Configure the firewall
-        href: best-practices-configuring.md
-      - name: Secure IPsec
-        href: securing-end-to-end-ipsec-connections-by-using-ikev2.md
-      - name: PowerShell
-        href: windows-firewall-with-advanced-security-administration-with-windows-powershell.md
-      - name: Isolate Microsoft Store Apps on Your Network
-        href: isolating-apps-on-your-network.md
-  - name: How-to
-    items: 
-      - name: Add Production devices to the membership group for a zone
-        href: add-production-devices-to-the-membership-group-for-a-zone.md
-      - name: Add test devices to the membership group for a zone
-        href: add-test-devices-to-the-membership-group-for-a-zone.md
-      - name: Assign security group filters to the GPO
-        href: assign-security-group-filters-to-the-gpo.md
-      - name: Change rules from request to require mode
-        href: Change-Rules-From-Request-To-Require-Mode.Md
-      - name: Configure authentication methods
-        href: Configure-authentication-methods.md
-      - name: Configure data protection (Quick Mode) settings
-        href: configure-data-protection-quick-mode-settings.md
-      - name: Configure Group Policy to autoenroll and deploy certificates
-        href: configure-group-policy-to-autoenroll-and-deploy-certificates.md
-      - name: Configure Hyper-V firewall
-        href: hyper-v-firewall.md
-      - name: Configure key exchange (main mode) settings
-        href: configure-key-exchange-main-mode-settings.md
-      - name: Configure the rules to require encryption
-        href: configure-the-rules-to-require-encryption.md
-      - name: Configure the Windows Firewall log
-        href: configure-the-windows-firewall-log.md
-      - name: Configure the workstation authentication certificate template
-        href: configure-the-workstation-authentication-certificate-template.md
-      - name: Configure Windows Firewall to suppress notifications when a program is blocked
-        href: configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
-      - name: Confirm that certificates are deployed correctly
-        href: confirm-that-certificates-are-deployed-correctly.md
-      - name: Copy a GPO to create a new GPO
-        href: copy-a-gpo-to-create-a-new-gpo.md
-      - name: Create a Group Account in Active Directory
-        href: create-a-group-account-in-active-directory.md
-      - name: Create a Group Policy Object
-        href: create-a-group-policy-object.md
-      - name: Create an authentication exemption list rule
-        href: create-an-authentication-exemption-list-rule.md
-      - name: Create an authentication request rule
-        href: create-an-authentication-request-rule.md
-      - name: Create an inbound ICMP rule
-        href: create-an-inbound-icmp-rule.md
-      - name: Create an inbound port rule
-        href: create-an-inbound-port-rule.md
-      - name: Create an inbound program or service rule
-        href: create-an-inbound-program-or-service-rule.md
-      - name: Create an outbound port rule
-        href: create-an-outbound-port-rule.md
-      - name: Create an outbound program or service rule
-        href: create-an-outbound-program-or-service-rule.md
-      - name: Create inbound rules to support RPC
-        href: create-inbound-rules-to-support-rpc.md
-      - name: Create WMI filters for the GPO
-        href: create-wmi-filters-for-the-gpo.md
-      - name: Create Windows Firewall rules in Intune
-        href: create-windows-firewall-rules-in-intune.md
-      - name: Enable predefined inbound rules
-        href: enable-predefined-inbound-rules.md
-      - name: Enable predefined outbound rules
-        href: enable-predefined-outbound-rules.md
-      - name: Exempt ICMP from authentication
-        href: exempt-icmp-from-authentication.md
-      - name: Link the GPO to the domain
-        href: link-the-gpo-to-the-domain.md
-      - name: Modify GPO filters
-        href: modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
-      - name: Open IP security policies
-        href: open-the-group-policy-management-console-to-ip-security-policies.md
-      - name: Open Group Policy
-        href: open-the-group-policy-management-console-to-windows-firewall.md
-      - name: Open Group Policy
-        href: open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
-      - name: Open Windows Firewall
-        href: open-windows-firewall-with-advanced-security.md
-      - name: Restrict server access
-        href: restrict-server-access-to-members-of-a-group-only.md
-      - name: Enable Windows Firewall
-        href: turn-on-windows-firewall-and-configure-default-behavior.md
-      - name: Verify Network Traffic
-        href: verify-that-network-traffic-is-authenticated.md
-  - name: References
-    items: 
-      - name: "Checklist: Create Group Policy objects"
-        href: checklist-creating-group-policy-objects.md
-      - name: "Checklist: Create inbound firewall rules"
-        href: checklist-creating-inbound-firewall-rules.md
-      - name: "Checklist: Create outbound firewall rules"
-        href: checklist-creating-outbound-firewall-rules.md
-      - name: "Checklist: Configure basic firewall settings"
-        href: checklist-configuring-basic-firewall-settings.md
-      - name: "Checklist: Configure rules for the isolated domain"
-        href: checklist-configuring-rules-for-the-isolated-domain.md
-      - name: "Checklist: Configure rules for the boundary zone"
-        href: checklist-configuring-rules-for-the-boundary-zone.md
-      - name: "Checklist: Configure rules for the encryption zone"
-        href: checklist-configuring-rules-for-the-encryption-zone.md
-      - name: "Checklist: Configure rules for an isolated server zone"
-        href: checklist-configuring-rules-for-an-isolated-server-zone.md
-      - name: "Checklist: Configure rules for servers in a standalone isolated server zone"
-        href: checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
-      - name: "Checklist: Create rules for clients of a standalone isolated server zone"
-        href: checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
-      - name: "Appendix A: Sample GPO template files for settings used in this guide"
-        href: appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
-  - name: Troubleshooting
-    items: 
-      - name: Troubleshoot UWP app connectivity issues in Windows Firewall
-        href: troubleshooting-uwp-firewall.md
-      - name: Filter origin audit log improvements
-        href: filter-origin-documentation.md
-      - name: Quarantine behavior
-        href: quarantine.md
-      - name: Firewall settings lost on upgrade
-        href: firewall-settings-lost-on-upgrade.md

windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md

@@ -1,55 +0,0 @@
----
-title: Add Production Devices to the Membership Group for a Zone 
-description: Learn how to add production devices to the membership group for a zone and refresh the group policy on the devices in the membership group.
-ms.prod: windows-client
-ms.topic: how-to
-ms.date: 11/10/2023
----
-
-# Add Production Devices to the Membership Group for a Zone
-
-After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices.
-
-> [!CAUTION]
-> For GPOs that contain connection security rules that prevent unauthenticated connections, ensure you set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your devices are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Don't change the boundary zone GPO to require mode.
-
-The method discussed in this guide uses the *Domain Computers* built-in group. The advantage of this method is that all new devices that are joined to the domain automatically receive the isolated domain GPO. To define this setting successfully, you must make sure that the WMI filters and security group filters exclude devices that must not receive the GPOs. Use device groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the *CG_DOMISO_NOIPSEC* example design. Devices that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md).
-
-Without such a group (or groups), you must either add devices individually or use the groups containing device accounts that are available to you.
-
-To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO.
-
-In this topic:
-
-- [Add the group Domain Devices to the GPO membership group](#to-add-domain-devices-to-the-gpo-membership-group)
-- [Refresh Group Policy on the devices in the membership group](#to-refresh-group-policy-on-a-device)
-- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)
-
-## To add domain devices to the GPO membership group
-
-1. Open Active Directory Users and Computers
-1. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then the container in which you created the membership group
-1. In the details pane, double-click the GPO membership group to which you want to add computers
-1. Select the **Members** tab, and then click **Add**
-1. Type **Domain Computers** in the text box, and then click **OK**
-1. Click **OK** to close the group properties dialog box
-
-After a computer is a member of the group, you can force a Group Policy refresh on the computer.
-
-## To refresh Group Policy on a device
-
-From an elevated command prompt, type the following command:
-
-``` cmd
-gpupdate.exe /target:computer /force
-```
-
-After Group Policy is refreshed, you can see which GPOs are currently applied to the computer.
-
-## To see which GPOs are applied to a device
-
-From an elevated command prompt, type the following command:
-
-``` cmd
-gpresult.exe /r /scope:computer
-```

windows/security/operating-system-security/network-security/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md

@@ -1,51 +0,0 @@
----
-title: Add Test Devices to the Membership Group for a Zone 
-description: Learn how to add devices to the group for a zone to test whether your Windows Defender Firewall with Advanced Security implementation works as expected.
-ms.prod: windows-client
-ms.topic: how-to
-ms.date: 11/10/2023
----
-
-# Add Test Devices to the Membership Group for a Zone
-
-Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete. We also recommend that you initially deploy the rules to a few devices only to be sure that the correct GPOs are being processed by each device.
-
-Add at least one device of each supported operating system type to each membership group. Make sure every GPO for a specific version of Windows and membership group has a device among the test group. After Group Policy has been refreshed on each test device, check the output of the `gpresult.exe` command to confirm that each device is receiving only the GPOs it's supposed to receive.
-
-To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO.
-
-In this topic:
-
-- [Add the test devices to the GPO membership groups](#to-add-test-devices-to-the-gpo-membership-groups)
-- [Refresh Group Policy on the devices in each membership group](#to-refresh-group-policy-on-a-device)
-- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)
-
-## To add test devices to the GPO membership groups
-
-1. Open Active Directory Users and Computers
-1. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then expand the container that holds your membership group account
-1. In the details pane, double-click the GPO membership group to which you want to add devices
-1. Select the **Members** tab, and then click **Add**
-1. Type the name of the device in the text box, and then click **OK**
-1. Repeat steps 5 and 6 for each extra device account or group that you want to add
-1. Click **OK** to close the group properties dialog box
-
-After a device is a member of the group, you can force a Group Policy refresh on the device.
-
-## To refresh Group Policy on a device
-
-From an elevated command prompt, run the following command:
-
-``` cmd
-gpupdate /target:device /force
-```
-
-After Group Policy is refreshed, you can see which GPOs are currently applied to the device.
-
-## To see which GPOs are applied to a device
-
-From an elevated command prompt, run the following command:
-
-``` cmd
-gpresult /r /scope:computer
-```

windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md

@@ -1,87 +0,0 @@
----
-title: Appendix A Sample GPO Template Files for Settings Used in this Guide 
-description: Use sample template files import an XML file containing customized registry preferences into a Group Policy Object (GPO).
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 11/10/2023
----
-
-# Appendix A: sample GPO template files for settings used in this guide
-
-You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC).
-
-To manually create the file, build the settings under **Computer Configuration** > **Preferences** > **Windows Settings** > **Registry**. After you create the settings, drag the container to the desktop. An .xml file is created there.
-
-To import an .xml file to GPMC, drag it and drop it on the **Computer Configuration** > **Preferences** > **Windows Settings** > **Registry** node. If you copy the following sample XML code to a file, and then drag and drop it on the **Registry** node, it creates a **Server and Domain Isolation** collection with the six registry keys discussed in this guide.
-
-The following sample file uses item-level targeting to ensure that the registry keys are applied only on the versions of Windows to which they apply.
-
-> [!NOTE]
-> The file shown here is for sample use only. It should be customized to meet the requirements of your organization's deployment. To customize this file, import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customization.
-
-```xml
-<?xml version="1.0" encoding="utf-8"?>
-
-<Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Server and Domain Isolation Settings">
-
-<Registry
-         clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
-         name="Enable PMTU Discovery"
-         status="EnablePMTUDiscovery"
-         image="12"
-         changed="2008-05-30 20:37:37"
-         uid="{52C38FD7-A081-404C-A8EA-B24A9614D0B5}"
-         desc="<b>Enable PMTU Discovery</b><p>
-            This setting configures whether computers can use PMTU
-            discovery on the network.<p>
-            <b>1</b> --  Enable<br>
-            <b>0</b> --  Disable"
-         bypassErrors="1">
-   <Properties
-         action="U"
-         displayDecimal="1"
-         default="0"
-         hive="HKEY_LOCAL_MACHINE"
-         key="System\CurrentControlSet\Services\TCPIP\Parameters"
-         name="EnablePMTUDiscovery" type="REG_DWORD" value="00000001"/>
-</Registry>
-
-<Registry
-         clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
-         name="IPsec Default Exemptions (Vista and W2K8)"
-         status="NoDefaultExempt"
-         image="12"
-         changed="2008-05-30 20:33:32"
-         uid="{AE5C505D-283E-4060-9A55-70659DFD56B6}"
-         desc="<b>IPsec Default Exemptions for Windows Server 2008
-            and later</b><p>
-            This setting determines which network traffic type is exempt
-            from any IPsec authentication requirements.<p>
-            <b>0</b>: Exempts multicast, broadcast, RSVP, Kerberos, ISAKMP<br>
-            <b>1</b>: Exempts multicast, broadcast, ISAKMP<br>
-            <b>2</b>: Exempts RSVP, Kerberos, ISAKMP<br>
-            <b>3</b>: Exempts ISAKMP only"
-         bypassErrors="1">
-   <Properties
-         action="U"
-         displayDecimal="1"
-         default="0"
-         hive="HKEY_LOCAL_MACHINE"
-         key="SYSTEM\CurrentControlSet\Services\PolicyAgent"
-         name="NoDefaultExempt"
-         type="REG_DWORD"
-         value="00000003"/>
-   <Filters>
-      <FilterOs
-         bool="AND" not="0"
-         class="NT" version="VISTA"
-         type="NE" edition="NE" sp="NE"/>
-      <FilterOs
-         bool="OR" not="0"
-         class="NT" version="2K8"
-         type="NE" edition="NE" sp="NE"/>
-   </Filters>
-</Registry>
-
-</Collection>
-```

windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md

@@ -1,49 +0,0 @@
----
-title: Assign Security Group Filters to the GPO 
-description: Learn how to use Group Policy Management MMC to assign security group filters to a GPO to make sure that the GPO is applied to the correct computers.
-ms.prod: windows-client
-ms.topic: how-to
-ms.date: 11/10/2023
----
-
-# Assign Security Group Filters to the GPO
-
-To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO.
-
->[!IMPORTANT]
->This deployment guide uses the method of adding the Domain Computers group to the membership group for the main isolated domain after testing is complete and you are ready to go live in production. To make this method work, you must prevent any computer that is a member of either the boundary or encryption zone from applying the GPO for the main isolated domain. For example, on the GPOs for the main isolated domain, deny Read and Apply Group Policy permissions to the membership groups for the boundary and encryption zones.
-
-To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the relevant GPOs.
-
-In this topic:
-
-- [Allow members of a group to apply a GPO](#to-allow-members-of-a-group-to-apply-a-gpo)
-- [Prevent members of a group from applying a GPO](#to-prevent-members-of-a-group-from-applying-a-gpo)
-
-## To allow members of a group to apply a GPO
-
-Use the following procedure to add a group to the security filter on the GPO that allows group members to apply the GPO.
-
-1. Open the Group Policy Management console
-1. In the navigation pane, find and then select the GPO that you want to modify
-1. In the details pane, under **Security Filtering**, select **Authenticated Users**, and then select **Remove**
-
-    >[!NOTE]
-    >You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify.
-
-1. Select **Add**
-1. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then select **OK**. If you do not know the name, you can select **Advanced** to browse the list of groups available in the domain
-
-## To prevent members of a group from applying a GPO
-
-Use the following procedure to add a group to the security filter on the GPO that prevents group members from applying the GPO. This is typically used to prevent members of the boundary and encryption zones from applying the GPOs for the isolated domain.
-
-1. Open the Group Policy Management console
-1. In the navigation pane, find and then select the GPO that you want to modify
-1. In the details pane, select the **Delegation** tab
-1. Select **Advanced**
-1. Under the **Group or user names** list, select **Add**
-1. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to be prevented from applying the GPO, and then select **OK**. If you do not know the name, you can select **Advanced** to browse the list of groups available in the domain
-1. Select the group in the **Group or user names** list, and then select the box in the **Deny** column for both **Read** and **Apply group policy**
-1. Select **OK**, and then in the **Windows Security** dialog box, select **Yes**
-1. The group appears in the list with **Custom** permissions

windows/security/operating-system-security/network-security/windows-firewall/basic-firewall-policy-design.md

@@ -1,51 +0,0 @@
----
-title: Basic Firewall Policy Design 
-description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design.
-ms.topic: conceptual
-ms.date: 11/07/2023
----
-
-# Basic Firewall Policy Design
-
-Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but don't have a host-based firewall enabled on each device in the organization.
-
-The Basic Firewall Policy Design helps you to protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses, or that originates from inside your network. In this design, you deploy firewall rules to each device in your organization to allow traffic that is required by the programs that are used. Traffic that doesn't match the rules is dropped.
-
-Traffic can be blocked or permitted based on the characteristics of each network packet: its source or destination IP address, its source or destination port numbers, the program on the device that receives the inbound packet, and so on. This design can also be deployed together with one or more of the other designs that add IPsec protection to the network traffic permitted.
-
-Many network administrators don't want to tackle the difficult task of determining all the appropriate rules for every program that is used by the organization, and then maintaining that list over time. In fact, most programs don't require specific firewall rules. The default behavior of Windows and most contemporary applications makes this task easy:
-
-- On client devices, the default firewall behavior already supports typical client programs. Programs create any required rules for you as part of the installation process. You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another device
-- When you install a server program that must accept unsolicited inbound network traffic, the installation program likely creates or enables the appropriate rules on the server for you. For example, when you install a server role, the appropriate firewall rules are created and enabled automatically
-- For other standard network behavior, the predefined rules that are built into Windows can be configured in a GPO and deployed to the devices in your organization. For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols.
-
-With a few exceptions, the firewall can be enabled on all configurations. Therefore, we recommend that you enable the firewall on every device in your organization. The term "device" includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network.
-
-> [!CAUTION]
-> Stopping the service associated with Windows Defender Firewall with Advanced Security is not supported by Microsoft.
-
-Windows Defender Firewall with Advanced Security is turned on by default.
-
-If you turn off the Windows Defender Firewall service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting.
-
-Compatible third-party firewall software can programmatically disable only the parts of Windows Defender Firewall that might need to be disabled for compatibility. This approach is the recommended one for third-party firewalls to coexist with the Windows Defender Firewall; third-party firewalls that comply with this recommendation have the certified logo from Microsoft.
-
-An organization typically uses this design as a first step toward a more comprehensive Windows Defender Firewall design that adds server isolation and domain isolation.
-
-After implementing this design, you'll have centralized management of the firewall rules applied to all devices that are running Windows in your organization.
-
-> [!IMPORTANT]
-> If you also intend to deploy the [Domain Isolation Policy Design](domain-isolation-policy-design.md), or the [Server Isolation Policy Design](server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design.
-
-The basic firewall design can be applied to devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the firewall settings and rules.
-
-For more information about this design:
-
-- This design coincides with the deployment goal to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)
-- To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md)
-- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
-- To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)
-- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md)
-
-> [!div class="nextstepaction"]
-> [Domain Isolation Policy Design](domain-isolation-policy-design.md)

windows/security/operating-system-security/network-security/windows-firewall/boundary-zone-gpos.md

@@ -1,22 +0,0 @@
----
-title: Boundary Zone GPOs 
-description: Learn about GPOs to create that must align with the group you create for the boundary zone in Windows Defender Firewall with Advanced Security.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/07/2021
----
-
-# Boundary Zone GPOs
-
-
-All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section.
-
->**Note:**  If you are designing GPOs for at least Windows Vista or Windows Server 2008, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group.
-
-This recommendation means that you create a GPO for a boundary group for a specific operating system by copying and pasting the corresponding GPO for the isolated domain, and then modifying the new copy to provide the behavior required in the boundary zone.
-
-The boundary zone GPOs discussed in this guide are only for server versions of Windows because client devices aren't expected to participate in the boundary zone. If the need for one occurs, either create a new GPO for that version of Windows or expand the WMI filter attached to one of the existing boundary zone GPOs to make it apply to the client version of Windows.
-
-In the Woodgrove Bank example, only the GPO settings for a Web service on at least Windows Server 2008 are discussed.
-
--   [GPO\_DOMISO\_Boundary\_WS2008](gpo-domiso-boundary.md)

windows/security/operating-system-security/network-security/windows-firewall/boundary-zone.md

@@ -1,57 +0,0 @@
----
-title: Boundary Zone 
-description: Learn how a boundary zone supports devices that must receive traffic from beyond an isolated domain in Windows Defender Firewall with Advanced Security.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/07/2021
----
-
-# Boundary Zone
- 
-
-In most organizations, some devices can receive network traffic from devices that aren't part of the isolated domain, and therefore can't authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain.
-
-Devices in the boundary zone are trusted devices that can accept communication requests both from other isolated domain member devices and from untrusted devices. Boundary zone devices try to authenticate any incoming request by using IPsec, initiating an IKE negotiation with the originating device.
-
-The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but don't require it.
-
-These boundary zone devices might receive unsolicited inbound communications from untrusted devices that use plaintext and must be carefully managed and secured in other ways. Mitigating this extra risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone minimizes the extra risk. The following illustration shows a sample process that can help make such a decision.
-
-![design flowchart.](images/wfas-designflowchart1.gif)
-
-The goal of this process is to determine whether the risk of adding a device to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk can't be mitigated, membership must be denied.
-
-You must create a group in Active Directory to contain the members of the boundary zones. The settings and rules for the boundary zone are typically similar to those settings and rules for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain.
-
- [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section discusses creation of the group and how to link it to the GPOs that apply the rules to members of the group.
-
-## GPO settings for boundary zone servers running at least Windows Server 2008
-
-
-The boundary zone GPO for devices running at least Windows Server 2008 should include the following components:
-
--   IPsec default settings that specify the following options:
-
-    1.  Exempt all ICMP traffic from IPsec.
-
-    2.  Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES, and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems.
-
-    3.  Data protection (quick mode) algorithm combinations. We recommend that you don't include DES or MD5 in any setting. They're included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.
-
-        If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies.
-
-    4.  Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers, then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members can't use Kerberos V5, you must include certificate-based authentication as an optional authentication method.
-
--   The following connection security rules:
-
-    -   A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment.
-
-    -   A connection security rule, from **Any IP address** to **Any IP address**, that requests inbound and outbound authentication.
-
--   A registry policy that includes the following values:
-
-    -   Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**.
-
-    >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
-
-**Next:**[Encryption Zone](encryption-zone.md)

windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design-example.md

@@ -1,47 +0,0 @@
----
-title: Certificate-based Isolation Policy Design Example 
-description: This example uses a fictitious company to illustrate certificate-based isolation policy design in Windows Defender Firewall with Advanced Security.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 11/10/2023
----
-
-# Certificate-based Isolation Policy Design Example
-
-This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md).
-
-One of the servers that must be included in the domain isolation environment is a device running UNIX that supplies other information to the WGBank dashboard program running on the client devices. This device sends updated information to the WGBank front-end servers as it becomes available, so it's considered unsolicited inbound traffic to the devices that receive this information.
-
-## Design requirements
-
-One possible solution to this design example is to include an authentication exemption rule in the GPO applied to the WGBank front-end servers. This rule would instruct the front-end servers to accept traffic from the non-Windows device even though it can't authenticate.
-
-A more secure solution, and the one selected by Woodgrove Bank, is to include the non-Windows device in the domain isolation design. Because it can't join an Active Directory domain, Woodgrove Bank chose to use certificate-based authentication. Certificates are cryptographically protected documents, encrypted in such a way that their origin can be positively confirmed.
-
-In this case, Woodgrove Bank used Active Directory Certificate Services to create the appropriate certificate. They might also have acquired and installed a certificate from a third-party commercial certification authority. They then used Group Policy to deploy the certificate to the front-end servers. The GPOs applied to the front-end servers also include updated connection security rules that permit certificate-based authentication in addition to Kerberos V5 authentication. They then manually installed the certificate on the UNIX server.
-
-The UNIX server is configured with firewall and IPsec connection security rules using the tools that are provided by the operating system vendor. Those rules specify that authentication is performed by using the certificate.
-
-The creation of the IPsec connection security rules for a non-Windows device is beyond the scope of this document, but support for a certificate that can be used to authenticate such a non-Windows device by using the standard IPsec protocols is the subject of this design.
-
-The non-Windows device can be effectively made a member of the boundary zone or the encryption zone based on the IPsec rules applied to the device. The only constraint is that the main mode and quick mode encryption algorithms supported by the UNIX device must also be supported by the Windows-based devices with which it communicates.
-
-### Other traffic notes
-
-- None of the capabilities of the other designs discussed in this guide are compromised by the use of certificate authentication by a non-Windows device.
-
-## Design details
-
-Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the devices in their organization.
-
-The inclusion of one or more non-Windows devices to the network requires only a simple addition to the GPOs for devices that must communicate with the non-Windows device. The addition is allowing certificate-based authentication in addition to the Active Directory-supported Kerberos V5 authentication. This certificate-based authoring doesn't require including new rules, just adding certificate-based authentication as an option to the existing rules.
-
-When multiple authentication methods are available, two negotiating devices agree on the first one in their lists that match. Because most of the devices in Woodgrove Bank's network run Windows, Kerberos V5 is listed as the first authentication method in the rules. Certificate-based authentication is added as an alternate authentication type.
-
-With the help of the Active Directory Users and Computers snap-in, Woodgrove Bank created a group named NAG_COMPUTER_WGBUNIX. They then added the device accounts to this group for Windows devices that need to communicate with the non-Windows devices. If all the devices in the isolated domain need to be able to access the non-Windows devices, then the **Domain Computers** group can be added to the group as a member.
-
-Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG_COMPUTER_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device.
-
-> [!div class="nextstepaction"]
->
-> [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)

windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design.md

@@ -1,27 +0,0 @@
----
-title: Certificate-based Isolation Policy Design 
-description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 11/10/2023
----
-
-# Certificate-based isolation policy design
-
-In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic.
-
-Domain isolation and server isolation help provide security for the devices on the network that run Windows and that can be joined to an Active Directory domain. However, in most corporate environments there are typically some devices that must run another operating system. These devices can't join an Active Directory domain, without a third-party package being installed. Also, some devices that do run Windows can't join a domain for various reasons. To rely on Kerberos V5 as the authentication protocol, the device needs to be joined to the Active Directory and (for non-Windows devices) support Kerberos as an authentication protocol.
-
-To authenticate with non-domain member devices, IPsec supports using standards-based cryptographic certificates. Because this authentication method is also supported by many third-party operating systems, it can be used as a way to extend your isolated domain to devices that don't run Windows.
-
-The same principles of the domain and server isolation designs apply to this design. Only devices that can authenticate (in this case, by providing a specified certificate) can communicate with the devices in your isolated domain.
-
-For Windows devices that are part of an Active Directory domain, you can use Group Policy to deploy the certificates required to communicate with the devices that are trusted but aren't part of the Active Directory domain. For other devices, you'll have to either manually configure them with the required certificates, or use a third-party program to distribute the certificates in a secure manner.
-
-For more info about this design:
-
-- This design coincides with the implementation goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md).
-- To learn more about this design, see [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md).
-- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
-- To help you make the decisions required in this design, see [Planning Certificate-based Authentication](planning-certificate-based-authentication.md).
-- For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md).

windows/security/operating-system-security/network-security/windows-firewall/change-rules-from-request-to-require-mode.md

@@ -1,42 +0,0 @@
----
-title: Change Rules from Request to Require Mode 
-description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices.
-ms.prod: windows-client
-ms.topic: how-to
-ms.date: 11/10/2023
----
-
-# Change Rules from Request to Require Mode
-
-After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Don't change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that aren't part of the isolated domain.
-
-To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
-
-In this topic:
-
-- [Convert a rule from request to require mode](#to-convert-a-rule-from-request-to-require-mode)
-- [Apply the modified GPOs to the client devices](#to-apply-the-modified-gpos-to-the-client-devices)
-
-## To convert a rule from request to require mode
-
-1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
-1. In the right navigation pane, click **Connection Security Rules**
-1. In the details pane, double-click the connection security rule that you want to modify
-1. Click the **Authentication** tab
-1. In the **Requirements** section, change **Authenticated mode** to **Require inbound and request outbound**, and then click **OK**
-
-## To apply the modified GPOs to the client devices
-
-1. The next time each device refreshes its Group Policy, it will receive the updated GPO and apply the modified rule. To force an immediate refresh, run the following command from an elevated command prompt:
-
-    ``` cmd
-    gpupdate.exe /force
-    ```
-
-1. To verify that the modified GPO is correctly applied to the client devices, you can run the following command:
-
-    ``` cmd
-    gpresult.exe /r /scope computer
-    ```
-
-1. Examine the command output for the list of GPOs that are applied to the device, and make sure that the list contains the GPOs you expect to see on that device.

windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-basic-firewall-settings.md

@@ -1,17 +0,0 @@
----
-title: Checklist Configuring Basic Firewall Settings 
-description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 11/10/2023
----
-
-# Checklist: configure basic firewall settings
-
-This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules:
-
-| Task | Reference |
-| - | - |
-| Turn the firewall on and set the default inbound and outbound behavior.| [Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)|
-| Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules. | [Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) |
-| Configure the firewall to record a log file. | [Configure the Windows Defender Firewall with Advanced Security Log](configure-the-windows-firewall-log.md)|