From f9880962ade9ffdff86831580cc76db80d93ed82 Mon Sep 17 00:00:00 2001
From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com>
Date: Tue, 13 Sep 2022 15:32:29 -0700
Subject: [PATCH 1/9] Update reqs-md-app-guard.md
---
.../microsoft-defender-application-guard/reqs-md-app-guard.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
index 92960da468..e2a72c7821 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -48,6 +48,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl
| Software | Description |
|--------|-----------|
-| Operating system | Windows 10 Enterprise edition, version 1809 or higher
Windows 10 Professional edition, version 1809 or higher
Windows 10 Professional for Workstations edition, version 1809 or higher
Windows 10 Professional Education edition, version 1809 or higher
Windows 10 Education edition, version 1809 or higher
Professional editions are only supported for non-managed devices; Intune or any other third-party mobile device management (MDM) solutions aren't supported with MDAG for Professional editions.
Windows 11 Education, Enterprise, and Professional |
+| Operating system | Windows 10 Enterprise edition, version 1809 or higher
Windows 10 Professional edition, version 1809 or higher
Windows 10 Professional for Workstations edition, version 1809 or higher
Windows 10 Professional Education edition, version 1809 or higher
Windows 10 Education edition, version 1809 or higher
Windows 11 Education, Enterprise, and Professional |
| Browser | Microsoft Edge |
| Management system
(only for managed devices)| [Microsoft Intune](/intune/)
**OR**
[Microsoft Endpoint Configuration Manager](/configmgr/)
**OR**
[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
**OR**
Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. |
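Review bot: The sentence removed from the Operating system row was the only place stating that Professional editions are supported for non-managed devices only and that Intune or other MDM solutions aren't supported with MDAG on those editions, and the subject "Update reqs-md-app-guard.md" gives no reason for dropping it. If the limitation has been lifted, say so in the commit body. The Management system row below still reads "(only for managed devices)", so after this change a reader cannot tell whether that row now applies to Professional editions.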
From 08a3064c54eed087a14b454fa08e82b658e9e923 Mon Sep 17 00:00:00 2001
From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com>
Date: Tue, 13 Sep 2022 15:35:31 -0700
Subject: [PATCH 2/9] Update windowsdefenderapplicationguard-csp.md
---
.../mdm/windowsdefenderapplicationguard-csp.md | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index e8c9563d43..7280a556b1 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -324,8 +324,6 @@ Supported operation is Get.
- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU.
- Bit 3 - Set to 1 when Application Guard installed on the client machine.
- Bit 4 - Set to 1 when required Network Isolation Policies are configured.
- > [!IMPORTANT]
- > If you are deploying Application Guard via Intune, Network Isolation Policy must be configured to enable Application Guard for Microsoft Edge.
- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
- Bit 6 - Set to 1 when system reboot is required.
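Review bot: Removing the [!IMPORTANT] note under Bit 4 drops the statement that an Intune deployment needs Network Isolation Policy configured to enable Application Guard for Microsoft Edge, while Bit 4 itself still reports whether the "required Network Isolation Policies are configured". The commit message does not say whether the requirement has gone away or is documented elsewhere. State which it is, or keep a one-line pointer under Bit 4 so the status bit remains interpretable.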
@@ -381,4 +379,4 @@ ADMX Info:
## Related topics
-[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
+[Configuration service provider reference](configuration-service-provider-reference.md)
From 725184189bd7791f6d67f200def064e03c0436fb Mon Sep 17 00:00:00 2001
From: Anders Ahl <58516456+GenerAhl@users.noreply.github.com>
Date: Wed, 14 Sep 2022 10:15:13 +0200
Subject: [PATCH 3/9] Update
deploy-windows-defender-application-control-policies-using-intune.md
Linked to the ConvertFrom-CIPolicy cmdlet for convenience
Updated the "Data type" to reflect the name in Intune which is "Base64 (file)"
---
...-defender-application-control-policies-using-intune.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
index 407a00c553..039e3db596 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
@@ -61,13 +61,13 @@ The steps to use Intune's custom OMA-URI functionality are:
1. Know a generated policy's GUID, which can be found in the policy xml as ``
-2. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
+2. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=windowsserver2022-ps) cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
4. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
- **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy
- - **Data type**: Base64
+ - **Data type**: Base64 (file)
- **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
> [!div class="mx-imgBorder"]
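Review bot: The new ConvertFrom-CIPolicy link in step 2 is an absolute https://docs.microsoft.com URL pinned to `?view=windowsserver2022-ps`, while the neighbouring link in step 3 is site-relative (`/mem/intune/configuration/custom-settings-windows-10`). Use the relative form `/powershell/module/configci/convertfrom-cipolicy` without the view parameter so the link follows the site and does not lock readers to one version of the module docs.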
@@ -86,13 +86,13 @@ Upon deletion, policies deployed through Intune via the ApplicationControl CSP a
The steps to use Intune's Custom OMA-URI functionality to apply the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are:
-1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
+1. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=windowsserver2022-ps) cmdlet in order to be deployed. The binary policy may be signed or unsigned.
2. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
3. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
- **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy)
- - **Data type**: Base64
+ - **Data type**: Base64 (file)
- **Certificate file**: upload your binary format policy file
> [!NOTE]
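Review bot: The OMA-URI context line in step 3 ends with a stray closing parenthesis (`.../_Grouping_/CodeIntegrity/Policy)`), and this hunk edits the lines on either side of it without fixing it. Anyone copying the path into a custom profile gets an invalid OMA-URI, so drop the `)` in the same change. The absolute docs.microsoft.com link added in step 1 has the same relative-path issue as in the previous hunk.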
From 9168a7ba10f6b95f0c3044329c020e950eea310d Mon Sep 17 00:00:00 2001
From: Anders Ahl <58516456+GenerAhl@users.noreply.github.com>
Date: Wed, 14 Sep 2022 16:39:47 +0200
Subject: [PATCH 4/9] Update configure-wdac-managed-installer.md
Clarified what "EA" means.
---
.../configure-wdac-managed-installer.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
index 70a4c7cad7..63d3ee3fe4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
@@ -31,7 +31,7 @@ ms.technology: windows-sec
## Using fsutil to query SmartLocker EA
-Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This verification can be done by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This EA's presence can be used in conjunction with enabling the MI and ISG logging events.
+Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph (ISG) enabled can use fsutil to determine whether a file was allowed to run by one of these features. This verification can be done by querying the Extended Attributes (EAs) on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This EA's presence can be used in conjunction with enabling the MI and ISG logging events.
**Example:**
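Review bot: In the added paragraph, "Extended Attributes (EAs)" is capitalised like a product name although it is a generic file-system term; "extended attributes (EAs)" matches how the rest of the sentence treats it. The heading in the context line, "Using fsutil to query SmartLocker EA", still carries the bare abbreviation, so consider expanding it there as well, since the heading is what a reader sees first.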
From 0400fe5cdc1ace381473eaa3cee5a81fa48e4cbb Mon Sep 17 00:00:00 2001
From: Aaron Czechowski
Date: Wed, 14 Sep 2022 08:17:24 -0700
Subject: [PATCH 5/9] fix links
---
...plication-control-policies-using-intune.md | 22 +++++++------------
1 file changed, 8 insertions(+), 14 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
index 039e3db596..99ba2124a5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
@@ -1,21 +1,15 @@
---
title: Deploy WDAC policies using Mobile Device Management (MDM) (Windows)
description: You can use an MDM like Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
+ms.prod: windows-client
+ms.technology: itpro-security
ms.localizationpriority: medium
-audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
-ms.author: dansimp
-manager: dansimp
+ms.author: vinpa
+manager: aaroncz
ms.date: 06/27/2022
-ms.technology: windows-sec
---
# Deploy WDAC policies using Mobile Device Management (MDM)
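Review bot: The front-matter changes in this hunk (ms.prod, ms.technology, ms.author, manager, and the removed keywords, ms.assetid and audience lines) are not covered by the subject "fix links". Either mention the metadata update in the commit message or move it to the metadata commit that follows. Also confirm that `ms.collection: M365-security-compliance` is meant to stay now that ms.prod moves from m365-security to windows-client.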
@@ -61,12 +55,12 @@ The steps to use Intune's custom OMA-URI functionality are:
1. Know a generated policy's GUID, which can be found in the policy xml as ``
-2. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=windowsserver2022-ps) cmdlet in order to be deployed. The binary policy may be signed or unsigned.
+2. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
4. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
- - **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy
+ - **OMA-URI**: `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy`
- **Data type**: Base64 (file)
- **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
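Review bot: Wrapping the OMA-URI in backticks turns the `_Policy GUID_` emphasis markers into literal underscores, so the placeholder now reads as part of the path. Mark it in a way that survives a code span, for example `<Policy GUID>`, or say in the text that the segment must be replaced with the GUID from step 1.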
@@ -86,12 +80,12 @@ Upon deletion, policies deployed through Intune via the ApplicationControl CSP a
The steps to use Intune's Custom OMA-URI functionality to apply the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are:
-1. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=windowsserver2022-ps) cmdlet in order to be deployed. The binary policy may be signed or unsigned.
+1. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet in order to be deployed. The binary policy may be signed or unsigned.
2. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
3. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
- - **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy)
+ - **OMA-URI**: `./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy`
- **Data type**: Base64 (file)
- **Certificate file**: upload your binary format policy file
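Review bot: The "Certificate file" context line in step 3 only says "upload your binary format policy file", whereas the same step in the ApplicationControl CSP procedure explains that Intune converts the uploaded .bin file to Base64. With the data type shown as "Base64 (file)" in both procedures, add the same sentence here so readers of the pre-1903 path do not try to Base64-encode the file themselves. The `_Grouping_` placeholder inside the new code span also renders with literal underscores.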
From e7ab0308fe3c1f86d62d9a6c54d0827e1a052171 Mon Sep 17 00:00:00 2001
From: Aaron Czechowski
Date: Wed, 14 Sep 2022 08:37:20 -0700
Subject: [PATCH 6/9] update metadata
---
...windows-defender-application-control-policies-using-intune.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
index 99ba2124a5..9db5920c58 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
@@ -10,6 +10,7 @@ ms.reviewer: isbrahm
ms.author: vinpa
manager: aaroncz
ms.date: 06/27/2022
+ms.topic: how-to
---
# Deploy WDAC policies using Mobile Device Management (MDM)
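Review bot: ms.date in the context line just above the new `ms.topic: how-to` entry is still 06/27/2022, although this series changes the article's steps and links. Bump it if the date is meant to track content changes. This one-line addition touches the same front matter as the previous commit and could be folded into it.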
From d4a481b6d7780e6dd1681fa68458a8b6f86b82d0 Mon Sep 17 00:00:00 2001
From: Aaron Czechowski
Date: Wed, 14 Sep 2022 08:41:34 -0700
Subject: [PATCH 7/9] editorial revision
---
.../reqs-md-app-guard.md | 19 ++++++++-----------
1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
index e2a72c7821..e02cee6ffc 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -1,18 +1,15 @@
---
title: System requirements for Microsoft Defender Application Guard
description: Learn about the system requirements for installing and running Microsoft Defender Application Guard.
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
+ms.prod: windows-client
+ms.technology: itpro-security
+ms.topic: overview
ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
+author: vinaypamnani-msft
+ms.author: vinpa
ms.date: 08/25/2022
-ms.reviewer:
-manager: dansimp
-ms.custom: asr
-ms.technology: windows-sec
+ms.reviewer: sazankha
+manager: aaroncz
---
# System requirements for Microsoft Defender Application Guard
@@ -48,6 +45,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl
| Software | Description |
|--------|-----------|
-| Operating system | Windows 10 Enterprise edition, version 1809 or higher
Windows 10 Professional edition, version 1809 or higher
Windows 10 Professional for Workstations edition, version 1809 or higher
Windows 10 Professional Education edition, version 1809 or higher
Windows 10 Education edition, version 1809 or higher
Windows 11 Education, Enterprise, and Professional |
+| Operating system | Windows 10 Enterprise edition, version 1809 or later
Windows 10 Professional edition, version 1809 or later
Windows 10 Professional for Workstations edition, version 1809 or later
Windows 10 Professional Education edition, version 1809 or later
Windows 10 Education edition, version 1809 or later
Windows 11 Education, Enterprise, and Professional editions |
| Browser | Microsoft Edge |
| Management system
(only for managed devices)| [Microsoft Intune](/intune/) **OR**
[Microsoft Endpoint Configuration Manager](/configmgr/)
**OR**
[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
**OR**
Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. |
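Review bot: The Management system row in the context lines still contains the typo "non-Mirosoft MDM solutions", which an editorial pass over this table should pick up; change it to "non-Microsoft". The "or higher" to "or later" change and the added "editions" on the Windows 11 line read fine.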
From 7b46a848fa5e07bf0b30b4615abe504954ae9ff4 Mon Sep 17 00:00:00 2001
From: Aaron Czechowski
Date: Wed, 14 Sep 2022 08:44:01 -0700
Subject: [PATCH 8/9] Update
windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../mdm/windowsdefenderapplicationguard-csp.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 7280a556b1..15cbeaed69 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -322,7 +322,7 @@ Supported operation is Get.
- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
- Bit 1 - Set to 1 when the client machine is Hyper-V capable.
- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU.
-- Bit 3 - Set to 1 when Application Guard installed on the client machine.
+- Bit 3 - Set to 1 when Application Guard is installed on the client machine.
- Bit 4 - Set to 1 when required Network Isolation Policies are configured.
- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
- Bit 6 - Set to 1 when system reboot is required.
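Review bot: The Bit 0 context line, "Set to 1 when Application Guard is enabled into enterprise manage mode", is still ungrammatical and sits three lines above the Bit 3 fix. Since this commit is a wording correction to the same list, fix it here too, for example "is enabled in enterprise-managed mode", after confirming the mode name with the feature owners.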
From 3742b342bbbc080edb8d7e4a1802d176b8e91543 Mon Sep 17 00:00:00 2001
From: Tarun Maganur <104856032+Tarun-Edu@users.noreply.github.com>
Date: Wed, 14 Sep 2022 09:43:34 -0700
Subject: [PATCH 9/9] Update windows-11-se-overview.md
Ghotit |10.14.2.3 |Win32 |Ghotit Ltd|
---
education/windows/windows-11-se-overview.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index 3217654fdd..c8bca008ef 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -102,6 +102,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| eTests | 4.0.25 | Win32 | CASAS |
| FortiClient | 7.0.1.0083 | Win32 | Fortinet |
| Free NaturalReader | 16.1.2 | Win32 | Natural Soft |
+| Ghotit | 10.14.2.3 | Win32 | Ghotit Ltd |
| GoGuardian | 1.4.4 | Win32 | GoGuardian |
| Google Chrome | 102.0.5005.115 | Win32 | Google |
| Illuminate Lockdown Browser | 2.0.5 | Win32 | Illuminate Education |
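Review bot: The new Ghotit row is placed correctly in alphabetical order between Free NaturalReader and GoGuardian, but the commit body is just the raw table row and the subject is the generic "Update windows-11-se-overview.md". Use a descriptive subject such as "Add Ghotit 10.14.2.3 to the Windows 11 SE app list" so the history shows which application was added.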
@@ -182,4 +183,4 @@ When you deploy an app using Intune for Education, you may get a `0x87D300D9` er
[EDUWIN-1]: /education/windows/tutorial-school-deployment/configure-device-apps
[EDUWIN-2]: /education/windows/tutorial-school-deployment/
-[WIN-1]: /windows/whats-new/windows-11-requirements
\ No newline at end of file
+[WIN-1]: /windows/whats-new/windows-11-requirements