diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 2a10d4ad71..6921b57b15 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -20730,6 +20730,11 @@ "redirect_url": "/windows/deployment/s-mode", "redirect_document_id": false }, + { + "source_path": "windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md", + "redirect_url": "https://aka.ms/AzureCodeSigning", + "redirect_document_id": false + }, { "source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md", "redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy", diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index e9d3004423..195a92eff6 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md 
@@ -2,6 +2,21 @@ +## Week of March 20, 2023 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 3/21/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified | +| 3/22/2023 | [Configure Stickers for Windows 11 SE](/education/windows/edu-stickers) | modified | +| 3/22/2023 | [Configure Take a Test in kiosk mode](/education/windows/edu-take-a-test-kiosk-mode) | modified | +| 3/22/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified | +| 3/22/2023 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified | +| 3/22/2023 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | +| 3/22/2023 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified | +| 3/22/2023 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified | + + ## Week of March 06, 2023 diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index bd0cb591bf..ca7f319eb1 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md 
@@ -44,9 +44,9 @@ When you sign up for a Minecraft Education trial, or purchase a subscription, Mi To purchase direct licenses: -1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **How to Buy** in the top navigation bar -1. Scroll down and select **Buy Now** under **Direct Purchase** -1. In the *purchase* page, sign in with an account that has *Billing Admin* privileges in your organization +1. Go to [https://education.minecraft.net/licensing](https://education.minecraft.net/licensing) +1. Under **Direct Purchase**, select **Buy Now** +1. Sign in to the Admin Center purchase page with an account that has *Billing Admin* privileges in your organization 1. If necessary, fill in any requested organization or payment information 1. Select the quantity of licenses you'd like to purchase and select **Place Order** 1. After you've purchased licenses, you'll need to [assign Minecraft Education licenses to your users](#assign-minecraft-education-licenses) diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 5744997054..f9adaaae34 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md 
@@ -90,19 +90,20 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Bulb Digital Portfolio` | 0.0.7.0 | `Store` | `Bulb` | | `CA Secure Browser` | 14.0.0 | Win32 | `Cambium Development` | | `Cisco Umbrella` | 3.0.110.0 | Win32 | `Cisco` | -| `CKAuthenticator` | 3.6+ | Win32 | `Content Keeper` | -| `Class Policy` | 114.0.0 | Win32 | `Class Policy` | +| `CKAuthenticator` | 3.6+ | Win32 | `ContentKeeper` | +| `Class Policy` | 116.0.0 | Win32 | `Class Policy` | | `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` | | `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` | | `ColorVeil` | 4.0.0.175 | Win32 | `East-Tec` | | `ContentKeeper Cloud` | 9.01.45 | Win32 | `ContentKeeper Technologies` | | `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` | -| `DRC INSIGHT Online Assessments` | 12.0.0.0 | `Store` | `Data recognition Corporation` | +| `DRC INSIGHT Online Assessments` | 13.0.0.0 | `Store` | `Data recognition Corporation` | | `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` | | `e-Speaking Voice and Speech recognition` | 4.4.0.8 | Win32 | `e-speaking` | | `EasyReader` | 10.0.3.481 | Win32 | `Dolphin Computer Access` | | `Epson iProjection` | 3.31 | Win32 | `Epson` | | `eTests` | 4.0.25 | Win32 | `CASAS` | +| `FirstVoices Keyboard` | 15.0.270 | Win32 | `SIL International` | | `FortiClient` | 7.2.0.4034+ | Win32 | `Fortinet` | | `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` | | `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` | 
@@ -116,6 +117,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Inspiration 10` | 10.11 | Win32 | `TechEdology Ltd` | | `JAWS for Windows` | 2022.2112.24 | Win32 | `Freedom Scientific` | | `Kite Student Portal` | 9.0.0.0 | Win32 | `Dynamic Learning Maps` | +| `Keyman` | 16.0.138 | Win32 | `SIL International` | `Kortext` | 2.3.433.0 | `Store` | `Kortext` | | `Kurzweil 3000 Assistive Learning` | 20.13.0000 | Win32 | `Kurzweil Educational Systems` | | `LanSchool Classic` | 9.1.0.46 | Win32 | `Stoneware, Inc.` | @@ -125,7 +127,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Microsoft Connect` | 10.0.22000.1 | `Store` | `Microsoft` | | `Mozilla Firefox` | 105.0.0 | Win32 | `Mozilla` | | `NAPLAN` | 2.5.0 | Win32 | `NAP` | -| `Netref Student` | 22.2.0 | Win32 | `NetRef` | +| `Netref Student` | 23.1.0 | Win32 | `NetRef` | | `NetSupport Manager` | 12.01.0014 | Win32 | `NetSupport` | | `NetSupport Notify` | 5.10.1.215 | Win32 | `NetSupport` | | `NetSupport School` | 14.00.0012 | Win32 | `NetSupport` | 
@@ -143,11 +145,11 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` | | `Smoothwall Monitor` | 2.9.2 | Win32 | `Smoothwall Ltd` | | `SuperNova Magnifier & Screen Reader` | 21.02 | Win32 | `Dolphin Computer Access` | -| `SuperNova Magnifier & Speech` | 21.02 | Win32 | `Dolphin Computer Access` | +| `SuperNova Magnifier & Speech` | 21.03 | Win32 | `Dolphin Computer Access` | |`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development` | | `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` | | `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` | -| `WordQ` | 5.4.23 | Win32 | `Mathetmots` | +| `WordQ` | 5.4.23 | Win32 | `WordQ` | | `Zoom` | 5.12.8 (10232) | Win32 | `Zoom` | | `ZoomText Fusion` | 2022.2109.10 | Win32 | `Freedom Scientific` | | `ZoomText Magnifier/Reader` | 2022.2109.25 | Win32 | `Freedom Scientific` | diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md index 9c4f8440b5..f846a1bb50 100644 --- a/windows/client-management/mdm/laps-csp.md +++ b/windows/client-management/mdm/laps-csp.md @@ -112,7 +112,7 @@ Use this setting to tell the CSP to immediately generate and store a new passwor -This action invokes an immediate reset of the local administrator account password, ignoring the normal constraints such as PasswordLengthDays, etc +This action invokes an immediate reset of the local administrator account password, ignoring the normal constraints such as PasswordLengthDays, etc. 
@@ -333,7 +333,7 @@ This setting is ignored if the password is currently being stored in Azure. This setting is only honored when the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher. -- If this setting is enabled, and the Active Directory domain meets the DFL prerequisite, the password will be encrypted before before being stored in Active Directory. +- If this setting is enabled, and the Active Directory domain meets the DFL prerequisite, the password will be encrypted before being stored in Active Directory. - If this setting is disabled, or the Active Directory domain does not meet the DFL prerequisite, the password will be stored as clear-text in Active Directory. @@ -343,7 +343,7 @@ If not specified, this setting defaults to True. > [!IMPORTANT] -> This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory, AND the the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher. +> This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory, AND the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher. @@ -642,8 +642,8 @@ If not specified, this setting defaults to True. | Value | Description | |:--|:--| -| false | Allow configured password expiriration timestamp to exceed maximum password age. | -| true (Default) | Do not allow configured password expiriration timestamp to exceed maximum password age. | +| false | Allow configured password expiration timestamp to exceed maximum password age. | +| true (Default) | Do not allow configured password expiration timestamp to exceed maximum password age. | 
@@ -746,7 +746,7 @@ If not specified, this setting will default to 3 (Reset the password and logoff | Value | Description | |:--|:--| | 1 | Reset password: upon expiry of the grace period, the managed account password will be reset. | -| 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated. | +| 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated. | | 5 | Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. | diff --git a/windows/client-management/mdm/policy-csp-admx-icm.md b/windows/client-management/mdm/policy-csp-admx-icm.md index 27fdebb0e8..962e5c380e 100644 --- a/windows/client-management/mdm/policy-csp-admx-icm.md +++ b/windows/client-management/mdm/policy-csp-admx-icm.md 
@@ -555,11 +555,11 @@ The Knowledge Base is an online source of technical support information and self This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. -- If you enable this setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet. +- If you enable this setting, all of the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet. -- If you disable this policy setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet. +- If you disable this policy setting, all of the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet. -- If you do not configure this policy setting, all of the the policy settings in the "Internet Communication settings" section are set to not configured. +- If you do not configure this policy setting, all of the policy settings in the "Internet Communication settings" section are set to not configured. 
@@ -617,11 +617,11 @@ This policy setting specifies whether Windows can access the Internet to accompl This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. -- If you enable this setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet. +- If you enable this setting, all of the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet. -- If you disable this policy setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet. +- If you disable this policy setting, all of the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet. -- If you do not configure this policy setting, all of the the policy settings in the "Internet Communication settings" section are set to not configured. +- If you do not configure this policy setting, all of the policy settings in the "Internet Communication settings" section are set to not configured. diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md index 9cc16c1696..66b14b8c2f 100644 --- a/windows/client-management/mdm/policy-csp-admx-smartcard.md +++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md 
@@ -601,11 +601,11 @@ This policy setting allows you to control whether elliptic curve cryptography (E -This policy settings lets you configure if all your valid logon certificates are displayed. +This policy setting lets you configure if all your valid logon certificates are displayed. During the certificate renewal period, a user can have multiple valid logon certificates issued from the same certificate template. This can cause confusion as to which certificate to select for logon. The common case for this behavior is when a certificate is renewed and the old one has not yet expired. Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (determined by their UPN). -If there are two or more of the "same" certificate on a smart card and this policy is enabled then the certificate that is used for logon on Windows 2000, Windows XP, and Windows 2003 Server will be shown, otherwise the the certificate with the expiration time furthest in the future will be shown. +If there are two or more of the "same" certificate on a smart card and this policy is enabled then the certificate that is used for logon on Windows 2000, Windows XP, and Windows 2003 Server will be shown, otherwise the certificate with the expiration time furthest in the future will be shown. > [!NOTE] > This setting will be applied after the following policy: "Allow time invalid certificates" @@ -798,7 +798,7 @@ By default the user principal name (UPN) is displayed in addition to the common If you enable this policy setting or do not configure this setting, then the subject name will be reversed. -If you disable , the subject name will be displayed as it appears in the certificate. +If you disable, the subject name will be displayed as it appears in the certificate. diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 4fc092c907..a4ce00c0f4 100644 --- a/windows/deployment/TOC.yml 
+++ b/windows/deployment/TOC.yml @@ -7,10 +7,10 @@ href: deploy-whats-new.md - name: Windows client deployment scenarios href: windows-10-deployment-scenarios.md - - name: What is Windows as a service? - href: update/waas-quick-start.md - - name: Windows update fundamentals - href: update/waas-overview.md + - name: Quick guide to Windows as a service + href: update/waas-quick-start.md + - name: Windows as a service overview + href: update/waas-overview.md - name: Monthly quality updates href: update/quality-updates.md - name: Basics of Windows updates, channels, and tools @@ -47,12 +47,12 @@ - name: Define your servicing strategy href: update/plan-define-strategy.md - name: Delivery Optimization for Windows client updates - href: do/waas-delivery-optimization.md + href: do/waas-delivery-optimization.md?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json items: - name: Using a proxy with Delivery Optimization - href: do/delivery-optimization-proxy.md + href: do/delivery-optimization-proxy.md?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json - name: Delivery Optimization client-service communication - href: do/delivery-optimization-workflow.md + href: do/delivery-optimization-workflow.md?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json - name: Windows 10 deployment considerations href: planning/windows-10-deployment-considerations.md - name: Windows 10 infrastructure requirements @@ -80,7 +80,7 @@ - name: Update Baseline href: update/update-baseline.md - name: Set up Delivery Optimization for Windows client updates - href: do/index.yml + href: do/waas-delivery-optimization-setup.md?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json - name: Configure BranchCache for Windows client updates href: update/waas-branchcache.md - name: Prepare your deployment tools 
@@ -339,7 +339,7 @@ - name: Additional Windows Update settings href: update/waas-wu-settings.md - name: Delivery Optimization reference - href: do/waas-delivery-optimization-reference.md + href: do/waas-delivery-optimization-reference.md?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json - name: Windows client in S mode href: s-mode.md - name: Switch to Windows client Pro or Enterprise from S mode diff --git a/windows/deployment/breadcrumb/toc.yml b/windows/deployment/breadcrumb/toc.yml index c7cea673bd..65a30e06f7 100644 --- a/windows/deployment/breadcrumb/toc.yml +++ b/windows/deployment/breadcrumb/toc.yml @@ -46,3 +46,15 @@ items: - name: Deployment tocHref: /windows/client-management/mdm topicHref: /windows/deployment/ + +- name: Learn + tocHref: / + topicHref: / + items: + - name: Windows + tocHref: /windows/ + topicHref: /windows/resources/ + items: + - name: Deployment + tocHref: /windows/deployment/do + topicHref: /windows/deployment/ \ No newline at end of file diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index 0336d89ddb..5bcf7b6dbe 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml @@ -11,14 +11,12 @@ href: waas-delivery-optimization-faq.yml - name: Configure Delivery Optimization for Windows items: - - name: Windows Delivery Optimization settings - href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings + - name: Set up Delivery Optimization for Windows + href: waas-delivery-optimization-setup.md - name: Configure Delivery Optimization settings using Microsoft Intune href: /mem/intune/configuration/delivery-optimization-windows - name: Resources for Delivery Optimization items: - - name: Set up Delivery Optimization for Windows - href: waas-delivery-optimization-setup.md - name: Delivery Optimization reference href: waas-delivery-optimization-reference.md - name: Delivery Optimization client-service communication 
diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index ad50cecaaa..4908ba4901 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -285,7 +285,7 @@ This policy allows you to specify how your client(s) can discover Delivery Optim With either option, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if set. **By default, this policy has no value.** -Set this policy to designate Delivery Optimization in Network Cache servers through a custom DHCP Option. Specify the custom DHCP option on your server as *text* type. You can add one or more values as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address with commas. +Set this policy to designate Delivery Optimization in Network Cache servers through a custom DHCP Option. Specify the custom DHCP option on your DHCP server as *text* type. You can add one or more values as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address with commas. > [!NOTE] > If you format the DHCP Option ID incorrectly, the client will fall back to the Cache Server Hostname policy value if that value has been set. diff --git a/windows/deployment/images/AV-status-by-computer.png b/windows/deployment/images/AV-status-by-computer.png deleted file mode 100644 index bfae9a3a44..0000000000 Binary files a/windows/deployment/images/AV-status-by-computer.png and /dev/null differ 
diff --git a/windows/deployment/images/CreateSolution-Part1-Marketplace.png b/windows/deployment/images/CreateSolution-Part1-Marketplace.png deleted file mode 100644 index 25793516c2..0000000000 Binary files a/windows/deployment/images/CreateSolution-Part1-Marketplace.png and /dev/null differ diff --git a/windows/deployment/images/CreateSolution-Part2-Create.png b/windows/deployment/images/CreateSolution-Part2-Create.png deleted file mode 100644 index ec63f20402..0000000000 Binary files a/windows/deployment/images/CreateSolution-Part2-Create.png and /dev/null differ diff --git a/windows/deployment/images/CreateSolution-Part3-Workspace.png b/windows/deployment/images/CreateSolution-Part3-Workspace.png deleted file mode 100644 index 1d74aa39d0..0000000000 Binary files a/windows/deployment/images/CreateSolution-Part3-Workspace.png and /dev/null differ diff --git a/windows/deployment/images/CreateSolution-Part4-WorkspaceSelected.png b/windows/deployment/images/CreateSolution-Part4-WorkspaceSelected.png deleted file mode 100644 index 7a3129f467..0000000000 Binary files a/windows/deployment/images/CreateSolution-Part4-WorkspaceSelected.png and /dev/null differ diff --git a/windows/deployment/images/CreateSolution-Part5-GoToResource.png b/windows/deployment/images/CreateSolution-Part5-GoToResource.png deleted file mode 100644 index c3cb382097..0000000000 Binary files a/windows/deployment/images/CreateSolution-Part5-GoToResource.png and /dev/null differ diff --git a/windows/deployment/images/ICD.png b/windows/deployment/images/ICD.png deleted file mode 100644 index 9cfcb845df..0000000000 Binary files a/windows/deployment/images/ICD.png and /dev/null differ diff --git a/windows/deployment/images/ICDstart-option.PNG b/windows/deployment/images/ICDstart-option.PNG deleted file mode 100644 index 1ba49bb261..0000000000 Binary files a/windows/deployment/images/ICDstart-option.PNG and /dev/null differ 
diff --git a/windows/deployment/images/PoC-big.png b/windows/deployment/images/PoC-big.png deleted file mode 100644 index de73506071..0000000000 Binary files a/windows/deployment/images/PoC-big.png and /dev/null differ diff --git a/windows/deployment/images/adk-install.png b/windows/deployment/images/adk-install.png deleted file mode 100644 index c087d3bae5..0000000000 Binary files a/windows/deployment/images/adk-install.png and /dev/null differ diff --git a/windows/deployment/images/autopilotworkflow.png b/windows/deployment/images/autopilotworkflow.png deleted file mode 100644 index a79609f6f7..0000000000 Binary files a/windows/deployment/images/autopilotworkflow.png and /dev/null differ diff --git a/windows/deployment/images/azureadjoined.png b/windows/deployment/images/azureadjoined.png deleted file mode 100644 index e1babffb8d..0000000000 Binary files a/windows/deployment/images/azureadjoined.png and /dev/null differ diff --git a/windows/deployment/images/checkmark.png b/windows/deployment/images/checkmark.png deleted file mode 100644 index f9f04cd6bd..0000000000 Binary files a/windows/deployment/images/checkmark.png and /dev/null differ diff --git a/windows/deployment/images/choose-package.png b/windows/deployment/images/choose-package.png deleted file mode 100644 index 2bf7a18648..0000000000 Binary files a/windows/deployment/images/choose-package.png and /dev/null differ diff --git a/windows/deployment/images/cleanup.PNG b/windows/deployment/images/cleanup.PNG deleted file mode 100644 index 783a069a36..0000000000 Binary files a/windows/deployment/images/cleanup.PNG and /dev/null differ diff --git a/windows/deployment/images/connect-aad.png b/windows/deployment/images/connect-aad.png deleted file mode 100644 index 8583866165..0000000000 Binary files a/windows/deployment/images/connect-aad.png and /dev/null differ 
diff --git a/windows/deployment/images/convert.png b/windows/deployment/images/convert.png deleted file mode 100644 index 224e763bc0..0000000000 Binary files a/windows/deployment/images/convert.png and /dev/null differ diff --git a/windows/deployment/images/crossmark.png b/windows/deployment/images/crossmark.png deleted file mode 100644 index 69432ff71c..0000000000 Binary files a/windows/deployment/images/crossmark.png and /dev/null differ diff --git a/windows/deployment/images/dc01-cm01-pc0001.png b/windows/deployment/images/dc01-cm01-pc0001.png deleted file mode 100644 index f6adafdf15..0000000000 Binary files a/windows/deployment/images/dc01-cm01-pc0001.png and /dev/null differ diff --git a/windows/deployment/images/disk2vhd-convert.PNG b/windows/deployment/images/disk2vhd-convert.PNG deleted file mode 100644 index f0614a5ab1..0000000000 Binary files a/windows/deployment/images/disk2vhd-convert.PNG and /dev/null differ diff --git a/windows/deployment/images/downlevel.PNG b/windows/deployment/images/downlevel.PNG deleted file mode 100644 index dff0ebb02b..0000000000 Binary files a/windows/deployment/images/downlevel.PNG and /dev/null differ diff --git a/windows/deployment/images/download-media1.png b/windows/deployment/images/download-media1.png deleted file mode 100644 index ba4c3c2f13..0000000000 Binary files a/windows/deployment/images/download-media1.png and /dev/null differ diff --git a/windows/deployment/images/downloads.png b/windows/deployment/images/downloads.png deleted file mode 100644 index 36c45c4a88..0000000000 Binary files a/windows/deployment/images/downloads.png and /dev/null differ diff --git a/windows/deployment/images/drive.PNG b/windows/deployment/images/drive.PNG deleted file mode 100644 index fa0970ab02..0000000000 Binary files a/windows/deployment/images/drive.PNG and /dev/null differ 
diff --git a/windows/deployment/images/e3-activated.png b/windows/deployment/images/e3-activated.png deleted file mode 100644 index 7cca73443e..0000000000 Binary files a/windows/deployment/images/e3-activated.png and /dev/null differ diff --git a/windows/deployment/images/express-settings.png b/windows/deployment/images/express-settings.png deleted file mode 100644 index 99e9c4825a..0000000000 Binary files a/windows/deployment/images/express-settings.png and /dev/null differ diff --git a/windows/deployment/images/fig13-captureimage.png b/windows/deployment/images/fig13-captureimage.png deleted file mode 100644 index 678a43ca73..0000000000 Binary files a/windows/deployment/images/fig13-captureimage.png and /dev/null differ diff --git a/windows/deployment/images/fig16-contentstatus.png b/windows/deployment/images/fig16-contentstatus.png deleted file mode 100644 index f48490b97d..0000000000 Binary files a/windows/deployment/images/fig16-contentstatus.png and /dev/null differ diff --git a/windows/deployment/images/fig17-win10image.png b/windows/deployment/images/fig17-win10image.png deleted file mode 100644 index d16eee554d..0000000000 Binary files a/windows/deployment/images/fig17-win10image.png and /dev/null differ diff --git a/windows/deployment/images/fig21-add-drivers.png b/windows/deployment/images/fig21-add-drivers.png deleted file mode 100644 index f53fe672e2..0000000000 Binary files a/windows/deployment/images/fig21-add-drivers.png and /dev/null differ diff --git a/windows/deployment/images/figure4-deployment-workbench.png b/windows/deployment/images/figure4-deployment-workbench.png deleted file mode 100644 index b5d0e7cc32..0000000000 Binary files a/windows/deployment/images/figure4-deployment-workbench.png and /dev/null differ diff --git a/windows/deployment/images/firstboot.PNG b/windows/deployment/images/firstboot.PNG deleted file mode 100644 index dfb798c93c..0000000000 Binary files a/windows/deployment/images/firstboot.PNG and /dev/null differ 
diff --git a/windows/deployment/images/five.png b/windows/deployment/images/five.png deleted file mode 100644 index 961f0e15b7..0000000000 Binary files a/windows/deployment/images/five.png and /dev/null differ diff --git a/windows/deployment/images/four.png b/windows/deployment/images/four.png deleted file mode 100644 index 0fef213b37..0000000000 Binary files a/windows/deployment/images/four.png and /dev/null differ diff --git a/windows/deployment/images/icd-create-options-1703.PNG b/windows/deployment/images/icd-create-options-1703.PNG deleted file mode 100644 index 007e740683..0000000000 Binary files a/windows/deployment/images/icd-create-options-1703.PNG and /dev/null differ diff --git a/windows/deployment/images/icd-create-options.PNG b/windows/deployment/images/icd-create-options.PNG deleted file mode 100644 index e61cdd8fc0..0000000000 Binary files a/windows/deployment/images/icd-create-options.PNG and /dev/null differ diff --git a/windows/deployment/images/icd-export-menu.png b/windows/deployment/images/icd-export-menu.png deleted file mode 100644 index 20bd5258eb..0000000000 Binary files a/windows/deployment/images/icd-export-menu.png and /dev/null differ diff --git a/windows/deployment/images/icd-install.PNG b/windows/deployment/images/icd-install.PNG deleted file mode 100644 index a0c80683ff..0000000000 Binary files a/windows/deployment/images/icd-install.PNG and /dev/null differ diff --git a/windows/deployment/images/icd-multi-target-true.png b/windows/deployment/images/icd-multi-target-true.png deleted file mode 100644 index 5fec405fd6..0000000000 Binary files a/windows/deployment/images/icd-multi-target-true.png and /dev/null differ diff --git a/windows/deployment/images/icd-multi-targetstate-true.png b/windows/deployment/images/icd-multi-targetstate-true.png deleted file mode 100644 index 7733b9c400..0000000000 Binary files a/windows/deployment/images/icd-multi-targetstate-true.png and /dev/null differ 
diff --git a/windows/deployment/images/icd-runtime.PNG b/windows/deployment/images/icd-runtime.PNG deleted file mode 100644 index d63544e206..0000000000 Binary files a/windows/deployment/images/icd-runtime.PNG and /dev/null differ diff --git a/windows/deployment/images/icd-script1.png b/windows/deployment/images/icd-script1.png deleted file mode 100644 index 6c17f70809..0000000000 Binary files a/windows/deployment/images/icd-script1.png and /dev/null differ diff --git a/windows/deployment/images/icd-script2.png b/windows/deployment/images/icd-script2.png deleted file mode 100644 index 7da2ae7e59..0000000000 Binary files a/windows/deployment/images/icd-script2.png and /dev/null differ diff --git a/windows/deployment/images/icd-setting-help.PNG b/windows/deployment/images/icd-setting-help.PNG deleted file mode 100644 index 3f6e5fefa5..0000000000 Binary files a/windows/deployment/images/icd-setting-help.PNG and /dev/null differ diff --git a/windows/deployment/images/icd-settings.PNG b/windows/deployment/images/icd-settings.PNG deleted file mode 100644 index 8d3ebc3ff6..0000000000 Binary files a/windows/deployment/images/icd-settings.PNG and /dev/null differ diff --git a/windows/deployment/images/icd-simple-edit.png b/windows/deployment/images/icd-simple-edit.png deleted file mode 100644 index 3608dc18f3..0000000000 Binary files a/windows/deployment/images/icd-simple-edit.png and /dev/null differ diff --git a/windows/deployment/images/icd-simple.PNG b/windows/deployment/images/icd-simple.PNG deleted file mode 100644 index 7ae8a1728b..0000000000 Binary files a/windows/deployment/images/icd-simple.PNG and /dev/null differ diff --git a/windows/deployment/images/icd-step1.PNG b/windows/deployment/images/icd-step1.PNG deleted file mode 100644 index d2ad656d35..0000000000 Binary files a/windows/deployment/images/icd-step1.PNG and /dev/null differ 
diff --git a/windows/deployment/images/icd-step2.PNG b/windows/deployment/images/icd-step2.PNG deleted file mode 100644 index 54e70d9193..0000000000 Binary files a/windows/deployment/images/icd-step2.PNG and /dev/null differ diff --git a/windows/deployment/images/icd-step3.PNG b/windows/deployment/images/icd-step3.PNG deleted file mode 100644 index ecac26f3d6..0000000000 Binary files a/windows/deployment/images/icd-step3.PNG and /dev/null differ diff --git a/windows/deployment/images/icd-step4.PNG b/windows/deployment/images/icd-step4.PNG deleted file mode 100644 index 8fcfa2863b..0000000000 Binary files a/windows/deployment/images/icd-step4.PNG and /dev/null differ diff --git a/windows/deployment/images/icd-step5.PNG b/windows/deployment/images/icd-step5.PNG deleted file mode 100644 index 9e96edd812..0000000000 Binary files a/windows/deployment/images/icd-step5.PNG and /dev/null differ diff --git a/windows/deployment/images/icd-switch.PNG b/windows/deployment/images/icd-switch.PNG deleted file mode 100644 index e46e48a648..0000000000 Binary files a/windows/deployment/images/icd-switch.PNG and /dev/null differ diff --git a/windows/deployment/images/lang-pack-1709.png b/windows/deployment/images/lang-pack-1709.png deleted file mode 100644 index 06ecd72094..0000000000 Binary files a/windows/deployment/images/lang-pack-1709.png and /dev/null differ diff --git a/windows/deployment/images/license-terms.png b/windows/deployment/images/license-terms.png deleted file mode 100644 index 8dd34b0a18..0000000000 Binary files a/windows/deployment/images/license-terms.png and /dev/null differ diff --git a/windows/deployment/images/mbr2gpt-workflow.png b/windows/deployment/images/mbr2gpt-workflow.png deleted file mode 100644 index f7741cf0c3..0000000000 Binary files a/windows/deployment/images/mbr2gpt-workflow.png and /dev/null differ 
diff --git a/windows/deployment/images/mdt-01-fig01.png b/windows/deployment/images/mdt-01-fig01.png deleted file mode 100644 index d7f8c4e452..0000000000 Binary files a/windows/deployment/images/mdt-01-fig01.png and /dev/null differ diff --git a/windows/deployment/images/mdt-05-fig01.png b/windows/deployment/images/mdt-05-fig01.png deleted file mode 100644 index 490f1579d9..0000000000 Binary files a/windows/deployment/images/mdt-05-fig01.png and /dev/null differ diff --git a/windows/deployment/images/mdt-06-fig01.png b/windows/deployment/images/mdt-06-fig01.png deleted file mode 100644 index 466cfda0f4..0000000000 Binary files a/windows/deployment/images/mdt-06-fig01.png and /dev/null differ diff --git a/windows/deployment/images/mdt-06-fig06.png b/windows/deployment/images/mdt-06-fig06.png deleted file mode 100644 index 69e2b89c1e..0000000000 Binary files a/windows/deployment/images/mdt-06-fig06.png and /dev/null differ diff --git a/windows/deployment/images/mdt-06-fig07.png b/windows/deployment/images/mdt-06-fig07.png deleted file mode 100644 index 399fac75f6..0000000000 Binary files a/windows/deployment/images/mdt-06-fig07.png and /dev/null differ diff --git a/windows/deployment/images/mdt-06-fig26.png b/windows/deployment/images/mdt-06-fig26.png deleted file mode 100644 index fc56839b14..0000000000 Binary files a/windows/deployment/images/mdt-06-fig26.png and /dev/null differ diff --git a/windows/deployment/images/mdt-06-fig36.png b/windows/deployment/images/mdt-06-fig36.png deleted file mode 100644 index a8350244bd..0000000000 Binary files a/windows/deployment/images/mdt-06-fig36.png and /dev/null differ diff --git a/windows/deployment/images/mdt-06-fig37.png b/windows/deployment/images/mdt-06-fig37.png deleted file mode 100644 index 5a89f2f431..0000000000 Binary files a/windows/deployment/images/mdt-06-fig37.png and /dev/null differ 
diff --git a/windows/deployment/images/mdt-06-fig39.png b/windows/deployment/images/mdt-06-fig39.png deleted file mode 100644 index 650aec9a30..0000000000 Binary files a/windows/deployment/images/mdt-06-fig39.png and /dev/null differ diff --git a/windows/deployment/images/mdt-07-fig03.png b/windows/deployment/images/mdt-07-fig03.png deleted file mode 100644 index c178d6a15d..0000000000 Binary files a/windows/deployment/images/mdt-07-fig03.png and /dev/null differ diff --git a/windows/deployment/images/mdt-08-fig03.png b/windows/deployment/images/mdt-08-fig03.png deleted file mode 100644 index e80b242192..0000000000 Binary files a/windows/deployment/images/mdt-08-fig03.png and /dev/null differ diff --git a/windows/deployment/images/mdt-08-fig05.png b/windows/deployment/images/mdt-08-fig05.png deleted file mode 100644 index 62ae133bb8..0000000000 Binary files a/windows/deployment/images/mdt-08-fig05.png and /dev/null differ diff --git a/windows/deployment/images/mdt-08-fig06.png b/windows/deployment/images/mdt-08-fig06.png deleted file mode 100644 index 97d83a20fb..0000000000 Binary files a/windows/deployment/images/mdt-08-fig06.png and /dev/null differ diff --git a/windows/deployment/images/mdt-08-fig14.png b/windows/deployment/images/mdt-08-fig14.png deleted file mode 100644 index 4e5626280a..0000000000 Binary files a/windows/deployment/images/mdt-08-fig14.png and /dev/null differ diff --git a/windows/deployment/images/mdt-08-fig15.png b/windows/deployment/images/mdt-08-fig15.png deleted file mode 100644 index 2a8bc4252e..0000000000 Binary files a/windows/deployment/images/mdt-08-fig15.png and /dev/null differ diff --git a/windows/deployment/images/mdt-10-fig02.png b/windows/deployment/images/mdt-10-fig02.png deleted file mode 100644 index d9e5930152..0000000000 Binary files a/windows/deployment/images/mdt-10-fig02.png and /dev/null differ 
diff --git a/windows/deployment/images/mdt-10-fig03.png b/windows/deployment/images/mdt-10-fig03.png deleted file mode 100644 index f652db736c..0000000000 Binary files a/windows/deployment/images/mdt-10-fig03.png and /dev/null differ diff --git a/windows/deployment/images/mdt-10-fig04.png b/windows/deployment/images/mdt-10-fig04.png deleted file mode 100644 index f98c0501df..0000000000 Binary files a/windows/deployment/images/mdt-10-fig04.png and /dev/null differ diff --git a/windows/deployment/images/mdt-10-fig07.png b/windows/deployment/images/mdt-10-fig07.png deleted file mode 100644 index 8613d905a4..0000000000 Binary files a/windows/deployment/images/mdt-10-fig07.png and /dev/null differ diff --git a/windows/deployment/images/mdt-10-fig08.png b/windows/deployment/images/mdt-10-fig08.png deleted file mode 100644 index ee00637019..0000000000 Binary files a/windows/deployment/images/mdt-10-fig08.png and /dev/null differ diff --git a/windows/deployment/images/mdt-copy-image.png b/windows/deployment/images/mdt-copy-image.png deleted file mode 100644 index a5d172def8..0000000000 Binary files a/windows/deployment/images/mdt-copy-image.png and /dev/null differ diff --git a/windows/deployment/images/mdt.png b/windows/deployment/images/mdt.png deleted file mode 100644 index 76a00ee065..0000000000 Binary files a/windows/deployment/images/mdt.png and /dev/null differ diff --git a/windows/deployment/images/multi-target.png b/windows/deployment/images/multi-target.png deleted file mode 100644 index fb6ddd7a2d..0000000000 Binary files a/windows/deployment/images/multi-target.png and /dev/null differ diff --git a/windows/deployment/images/nfc.png b/windows/deployment/images/nfc.png deleted file mode 100644 index bfee563205..0000000000 Binary files a/windows/deployment/images/nfc.png and /dev/null differ 
diff --git a/windows/deployment/images/one.png b/windows/deployment/images/one.png deleted file mode 100644 index 7766e7d470..0000000000 Binary files a/windows/deployment/images/one.png and /dev/null differ diff --git a/windows/deployment/images/package-trust.png b/windows/deployment/images/package-trust.png deleted file mode 100644 index 4a996f23d5..0000000000 Binary files a/windows/deployment/images/package-trust.png and /dev/null differ diff --git a/windows/deployment/images/package.png b/windows/deployment/images/package.png deleted file mode 100644 index 535773ad95..0000000000 Binary files a/windows/deployment/images/package.png and /dev/null differ diff --git a/windows/deployment/images/packages-mobile.png b/windows/deployment/images/packages-mobile.png deleted file mode 100644 index 4ce63dde78..0000000000 Binary files a/windows/deployment/images/packages-mobile.png and /dev/null differ diff --git a/windows/deployment/images/pc0001.png b/windows/deployment/images/pc0001.png deleted file mode 100644 index 839cd3de54..0000000000 Binary files a/windows/deployment/images/pc0001.png and /dev/null differ diff --git a/windows/deployment/images/sa-evolution.png b/windows/deployment/images/sa-evolution.png deleted file mode 100644 index a676799be2..0000000000 Binary files a/windows/deployment/images/sa-evolution.png and /dev/null differ diff --git a/windows/deployment/images/safeos.PNG b/windows/deployment/images/safeos.PNG deleted file mode 100644 index 88c31087a4..0000000000 Binary files a/windows/deployment/images/safeos.PNG and /dev/null differ diff --git a/windows/deployment/images/scanos.PNG b/windows/deployment/images/scanos.PNG deleted file mode 100644 index d53a272018..0000000000 Binary files a/windows/deployment/images/scanos.PNG and /dev/null differ 
diff --git a/windows/deployment/images/sec-bios.png b/windows/deployment/images/sec-bios.png deleted file mode 100644 index 4498497d59..0000000000 Binary files a/windows/deployment/images/sec-bios.png and /dev/null differ diff --git a/windows/deployment/images/secondboot.PNG b/windows/deployment/images/secondboot.PNG deleted file mode 100644 index 670fdce7b0..0000000000 Binary files a/windows/deployment/images/secondboot.PNG and /dev/null differ diff --git a/windows/deployment/images/secondboot2.PNG b/windows/deployment/images/secondboot2.PNG deleted file mode 100644 index 0034737e90..0000000000 Binary files a/windows/deployment/images/secondboot2.PNG and /dev/null differ diff --git a/windows/deployment/images/secondboot3.PNG b/windows/deployment/images/secondboot3.PNG deleted file mode 100644 index c63ef6939d..0000000000 Binary files a/windows/deployment/images/secondboot3.PNG and /dev/null differ diff --git a/windows/deployment/images/security-update.png b/windows/deployment/images/security-update.png deleted file mode 100644 index f7ca20f34e..0000000000 Binary files a/windows/deployment/images/security-update.png and /dev/null differ diff --git a/windows/deployment/images/sign-in-prov.png b/windows/deployment/images/sign-in-prov.png deleted file mode 100644 index 55c9276203..0000000000 Binary files a/windows/deployment/images/sign-in-prov.png and /dev/null differ diff --git a/windows/deployment/images/sigverif.png b/windows/deployment/images/sigverif.png deleted file mode 100644 index 0ed0c2fd0c..0000000000 Binary files a/windows/deployment/images/sigverif.png and /dev/null differ diff --git a/windows/deployment/images/six.png b/windows/deployment/images/six.png deleted file mode 100644 index 8bf761ef20..0000000000 Binary files a/windows/deployment/images/six.png and /dev/null differ 
diff --git a/windows/deployment/images/spectre-meltdown-prod-closeup.png b/windows/deployment/images/spectre-meltdown-prod-closeup.png deleted file mode 100644 index c873521feb..0000000000 Binary files a/windows/deployment/images/spectre-meltdown-prod-closeup.png and /dev/null differ diff --git a/windows/deployment/images/table01.png b/windows/deployment/images/table01.png deleted file mode 100644 index 2de28e1dd8..0000000000 Binary files a/windows/deployment/images/table01.png and /dev/null differ diff --git a/windows/deployment/images/three.png b/windows/deployment/images/three.png deleted file mode 100644 index 887fa270d7..0000000000 Binary files a/windows/deployment/images/three.png and /dev/null differ diff --git a/windows/deployment/images/trust-package.png b/windows/deployment/images/trust-package.png deleted file mode 100644 index 8a293ea4da..0000000000 Binary files a/windows/deployment/images/trust-package.png and /dev/null differ diff --git a/windows/deployment/images/two.png b/windows/deployment/images/two.png deleted file mode 100644 index b8c2d52eaf..0000000000 Binary files a/windows/deployment/images/two.png and /dev/null differ diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md index c77315543a..b132951a59 100644 --- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md +++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md 
@@ -21,3 +21,9 @@ To enroll into Windows Update for Business reports, edit configuration settings, To display the workbook and view the **Windows** tab in the **Software Updates** page [Microsoft 365 admin center](https://admin.microsoft.com) use the following role: - [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader) + +**Log Analytics permissions**: + +The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query data, users must have one of the following roles, or the equivalent permissions: +- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used to edit and write queries +- [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data diff --git a/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md b/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md index 5bdb86a402..70c1948c7a 100644 --- a/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md +++ b/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md 
@@ -18,6 +18,7 @@ ms.localizationpriority: medium - The Azure subscription - The Log Analytics workspace 1. The initial setup can take up to 24 hours. During this time, the **Windows** tab will display that it's **Waiting for Windows Update for Business reports data**. + - Enrolling into Windows Update for Business reports doesn't influence the rate that required data is uploaded from devices. Device connectivity to the internet and how active the device is influences how long it will take before the device appears in reporting. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available. 1. After the initial setup is complete, the **Windows** tab will display your Windows Update for Business reports data in the charts. > [!Note] > The device counts in the **Windows** tab may vary from the **Microsoft 365 Apps** tab since their requirements are different. diff --git a/windows/deployment/update/optional-content.md b/windows/deployment/update/optional-content.md index ee5da0bb30..b088d43792 100644 --- a/windows/deployment/update/optional-content.md +++ b/windows/deployment/update/optional-content.md 
@@ -8,21 +8,18 @@ ms.author: mstewart manager: aaroncz ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 03/15/2023 --- # Migrating and acquiring optional Windows content during updates -**Applies to** - -- Windows 10 -- Windows 11 +***(Applies to: Windows 11 & Windows 10)*** This article provides some background on the problem of keeping language resources and Features on Demand during operating system updates and offers guidance to help you move forward in the short term and prepare for the long term. -When you update the operating system, it’s critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows client setup using a local Windows image or WIM file (a “media-based” or “task-sequence-based” update). Others do in-place updates using an approved Windows client feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a "servicing-based” update). +When you update the operating system, it's critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows client setup using a local Windows image or WIM file (a *media-based* or *task-sequence-based* update). Others do in-place updates using an approved Windows client feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a *servicing-based* update). -Neither approach contains the full set of Windows optional features that a user’s device might need, so those features are not migrated to the new operating system. 
Further, those features are not available in Configuration Manager or WSUS for on-premises acquisition after a feature update +Neither approach contains the full set of Windows optional features that a user's device might need, so those features aren't migrated to the new operating system. In the past, those features weren't available in Configuration Manager nor WSUS for on-premises acquisition after a feature update. ## What is optional content? @@ -32,7 +29,7 @@ Optional content includes the following items: - Language-based and regional FODs (for example, Language.Basic~~~ja-jp~0.0.1.0) - Local Experience Packs -Optional content isn’t included by default in the Windows image file that is part of the operating system media available in the Volume Licensing Service Center (VLSC). Instead, it’s released as an additional ISO file on VLSC. Shipping these features out of the operating system media and shipping them separately reduces the disk footprint of Windows. This approach provides more space for user’s data. It also reduces the time needed to service the operating system, whether installing a monthly quality update or upgrading to a newer version. A smaller default Windows image also means less data to transmit over the network. +Optional content isn't included by default in the Windows image file that is part of the operating system media available in the Volume Licensing Service Center (VLSC). Instead, it's released as an additional ISO file on VLSC. Shipping these features out of the operating system media and shipping them separately reduces the disk footprint of Windows. This approach provides more space for user's data. It also reduces the time needed to service the operating system, whether installing a monthly quality update or upgrading to a newer version. A smaller default Windows image also means less data to transmit over the network. ## Why is acquiring optional content challenging? 
@@ -40,121 +37,130 @@ The challenges surrounding optional content typically fall into two groups: ### Incomplete operating system updates -The first challenge is related to content migration during a feature update. When Windows Setup performs an in-place update, the new operating system is written to the user’s disk alongside the old version in a temporary folder, where a second clean operating system is installed and prepared for the user to "move into." When operation happens, Windows Setup enumerates optional content installed already in the current version and plans to install the new version of this content in the new operating system. +The first challenge is related to content migration during a feature update. When Windows Setup performs an in-place update, the new operating system is written to the user's disk alongside the old version in a temporary folder, where a second clean operating system is installed and prepared for the user to *move into*. When operation happens, Windows Setup enumerates optional content installed already in the current version and plans to install the new version of this content in the new operating system. -Windows Setup needs access to the optional content. Since optional content is not in the Windows image by default, Windows Setup must look elsewhere to get the Windows packages, stage them, and then install them in the new operating system. When the content can’t be found, the result is an update that is missing features on the device, a frustrated end user, and likely a help desk call. This pain point is sometimes referred to "failure to migrate optional content during update." For media-based updates, Windows will automatically try again once the new operating system boots. We call this “latent acquisition.” +Windows Setup needs access to the optional content. 
Since optional content isn't in the Windows image by default, Windows Setup must look elsewhere to get the Windows packages, stage them, and then install them in the new operating system. When the content can't be found, the result is an update that is missing features on the device, a frustrated end user, and likely a help desk call. This pain point is sometimes referred to as *failure to migrate optional content during update*. For media-based updates, Windows will automatically try again once the new operating system boots. We call this *latent acquisition*. ### User-initiated feature acquisition failure -The second challenge involves a failure to acquire features when a user requests them. Imagine a user running a device with a new version of Windows client, either by using a clean installation or an in-place update. The user visits Settings, and attempts to install a second language, more language experience features, or other optional content. Again, since these features are not in the operating system, the packages need to be acquired. For a typical user with internet access, Windows will acquire the features from a nearby Microsoft content delivery network, and everything works as designed. For commercial users, some might not have internet access or have policies to prevent acquisition over the internet. In these situations, Windows must acquire the content from an alternative location. When the content can’t be found, users are frustrated and another help desk call could result. This pain point is sometimes referred to as "failure to acquire optional content.” +The second challenge involves a failure to acquire features when a user requests them. Imagine a user running a device with a new version of Windows client, either by using a clean installation or an in-place update. The user visits **Settings**, and attempts to install a second language, more language experience features, or other optional content. 
Again, since these features aren't in the operating system, the packages need to be acquired. For a typical user with internet access, Windows will acquire the features from a nearby Microsoft content delivery network, and everything works as designed. For commercial users, some might not have internet access or have policies to prevent acquisition over the internet. In these situations, Windows must acquire the content from an alternative location. When the content can't be found, users are frustrated, and another help desk call could result. This pain point is sometimes referred to as *failure to acquire optional content*. ## Options for acquiring optional content -Most commercial organizations understand the pain points outlined above, and discussions typically start with them asking what plans are available to address these challenges. The following table includes multiple options for consideration, depending on how you are currently deploying Windows client. In this table, - -- Migration means it supports optional content migration during an update. -- Acquisition means it supports optional content acquisition (that is, initiated by the user). -- Media means it's applicable with media-based deployments. -- Servicing means applicable with servicing-based deployments. 
- - -|Method |Migration |Acquisition |Media | Servicing | -|---------|---------|---------|---------|--------------| -|Option 1: Use Windows Update | Yes | Yes | No | Yes | -|Option 2: Enable Dynamic Update | Yes | No | Yes |Yes | -|Option 3: Customize the Windows image before deployment | Yes | No | Yes |No | -|Option 4: Install language features during deployment | Partial | No | Yes | No | -|Option 5: Install optional content after deployment | Yes | No |Yes | Yes | -|Option 6: Configure alternative source for Features on Demand | No | Partial | Yes | Yes | +Most commercial organizations understand the pain points outlined above, and discussions typically start with them asking what plans are available to address these challenges. The following table includes multiple options for consideration, depending on how you're currently deploying Windows client. The following definitions are used in the table headings: +- **Migration**: Supports optional content migration during an update. +- **Acquisition**: Supports optional content acquisition (that is, initiated by the user). +- **Media**: Applicable with media-based deployments. +- **Servicing**: Applicable with servicing-based deployments. +| Method | Migration | Acquisition | Media | Servicing | +|---|---|---|---|---| +| Option 1: Use Windows Update | Yes | Yes | No | Yes | +| Option 2: Use WSUS with UUP Integration | Yes | Yes | No | Yes | +| Option 3: Enable Dynamic Update | Yes | No | Yes | Yes | +| Option 4: Customize the Windows image before deployment | Yes | No | Yes | No | +| Option 5: Install language features during deployment | Partial | No | Yes | No | +| Option 6: Install optional content after deployment | Yes | No |Yes | Yes | +| Option 7: Configure alternative source for Features on Demand | No | Partial | Yes | Yes | ### Option 1: Use Windows Update -Windows Update for Business solves the optional content problem. 
Optional content is published and available for acquisition by Windows Setup from a nearby Microsoft content delivery network and acquired using the Unified Update Platform. Optional content migration and acquisition scenarios "just work" when the device is connected to an update service that uses the Unified Update Platform, such as Windows Update or Windows Update for Business. If for some reason a language pack fails to install during the update, the update will automatically roll back. +Windows Update for Business solves the optional content problem. Optional content is published and available for acquisition by Windows Setup from a nearby Microsoft content delivery network and acquired using the Unified Update Platform. Optional content migration and acquisition scenarios just work when the device is connected to an update service that uses the Unified Update Platform, such as Windows Update or Windows Update for Business. If for some reason a language pack fails to install during the update, the update will automatically roll back. -Starting with Windows 10, version 1709, we introduced the [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/). The Unified Update Platform is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is "unified" because it brings together the update stack for Windows client, Windows Server, and other products, such as HoloLens. The Unified Update Platform is not currently integrated with WSUS. 
+The [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/) is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is *unified* because it brings together the update stack for Windows client, Windows Server, and other products, such as HoloLens. -Consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes also known as Express Updates. Further, devices that use devices are immune to the challenge of upgrading a Windows client device where the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. For more info, see [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/upgrading-windows-10-devices-with-installation-media-different/ba-p/746126) for more details, and our [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002) on this topic. +Consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes. Further, devices are immune to the challenge of upgrading Windows when the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. 
For more information about this issue, see [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/upgrading-windows-10-devices-with-installation-media-different/ba-p/746126) and the [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002). -### Option 2: Enable Dynamic Update -If you’re not ready to move to Windows Update, another option is to enable Dynamic Update during a feature update. As soon as a Windows feature update starts, whether via a media-based update or a WSUS-based feature update, Dynamic Update is one of the first steps invoked. Windows Setup connects to an internet-facing URL hosted by Microsoft to fetch Dynamic Update content, and then applies those updates to the operating system installation media. The content acquired includes the following: +### Option 2: Use WSUS with UUP Integration -- Setup updates: Fixes to Setup.exe binaries or any files that Setup uses for feature updates. -- Safe OS updates: Fixes for the "safe OS" that are used to update Windows recovery environment (WinRE). -- Servicing stack updates: Fixes that are necessary to address the Windows servicing stack issue and thus required to complete the feature update. -- Latest cumulative update: Installs the latest cumulative quality update. -- Driver updates: Latest version of applicable drivers that have already been published by manufacturers into Windows Update and meant specifically for Dynamic Update. +Starting in March 2023, UUP has been integrated with WSUS and Configuration Manager to bring the same optional content and acquisition benefits of Windows Update to on-premises management solutions. For example: -In addition to these updates for the new operating system, Dynamic Update will acquire optional content during the update process to ensure that the device has this content present when the update completes. 
So, although the device is not connected to Windows Update, it will fetch content from a nearby Microsoft content download network (CDN). This approach addresses the first pain point with optional content, but not user-initiated acquisition. By default, [Dynamic Update](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) is enabled by Windows Setup. You can enable or disable Dynamic Update by using the /DynamicUpdate option in Windows Setup. If you use the servicing-based approach, you can set this value with setupconfig.ini. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details. +- FODs and languages will automatically migrate for devices that perform an in-place update using an approved Windows 11, version 22H2 client feature update from WSUS. Similarly, updates such as the combined cumulative update, Setup updates, and Safe OS updates will be included and current based on the month that the feature update was approved. -Starting in Windows 10, version 2004, Dynamic Update can be configured with more options. For example, you might want to have the benefits of optional content migration without automatically acquiring the latest quality update. You can do that with the /DynamicUpdate NoLCU option of Windows Setup. Afterward, you would separately follow your existing process for testing and approving monthly updates. The downside of this approach is the device will reboot again for the latest cumulative update since it was not available during the feature update. +- Devices that upgrade using a local Windows image but use WSUS or Configuration Manager for approving the combined cumulative update will benefit by having support for optional content acquisition in the updated Windows OS, as well as OS self-healing. -One further consideration when using Dynamic Update is the affect on your network. 
One of the top blockers for this approach is the concern that each device will separately fetch this content from Microsoft. Windows 10, version 2004 setup now downloads Dynamic Update content using Delivery Optimization when available. - For devices that aren’t connected to the internet, a subset of the Dynamic Update content is available by using WSUS and the Microsoft catalog. +The content required to enable this will be acquired via WSUS or Configuration Manager, without client endpoints requiring internet connectivity. To enable this improvement, once per major Windows release, a significant download to the WSUS content directory or the distribution point is required. This includes packages to support FOD and language acquisition, along with packages to enable OS self-healing due to corruption. For more information, see [Plan your WSUS deployment](/windows-server/administration/windows-server-update-services/plan/plan-your-wsus-deployment). -### Option 3: Customize the Windows Image before deployment - For many organizations, the deployment workflow involves a Configuration Manager task sequence that performs a media-based update. Some customers either don’t have internet connectivity, or the connectivity is poor and so they can’t enable Dynamic Update. In these cases, we recommend installing optional content prior to deployment. This activity is sometimes referred to as customizing the installation media. +### Option 3: Enable Dynamic Update + +If you're not ready to move to Windows Update, another option is to enable Dynamic Update during a feature update. As soon as a Windows feature update starts, whether via a media-based update or a WSUS-based feature update, Dynamic Update is one of the first steps invoked. Windows Setup connects to an internet-facing URL hosted by Microsoft to fetch Dynamic Update content, and then applies those updates to the operating system installation media. 
The content acquired includes the following: + +- **Setup updates**: Fixes to Setup.exe binaries or any files that Setup uses for feature updates. +- **Safe OS updates**: Fixes for the *safe OS* that are used to update Windows recovery environment (WinRE). +- **Servicing stack updates**: Fixes that are necessary to address the Windows servicing stack issue and thus required to complete the feature update. +- **Latest cumulative update**: Installs the latest cumulative quality update. +- **Driver updates**: Latest version of applicable drivers that have already been published by manufacturers into Windows Update and meant specifically for Dynamic Update. + +In addition to these updates for the new operating system, Dynamic Update will acquire optional content during the update process to ensure that the device has this content present when the update completes. So, although the device isn't connected to Windows Update, it will fetch content from a nearby Microsoft content download network (CDN). This approach addresses the first pain point with optional content, but not user-initiated acquisition. By default, [Dynamic Update](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) is enabled by Windows Setup. You can enable or disable Dynamic Update by using the /DynamicUpdate option in Windows Setup. If you use the servicing-based approach, you can set this value with `setupconfig.ini`. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details. + +Dynamic Update can be configured with additional options. For example, you might want to have the benefits of optional content migration without automatically acquiring the latest quality update. You can do that with the /DynamicUpdate NoLCU option of Windows Setup. Afterward, you would separately follow your existing process for testing and approving monthly updates. 
The downside of this approach is the device will reboot again for the latest cumulative update since it wasn't available during the feature update. + +One further consideration when using Dynamic Update is the effect on your network. One of the top blockers for this approach is the concern that each device will separately fetch this content from Microsoft. Setup downloads Dynamic Update content using Delivery Optimization when available. For devices that aren't connected to the internet, a subset of the Dynamic Update content is available by using WSUS and the Microsoft catalog. + +### Option 4: Customize the Windows Image before deployment + +For many organizations, the deployment workflow involves a Configuration Manager task sequence that performs a media-based update. Some customers either don't have internet connectivity, or the connectivity is poor and so they can't enable Dynamic Update. In these cases, we recommend installing optional content prior to deployment. This activity is sometimes referred to as customizing the installation media. You can customize the Windows image in these ways: -- Applying a cumulative (quality) update +- Applying a cumulative update - Applying updates to the servicing stack -- Applying updates to Setup.exe binaries or other files that Setup uses for feature updates -- Applying updates for the "safe operating system" (SafeOS) that is used for the Windows recovery environment +- Applying updates to `Setup.exe` binaries or other files that setup uses for feature updates +- Applying updates for the *safe operating system* (SafeOS) that's used for the Windows recovery environment - Adding or removing languages - Adding or removing Features on Demand -The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. 
Then you can use them in an existing task sequence or custom deployment where Setup.exe is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-windows-10-media-with-dynamic-update-packages/ba-p/982477) and our [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073). Also like Option 2, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there is a variation of this option in which media is updated *on the device* just before installation. This option allows for device-specific image customization based on what's currently installed. +The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where `Setup.exe` is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-windows-10-media-with-dynamic-update-packages/ba-p/982477) and the [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073). 
Also like Dynamic Update, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there's a variation of this option in which media is updated *on the device* just before installation. This option allows for device-specific image customization based on what's currently installed. -### Option 4: Install language features during deployment +### Option 5: Install language features during deployment -A partial solution to address the first pain point of failing to migrate optional content during upgrade is to inject a subset of optional content during the upgrade process. This approach uses the Windows Setup option [/InstallLangPacks](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#installlangpacks) to add Language Packs and language capabilities such as text-to-speech recognition from a folder that contains the packages. This approach lets an IT pro take a subset of optional content and stage them within their network. If you use the servicing-based approach, you can configure InstallLangPacks using setupconfig.ini. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details. +A partial solution to address the first pain point of failing to migrate optional content during upgrade is to inject a subset of optional content during the upgrade process. This approach uses the Windows Setup option [/InstallLangPacks](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#installlangpacks) to add Language Packs and language capabilities such as text-to-speech recognition from a folder that contains the packages. This approach lets an IT pro take a subset of optional content and stage them within their network. If you use the servicing-based approach, you can configure InstallLangPacks using `setupconfig.ini`. 
For more information, see [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview). -When Setup runs, it will inject these packages into the new operating system during installation. It can be an alternative to enabling Dynamic Update or customizing the operating system image before deployment. You must take care with this approach, because the packages cannot be renamed. Further, the content is coming from two separate release media ISOs. The key is to copy both the FOD packages and the FOD metadata .cab from the FOD ISO into the folder, and the architecture-specific Language Pack .cabs from the LPLIP ISO. Also, starting with Windows 10, version 1903, the behavior changed. In Windows 10, version 1809 and earlier, failure to install the packages wasn’t a fatal error. Starting with Windows 10, version 1903, we treat InstallLangPacks failures as fatal, and roll back the entire upgrade. The idea is to not leave the user in a bad state since media-based upgrades don’t migrate FOD and languages (unless Dynamic Update is enabled). +When Setup runs, it will inject these packages into the new operating system during installation. It can be an alternative to enabling Dynamic Update or customizing the operating system image before deployment. You must take care with this approach, because the packages can't be renamed. Further, the content is coming from two separate release media ISOs. The key is to copy both the FOD packages and the FOD metadata .cab from the FOD ISO into the folder, and the architecture-specific Language Pack .cabs from the LPLIP ISO. We treat InstallLangPacks failures as fatal, and roll back the entire upgrade. The idea is to not leave the user in a bad state since media-based upgrades don't migrate FOD and languages (unless Dynamic Update is enabled). -This approach has some interesting benefits. The original Windows image doesn’t need to be modified, possibly saving time and scripting. 
+This approach has some interesting benefits. The original Windows image doesn't need to be modified, possibly saving time and scripting. -### Option 5: Install optional content after deployment +### Option 6: Install optional content after deployment -This option is like Option 3 in that you customize the operating system image with more optional content after it’s deployed. IT pros can extend the behavior of Windows Setup by running their own custom action scripts during and after a feature update. See [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) for details. With this approach, you can create a device-specific migration of optional content by capturing the optional content that is installed in the operating system, and then saving this list to install the same optional content in the new operating system. Like Option 4, you would internally host a network share that contains the source of the optional content packages. Then, during the execution of Setup on the device, capture the list of installed optional content from the source operating system and save. Later, after Setup completes, you use the list to install the optional content, which leaves the user’s device without loss of functionality. +This option is like Option 4 in that you customize the operating system image with more optional content after it's deployed. IT pros can extend the behavior of Windows Setup by running their own custom action scripts during and after a feature update. See [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) for details. With this approach, you can create a device-specific migration of optional content by capturing the optional content that's installed in the operating system, and then saving this list to install the same optional content in the new operating system. 
Like Option 5, you would internally host a network share that contains the source of the optional content packages. Then, during the execution of Setup on the device, capture the list of installed optional content from the source operating system and save. Later, after Setup completes, you use the list to install the optional content, which leaves the user's device without loss of functionality. -### Option 6: Configure an alternative source for optional content +### Option 7: Configure an alternative source for optional content -Several of the options address ways to address optional content migration issues during an in-place update. To address the second pain point of easily acquiring optional content in the user-initiated case, you can configure each device by using the Specify settings for optional component installation and component repair Group Policy. This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. This approach has the disadvantage of more content to be hosted within your network (in addition to the operating system image you might be still deploying to some clients) but has the advantage of acquiring content within your network. Some reminders about this policy: +Several of the options address ways to address optional content migration issues during an in-place update. To address the second pain point of easily acquiring optional content in the user-initiated case, you can configure each device by using the [Specify settings for optional component installation and component repair](/windows/client-management/mdm/policy-csp-admx-servicing#servicing) Group Policy. This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. 
This approach has the disadvantage of more content to be hosted within your network (in addition to the operating system image you might be still deploying to some clients) but has the advantage of acquiring content within your network. Some reminders about this policy: - The file path to the alternate source must be a fully qualified path; multiple locations can be separated by a semicolon. -- This setting does not support installing language packs from Alternate source file path, only Features on Demand. If the policy is configured to acquire content from Windows Update, language packs will be acquired. -- If this setting is not configured or disabled, files will be downloaded from the default Windows Update location, for example Windows Update for Business or WSUS). +- This setting doesn't support installing language packs from an alternate source file path, only Features on Demand. If the policy is configured to acquire content from Windows Update, language packs will be acquired. +- If this setting isn't configured or disabled, files will be downloaded from the default Windows Update location, for example Windows Update for Business or WSUS. -See [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source) for more information. +For more information, see [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source). 
## Learn more For more information about the Unified Update Platform and the approaches outlined in this article, see the following resources: +- [Plan your WSUS deployment](/windows-server/administration/windows-server-update-services/plan/plan-your-wsus-deployment) - [/InstallLangPacks](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#installlangpacks) - [/DynamicUpdate](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) - [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source) -- [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073) -- [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002) - [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) - [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/) - [Updating Windows installation media with Dynamic Update packages](media-dynamic-update.md) - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) - +- [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073) +- [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002) ## Sample scripts -Options 3 and 5 involve the most scripting. Sample scripts for Option 3 already exist, so we’ll look at sample scripts for [Option 5](#option-5-install-optional-content-after-deployment): Install Optional Content after Deployment. +Options 4 and 6 involve the most scripting. Sample scripts for Option 4 already exist, so we'll look at sample scripts for [Option 6](#option-6-install-optional-content-after-deployment): Install Optional Content after Deployment. 
### Creating an optional content repository -To get started, we’ll build a repository of optional content and host on a network share. This content is a subset of content from the FOD and language pack ISOs that ship with each release. We’ll configure this repository or repo with only those FODs our organization needs, using DISM /Export. For example, a superset based on taking inventory of optional features installed on existing devices. In this case, we exclude the Windows Mixed Reality feature. In addition, we copy all language packs to the root of the repository. +To get started, we'll build a repository of optional content and host on a network share. This content is a subset of content from the FOD and language pack ISOs that ship with each release. We'll configure this repository or repo with only those FODs our organization needs, using DISM /Export. For example, a superset based on taking inventory of optional features installed on existing devices. In this case, we exclude the Windows Mixed Reality feature. In addition, we copy all language packs to the root of the repository. @@ -715,7 +721,7 @@ Log ("Exiting") ### Adding optional content in the target operating system -After setup has completed successfully, we use success.cmd to retrieve the optional content state from the source operating system and install in the new operating system only if that’s missing. Then, apply the latest monthly update as a final step. +After setup has completed successfully, we use success.cmd to retrieve the optional content state from the source operating system and install in the new operating system only if that's missing. Then, apply the latest monthly update as a final step. ```powershell diff --git a/windows/deployment/update/wufb-reports-enable.md b/windows/deployment/update/wufb-reports-enable.md index 4cecd5ccdd..a02c8ece15 100644 --- a/windows/deployment/update/wufb-reports-enable.md +++ b/windows/deployment/update/wufb-reports-enable.md 
@@ -69,6 +69,7 @@ Use one of the following methods to enroll into Windows Update for Business repo > [!Tip] > If a `403 Forbidden` error occurs, verify the account you're using has [permissions](wufb-reports-prerequisites.md#permissions) to enroll into Windows Update for Business reports. 1. The initial setup can take up to 24 hours. During this time, the workbook will display that it's **Waiting for Windows Update for Business reports data**. + - Enrolling into Windows Update for Business reports doesn't influence the rate that required data is uploaded from devices. Device connectivity to the internet and how active the device is influences how long it will take before the device appears in reporting. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available. ##### Enroll through the Microsoft 365 admin center diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md index 0afb403c8d..fa6514d687 100644 --- a/windows/deployment/update/wufb-reports-prerequisites.md +++ b/windows/deployment/update/wufb-reports-prerequisites.md 
@@ -30,12 +30,6 @@ Before you begin the process of adding Windows Update for Business reports to yo [!INCLUDE [Windows Update for Business reports permissions](./includes/wufb-reports-admin-center-permissions.md)] -**Log Analytics permissions**: - -The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query data, users must have one of the following roles, or the equivalent permissions: -- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used to edit and write queries -- [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data - ## Operating systems and editions - Windows 11 Professional, Education, Enterprise, and [Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq) editions diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index 0b6ed5832d..bfd4b4c563 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -1,6 +1,7 @@ --- title: Configure VDA for Windows subscription activation description: Learn how to configure virtual machines (VMs) to enable Windows 10 Subscription Activation in a Windows Virtual Desktop Access (VDA) scenario. +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj author: frankroj 
@@ -37,7 +38,7 @@ Deployment instructions are provided for the following scenarios: ### Scenario 1 - The VM is running a supported version of Windows. -- The VM is hosted in Azure or another Qualified Multitenant Hoster (QMTH). +- The VM is hosted in Azure, an authorized outsourcer, or another Qualified Multitenant Hoster (QMTH). When a user with VDA rights signs in to the VM using their Azure AD credentials, the VM is automatically stepped-up to Enterprise and activated. There's no need to do Windows Pro activation. This functionality eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure. diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 4430523e8a..924489e2c6 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md 
@@ -37,7 +37,7 @@ This article covers the following information: For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md). > [!NOTE] -> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their device compliance policy using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions). +> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their Conditional Access policies using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions). ## Subscription activation for Enterprise diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md index 0c4b7973da..a180a874ec 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md 
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md @@ -45,14 +45,13 @@ This setting must be turned on to avoid a "lack of permissions" error when we in | ----- | ----- | | Not ready | Allow access to unlicensed admins should be turned on. Without this setting enabled, errors can occur when we try to access your Azure AD organization for service. You can safely enable this setting without worrying about security implications. The scope of access is defined by the roles assigned to users, including our operations staff.

For more information, see [Unlicensed admins](/mem/intune/fundamentals/unlicensed-admins). | -### Windows 10 and later update rings +### Update rings for Windows 10 or later -Your "Windows 10 and later update ring" policy in Intune must not target any Windows Autopatch devices. +Your "Update rings for Windows 10 or later" policy in Intune must not target any Windows Autopatch devices. | Result | Meaning | | ----- | ----- | -| Not ready | You have an "update ring" policy that targets all devices, all users, or both.

To resolve, change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices.

For more information, see [Manage Windows 10 and later software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).

| -| Advisory | Both the **Modern Workplace Devices - All** and **Modern Workplace - All** Azure AD groups are groups that we create after you enroll in Windows Autopatch.

You can continue with enrollment. However, you must resolve the advisory prior to deploying your first device. To resolve the advisory, see [Maintain the Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md).

| +| Advisory | You have an "update ring" policy that targets all devices, all users, or both. Windows Autopatch will also create our own update ring policies during enrollment. To avoid conflicts with Windows Autopatch devices, we'll exclude our devices group from your existing update ring policies that target all devices, all users, or both. You must consent to this change when you go to enroll your tenant.

| ## Azure Active Directory settings diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index 329d3a0db4..03a4316178 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -1,7 +1,7 @@ --- title: What's new 2023 description: This article lists the 2023 feature releases and any corresponding Message center post numbers. -ms.date: 03/14/2023 +ms.date: 03/21/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: whats-new @@ -54,6 +54,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | Message center post number | Description | | ----- | ----- | | [MC521882](https://admin.microsoft.com/adminportal/home#/MessageCenter) | February 2023 Windows Autopatch baseline configuration update | +| [MC519904](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch: Configuration Change with End of Servicing for Windows 10 20H2 | | [MC517330](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Ability to opt out of Microsoft 365 App updates | | [MC517327](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned service maintenance downtime for European Union (EU) Windows Autopatch customers enrolled before November 8, 2022 | diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index dc1df5efdf..c94b44464a 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md 
@@ -370,8 +370,8 @@ The following fields are available: - **AppraiserVersion** The version of the appraiser file that is generating the events. - **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. - **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. -- **DisplayGenericMessage** Will be a generic message be shown for this file? -- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file. +- **DisplayGenericMessage** Will a generic message be shown for this file? +- **DisplayGenericMessageGated** Indicates whether a generic message will be shown for this file. - **HardBlock** This file is blocked in the SDB. - **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? - **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? 
@@ -1314,8 +1314,8 @@ The following fields are available: - **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. - **RunDate** The date that the diagnostic data run was stated, expressed as a filetime. - **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic. -- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. -- **RunResult** The hresult of the Appraiser diagnostic data run. +- **RunOnline** Indicates if appraiser was able to connect to Windows Update and therefore is making decisions using up-to-date driver coverage information. +- **RunResult** The result of the Appraiser diagnostic data run. - **SendingUtc** Indicates whether the Appraiser client is sending events during the current diagnostic data run. - **StoreHandleIsNotNull** Obsolete, always set to false - **TelementrySent** Indicates whether diagnostic data was successfully sent. 
@@ -1560,7 +1560,7 @@ The following fields are available: - **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. - **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. - **OSEdition** Retrieves the version of the current OS. -- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc +- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc. - **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). - **OSSKU** Retrieves the Friendly Name of OS Edition. - **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. 
@@ -1715,7 +1715,7 @@ The following fields are available: - **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display. - **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display. - **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. -- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . +- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches. - **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches - **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine - **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. @@ -1807,7 +1807,7 @@ The following fields are available: - **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured - **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting - **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades. -- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? +- **OSAssessmentFeatureOutOfDate** How many days has it been since the last feature update was released but the device did not install it? - **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update? - **OSAssessmentForQualityUpdate** Is the device on the latest quality update? - **OSAssessmentForSecurityUpdate** Is the device on the latest security update? 
@@ -2099,7 +2099,7 @@ The following fields are available: - **pendingDecision** Indicates the cause of reboot, if applicable. - **primitiveExecutionContext** The state during system startup when the uninstall was completed. - **revisionVersion** The revision number of the security update being uninstalled. -- **transactionCanceled** Indicates whether the uninstall was cancelled. +- **transactionCanceled** Indicates whether the uninstall was canceled. ### CbsServicingProvider.CbsQualityUpdateInstall @@ -2397,7 +2397,7 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure -This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. The data collected with this event is used to help keep Windows secure and up to date. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -3091,7 +3091,7 @@ The following fields are available: - **secondsInMixedMode** The amount of time (in seconds) that the cluster has been in mixed mode (nodes with different operating system versions in the same cluster). - **securityLevel** The cluster parameter: security level. - **securityLevelForStorage** The cluster parameter: security level for storage. -- **sharedVolumeBlockCacheSize** Specifies the block cache size for shared for shared volumes. +- **sharedVolumeBlockCacheSize** Specifies the block cache size shared volumes. - **shutdownTimeoutMinutes** Specifies the amount of time it takes to time out when shutting down. - **upNodeCount** Specifies the number of nodes that are up (online). - **useClientAccessNetworksForCsv** The cluster parameter: use client access networks for CSV. 
@@ -3191,7 +3191,7 @@ This event captures basic checksum data about the device inventory items stored The following fields are available: -- **DeviceCensus** A count of devicecensus objects in cache. +- **DeviceCensus** A count of device census objects in cache. - **DriverPackageExtended** A count of driverpackageextended objects in cache. - **FileSigningInfo** A count of file signing objects in cache. - **InventoryApplication** A count of application objects in cache. @@ -3204,7 +3204,7 @@ The following fields are available: - **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. - **InventoryDeviceMediaClass** A count of device media objects in cache. - **InventoryDevicePnp** A count of device Plug and Play objects in cache. -- **InventoryDeviceUsbHubClass** A count of device usb objects in cache +- **InventoryDeviceUsbHubClass** A count of device USB objects in cache - **InventoryDriverBinary** A count of driver binary objects in cache. - **InventoryDriverPackage** A count of device objects in cache. - **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache. 
@@ -3988,7 +3988,7 @@ The following fields are available: - **hwPhysmemory** The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'. - **isMsftDomainJoined** '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'. - **osArch** The architecture of the operating system (e.g. 'x86', 'x64', 'arm'). '' if unknown. Default: ''. -- **osPlatform** The operating system family that the within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system Name should be transmitted in lowercase with minimal formatting. Default: ''. +- **osPlatform** The operating system family within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system Name should be transmitted in lowercase with minimal formatting. Default: ''. - **osServicePack** The secondary version of the operating system. '' if unknown. Default: ''. - **osVersion** The primary version of the operating system. '' if unknown. Default: ''. - **requestCheckPeriodSec** The update interval in seconds. The value is read from the registry. Default: '-1'. 
@@ -4037,7 +4037,7 @@ The following fields are available: - **appAp** Microsoft Edge Update parameters, including channel, architecture, platform, and additional parameters identifying the release of Microsoft Edge to update and how to install it. Example: 'beta-arch_x64-full'. Default: ''." - **appAppId** The GUID that identifies the product channels such as Edge Canary, Dev, Beta, Stable, and Edge Update. -- **appBrandCode** The 4-digit brand code under which the the product was installed, if any. Possible values: 'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown). +- **appBrandCode** The 4-digit brand code under which the product was installed, if any. Possible values: 'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown). - **appChannel** An integer indicating the channel of the installation (e.g. Canary or Dev). - **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''. - **appCohort** A machine-readable string identifying the release channel that the app belongs to. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''. 
@@ -4085,7 +4085,7 @@ The following fields are available: - **hwPhysmemory** The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'. - **isMsftDomainJoined** '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'. - **osArch** The architecture of the operating system (e.g. 'x86', 'x64', 'arm'). '' if unknown. Default: ''. -- **osPlatform** The operating system family that the within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system name should be transmitted in lowercase with minimal formatting. Default: ''. +- **osPlatform** The operating system family within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system name should be transmitted in lowercase with minimal formatting. Default: ''. - **osServicePack** The secondary version of the operating system. '' if unknown. Default: ''. - **osVersion** The primary version of the operating system. '' if unknown. Default: ''. - **requestCheckPeriodSec** The update interval in seconds. The value is read from the registry. Default: '-1'. 
@@ -4999,7 +4999,7 @@ The following fields are available: - **AdditionalReasons** If an action has been assessed as inapplicable, the additional logic prevented it. - **CachedEngineVersion** The engine DLL version that is being used. - **EventInstanceID** A unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed. - **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it. - **IsExecutingAction** If the action is presently being executed. - **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). @@ -5033,7 +5033,7 @@ The following fields are available: - **CachedEngineVersion** The engine DLL version that is being used. - **EventInstanceID** A unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed. - **FailedParseActions** The list of actions that were not successfully parsed. - **ParsedActions** The list of actions that were successfully parsed. - **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). 
@@ -5077,7 +5077,7 @@ The following fields are available: - **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. - **DriverSyncPassPerformed** Were drivers scanned this time? - **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed. - **ExtendedMetadataCabUrl** Hostname that is used to download an update. - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. @@ -5147,8 +5147,8 @@ The following fields are available: - **ClientVersion** Version number of the software distribution client - **DeviceModel** Device model as defined in the system bios - **EventInstanceID** A globally unique identifier for event instance -- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. -- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc. +- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". - **FlightId** The specific id of the flight the device is getting - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Identifies the revision number of this specific piece of content 
@@ -5189,7 +5189,7 @@ The following fields are available: - **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. - **DownloadScenarioId** A unique ID for a given download, used to tie together Windows Update and Delivery Optimizer events. - **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. +- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was canceled, succeeded, or failed. - **EventType** Identifies the type of the event (Child, Bundle, or Driver). - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. 
@@ -5241,8 +5241,8 @@ The following fields are available: - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client - **ClientVersion** The version number of the software distribution client -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed -- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed +- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver" - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough - **FileId** A hash that uniquely identifies a file - **FileName** Name of the downloaded file @@ -5274,7 +5274,7 @@ The following fields are available: - **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" - **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any - **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any -- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) +- **PowerState** Indicates the power state of the device at the time of heartbeat (DC, AC, Battery Saver, or Connected Standby) - **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one - **ResumeCount** Number of times this active download has resumed from a suspended state - **RevisionNumber** Identifies the revision number of this specific piece of content 
@@ -5307,7 +5307,7 @@ The following fields are available: - **DeviceModel** The device model. - **DriverPingBack** Contains information about the previous driver and system state. - **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was canceled, succeeded, or failed. - **EventType** Possible values are Child, Bundle, or Driver. - **ExtendedErrorCode** The extended error code. - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. @@ -5675,7 +5675,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentMitigationSummary -This event sends a summary of all the update agent mitigations available for an this update. The data collected with this event is used to help keep Windows secure and up to date. +This event sends a summary of all the update agent mitigations available for this update. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -5958,7 +5958,7 @@ The following fields are available: - **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). - **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). - **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, canceled. - **TestId** An ID that uniquely identifies a group of events. - **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. @@ -5980,7 +5980,7 @@ The following fields are available: - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. - **TestId** ID that uniquely identifies a group of events. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. @@ -6002,7 +6002,7 @@ The following fields are available: - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. - **TestId** ID that uniquely identifies a group of events. - **WuId** Windows Update client ID. 
@@ -6024,7 +6024,7 @@ The following fields are available: - **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled - **TestId** A string to uniquely identify a group of events. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId. @@ -6068,7 +6068,7 @@ The following fields are available: - **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, canceled. - **TestId** ID that uniquely identifies a group of events. - **WuId** Windows Update client ID. @@ -6090,7 +6090,7 @@ The following fields are available: - **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. - **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. - **TestId** A string to uniquely identify a group of events. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. 
@@ -6112,7 +6112,7 @@ The following fields are available: - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. - **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. - **TestId** A string to uniquely identify a group of events. - **WuId** Windows Update client ID. @@ -6224,10 +6224,10 @@ The following fields are available: - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. - **TestId** A string to uniquely identify a group of events. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. 
@@ -6296,7 +6296,7 @@ The following fields are available: ### Microsoft.Windows.WERVertical.OSCrash -This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. +This event sends binary data from the collected dump file whenever a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. The following fields are available: @@ -6715,7 +6715,7 @@ The following fields are available: - **CatalogId** The Store Catalog ID for the product being installed. - **ProductId** The Store Product ID for the product being installed. -- **SkuId** Specfic edition of the app being updated. +- **SkuId** Specific edition of the app being updated. ### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest @@ -7069,7 +7069,7 @@ The following fields are available: - **flightMetadata** Contains the FlightId and the build being flighted. - **objectId** Unique value for each Update Agent mode. - **relatedCV** Correlation vector value generated from the latest USO scan. -- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled. +- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Canceled, 3 = Blocked, 4 = BlockCanceled. - **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. - **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). - **sessionId** Unique value for each Update Agent mode attempt. 
@@ -7379,7 +7379,7 @@ The following fields are available: - **detectionBlockreason** The reason detection did not complete. - **detectionRetryMode** Indicates whether we will try to scan again. - **errorCode** The error code returned for the current process. -- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was canceled, succeeded, or failed. - **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable. - **interactive** Indicates whether the user initiated the session. - **networkStatus** Indicates if the device is connected to the internet. @@ -7410,7 +7410,7 @@ This event indicates the reboot was postponed due to needing a display. The data The following fields are available: - **displayNeededReason** Reason the display is needed. -- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed. - **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. - **revisionNumber** Revision number of the update. - **updateId** Update ID. 
@@ -7528,7 +7528,7 @@ This event indicates that an enabled GameMode process prevented the device from The following fields are available: -- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed. - **gameModeReason** Name of the enabled GameMode process that prevented the device from restarting to complete an update. - **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. @@ -7632,13 +7632,13 @@ The following fields are available: ### Microsoft.Windows.Update.Orchestrator.PowerMenuOptionsChanged -This event is sent when the options in power menu changed, usually due to an update pending reboot, or after a update is installed. The data collected with this event is used to help keep Windows secure and up to date. +This event is sent when the options in power menu changed, usually due to an update pending reboot, or after an update is installed. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: - **powermenuNewOptions** The new options after the power menu changed. - **powermenuOldOptions** The old options before the power menu changed. -- **rebootPendingMinutes** If the power menu changed because a reboot is pending due to a update, this indicates how long that reboot has been pending. +- **rebootPendingMinutes** If the power menu changed because a reboot is pending due to an update, this indicates how long that reboot has been pending. - **wuDeviceid** The device ID recorded by Windows Update if the power menu changed because a reboot is pending due to an update. 
@@ -8122,7 +8122,7 @@ The following fields are available: - **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique identifier for each flight. -- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **InstanceId** Unique GUID that identifies each instance of setuphost.exe. - **MitigationScenario** The update scenario in which the mitigation was executed. - **RelatedCV** Correlation vector value generated from the latest USO scan. - **ReparsePointsFailed** Number of reparse points that are corrupted but we failed to fix them. @@ -8145,7 +8145,7 @@ The following fields are available: - **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **EditionIdUpdated** Determine whether EditionId was changed. - **FlightId** Unique identifier for each flight. -- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **InstanceId** Unique GUID that identifies each instance of setuphost.exe. - **MitigationScenario** The update scenario in which the mitigation was executed. - **ProductEditionId** Expected EditionId value based on GetProductInfo. - **ProductType** Value returned by GetProductInfo. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index b0975595c9..46a32b7e45 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md 
@@ -5475,7 +5475,7 @@ The following fields are available: - **appAp** Microsoft Edge Update parameters, including channel, architecture, platform, and additional parameters identifying the release of Microsoft Edge to update and how to install it. Example: 'beta-arch_x64-full'. Default: ''." - **appAppId** The GUID that identifies the product channels such as Edge Canary, Dev, Beta, Stable, and Edge Update. -- **appBrandCode** The 4-digit brand code under which the the product was installed, if any. Possible values: 'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown). +- **appBrandCode** The 4-digit brand code under which the product was installed, if any. Possible values: 'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown). - **appChannel** An integer indicating the channel of the installation (e.g. Canary or Dev). - **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''. - **appCohort** A machine-readable string identifying the release channel that the app belongs to. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index c1efb0d547..2b7ee3b4fa 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md 
@@ -5877,7 +5877,7 @@ The following fields are available: - **appAp** Microsoft Edge Update parameters, including channel, architecture, platform, and additional parameters identifying the release of Microsoft Edge to update and how to install it. Example: 'beta-arch_x64-full'. Default: ''." - **appAppId** The GUID that identifies the product channels such as Edge Canary, Dev, Beta, Stable, and Edge Update. -- **appBrandCode** The 4-digit brand code under which the the product was installed, if any. Possible values: 'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown). +- **appBrandCode** The 4-digit brand code under which the product was installed, if any. Possible values: 'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown). - **appChannel** An integer indicating the channel of the installation (e.g. Canary or Dev). - **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''. - **appCohort** A machine-readable string identifying the release channel that the app belongs to. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''. diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index a001e395da..5b73a85111 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md 
@@ -5212,7 +5212,7 @@ The following fields are available: - **appAp** Microsoft Edge Update parameters, including channel, architecture, platform, and additional parameters identifying the release of Microsoft Edge to update and how to install it. Example: 'beta-arch_x64-full'. Default: ''." - **appAppId** The GUID that identifies the product channels such as Edge Canary, Dev, Beta, Stable, and Edge Update. -- **appBrandCode** The 4-digit brand code under which the the product was installed, if any. Possible values: 'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown). +- **appBrandCode** The 4-digit brand code under which the product was installed, if any. Possible values: 'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown). - **appChannel** An integer indicating the channel of the installation (e.g. Canary or Dev). - **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''. - **appCohort** A machine-readable string identifying the release channel that the app belongs to. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''. diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 621663aecd..bb59a07821 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -109,7 +109,7 @@ sections: - The PIN 9630 has a constant delta of (7,7,7), so it isn't allowed - The PIN 1593 has a constant delta of (4,4,4), so it isn't allowed - The PIN 7036 has a constant delta of (3,3,3), so it isn't allowed - - The PIN 1231 doesn't have a constant delta (1,1,8), so it's allowed + - The PIN 1231 doesn't have a constant delta (1,1,2), so it's allowed - The PIN 1872 doesn't have a constant delta (7,9,5), so it's allowed This check prevents repeating numbers, sequential numbers, and simple patterns. It always results in a list of 100 disallowed PINs (independent of the PIN length). This algorithm doesn't apply to alphanumeric PINs. diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index e9af1d83a5..4e7d339c66 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md 
@@ -33,7 +33,7 @@ Conditional Access Platform components used for Device Compliance include the fo - Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA. See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy). -- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When that certificate expires, the client will again check with Azure AD for health validation before a new certificate is issued. +- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Azure AD for health validation before a new certificate is issued. 
- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things. @@ -125,4 +125,4 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien - [VPN name resolution](vpn-name-resolution.md) - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) - [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) \ No newline at end of file +- [VPN profile options](vpn-profile-options.md) diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index e82434467c..98746150c6 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md 
@@ -194,7 +194,12 @@ The most common values: | 0x18 | RC4-HMAC-EXP | Default suite for operating systems before Windows Server 2008 and Windows Vista. | | 0xFFFFFFFF or 0xffffffff | - | This type shows in Audit Failure events. | -- **Failure Code** \[Type = HexInt32\]**:** hexadecimal result code of TGS issue operation. The table below contains the list of the most common error codes for this event: +- **Failure Code** \[Type = HexInt32\]**:** hexadecimal result code of TGS issue operation. +Some errors are only reported when you set [KdcExtraLogLevel](/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys) registry key value with the following flags: +- 0x01: Audit SPN unknown errors. +- 0x10: Log audit events on encryption type (ETYPE) and bad options errors. + +The table below contains the list of the most common error codes for this event: | Code | Code Name | Description | Possible causes | |------|----------------------------------------|-----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 
diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md index 09f6cce05f..4f36792ed9 100644 --- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md +++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md @@ -23,6 +23,9 @@ ms.topic: article Windows includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they behave more like mobile devices. In this configuration, [**Windows Defender Application Control (WDAC)**](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) is used to restrict devices to run only approved apps, while the OS is hardened against kernel memory attacks using [**memory integrity**](enable-virtualization-based-protection-of-code-integrity.md). +> [!NOTE] +> Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry. + WDAC policies and memory integrity are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows devices. Using WDAC to restrict devices to only authorized apps has these advantages over other solutions: 
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index ba53584a0f..dbb586c517 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md @@ -5,14 +5,14 @@ ms.prod: windows-client author: vinaypamnani-msft ms.author: vinpa ms.localizationpriority: high -ms.reviewer: +ms.reviewer: manager: aaroncz ms.technology: itpro-security adobe-target: true -ms.collection: +ms.collection: - tier2 - highpri -ms.date: 12/31/2017 +ms.date: 03/20/2023 ms.topic: article --- 
@@ -29,13 +29,11 @@ Microsoft Defender SmartScreen protects against phishing or malware websites and **Microsoft Defender SmartScreen determines whether a site is potentially malicious by:** - Analyzing visited webpages and looking for indications of suspicious behavior. If Microsoft Defender SmartScreen determines that a page is suspicious, it will show a warning page to advise caution. - - Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious. **Microsoft Defender SmartScreen determines whether a downloaded app or app installer is potentially malicious by:** - Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious. - - Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, Microsoft Defender SmartScreen shows a warning, advising caution. ## Benefits of Microsoft Defender SmartScreen 
@@ -43,15 +41,10 @@ Microsoft Defender SmartScreen protects against phishing or malware websites and Microsoft Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially engineered attack. The primary benefits are: - **Anti-phishing and anti-malware support:** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user doesn't select or download anything on the page, the danger often goes unnoticed. For more information about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/). - - **Reputation-based URL and app protection:** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If there's no reputation, the item is marked as a higher risk and presents a warning to the user. - - **Operating system integration:** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system. It checks any files an app (including 3rd-party browsers and email clients) that attempts to download and run. 
- - **Improved heuristics and diagnostic data:** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files. - - **Management through group policy and Microsoft Intune:** Microsoft Defender SmartScreen supports using both group policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen group policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md). - - **Blocking URLs associated with potentially unwanted applications:** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). > [!IMPORTANT] 
@@ -61,14 +54,14 @@ Microsoft Defender SmartScreen provide an early warning system against websites If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more information, see [Submit files for analysis](/microsoft-365/security/intelligence/submission-guide). -When submitting Microsoft Defender SmartScreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu. +When submitting a file for Microsoft Defender SmartScreen, make sure to select **Microsoft Defender SmartScreen** from the product menu. ![Windows Security, Microsoft Defender SmartScreen controls.](images/Microsoft-defender-smartscreen-submission.png) ## Viewing Microsoft Defender SmartScreen anti-phishing events > [!NOTE] -> No SmartScreen events will be logged when using Microsoft Edge version 77 or later. +> No SmartScreen events are logged when using Microsoft Edge version 77 or later. When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](/previous-versions/windows/internet-explorer/ie-developer/compatibility/dd565657(v=vs.85)). diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md index 0b5ca8e152..97e80da5c2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md +++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md 
@@ -1,109 +1,124 @@ --- -title: Allow LOB Win32 Apps on Intune-Managed S Mode Devices (Windows) -description: Using Windows Defender Application Control (WDAC) supplemental policies, you can expand the S mode base policy on your Intune-managed devices. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +title: Allow LOB Win32 apps on Intune-managed S Mode devices +description: Using Windows Defender Application Control (WDAC) supplemental policies, you can expand the S Mode base policy on your Intune-managed devices. ms.prod: windows-client -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro author: jsuther1974 ms.reviewer: isbrahm ms.author: vinpa manager: aaroncz ms.date: 10/30/2019 ms.technology: itpro-security -ms.topic: article +ms.topic: how-to --- -# Allow Line-of-Business Win32 Apps on Intune-Managed S Mode Devices +# Allow line-of-business Win32 apps on Intune-managed S Mode devices **Applies to:** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 ->[!NOTE] ->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). +> [!NOTE] +> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](feature-availability.md). -Beginning with the Windows 10 November 2019 update (build 18363), Microsoft Intune enables customers to deploy and run business critical Win32 applications and Windows components that are normally blocked in S mode (ex. PowerShell.exe) on their Intune-managed Windows in S mode devices. 
+You can use Microsoft Intune to deploy and run critical Win32 applications and Windows components that are normally blocked in S mode on their Intune-managed Windows in S mode devices. For example, PowerShell.exe. -With Intune, IT Pros can now configure their managed S mode devices using a Windows Defender Application Control (WDAC) supplemental policy that expands the S mode base policy to authorize the apps their business uses. This feature changes the S mode security posture from "every app is Microsoft-verified" to "every app is verified by Microsoft or your organization". +With Intune, you can configure managed S mode devices using a Windows Defender Application Control supplemental policy that expands the S mode base policy to authorize the apps your organization uses. This feature changes the S mode security posture from "every app is Microsoft-verified" to "every app is verified by Microsoft or your organization". + +For an overview and brief demo of this feature, see this video: -Refer to the below video for an overview and brief demo. > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4mlcp] -## Policy Authorization Process -![Policy Authorization.](images/wdac-intune-policy-authorization.png) -The general steps for expanding the S mode base policy on your Intune-managed devices are to generate a supplemental policy, sign that policy, and then upload the signed policy to Intune and assign it to user or device groups. Because you need access to WDAC PowerShell cmdlets to generate your supplemental policy, you should create and manage your policies on a non-S mode device. Once the policy has been uploaded to Intune, we recommend assigning it to a single test S-mode device to verify expected functioning before deploying the policy more broadly. +## Policy authorization process -1. 
Generate a supplemental policy with Windows Defender Application Control tooling +![Basic diagram of the policy authorization flow.](images/wdac-intune-policy-authorization.png) - This policy will expand the S mode base policy to authorize more applications. Anything authorized by either the S mode base policy or your supplemental policy will be allowed to run. Your supplemental policies can specify filepath rules, trusted publishers, and more. - - Refer to [Deploy multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md) for guidance on creating supplemental policies and [Deploy Windows Defender Application Control policy rules and file rules](select-types-of-rules-to-create.md) to choose the right type of rules to create for your policy. +The general steps for expanding the S mode base policy on your Intune-managed devices are to generate a supplemental policy, sign that policy, and then upload the signed policy to Intune and assign it to user or device groups. Because you need access to PowerShell cmdlets to generate your supplemental policy, you should create and manage your policies on a non-S mode device. Once the policy has been uploaded to Intune, before deploying the policy more broadly, assign it to a single test S-mode device to verify expected functioning. - Below are a basic set of instructions for creating an S mode supplemental policy: - - Create a new base policy using [New-CIPolicy](/powershell/module/configci/new-cipolicy?view=win10-ps&preserve-view=true) +1. Generate a supplemental policy with Windows Defender Application Control tooling. + + This policy expands the S mode base policy to authorize more applications. Anything authorized by either the S mode base policy or your supplemental policy is allowed to run. Your supplemental policies can specify filepath rules, trusted publishers, and more. 
+ + For more information on creating supplemental policies, see [Deploy multiple Windows Defender Application Control policies](deploy-multiple-windows-defender-application-control-policies.md). For more information on the right type of rules to create for your policy, see [Deploy Windows Defender Application Control policy rules and file rules](select-types-of-rules-to-create.md). + + The following instructions are a basic set for creating an S mode supplemental policy: + + - Create a new base policy using [New-CIPolicy](/powershell/module/configci/new-cipolicy?view=win10-ps&preserve-view=true). ```powershell New-CIPolicy -MultiplePolicyFormat -ScanPath -UserPEs -FilePath "\SupplementalPolicy.xml" -Level FilePublisher -Fallback SignedVersion,Publisher,Hash ``` - - Change it to a supplemental policy using [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo?view=win10-ps&preserve-view=true) + + - Change it to a supplemental policy using [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo?view=win10-ps&preserve-view=true). ```powershell Set-CIPolicyIdInfo -SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784 -FilePath "\SupplementalPolicy.xml" ``` - Policies that are supplementing the S mode base policy must use **-SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784**, as this ID is the S mode policy ID. - - Put the policy in enforce mode using [Set-RuleOption](/powershell/module/configci/set-ruleoption?view=win10-ps&preserve-view=true) + + For policies that supplement the S mode base policy, use `-SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784`. This ID is the S mode policy ID. + + - Put the policy in enforce mode using [Set-RuleOption](/powershell/module/configci/set-ruleoption?view=win10-ps&preserve-view=true). 
```powershell - Set-RuleOption -FilePath "\SupplementalPolicy.xml>" -Option 3 –Delete + Set-RuleOption -FilePath "\SupplementalPolicy.xml>" -Option 3 -Delete ``` + This command deletes the 'audit mode' qualifier. - - Since you'll be signing your policy, you must authorize the signing certificate you'll use to sign the policy and optionally one or more extra signers that can be used to sign updates to the policy in the future. For more information, see Section 2, Sign policy. Use Add-SignerRule to add the signing certificate to the Windows Defender Application Control policy: - + + - Since you're signing your policy, you must authorize the signing certificate you use to sign the policy. Optionally, also authorize one or more extra signers that can be used to sign updates to the policy in the future. The next step in the overall process, **Sign the policy**, describes it in more detail. + + To add the signing certificate to the Windows Defender Application Control policy, use [Add-SignerRule](/powershell/module/configci/add-signerrule?view=win10-ps&preserve-view=true). + ```powershell Add-SignerRule -FilePath -CertificatePath -User -Update ``` - - Convert to .bin using [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy?view=win10-ps&preserve-view=true) + + - Convert to `.bin` using [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy?view=win10-ps&preserve-view=true). ```powershell ConvertFrom-CIPolicy -XmlFilePath "\SupplementalPolicy.xml" -BinaryFilePath "\SupplementalPolicy.bin> ``` -2. Sign policy - - Supplemental S mode policies must be digitally signed. To sign your policy, you can choose to use the Device Guard Signing Service (DGSS) or your organization's custom Public Key Infrastructure (PKI). 
Refer to [Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) for guidance on using DGSS and [Create a code signing cert for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) for guidance on signing using an internal CA. +2. Sign the policy. - Rename your policy to "{PolicyID}.p7b" after you've signed it. PolicyID can be found by inspecting the Supplemental Policy XML. + Supplemental S mode policies must be digitally signed. To sign your policy, use your organization's custom Public Key Infrastructure (PKI). For more information on signing using an internal CA, see [Create a code signing cert for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). -3. Deploy the signed supplemental policy using Microsoft Intune + > [!TIP] + > For more information, see [Azure Code Signing, democratizing trust for developers and consumers](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/azure-code-signing-democratizing-trust-for-developers-and/ba-p/3604669). - Go to the Azure portal online and navigate to the Microsoft Intune page, then go to the Client apps blade and select 'S mode supplemental policies'. Upload the signed policy to Intune and assign it to user or device groups. Intune will generate tenant- and device- specific authorization tokens. Intune then deploys the corresponding authorization token and supplemental policy to each device in the assigned group. Together, these tokens and policies expand the S mode base policy on the device. + After you've signed it, rename your policy to `{PolicyID}.p7b`. Get the **PolicyID** from the supplemental policy XML. -> [!Note] -> When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. 
Refer to [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion?view=win10-ps&preserve-view=true) for information on setting the version number. +3. Deploy the signed supplemental policy using Microsoft Intune. -## Standard Process for Deploying Apps through Intune -![Deploying Apps through Intune.](images/wdac-intune-app-deployment.png) -Refer to [Intune Standalone - Win32 app management](/intune/apps-win32-app-management) for guidance on the existing procedure of packaging signed catalogs and app deployment. + Go to the Microsoft Intune portal, go to the Client apps page, and select **S mode supplemental policies**. Upload the signed policy to Intune and assign it to user or device groups. Intune generates authorization tokens for the tenant and specific devices. Intune then deploys the corresponding authorization token and supplemental policy to each device in the assigned group. Together, these tokens and policies expand the S mode base policy on the device. -## Optional: Process for Deploying Apps using Catalogs -![Deploying Apps using Catalogs.](images/wdac-intune-app-catalogs.png) -Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that will authorize all apps signed by that certificate, which may include apps you don't want to allow as well. +> [!NOTE] +> When you update your supplemental policy, make sure that the new version number is strictly greater than the previous one. Intune doesn't allow using the same version number. For more information on setting the version number, see [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion?view=win10-ps&preserve-view=true). 
-Instead of authorizing signers external to your organization, Intune has added new functionality to make it easier to authorize existing applications (without requiring repackaging or access to the source code) by using signed catalogs. This functionality works for apps that may be unsigned or even signed apps when you don't want to trust all apps that may share the same signing certificate. +## Standard process for deploying apps through Intune -The basic process is to generate a catalog file for each app using Package Inspector, then sign the catalog files using the DGSS or a custom PKI. Use the Add-SignerRule PowerShell cmdlet as shown above to authorize the catalog signing certificate in the supplemental policy. After that, IT Pros can use the standard Intune app deployment process outlined above. For more information on generating catalogs, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md). +![Basic diagram for deploying apps through Intune.](images/wdac-intune-app-deployment.png) -> [!Note] -> Every time an app updates, you will need to deploy an updated catalog. Because of this, IT Pros should try to avoid using catalog files for applications that auto-update and direct users not to update applications on their own. +For more information on the existing procedure of packaging signed catalogs and app deployment, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management). + +## Optional: Process for deploying apps using catalogs + +![Basic diagram for deploying Apps using catalogs.](images/wdac-intune-app-catalogs.png) + +Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. 
For example, you can use a signer rule to trust an external signer, but that authorizes all apps signed by that certificate, which may include apps you don't want to allow as well. + +Instead of authorizing signers external to your organization, Intune has functionality to make it easier to authorize existing applications by using signed catalogs. This feature doesn't require repackaging or access to the source code. It works for apps that may be unsigned or even signed apps when you don't want to trust all apps that may share the same signing certificate. + +The basic process is to generate a catalog file for each app using Package Inspector, then sign the catalog files using a custom PKI. To authorize the catalog signing certificate in the supplemental policy, use the **Add-SignerRule** PowerShell cmdlet as shown above in step 1 of the [Policy authorization process](#policy-authorization-process). After that, use the [Standard process for deploying apps through Intune](#standard-process-for-deploying-apps-through-intune) outlined above. For more information on generating catalogs, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md). + +> [!NOTE] +> Every time an app updates, you need to deploy an updated catalog. Try to avoid using catalog files for applications that auto-update, and direct users not to update applications on their own. ## Sample policy -Below is a sample policy that allows kernel debuggers, PowerShell ISE, and Registry Editor. It also demonstrates how to specify your organization's code signing and policy signing certificates. + +The following policy is a sample that allows kernel debuggers, PowerShell ISE, and Registry Editor. It also demonstrates how to specify your organization's code signing and policy signing certificates. + ```xml @@ -147,7 +162,7 @@ Below is a sample policy that allows kernel debuggers, PowerShell ISE, and Regis - + 
@@ -185,10 +200,12 @@ Below is a sample policy that allows kernel debuggers, PowerShell ISE, and Regis ``` -## Policy removal -In order to revert users to an unmodified S mode policy, an IT Pro can remove a user or users from the targeted Intune group that received the policy, which will trigger a removal of both the policy and the authorization token from the device. -IT Pros also have the choice of deleting a supplemental policy through Intune. +## Policy removal + +In order to revert users to an unmodified S mode policy, remove a user or users from the targeted Intune group that received the policy. This action triggers a removal of both the policy and the authorization token from the device. + +You can also delete a supplemental policy through Intune. ```xml @@ -242,4 +259,5 @@ IT Pros also have the choice of deleting a supplemental policy through Intune. ``` ## Errata + If an S-mode device with a policy authorization token and supplemental policy is rolled back from the 1909 update to the 1903 build, it will not revert to locked-down S mode until the next policy refresh. To achieve an immediate change to a locked-down S mode state, IT Pros should delete any tokens in %SystemRoot%\System32\CI\Tokens\Active. diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index eda6b8332a..2dfbaefa4f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml 
@@ -96,8 +96,6 @@ href: deploy-catalog-files-to-support-windows-defender-application-control.md - name: Use signed policies to protect Windows Defender Application Control against tampering href: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md - - name: "Optional: Use the Device Guard Signing Service v2" - href: use-device-guard-signing-portal-in-microsoft-store-for-business.md - name: "Optional: Create a code signing cert for WDAC" href: create-code-signing-cert-for-windows-defender-application-control.md - name: Disable WDAC policies diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index 73d75a96d8..e49832fb80 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -1,15 +1,9 @@ --- -title: Deploy catalog files to support Windows Defender Application Control (Windows) +title: Deploy catalog files to support Windows Defender Application Control description: Catalog files simplify running unsigned applications in the presence of a Windows Defender Application Control (WDAC) policy. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: windows-client -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro -ms.topic: conceptual +ms.topic: how-to author: jsuther1974 ms.reviewer: jgeurten ms.author: vinpa 
@@ -22,27 +16,27 @@ ms.technology: itpro-security **Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and later ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](feature-availability.md). *Catalog files* can be important in your deployment of Windows Defender Application Control (WDAC) if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. You can also use catalog files to add your own signature to apps you get from independent software vendors (ISV) when you don't want to trust all code signed by that ISV. In this way, catalog files provide a convenient way for you to "bless" apps for use in your WDAC-managed environment. And, you can create catalog files for existing apps without requiring access to the original source code or needing any expensive repackaging. -You'll need to [obtain a code signing certificate for your own use](/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications#obtain-code-signing-certificates-for-your-own-use) and use it to sign the catalog file. Then, distribute the signed catalog file using your preferred content deployment mechanism. +You need to [obtain a code signing certificate for your own use](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md#obtain-code-signing-certificates-for-your-own-use) and use it to sign the catalog file. 
Then, distribute the signed catalog file using your preferred content deployment mechanism. -Finally, add a signer rule to your WDAC policy for your signing certificate. Then, any apps covered by your signed catalog files will be able to run, even if the apps were previously unsigned. With this foundation, you can more easily build a WDAC policy that blocks all unsigned code (most malware is unsigned). +Finally, add a signer rule to your WDAC policy for your signing certificate. Then, any apps covered by your signed catalog files are able to run, even if the apps were previously unsigned. With this foundation, you can more easily build a WDAC policy that blocks all unsigned code, because most malware is unsigned. ## Create catalog files using Package Inspector To create a catalog file for an existing app, you can use a tool called **Package Inspector** that comes with Windows. -1. Apply a WDAC policy in **audit mode** to the computer where you'll run Package Inspector. Package Inspector will use audit events to include hashes in the catalog file for any temporary installation files that are added and then removed from the computer during the installation process. The audit mode policy should **not** allow the app's binaries or you may miss some critical files that are needed in the catalog file. +1. Apply a policy in **audit mode** to the computer where you run Package Inspector. Package Inspector uses audit events to include hashes in the catalog file for any temporary installation files that are added and then removed from the computer during the installation process. The audit mode policy should **not** allow the app's binaries or you may miss some critical files that are needed in the catalog file. > [!NOTE] - > You won't be able to complete this process if it's done on a system with an enforced WDAC policy, unless the enforced policy already allows the app to run. 
+ > You won't be able to complete this process if it's done on a system with an enforced policy, unless the enforced policy already allows the app to run. You can use this PowerShell sample to make a copy of the DefaultWindows_Audit.xml template: @@ -52,9 +46,9 @@ To create a catalog file for an existing app, you can use a tool called **Packag $PolicyBinary = $env:USERPROFILE+"\Desktop\"+$PolicyId.substring(11)+".cip" ``` - Then apply the policy as described in [Deploy WDAC policies with script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script). + Then apply the policy as described in [Deploy Windows Defender Application Control policies with script](deployment/deploy-wdac-policies-with-script.md). -2. Start Package Inspector to monitor file creation on a **local drive** where you'll install the app, for example, drive C: +2. Start Package Inspector to monitor file creation on a **local drive** where you install the app, for example, drive C: ```powershell PackageInspector.exe Start C: 
@@ -73,11 +67,11 @@ To create a catalog file for an existing app, you can use a tool called **Packag 7. Close and reopen the application to ensure that the scan has captured all binaries. -8. As appropriate, with Package Inspector still running, repeat the steps above for any other apps that you want to include in the catalog. +8. As appropriate, with Package Inspector still running, repeat the previous steps for any other apps that you want to include in the catalog. -9. When you've confirmed that the previous steps are complete, use the following commands to stop Package Inspector. A catalog file and catalog definition file will be created in the specified location. Use a naming convention for your catalog files to make it easier to manage your deployed catalog files over time. The filenames used in this example are **LOBApp-Contoso.cat** (catalog file) and **LOBApp.cdf** (definition file). +9. When you've confirmed that the previous steps are complete, use the following commands to stop Package Inspector. It creates a catalog file and catalog definition file in the specified location. Use a naming convention for your catalog files to make it easier to manage your deployed catalog files over time. The filenames used in this example are **LOBApp-Contoso.cat** (catalog file) and **LOBApp.cdf** (definition file). - For the last command, which stops Package Inspector, be sure to specify the same local drive you've been watching with Package Inspector, for example, C:. + For the last command, which stops Package Inspector, be sure to specify the same local drive you've been watching with Package Inspector, for example, `C:`. ```powershell $ExamplePath=$env:userprofile+"\Desktop" 
@@ -86,36 +80,28 @@ To create a catalog file for an existing app, you can use a tool called **Packag PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName ``` ->[!NOTE] ->Package Inspector catalogs the hash values for each discovered file. If the applications that were scanned are updated, complete this process again to trust the new binaries' hash values. +> [!NOTE] +> Package Inspector catalogs the hash values for each discovered file. If the applications that were scanned are updated, complete this process again to trust the new binaries' hash values. -When finished, the files will be saved to your desktop. You can view the \*.cdf file with a text editor and see what files were included by Package Inspector. You can also double-click the \*.cat file to see its contents and check for a specific file hash. +When finished, the tool saves the files to your desktop. You can view the `*.cdf` file with a text editor and see what files Package Inspector included. You can also double-click the `*.cat` file to see its contents and check for a specific file hash. -## Sign your Catalog file +## Sign your catalog file Now that you've created a catalog file for your app, you're ready to sign it. -### Catalog signing with Device Guard Signing Service v2 (DGSS) - -If you have an existing Microsoft Store for Business and Education account, you can use the DGSS to sign your catalog files. See [Submit-SigningJob](/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business#submit-signingjob). - ### Catalog signing with SignTool.exe If you purchased a code signing certificate or issued one from your own public key infrastructure (PKI), you can use SignTool.exe to sign your catalog files. -
-
- Expand this section for detailed instructions on signing catalog files with signtool.exe. - You need: -- SignTool.exe, found in the [Windows software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/) -- The catalog file that you created earlier -- A code signing certificate issued from an internal certificate authority (CA) or a purchased code signing certificate +- SignTool.exe, found in the [Windows software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/). +- The catalog file that you created earlier. +- A code signing certificate issued from an internal certificate authority (CA) or a purchased code signing certificate. -Import the code signing certificate that will be used to sign the catalog file into the signing user's personal store. Then, sign the existing catalog file by copying each of the following commands into an elevated Windows PowerShell session. +For the code signing certificate that you use to sign the catalog file, import it into the signing user's personal store. Then, sign the existing catalog file by copying each of the following commands into an elevated Windows PowerShell session. -1. Initialize the variables that will be used. Replace the *$ExamplePath* and *$CatFileName* variables as needed: +1. Initialize the variables to use. Replace the `$ExamplePath` and `$CatFileName` variables as needed: ```powershell $ExamplePath=$env:userprofile+"\Desktop" 
@@ -128,38 +114,30 @@ Import the code signing certificate that will be used to sign the catalog file i sign /n "ContosoSigningCert" /fd sha256 /v $CatFileName ``` - >[!NOTE] - >The *<Path to signtool.exe>* variable should be the full path to the Signtool.exe utility. *ContosoSigningCert* represents the subject name of the certificate that you will use to sign the catalog file. This certificate should be imported to your personal certificate store on the computer on which you are attempting to sign the catalog file. + > [!NOTE] + > The `` variable should be the full path to the Signtool.exe utility. `ContosoSigningCert` represents the subject name of the certificate that you use to sign the catalog file. This certificate should be imported to your personal certificate store on the computer on which you are attempting to sign the catalog file. > - >For additional information about Signtool.exe and all additional switches, visit the [Sign Tool page](/dotnet/framework/tools/signtool-exe). + > For more information about Signtool.exe and all additional switches, see [Sign Tool](/dotnet/framework/tools/signtool-exe). 3. Verify the catalog file's digital signature. Right-click the catalog file, and then select **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 1. ![Digital Signature list in file Properties.](images/dg-fig12-verifysigning.png) - Figure 1. Verify that the signing certificate exists - -
+ Figure 1. Verify that the signing certificate exists. ## Deploy the catalog file to your managed endpoints -Catalog files in Windows are stored under ***%windir%\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}***. +Catalog files in Windows are stored under `%windir%\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}`. -For testing purposes, you can manually copy signed catalog files to the folder above. For large-scale deployment of signed catalog files, we recommend that you use Group Policy File Preferences or an enterprise systems management product such as Microsoft Configuration Manager. +For testing purposes, you can manually copy signed catalog files to this folder. For large-scale deployment of signed catalog files, use group policy file preferences or an enterprise systems management product such as Microsoft Configuration Manager. -### Deploy catalog files with Group Policy +### Deploy catalog files with group policy -To simplify the management of catalog files, you can use Group Policy preferences to deploy catalog files to the appropriate computers in your organization. +To simplify the management of catalog files, you can use group policy preferences to deploy catalog files to the appropriate computers in your organization. -
-
-Expand this section for detailed instructions on deploying catalog files using Group Policy. +The following process walks you through the deployment of a signed catalog file called **LOBApp-Contoso.cat** to a test OU called **WDAC Enabled PCs** with a GPO called **Contoso Catalog File GPO Test**. -The following process walks you through the deployment of a signed catalog file called **LOBApp-Contoso.cat** to a test OU called WDAC Enabled PCs with a GPO called **Contoso Catalog File GPO Test**. - -**To deploy a catalog file with Group Policy:** - -1. From either a domain controller or a client computer that has Remote Server Administration Tools (RSAT) installed, open the Group Policy Management Console (GPMC) by running **GPMC.MSC** or by searching for Group Policy Management. +1. From either a domain controller or a client computer that has Remote Server Administration Tools installed, open the Group Policy Management Console by running **GPMC.MSC** or by searching for Group Policy Management. 2. Create a new GPO: right-click an OU, for example, the **WDAC Enabled PCs OU**, and then select **Create a GPO in this domain, and Link it here**, as shown in Figure 2. 
@@ -168,33 +146,33 @@ The following process walks you through the deployment of a signed catalog file ![Group Policy Management, create a GPO.](images/dg-fig13-createnewgpo.png) - Figure 2. Create a new GPO + Figure 2. Create a new GPO. 3. Give the new GPO a name, for example, **Contoso Catalog File GPO Test**, or any name you prefer. 4. Open the Group Policy Management Editor: right-click the new GPO, and then select **Edit**. -5. Within the selected GPO, navigate to Computer Configuration\\Preferences\\Windows Settings\\Files. Right-click **Files**, point to **New**, and then select **File**, as shown in Figure 3. +5. Within the selected GPO, navigate to **Computer Configuration\\Preferences\\Windows Settings\\Files**. Right-click **Files**, point to **New**, and then select **File**, as shown in Figure 3. ![Group Policy Management Editor, New File.](images/dg-fig14-createnewfile.png) - Figure 3. Create a new file + Figure 3. Create a new file. 6. Configure the catalog file share. - To use this setting to provide consistent deployment of your catalog file (in this example, LOBApp-Contoso.cat), the source file should be on a share that is accessible to the computer account of every deployed computer. This example uses a share (on a computer running Windows 10) called \\\\Contoso-Win10\\Share. The catalog file being deployed is copied to this share. + To use this setting to provide consistent deployment of your catalog file (in this example, LOBApp-Contoso.cat), the source file should be on a share that is accessible to the computer account of every deployed computer. This example uses a share on a computer running Windows 10 called `\\Contoso-Win10\Share`. The catalog file being deployed is copied to this share. -7. To keep versions consistent, in the **New File Properties** dialog box (Figure 4), select **Replace** from the **Action** list so that the newest version is always used. +7. 
To keep versions consistent, in the **New File Properties** dialog box as shown in Figure 4, select **Replace** from the **Action** list so that the newest version is always used. ![File Properties, Replace option.](images/dg-fig15-setnewfileprops.png) - Figure 4. Set the new file properties + Figure 4. Set the new file properties. -8. In the **Source file(s)** box, type the name of your accessible share, with the catalog file name included (for example, \\\\Contoso-Win10\\share\\LOBApp-Contoso.cat). +8. In the **Source file(s)** box, type the name of your accessible share, with the catalog file name included. For example, `\\Contoso-Win10\share\LOBApp-Contoso.cat`. 9. In the **Destination File** box, type a path and file name, for example: - **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\LOBApp-Contoso.cat** + `C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\LOBApp-Contoso.cat` For the catalog file name, use the name of the catalog you're deploying. @@ -202,22 +180,16 @@ The following process walks you through the deployment of a signed catalog file 11. Select **OK** to complete file creation. -12. Close the Group Policy Management Editor, and then update the policy on the test computer running Windows 10 or Windows 11, by running GPUpdate.exe. When the policy has been updated, verify that the catalog file exists in C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} on the computer running Windows 10. - -
+12. Close the Group Policy Management Editor, and then update the policy on the test computer running Windows 10 or Windows 11, by running GPUpdate.exe. When the policy has been updated, verify that the catalog file exists in `C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}` on the computer running Windows 10. ### Deploy catalog files with Microsoft Configuration Manager -As an alternative to Group Policy, you can use Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files and provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. - -
-
-Expand this section for detailed instructions on deploying catalog files using Configuration Manager. +As an alternative to group policy, you can use Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files and provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files: ->[!NOTE] ->The following example uses a network share named \\\\Shares\\CatalogShare as a source for the catalog files. If you have collection-specific catalog files, or prefer to deploy them individually, use whichever folder structure works best for your organization. +> [!NOTE] +> The following example uses a network share named `\\Shares\CatalogShare` as a source for the catalog files. If you have collection-specific catalog files, or prefer to deploy them individually, use whichever folder structure works best for your organization. 1. Open the Configuration Manager console, and select the Software Library workspace. 
@@ -227,24 +199,28 @@ Complete the following steps to create a new deployment package for catalog file ![Create Package and Program Wizard.](images/dg-fig16-specifyinfo.png) - Figure 5. Specify information about the new package + Figure 5. Specify information about the new package. 4. Select **Next**, and then select **Standard program** as the program type. -5. On the **Standard Program** page, select a name, and then set the **Command Line** property to **XCopy \\\\Shares\\CatalogShare C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} /H /K /E /Y**. +5. On the **Standard Program** page, select a name, and then set the **Command Line** property to the following command: -6. On the **Standard Program** page, select the following options (Figure 6): + ```cmd + XCopy \\Shares\CatalogShare C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} /H /K /E /Y + ``` + +6. On the **Standard Program** page, select the following options, as shown in Figure 6: - In **Name**, type a name such as **Contoso Catalog File Copy Program**. - In **Command line**, browse to the program location. - - In **Startup folder**, type **C:\\Windows\\System32**. + - In **Startup folder**, type `C:\Windows\System32`. - From the **Run** list, select **Hidden**. - From the **Program can run** list, select **Whether or not a user is logged on**. - From the **Drive mode** list, select **Runs with UNC name**. ![Standard Program page of wizard.](images/dg-fig17-specifyinfo.png) - Figure 6. Specify information about the standard program + Figure 6. Specify information about the standard program. 7. Accept the defaults for the rest of the wizard, and then close the wizard. 
@@ -252,9 +228,9 @@ After you create the deployment package, deploy it to a collection so that the c 1. In the Software Library workspace, navigate to Overview\\Application Management\\Packages, right-click the catalog file package, and then select **Deploy**. -2. On the **General** page, select the test collection to which the catalog files will be deployed, and then select **Next**. +2. On the **General** page, select the test collection, and then select **Next**. -3. On the **Content** page, select **Add** to select the distribution point that will serve content to the selected collection, and then select **Next**. +3. On the **Content** page, select **Add** to select the distribution point to serve content to the selected collection, and then select **Next**. 4. On the **Deployment Settings** page, select **Required** in the **Purpose** box. @@ -264,7 +240,7 @@ After you create the deployment package, deploy it to a collection so that the c 7. On the **Scheduling** page, select **Next**. -8. On the **User Experience** page (Figure 7), set the following options, and then select **Next**: +8. On the **User Experience** page as shown in Figure 7, set the following options, and then select **Next**: - Select the **Software installation** check box. @@ -272,7 +248,7 @@ After you create the deployment package, deploy it to a collection so that the c ![Deploy Software Wizard, User Experience page.](images/dg-fig18-specifyux.png) - Figure 7. Specify the user experience + Figure 7. Specify the user experience. 9. On the **Distribution Points** page, in the **Deployment options** box, select **Run program from distribution point**, and then select **Next**. @@ -280,20 +256,14 @@ After you create the deployment package, deploy it to a collection so that the c 11. Close the wizard. -
- #### Inventory catalog files with Microsoft Configuration Manager -When catalog files have been deployed to the computers within your environment, whether by using Group Policy or Configuration Manager, you can inventory them with the software inventory feature of Configuration Manager. - -
-
-Expand this section for detailed instructions on inventorying catalog files using Configuration Manager. +When catalog files have been deployed to the computers within your environment, whether by using group policy or Configuration Manager, you can inventory them with the software inventory feature of Configuration Manager. You can configure software inventory to find catalog files on your managed systems by creating and deploying a new client settings policy. ->[!NOTE] ->A standard naming convention for your catalog files will significantly simplify the catalog file software inventory process. In this example, *-Contoso* has been added to all catalog file names. +> [!NOTE] +> A standard naming convention for your catalog files will significantly simplify the catalog file software inventory process. In this example, *-Contoso* has been added to all catalog file names. 1. Open the Configuration Manager console, and select the Administration workspace. 
@@ -303,26 +273,26 @@ You can configure software inventory to find catalog files on your managed syste ![Create Custom Client Device Settings.](images/dg-fig19-customsettings.png) - Figure 8. Select custom settings + Figure 8. Select custom settings. 4. In the navigation pane, select **Software Inventory**, and then select **Set Types**, as shown in Figure 9. ![Software Inventory settings for devices.](images/dg-fig20-setsoftwareinv.png) - Figure 9. Set the software inventory + Figure 9. Set the software inventory. 5. In the **Configure Client Setting** dialog box, select the **Start** button to open the **Inventories File Properties** dialog box. -6. In the **Name** box, type a name such as **\*Contoso.cat**, and then select **Set**. +6. In the **Name** box, type a name such as `*Contoso.cat`, and then select **Set**. - >[!NOTE] - >When typing the name, follow your naming convention for catalog files. + > [!NOTE] + > When typing the name, follow your naming convention for catalog files. -7. In the **Path Properties** dialog box, select **Variable or path name**, and then type **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}** in the box, as shown in Figure 10. +7. In the **Path Properties** dialog box, select **Variable or path name**, and then type `C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}` in the box, as shown in Figure 10. ![Path Properties, specifying a path.](images/dg-fig21-pathproperties.png) - Figure 10. Set the path properties + Figure 10. Set the path properties. 8. Select **OK**. @@ -338,45 +308,37 @@ At the time of the next software inventory cycle, when the targeted clients rece 4. In Resource Explorer, navigate to Software\\File Details to view the inventoried catalog files. ->[!NOTE] ->If nothing is displayed in this view, navigate to Software\\Last Software Scan in Resource Explorer to verify that the client has recently completed a software inventory scan. - -
+> [!NOTE] +> If nothing is displayed in this view, navigate to Software\\Last Software Scan in Resource Explorer to verify that the client has recently completed a software inventory scan. ## Allow apps signed by your catalog signing certificate in your WDAC policy -Now that you have your signed catalog file, you can add a signer rule to your WDAC policy that will allow anything signed with that certificate. If you haven't yet created a WDAC policy, see [WDAC Design Guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide). +Now that you have your signed catalog file, you can add a signer rule to your policy that allows anything signed with that certificate. If you haven't yet created a WDAC policy, see the [Windows Defender Application Control design guide](windows-defender-application-control-design-guide.md). -
-
-Expand this section for detailed instructions on creating a signer rule for your catalog signer. - -On a computer where the signed catalog file has been deployed, you can use [New-CiPolicyRule](/powershell/module/configci/new-cipolicyrule) to create a signer rule from any file included in that catalog. Then use [Merge-CiPolicy](/powershell/module/configci/merge-cipolicy) to add the rule to your policy XML. Be sure to replace the path values in the sample below. +On a computer where the signed catalog file has been deployed, you can use [New-CiPolicyRule](/powershell/module/configci/new-cipolicyrule) to create a signer rule from any file included in that catalog. Then use [Merge-CiPolicy](/powershell/module/configci/merge-cipolicy) to add the rule to your policy XML. Be sure to replace the path values in the following sample: ```powershell $Rules = New-CIPolicyRule -DriverFilePath -Level Publisher - Merge-CIPolicy -OutputFilePath -PolicyPaths -Rules $Rules + Merge-CIPolicy -OutputFilePath -PolicyPaths -Rules $Rules ``` -Alternatively, you can use [Add-SignerRule](/powershell/module/configci/add-signerrule) to add a signer rule to your WDAC policy from the certificate file (.cer). You can easily save the .cer file from your signed catalog file. +Alternatively, you can use [Add-SignerRule](/powershell/module/configci/add-signerrule) to add a signer rule to your policy from the certificate file (.cer). You can easily save the .cer file from your signed catalog file. 1. Right-click the catalog file, and then select **Properties**. 2. On the **Digital Signatures** tab, select the signature from the list and then select **Details**. 3. Select **View Certificate** to view the properties of the leaf certificate. -4. Select the **Details** tab and select **Copy to File** which will run the Certificate Export Wizard. +4. Select the **Details** tab and select **Copy to File**. This action runs the Certificate Export Wizard. 5. 
Complete the wizard using the default option for **Export File Format** and specifying a location and file name to save the .cer file. > [!NOTE] -> The steps listed above will select the lowest level of the certificate chain (the "leaf" certificate). Instead, you can choose to use the certificate's intermediate or root issuer certificate. To use a different certificate in the chain, switch to the **Certification Path** tab after step 3 above, then select the certificate level you want to use and select **View Certificate**. Then complete the remaining steps. +> These steps select the lowest level of the certificate chain, also called the "leaf" certificate. Instead, you can choose to use the certificate's intermediate or root issuer certificate. To use a different certificate in the chain, switch to the **Certification Path** tab after step 3 above, then select the certificate level you want to use and select **View Certificate**. Then complete the remaining steps. -The following example uses the .cer file to add a signer rule to both the user and kernel mode signing scenarios. Be sure to replace the path values in the sample below. +The following example uses the .cer file to add a signer rule to both the user and kernel mode signing scenarios. Be sure to replace the path values in the following sample: ```powershell - Add-SignerRule -FilePath -CertificatePath -User -Kernel + Add-SignerRule -FilePath -CertificatePath -User -Kernel ``` -
- ## Known issues using Package Inspector Some of the known issues using Package Inspector to build a catalog file are: @@ -386,14 +348,14 @@ Some of the known issues using Package Inspector to build a catalog file are: - Get the value of the reg key at HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c: (this USN was the most recent one when you ran PackageInspector start). Then use fsutil.exe to read that starting location. Replace "RegKeyValue" in the following command with the value from the reg key:
`fsutil usn readjournal C: startusn=RegKeyValue > inspectedusn.txt` - The above command should return an error if the older USNs don't exist anymore due to overflow - - You can expand the USN Journal size using: `fsutil usn createjournal` with a new size and allocation delta. `Fsutil usn queryjournal` will show the current size and allocation delta, so using a multiple of that may help + - You can expand the USN Journal size using: `fsutil usn createjournal` with a new size and allocation delta. `Fsutil usn queryjournal` shows the current size and allocation delta, so using a multiple of that may help - **CodeIntegrity - Operational event log is too small to track all files created by the installer** - To diagnose whether Eventlog size is the issue, after running through Package Inspector: - Open Event Viewer and expand the **Application and Services//Microsoft//Windows//CodeIntegrity//Operational**. Check for a 3076 audit block event for the initial installer launch. - To increase the Event log size, in Event Viewer right-click the operational log, select Properties, and then set new values - **Installer or app files that change hash each time the app is installed or run** - - Some apps generate files at run time whose hash value is different every time. You can diagnose this issue by reviewing the hash values in the 3076 audit block events (or 3077 enforcement events) that are generated. If each time you attempt to run the file you observe a new block event with a different hash, the package won't work with Package Inspector. + - Some apps generate files at run time whose hash value is different every time. You can diagnose this issue by reviewing the hash values in the 3076 audit block events (or 3077 enforcement events) that are generated. If each time you attempt to run the file you observe a new block event with a different hash, the package doesn't work with Package Inspector. 
- **Files with an invalid signature blob or otherwise "unhashable" files** - This issue arises when a signed file was modified in a way that invalidates the file's PE header. A file modified in this way is unable to be hashed according to the Authenticode spec. - - Although these "unhashable" files can't be included in the catalog file created by PackageInspector, you should be able to allow them by adding a hash ALLOW rule to your WDAC policy that uses the file's flat file hash. + - Although these "unhashable" files can't be included in the catalog file created by PackageInspector, you should be able to allow them by adding a hash ALLOW rule to your policy that uses the file's flat file hash. - This issue affects some versions of InstallShield packages that use signed DLL files in custom actions. InstallShield adds tracking markers to the file (editing it post signature) which leaves the file in this "unhashable" state. diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md index 9e1561c2d8..3bd14575c5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md 
@@ -1,15 +1,9 @@ --- -title: Example Windows Defender Application Control (WDAC) base policies (Windows) -description: When creating a WDAC policy for an organization, start from one of the many available example base policies. -keywords: security, malware -ms.topic: article -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +title: Example Windows Defender Application Control base policies +description: When creating a Windows Defender Application Control (WDAC) policy for an organization, start from one of the many available example base policies. +ms.topic: reference ms.prod: windows-client -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa @@ -18,7 +12,7 @@ ms.date: 03/16/2023 ms.technology: itpro-security --- -# Windows Defender Application Control (WDAC) example base policies +# Windows Defender Application Control example base policies **Applies to:** 
@@ -26,12 +20,10 @@ ms.technology: itpro-security - Windows 11 - Windows Server 2016 and above ->[!NOTE] ->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](feature-availability.md). -When you create policies for use with Windows Defender Application Control (WDAC), start from an existing base policy and then add or remove rules to build your own custom policy. Windows includes several example policies that can be used, or organizations that use the Device Guard Signing Service can download a starter policy from that service. - -## Example Base Policies +When you create policies for use with Windows Defender Application Control (WDAC), start from an existing base policy and then add or remove rules to build your own custom policy. Windows includes several example policies that you can use. | **Example Base Policy** | **Description** | **Where it can be found** | |-------------------------|---------------------------------------------------------------|--------| 
@@ -40,13 +32,12 @@ When you create policies for use with Windows Defender Application Control (WDAC | **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml | | **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using WDAC. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll_EnableHVCI.xml | | **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DenyAllAudit.xml | -| **Device Guard Signing Service (DGSS) DefaultPolicy.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed with your organization-specific certificates issued by the DGSS. | [Device Guard Signing Service NuGet Package](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client) | -| **MEM Configuration Manager** | Customers who use Configuration Manager can deploy a policy with Configuration Manager's built-in WDAC integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint | -| **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy includes a rule that is unsupported for enterprise WDAC policies and must be removed. 
For more information about using this example policy, see [Create a custom base policy using an example WDAC base policy](create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy)). | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml
%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\SignedReputable.xml | +| **Microsoft Configuration Manager** | Customers who use Configuration Manager can deploy a policy with Configuration Manager's built-in WDAC integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint | +| **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy includes a rule that is unsupported for enterprise WDAC policies and must be removed. For more information about using this example policy, see [Create a custom base policy using an example base policy](create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy). | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml
%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\SignedReputable.xml | | **Example supplemental policy** | This example policy shows how to use supplemental policy to expand the DefaultWindows_Audit.xml allow a single Microsoft-signed file. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Supplemental.xml | | **Microsoft Recommended Block List** | This policy includes a list of Windows and Microsoft-signed code that Microsoft recommends blocking when using WDAC, if possible. | [Microsoft recommended block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)
%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Recommended_UserMode_Blocklist.xml | | **Microsoft recommended driver blocklist** | This policy includes rules to block known vulnerable or malicious kernel drivers. | [Microsoft recommended driver block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)
%OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\RecommendedDriverBlock_Enforced.xml
%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Recommended_Driver_Blocklist.xml | -| **Windows S mode** | This policy includes the rules used to enforce [Windows S mode](https://support.microsoft.com/en-us/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85). | %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\WinSiPolicy.xml.xml | +| **Windows S mode** | This policy includes the rules used to enforce [Windows S mode](https://support.microsoft.com/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85). | %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\WinSiPolicy.xml.xml | | **Windows 11 SE** | This policy includes the rules used to enforce [Windows 11 SE](/education/windows/windows-11-se-overview), a version of Windows built for use in schools. | %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\WinSEPolicy.xml.xml | > [!NOTE] diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 2fb47fdf33..5984fefcc0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
@@ -96,7 +96,7 @@ Each file rule level has advantages and disadvantages. Use Table 2 to select the | **FilePublisher** | This level combines the "FileName" attribute of the signed file, plus "Publisher" (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. | | **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates typically have shorter validity periods than other certificate levels, so the WDAC policy must be updated whenever these certificates change. | | **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root because the scan doesn't resolve the complete certificate chain via the local root stores or with an online check. | -| **RootCertificate** | This level may produce an overly permissive policy and isn't recommended for most use cases. | +| **RootCertificate** | Not supported. | | **WHQL** | Only trusts binaries that have been submitted to Microsoft and signed by the Windows Hardware Qualification Lab (WHQL). This level is primarily for kernel binaries. | | **WHQLPublisher** | This level combines the WHQL level and the CN on the leaf certificate, and is primarily for kernel binaries. | | **WHQLFilePublisher** | This level combines the "FileName" attribute of the signed file, plus "WHQLPublisher", plus a minimum version number. This level is primarily for kernel binaries. | 
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md index e73d92001f..32b34dfe20 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md @@ -1,14 +1,8 @@ --- title: Use code signing for added control and protection with WDAC -description: Code signing can be used to better control win32 app authorization and add protection for your WDAC policies. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +description: Code signing can be used to better control Win32 app authorization and add protection for your Windows Defender Application Control (WDAC) policies. ms.prod: windows-client -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro ms.topic: conceptual author: jsuther1974 ms.reviewer: jogeurte @@ -18,7 +12,7 @@ ms.date: 11/29/2022 ms.technology: itpro-security --- -# Use code signing for added control and protection with WDAC +# Use code signing for added control and protection with Windows Defender Application Control **Applies to:** 
@@ -27,11 +21,11 @@ ms.technology: itpro-security - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](feature-availability.md). ## What is code signing and why is it important? -Code signing provides some important benefits to application security features like Windows Defender Application Control (WDAC). First, it allows the system to cryptographically verify that a file hasn't been tampered with since it was signed and before any code is allowed to run. Second, it associates the file with a real-world identity, such as a company or an individual developer. This identity can make your WDAC policy trust decisions easier and allows for real-world consequences when code signing is abused or used maliciously. Although Windows doesn't require software developers to digitally sign their code, most major independent software vendors (ISV) do use code signing for much of their code. And metadata that a developer includes in a file's resource header (.RSRC), such as OriginalFileName or ProductName, can be combined with the file's signing certificate to limit the scope of trust decisions. For example, instead of allowing everything signed by Microsoft, you can choose to allow only files signed by Microsoft where ProductName is "Microsoft Teams". Then use other rules to authorize any other files that need to run. +Code signing provides some important benefits to application security features like Windows Defender Application Control (WDAC). 
First, it allows the system to cryptographically verify that a file hasn't been tampered with since it was signed and before any code is allowed to run. Second, it associates the file with a real-world identity, such as a company or an individual developer. This identity can make your policy trust decisions easier and allows for real-world consequences when code signing is abused or used maliciously. Although Windows doesn't require software developers to digitally sign their code, most major independent software vendors (ISV) do use code signing for much of their code. And metadata that a developer includes in a file's resource header (.RSRC), such as OriginalFileName or ProductName, can be combined with the file's signing certificate to limit the scope of trust decisions. For example, instead of allowing everything signed by Microsoft, you can choose to allow only files signed by Microsoft where ProductName is "Microsoft Teams". Then use other rules to authorize any other files that need to run. Wherever possible, you should require all app binaries and scripts are code signed as part of your app acceptance criteria. And, you should ensure that internal line-of-business (LOB) app developers have access to code signing certificates controlled by your organization. 
@@ -48,9 +42,9 @@ To learn how to create and manage catalog files for existing apps, see [Deploy c ## Signed WDAC policies -While a WDAC policy begins as an XML document, it's then converted into a binary-encoded file before deployment. This binary version of your WDAC policy can be code signed like any other application binary, offering many of the same benefits as described above for signed code. Additionally, signed policies are treated specially by WDAC and help protect against tampering or removal of a WDAC policy even by an admin user. +While a WDAC policy begins as an XML document, it's then converted into a binary-encoded file before deployment. This binary version of your policy can be code signed like any other application binary, offering many of the same benefits as described above for signed code. Additionally, signed policies are treated specially by WDAC and help protect against tampering or removal of a policy even by an admin user. -For more information on using signed WDAC policies, see [Use signed policies to protect WDAC against tampering](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering) +For more information on using signed policies, see [Use signed policies to protect Windows Defender Application Control against tampering](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering) ## Obtain code signing certificates for your own use 
@@ -58,5 +52,4 @@ Some ways to obtain code signing certificates for your own use, include: - Purchase a code signing certificate from one of the [Microsoft Trusted Root Program participants](/security/trusted-root/participants-list). - To use your own digital certificate or public key infrastructure (PKI) to issue code signing certificates, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). -- Customers with existing Microsoft Store for Business and Education accounts can continue to use the ["Device Guard signing service v2"](/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business). - Use Microsoft's [Azure Code Signing (ACS) service](https://aka.ms/AzureCodeSigning). diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md deleted file mode 100644 index 6e3ec4c7fb..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md +++ /dev/null 
@@ -1,188 +0,0 @@ ---- -title: Use the Device Guard Signing Service v2 (Windows) -description: You can sign catalog files and WDAC policies with the Device Guard signing service. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.author: vinpa -ms.prod: windows-client -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -audience: ITPro -ms.topic: conceptual -author: jsuther1974 -ms.reviewer: jogeurte -manager: aaroncz -ms.date: 11/30/2022 -ms.technology: itpro-security ---- - -# Optional: Use the Device Guard Signing Service v2 - -**Applies to:** - -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - -> [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). -> -> You can continue to use the current Device Guard Signing Service v2 (DGSS) capabilities until that time. DGSS will be replaced by the [Azure Code Signing service (ACS)](https://aka.ms/AzureCodeSigning) and will support your Windows Defender Application Control (WDAC) policy and catalog file signing needs. - -The Device Guard Signing Service v2 (DGSS) is a code signing service that comes with your existing Microsoft Store for Business and Education tenant account. You can use the DGSS to sign catalog files and Windows Defender Application Control (WDAC) policies. - -## Set up permissions for DGSS signing in the Microsoft Store for Business and Education - -To use DGSS, you need to assign yourself a role with the right permissions. The least privileged role with DGSS signing privilege is the **Device Guard signer** role. **Global Administrator** and **Billing account owner** can also sign with the DGSS. 
- -## Install the DGSS client NuGet package - -Download and install the [DGSS client utilities and PowerShell cmdlets NuGet package](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/). - -1. Download the [latest recommended version of nuget.exe](https://dist.nuget.org/win-x86-commandline/latest/nuget.exe). -2. From an elevated PowerShell or command window, run the following command: - - ```powershell - nuget.exe install Microsoft.Acs.Dgss.Client - ``` - -3. Import the DGSS PowerShell module from the location where the Microsoft.Acs.Dgss.Client was installed in the previous step. - - ```powershell - # Update the path to the Microsoft.Acs.Dgss.Client.dll if needed - Import-Module $env:USERPROFILE\Downloads\Microsoft.Acs.Dgss.Client.1.0.11\PowerShell\Microsoft.Acs.Dgss.Client.dll - ``` - -## DGSS PowerShell Commands - -> [!NOTE] -> <DGSSCommonParameters> are parameters common across all commands and are documented below the command definitions. - -### Get-DefaultPolicy - -Gets the default .xml policy file associated with the current tenant. - -**Usage:** - - ```powershell - Get-DefaultPolicy -OutFile filename [-PassThru] [] - ``` - -**Parameters:** - -- **OutFile** - string, mandatory - The filename where the default policy file should be persisted to disk. The file name should be an .xml file. If the file already exists, it will be overwritten. NOTE: The destination folder must already exist. -- **PassThru** - switch, optional - If present, returns an XmlDocument object returning the default policy file. - -**Command running time:** The average running time is under 20 seconds but may be up to 3 minutes. - -### Get-RootCertificate - -Gets the root certificate for the current tenant. All Authenticode and policy signing certificates will eventually chain up to this root certificate. 
- -**Usage:** - - ```powershell - Get-RootCertificate -OutFile filename [-PassThru] [] - ``` - -**Parameters:** - -- **OutFile** - string, mandatory - The filename where the root certificate file should be persisted to disk. The file name should be a .cer file. If the file already exists, it will be overwritten. NOTE: The destination folder must already exist. -- **PassThru** - switch, optional - If present, returns an X509Certificate2 object returning the default policy file. - -**Command running time:** The average running time is under 20 seconds but may be up to 3 minutes. - -### Get-SigningHistory - -Gets information for the latest 100 files signed by the current tenant. Results are returned as a collection with elements in reverse chronological order (most recent to least recent). - -**Usage:** - - ```powershell - Get-SigningHistory -OutFile filename [-PassThru] [] - ``` - -**Parameters:** - -- **OutFile** - string, mandatory - The filename where the signing history file should be persisted to disk. The file name should be an .xml file. If the file already exists, it will be overwritten. NOTE: The destination folder must already exist. -- **PassThru** - switch, optional - If present, returns XML objects returning the XML file. - -**Command running time:** The average running time is under 10 seconds. - -### Submit-SigningJob - -Submits a file to the service for signing and timestamping. The module supports valid file type for Authenticode signing is Catalog file (.cat). Valid file type for policy signing is binary policy files with the extension (.bin) that have been created via the ConvertFrom-CiPolicy cmdlet. Otherwise, binary policy file may not be deployed properly. 
- -**Usage:** - - ```powershell - Submit-SigningJob -InFile filename -OutFile filename [-NoTimestamp][- TimeStamperUrl "timestamper url"] [-JobDescription "description"] [] - ``` - -**Parameters:** - -- **InFile** - string, mandatory - The file to be signed, which must be a valid catalog file (.cat) or WDAC policy file with binary extension (.bin). -- **OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten. NOTE: The destination folder must already exist. -- **NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl is present, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl aren't present, the signing operation will skip timestamping the output file, and it will be signed only. -- **TimeStamperUrl** - string, optional - If this value is an invalid URL (and NoTimestamp not present), the module will throw an exception. To understand more about timestamping, see [Timestamping](/windows/msix/package/signing-package-overview#timestamping). -- **JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build process, you may want the process to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command. - -### Submit-SigningV1MigrationPolicy - -Submits a file to the service for signing and timestamping. The only valid file type for policy signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for DGSS V1 migration. 
- -**Usage:** - - ```powershell - Submit-SigningV1MigrationPolicy -InFile filename -OutFile filename [-NoTimestamp][-TimeStamperUrl "timestamper url"] [-JobDescription "description"] [] - ``` - -**Parameters:** - -- **InFile** - string, mandatory - The file to be signed, which must be a WDAC policy file with binary extension (.bin). -- **OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten. NOTE: The destination folder must already exist. -- **NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl is present, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl aren't present, the signing operation will skip timestamping the output file, and it will be signed only. -- **TimeStamperUrl** - string, optional - If this value is an invalid URL (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, see [Timestamping](/windows/msix/package/signing-package-overview#timestamping). -- **JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build process, you may want the process to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command. - -**Command running time:** The average running time is under 20 seconds but may be up to 3 minutes. - -### Common parameters <DGSSCommonParameters> - -In addition to cmdlet-specific parameters, each cmdlet understands the following common parameters. - -**Usage:** - - ```powershell - ... 
[-NoPrompt] [-Credential $creds] [-AppId AppId] [-Verbose] - ``` - -**Parameters:** - -- **NoPrompt** - switch, optional - If present, indicates that the script is running in a headless environment and that all UI should be suppressed. If UI must be displayed (for example, for authentication) when the switch is set, the operation will instead fail. -- **Credential + AppId** - PSCredential - A sign-in credential (username and password) and AppId. - -## File and size limits - -When you're uploading files for DGSS signing, there are a few limits for files and file size: - -| Description | Limit | -|-------------------------------------------------------|----------| -| Maximum size for a policy or catalog file | 3.5 MB | -| Maximum size for multiple files (uploaded in a group) | 4 MB | -| Maximum number of files per upload | 15 files | - -## File types - -Catalog and policy files submitted to DGSS for signing must use specific file extensions: - -| File | Required file extension | -|---------------|--------------------| -| catalog files | .cat | -| policy files | .bin | - -## DGSS signing certificates - -All certificates generated by the DGSS are unique per customer and are independent of the Microsoft production code signing certificate authorities. All Certification Authority (CA) keys are stored within the cryptographic boundary of Federal Information Processing Standards (FIPS) publication 140-2 compliant hardware security modules. After initial generation, root certificate keys and top level CA keys are removed from the online signing service, encrypted, and stored offline. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index 60174cc444..ef0985446c 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -1,15 +1,9 @@ --- -title: Use signed policies to protect Windows Defender Application Control against tampering (Windows) -description: Signed WDAC policies give organizations the highest level of malware protection available in Windows 10 and Windows 11. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +title: Use signed policies to protect Windows Defender Application Control against tampering +description: Signed Windows Defender Application Control (WDAC) policies give organizations the highest level of malware protection available in Windows 10 and Windows 11. ms.prod: windows-client -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium ms.topic: conceptual -audience: ITPro author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa 
@@ -27,32 +21,28 @@ ms.technology: itpro-security - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](feature-availability.md). -Signed Windows Defender Application Control (WDAC) policies give organizations the highest level of protection available in Windows. These policies are designed to detect administrative tampering of the policy, such as by malware running as admin, and will result in a boot failure (blue screen). With this goal in mind, it's much more difficult to remove signed WDAC policies. SecureBoot must be enabled in order to provide this protection for signed WDAC policies. +Signed Windows Defender Application Control (WDAC) policies give organizations the highest level of protection available in Windows. These policies are designed to detect administrative tampering of the policy, such as by malware running as admin, and will result in a boot failure or blue screen. With this goal in mind, it's much more difficult to remove signed WDAC policies. SecureBoot must be enabled in order to provide this protection for signed WDAC policies. -If you don't currently have a code signing certificate you can use to sign your WDAC policies, see [Obtain code signing certificates for your own use](/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications#obtain-code-signing-certificates-for-your-own-use). 
+If you don't currently have a code signing certificate you can use to sign your policies, see [Obtain code signing certificates for your own use](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md#obtain-code-signing-certificates-for-your-own-use). > [!WARNING] -> Boot failure (blue screen) may occur if your signing certificate doesn't follow these rules: +> Boot failure, or blue screen, may occur if your signing certificate doesn't follow these rules: > > - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652). > - Use RSA keys with 2K, 3K, or 4K key size only. ECDSA isn't supported. > - You can use SHA-256, SHA-384, or SHA-512 as the digest algorithm on Windows 11, as well as Windows 10 and Windows Server 2019 and above after applying the November 2022 cumulative security update. All other devices only support SHA-256. > - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING. -Before you attempt to deploy signed WDAC policy, you should first deploy an unsigned version of the policy to uncover any issues with the policy rules. We also recommend you enable rule options **9 - Enabled:Advanced Boot Options Menu** and **10 - Enabled:Boot Audit on Failure** to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md). 
+Before you attempt to deploy a signed policy, you should first deploy an unsigned version of the policy to uncover any issues with the policy rules. We also recommend you enable rule options **9 - Enabled:Advanced Boot Options Menu** and **10 - Enabled:Boot Audit on Failure** to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md). > [!NOTE] -> When signing a Base policy that has existing Supplemental policies, you must also switch to signed policy for all of the Supplementals. Authorize the signed supplemental policies by adding a **<SupplementalPolicySigner>** rule to the Base policy. +> When signing a Base policy that has existing Supplemental policies, you must also switch to signed policy for all of the Supplementals. Authorize the signed supplemental policies by adding a `` rule to the Base policy. ## Prepare your WDAC policy for signing -
-
- Expand this section for detailed instructions on preparing your WDAC policy files for signing. - -1. Open an elevated Windows PowerShell session and initialize the variables that will be used: +1. Open an elevated Windows PowerShell session and initialize the variables to use: ```powershell $PolicyPath=$env:userprofile+"\Desktop\" 
@@ -61,26 +51,27 @@ Before you attempt to deploy signed WDAC policy, you should first deploy an unsi ``` > [!NOTE] - > This example uses an enforced version of the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) article. If you are signing another policy, be sure to update the **$PolicyPath** and **$PolicyName** variables with the correct information. + > This example uses an enforced version of the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) article. If you sign another policy, be sure to update the **$PolicyPath** and **$PolicyName** variables with the correct information. 2. Navigate to your desktop as the working directory: - ```powershell - cd $PolicyPath - ``` + ```powershell + cd $PolicyPath + ``` -3. If your WDAC policy doesn't already include an **<UpdatePolicySigner>** rule for your policy signing certificate, you must add it. At least one **<UpdatePolicySigner>** rule must exist to convert your WDAC policy XML with [ConvertFrom-CiPolicy](/powershell/module/configci/convertfrom-cipolicy). If you're using the Device Guard Signing Service v2 (DGSS) to sign your policy, you can find the policy signer rule in your tenant's default policy, which you can download from [Get-DefaultPolicy](/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business#get-defaultpolicy). +3. If your WDAC policy doesn't already include an `` rule for your policy signing certificate, you must add it. At least one `` rule must exist to convert your policy XML with [ConvertFrom-CiPolicy](/powershell/module/configci/convertfrom-cipolicy). - Otherwise, use [Add-SignerRule](/powershell/module/configci/add-signerrule) and create an **<UpdatePolicySigner>** rule from your certificate file (.cer). 
DGSS users can download the root certificate file from [Get-RootCertificate](/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business#get-rootcertificate). If you purchased a code signing certificate or issued one from your own public key infrastructure (PKI), you can export the certificate file. + Use [Add-SignerRule](/powershell/module/configci/add-signerrule) and create an `` rule from your certificate file (.cer). If you purchased a code signing certificate or issued one from your own public key infrastructure (PKI), you can export the certificate file. - NOTE: If your policy doesn't allow Supplemental policies, you should omit the **-Supplemental** switch from the following command: + > [!NOTE] + > If your policy doesn't allow Supplemental policies, you should omit the **-Supplemental** switch from the following command: - ```powershell - Add-SignerRule -FilePath $LamnaServerPolicy -CertificatePath –Update -Supplemental - ``` + ```powershell + Add-SignerRule -FilePath $LamnaServerPolicy -CertificatePath -Update -Supplemental + ``` - > [!IMPORTANT] - > Failing to perform this step will leave you unable to modify or disable this policy and will lead to boot failure. For more information about how to disable signed WDAC policies causing boot failure, see [Remove WDAC policies causing boot stop failures](/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies#remove-wdac-policies-causing-boot-stop-failures). + > [!IMPORTANT] + > Failing to perform this step will leave you unable to modify or disable this policy and will lead to boot failure. For more information about how to disable signed policies causing boot failure, see [Remove Windows Defender Application Control policies causing boot stop failures](disable-windows-defender-application-control-policies.md#remove-wdac-policies-causing-boot-stop-failures). 4. 
Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option: @@ -104,19 +95,13 @@ Before you attempt to deploy signed WDAC policy, you should first deploy an unsi ConvertFrom-CIPolicy $LamnaServerPolicy $CIPolicyBin ``` -
- -## Sign your WDAC policy - -### Policy signing with Device Guard Signing Service v2 (DGSS) - -If you have an existing Microsoft Store for Business and Education account, you can use the DGSS to sign your WDAC policy. For more information, see [Submit-SigningJob](/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business#submit-signingjob). +## Sign your policy ### Policy signing with signtool.exe If you purchased a code signing certificate or issued one from your own PKI, you can use [SignTool.exe](/windows/win32/seccrypto/signtool) to sign your WDAC policy files: -1. Import the .pfx code signing certificate into the user’s personal store on the computer where the signing will happen. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). +1. Import the .pfx code signing certificate into the user's personal store on the computer where the signing will happen. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). 2. Sign the WDAC policy by using SignTool.exe: 
@@ -125,9 +110,9 @@ If you purchased a code signing certificate or issued one from your own PKI, you ``` > [!NOTE] - > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. + > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoSigningCert** is the subject name of the certificate that will be used to sign the policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. -When complete, the commands should output a signed policy file with a .p7 extension. You must rename the file to *{GUID}*.cip where "{GUID}" is the <PolicyId> from your original WDAC policy XML. +When complete, the commands should output a signed policy file with a `.p7` extension. You must rename the file to `{GUID}.cip` where "{GUID}" is the <PolicyId> from your original WDAC policy XML. ## Verify and deploy the signed policy 
@@ -139,7 +124,7 @@ certutil.exe -asn Thoroughly test the signed policy on a representative set of computers before proceeding with deployment. Be sure to reboot the test computers at least twice after applying the signed WDAC policy to ensure you don't encounter a boot failure. -Once you've verified the signed policy, deploy it using your preferred deployment method. For information about deploying WDAC policies, see [Deploying WDAC policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). +Once you've verified the signed policy, deploy it using your preferred deployment method. For more information about deploying policies, see [Deploying Windows Defender Application Control policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). > [!NOTE] -> Anti-tampering protection for signed WDAC policies takes effect after the first reboot once the signed WDAC policy is applied to a computer. This protection only applies to computers with UEFI Secure Boot enabled. +> Anti-tampering protection for signed policies takes effect after the first reboot once the signed policy is applied to a computer. This protection only applies to computers with UEFI Secure Boot enabled. diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index c6f1572c34..ccc6db0ea1 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md 
@@ -30,7 +30,7 @@ The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements ## Lifecycle > [!IMPORTANT] -> Windows 10 Enterprise LTSC 2021 has a 5 year lifecycle ([IoT](/windows/iot/product-family/what's-new-in-windows-10-iot-enterprise-21h2) continues to have a [10 year lifecycle](/windows/iot/product-family/product-lifecycle?tabs=2021)). Thus, the LTSC 2021 release is not a direct replacement for LTSC 2019, which has a 10 year lifecycle. +> Windows 10 Enterprise LTSC 2021 has a 5 year lifecycle ([IoT Enterprise LTSC](/windows/iot/iot-enterprise/whats-new/windows-iot-enterprise-ltsc) continues to have a [10 year lifecycle](/lifecycle/products/windows-10-iot-enterprise-ltsc-2021)). Thus, the LTSC 2021 release is not a direct replacement for LTSC 2019, which has a 10 year lifecycle. For more information about the lifecycle for this release, see [The next Windows 10 Long Term Servicing Channel (LTSC) release](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-next-windows-10-long-term-servicing-channel-ltsc-release/ba-p/2147232). @@ -227,7 +227,7 @@ Microsoft Edge Browser support is now included in-box. ### Microsoft Edge kiosk mode -Microsoft Edge kiosk mode is available for LTSC releases starting in Windows 10 Enterprise 2021 LTSC and [Windows 10 IoT Enterprise 2021 LTSC](/windows/iot/product-family/what's-new-in-windows-10-iot-enterprise-21h2). +Microsoft Edge kiosk mode is available for LTSC releases starting in Windows 10 Enterprise 2021 LTSC and [Windows 10 IoT Enterprise 2021 LTSC](/windows/iot/iot-enterprise/whats-new/windows-iot-enterprise-ltsc). Microsoft Edge kiosk mode offers two lockdown experiences of the browser so organizations can create, manage, and provide the best experience for their customers. The following lockdown experiences are available: - Digital/Interactive Signage experience - Displays a specific site in full-screen mode.
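Review bot: In the NOTE at the end of the `@@ -27,32 +21,28 @@` hunk of use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md, the added line reads "adding a `` rule to the Base policy" with an empty code span, whereas the removed line named the rule as **<SupplementalPolicySigner>**; keep the element name inside the backticks (`<SupplementalPolicySigner>`), otherwise the note no longer says which rule to add. The same hunk keeps `Set-RuleOption -FilePath -Option 9` with nothing after `-FilePath`; a bracketed placeholder for the policy path would make the sample command readable as an invocation rather than a fragment.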
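Review bot: Same empty code-span problem in step 3 of the `@@ -61,26 +51,27 @@` hunk: both occurrences of `` on the added lines should read `<UpdatePolicySigner>`, as the removed lines did. The re-indented `Add-SignerRule` line correctly replaces the en dash in `–Update` with `-Update`, but `-CertificatePath` is still followed directly by `-Update` with no path argument; add a placeholder for the .cer path so the command is complete. Dropping the Get-DefaultPolicy and Get-RootCertificate references here is consistent with the DGSS page being removed elsewhere in this change.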
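Review bot: In the `@@ -104,19 +95,13 @@` hunk, removing the DGSS subsection leaves "## Sign your policy" with a single child heading, "### Policy signing with signtool.exe"; either fold the subsection into the H2 or add a one-sentence lead under the H2 saying that signing with your own certificate and SignTool.exe is the documented path. The "user’s" to "user's" apostrophe fix is fine.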
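Review bot: In the `@@ -125,9 +110,9 @@` hunk the added line puts `.p7` and `{GUID}.cip` in backticks but leaves `<PolicyId>` bare; Markdown treats a bare `<PolicyId>` as an HTML tag and renderers commonly drop it, so format it as `<PolicyId>` as well. The same applies to `*<Path to signtool.exe>*` in the NOTE two lines above, which is retained unchanged on the added line.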
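Review bot: In the `@@ -139,7 +124,7 @@` hunk the updated "Deploying Windows Defender Application Control policies" link keeps the absolute path `/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide`, while the other links touched in this file were converted to relative `.md` links (`use-code-signing-to-simplify-application-control-for-classic-windows-applications.md`, `disable-windows-defender-application-control-policies.md`); use the relative form here too for consistency.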
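Review bot: In the `@@ -30,7 +30,7 @@` hunk of whats-new-windows-10-2021.md, the lifecycle link correctly moves from the `?tabs=2021` query-string page to `/lifecycle/products/windows-10-iot-enterprise-ltsc-2021`, but the unchanged part of the line still reads "a 5 year lifecycle" and "a 10 year lifecycle"; since the line is being edited anyway, hyphenate these as "5-year" and "10-year".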