This commit is contained in:
Paolo Matarazzo 2023-11-14 07:46:13 -05:00
parent 65d5845a12
commit cb3033c110
19 changed files with 55 additions and 90 deletions

View File

@ -7996,4 +7996,4 @@
"redirect_document_id": false
}
]
}
}

View File

@ -81,7 +81,7 @@ ms.topic: include
|**[Windows Autopilot](/autopilot/)**|Yes|Yes|Yes|Yes|
|**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
|**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|
|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|
|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|
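Review bot: the Windows Firewall link in this row now targets /windows/security/operating-system-security/network-security/windows-firewall instead of the old .../windows-firewall/windows-firewall-with-advanced-security path; confirm the old path still resolves, since the redirection-file change at the top of this commit sets `redirect_document_id` to false and any existing bookmark or cross-reference to the old URL depends on that entry being present. The link text "Windows Firewall" is unchanged, so readers get no visible cue that the target moved, which is fine as long as the redirect is in place.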

View File

@ -81,7 +81,7 @@ ms.topic: include
|**[Windows Autopilot](/autopilot/)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes|
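Review bot: same link replacement as in the four-column variant of this include, so the two feature tables now agree on the firewall target; nothing further needed here provided the redirect entry covers the old .../windows-firewall-with-advanced-security path for both.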

View File

@ -119,10 +119,7 @@ sections:
- question: |
Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file?
answer: |
This issue is a known one. To mitigate this issue, you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources:
- [Create an inbound icmp rule](../../../operating-system-security/network-security/windows-firewall/configure-rules.md)
- [Open Group Policy management console for Microsoft Defender Firewall](../../../operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
This issue is a known one. To mitigate this issue, you need to create two firewall rules. For information about creating a firewall rule with Group Policy, see [Configure Windows Firewall rules with group policy](../../../operating-system-security/network-security/windows-firewall/configure-rules-with-gpo.md)
### First rule (DHCP Server)
- Program path: `%SystemRoot%\System32\svchost.exe`
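Review bot: the two rules this answer goes on to describe ("First rule (DHCP Server)" with program path `%SystemRoot%\System32\svchost.exe`) are program-based firewall rules, but the single link that replaced the two removed ones is titled "Configure Windows Firewall rules with group policy" (configure-rules-with-gpo.md); check that article still contains the program-rule walkthrough that the removed "Create an inbound icmp rule" link (configure-rules.md) used to point to, otherwise readers lose the steps for picking a program path. Two smaller points: "This issue is a known one" reads awkwardly ("This is a known issue" is clearer), and the `### First rule (DHCP Server)` heading sits inside a YAML `answer: |` block, so verify it renders as a heading on the FAQ page rather than as literal text.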

View File

@ -37,7 +37,7 @@ ms.topic: include
| **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. |
| **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | Wi-Fi Protected Access (WPA) is a security certification programs designed to secure wireless networks. WPA3 is the latest version of the certification and provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes: WPA3 personal with the Hash-to-Element (H2E) protocol, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.<br><br>Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication. |
| **Opportunistic Wireless Encryption (OWE)** | Opportunistic Wireless Encryption (OWE) is a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots. |
| **[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Securityprovides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.<br><br>With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
| **[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)** | Windows Firewall provides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.<br><br>With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
| **[Virtual private network (VPN)](/windows/security/operating-system-security/network-security/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.<br><br>In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls. |
| **[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)** | With Always On VPN, you can create a dedicated VPN profile for the device. Unlike User Tunnel, which only connects after a user logs on to the device, Device Tunnel allows the VPN to establish connectivity before a user sign-in. Both Device Tunnel and User Tunnel operate independently with their VPN profiles, can be connected at the same time, and can use different authentication methods and other VPN configuration settings as appropriate. |
| **[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)** | DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections.<br><br>With DirectAccess connections, remote devices are always connected to the organization and there's no need for remote users to start and stop connections. |
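Review bot: the missing space in "Windows Firewall with Advanced Securityprovides" is fixed and the link now points at the windows-firewall landing page, but the rest of the row keeps a comma splice ("Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required"); while this row is being touched, split it into two sentences. The row still describes the IPsec integration, so make sure the new link target covers IPsec as the old "with Advanced Security" article did.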

View File

@ -13,7 +13,7 @@ This article contains examples how to configure Windows Firewall rules using gro
If you're configuring devices joined to an Active Directory domain, to complete these procedures you must be a member of the Domain Administrators group, or otherwise have delegated permissions to modify the GPOs in the domain. To access the *Windows Firewall with Advanced Security* console, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and expand the nodes **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security**.
If you are configuring a single device, you must have administrative rights on the device. In which case, to access the *Windows Firewall with Advanced Security* console, select <kbd>START</kbd>, type `wf.msc`, and press <kb>ENTER</kbd>.
If you are configuring a single device, you must have administrative rights on the device. In which case, to access the *Windows Firewall with Advanced Security* console, select <kbd>START</kbd>, type `wf.msc`, and press <kbd>ENTER</kbd>.
## Create an inbound ICMP rule
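Review bot: fixing `<kb>ENTER</kbd>` to `<kbd>ENTER</kbd>` matters beyond cosmetics, since the unclosed `<kb>` tag would have swallowed the markup that follows it on the rendered page. Two consistency nits on the same line: the preceding paragraph says "If you're configuring" while this one says "If you are configuring", and "In which case, to access ..." is a fragment; "In that case, to access the *Windows Firewall with Advanced Security* console, ..." reads better.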

View File

@ -46,7 +46,7 @@ To isolate Microsoft Store apps on your network, you need to use Group Policy to
- The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Microsoft Store app when you create Windows Defender Firewall rules.
> [!NOTE]
> Information the user should notice even if skimmingYou can install the RSAT on your device running Windows from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
> You can install the RSAT on your device running Windows from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
## Step 1: Define your network
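Review bot: good catch removing "Information the user should notice even if skimming", which reads as alert-template placeholder text pasted in front of the real sentence; it is worth searching the rest of the repo for that exact string, since placeholder text of this kind tends to appear in more than one file.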

View File

@ -1,40 +1,25 @@
---
title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012
description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012
title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server
description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server
ms.topic: conceptual
ms.date: 09/08/2021
ms.date: 11/14/2023
---
# Securing End-to-End IPsec connections by using IKEv2
IKEv2 offers the following:
- Supports IPsec end-to-end transport mode connections
- Provides interoperability for Windows with other operating systems that use IKEv2 for end-to-end security
- Supports Suite B (RFC 4869) requirements
- Coexists with existing policies that deploy AuthIP/IKEv1
- Uses the Windows PowerShell interface exclusively for configuration. You cannot configure IKEv2 through the user interface.
- Uses certificates for the authentication mechanism
- Supports IPsec end-to-end transport mode connections
- Provides interoperability for Windows with other operating systems that use IKEv2 for end-to-end security
- Supports Suite B (RFC 4869) requirements
- Coexists with existing policies that deploy AuthIP/IKEv1
- Uses the Windows PowerShell interface exclusively for configuration. You cannot configure IKEv2 through the user interface.
- Uses certificates for the authentication mechanism
You can use IKEv2 as a virtual private network (VPN) tunneling protocol that supports automatic VPN reconnection. IKEv2 allows the security association to remain unchanged despite changes in the underlying connection.
**In this document**
- [Prerequisites](#prerequisites)
- [Devices joined to a domain](#devices-joined-to-a-domain)
- [Device not joined to a domain](#devices-not-joined-to-a-domain)
- [Troubleshooting](#troubleshooting)
>**Note:**  This topic includes sample Windows PowerShell cmdlets. For more info, see [How to Run a Windows PowerShell Cmdlet](/previous-versions//bb648607(v=vs.85)).
> [!NOTE]
> This topic includes sample Windows PowerShell cmdlets. For more info, see [How to Run a Windows PowerShell Cmdlet](/previous-versions//bb648607(v=vs.85)).
## Prerequisites
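Review bot: with "Windows Server 2012" dropped from both fields, the front-matter `title` and `description` are now identical; the description should summarise the article (the PowerShell procedures for domain-joined and non-domain-joined devices plus the troubleshooting steps) rather than repeat the title. Also, the link text "Device not joined to a domain" does not match its anchor `#devices-not-joined-to-a-domain` or the sibling entry "Devices joined to a domain"; make it plural. The feature-list change appears to be indentation only, and the `>**Note:**` to `[!NOTE]` conversion is correct.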
@ -42,27 +27,19 @@ These procedures assume that you already have a public key infrastructure (PKI)
## Devices joined to a domain
The following Windows PowerShell script establishes a connection security rule that uses IKEv2 for communication between two computers (CLIENT1 and SERVER1) that are joined to the corp.contoso.com domain as shown in Figure 1.
The following Windows PowerShell script establishes a connection security rule that uses IKEv2 for communication between two computers (CLIENT1 and SERVER1) that are joined to the corp.contoso.com domain as shown in Figure 1.
![the contoso corporate network.](images/corpnet.gif)
**Figure 1** The Contoso corporate network
The script does the following:
This script does the following:
- Creates a security group called **IPsec client and servers** and adds CLIENT1 and SERVER1 as members.
- Creates a Group Policy Object (GPO) called **IPsecRequireInRequestOut** and links it to the corp.contoso.com domain.
- Sets the permissions to the GPO so that they apply only to the computers in **IPsec client and servers** and not to **Authenticated Users**.
- Indicates the certificate to use for authentication.
>**Important:**  The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors.
- Creates the IKEv2 connection security rule called **My IKEv2 Rule**.
![powershell logo.](images/powershelllogosmall.gif)**Windows PowerShell commands**
- Creates a security group called **IPsec client and servers** and adds CLIENT1 and SERVER1 as members.
- Creates a Group Policy Object (GPO) called **IPsecRequireInRequestOut** and links it to the corp.contoso.com domain.
- Sets the permissions to the GPO so that they apply only to the computers in **IPsec client and servers** and not to **Authenticated Users**.
- Indicates the certificate to use for authentication.
> [!IMPORTANT]
> The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors.
- Creates the IKEv2 connection security rule called **My IKEv2 Rule**.
Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints.
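Review bot: the `[!IMPORTANT]` block now sits between the bullets "Indicates the certificate to use for authentication." and "Creates the IKEv2 connection security rule called **My IKEv2 Rule**."; unless the `>` lines are indented to the bullet's content column, Markdown closes the list before the alert and starts a new one after it, so the last bullet renders as a separate list. Either indent the alert under the bullet or move it after the list, before "Type each cmdlet on a single line". Dropping the powershell-logo image line is fine; its alt text carried no information.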
@ -89,7 +66,7 @@ $gpo | Set-GPPermissions -TargetName "Authenticated Users" -TargetType Group -Pe
#Set up the certificate for authentication
$gponame = "corp.contoso.com\IPsecRequireInRequestOut"
$certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA"
$myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop PolicyStore GPO:$gponame
$myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop -PolicyStore GPO:$gponame
#Create the IKEv2 Connection Security rule
New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet $myauth.InstanceID `
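Review bot: the change from `PolicyStore GPO:$gponame` to `-PolicyStore GPO:$gponame` is the right fix; without the hyphen, `PolicyStore` and `GPO:$gponame` are passed as stray positional arguments rather than a named parameter, so the Phase1AuthSet would not be created in the GPO store as the surrounding script intends. While here, the parameter casing on the adjacent lines (`-machine -cert`, `-proposal`) works because PowerShell parameter names are case-insensitive, but it differs from the `-DisplayName` / `-PolicyStore` style; `-Machine -Cert` and `-Proposal` would be consistent.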
@ -100,9 +77,8 @@ New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet
Use a Windows PowerShell script similar to the following to create a local IPsec policy on the devices that you want to include in the secure connection.
>**Important:**  The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors.
![powershell logo.](images/powershelllogosmall.gif)**Windows PowerShell commands**
> [!IMPORTANT]
> The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors.
Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints.
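Review bot: this `[!IMPORTANT]` text is word-for-word the same as the one in the "Devices joined to a domain" section; consider moving it to an include file so the two copies cannot drift. The conversion from the `>**Important:**` form is itself correct, and removing the logo line is fine.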
@ -118,52 +94,44 @@ New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet
Make sure that you install the required certificates on the participating computers.
> **Note:**
> - For local devices, you can import the certificates manually if you have administrator access to the computer. For more info, see [Import or export certificates and private keys](https://windows.microsoft.com/windows-vista/Import-or-export-certificates-and-private-keys).
> - You need a root certificate and a computer certificate on all devices that participate in the secure connection. Save the computer certificate in the **Personal/Certificates** folder.
> - For remote devices, you can create a secure website to facilitate access to the script and certificates.
> [!NOTE]
> - For local devices, you can import the certificates manually if you have administrator access to the computer. For more info, see [Import or export certificates and private keys](https://windows.microsoft.com/windows-vista/Import-or-export-certificates-and-private-keys).
> - You need a root certificate and a computer certificate on all devices that participate in the secure connection. Save the computer certificate in the **Personal/Certificates** folder.
> - For remote devices, you can create a secure website to facilitate access to the script and certificates.
## Troubleshooting
Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections:
**Use the Windows Defender Firewall with Advanced Security snap-in to verify that a connection security rule is enabled.**
Use the Windows Defender Firewall with Advanced Security snap-in to verify that a connection security rule is enabled:
1. Open the Windows Defender Firewall with Advanced Security console.
1. Open the Windows Defender Firewall with Advanced Security console.
1. In the left pane of the Windows Defender Firewall with Advanced Security snap-in, click **Connection Security Rules**, and then verify that there is an enabled connection security rule.
1. Expand **Monitoring**, and then click **Connection Security Rules** to verify that your IKEv2 rule is active for your currently active profile.
2. In the left pane of the Windows Defender Firewall with Advanced Security snap-in, click **Connection Security Rules**, and then verify that there is an enabled connection security rule.
Use Windows PowerShell cmdlets to display the security associations:
3. Expand **Monitoring**, and then click **Connection Security Rules** to verify that your IKEv2 rule is active for your currently active profile.
**Use Windows PowerShell cmdlets to display the security associations.**
1. Open a Windows PowerShell command prompt.
2. Type **get-NetIPsecQuickModeSA** to display the Quick Mode security associations.
3. Type **get-NetIPsecMainModeSA** to display the Main Mode security associations.
1. Open a Windows PowerShell command prompt.
1. Type **get-NetIPsecQuickModeSA** to display the Quick Mode security associations.
1. Type **get-NetIPsecMainModeSA** to display the Main Mode security associations.
**Use netsh to capture IPsec events.**
1. Open an elevated command prompt.
2. At the command prompt, type **netsh wfp capture start**.
3. Reproduce the error event so that it can be captured.
4. At the command prompt, type **netsh wfp capture stop**.
1. Open an elevated command prompt.
1. At the command prompt, type **netsh wfp capture start**.
1. Reproduce the error event so that it can be captured.
1. At the command prompt, type **netsh wfp capture stop**.
A wfpdiag.cab file is created in the current folder.
5. Open the cab file, and then extract the wfpdiag.xml file.
6. Open the wfpdiag.xml file with your an XML viewer program or Notepad, and then examine the contents. There will be a lot of data in this file. One way to narrow down where to start looking is to search the last "errorFrequencyTable" at the end of the file. There might be many instances of this table, so make sure that you look at the last table in the file. For example, if you have a certificate problem, you might see the following entry in the last table at the end of the file:
1. Open the cab file, and then extract the wfpdiag.xml file.
1. Open the wfpdiag.xml file with your an XML viewer program or Notepad, and then examine the contents. There will be a lot of data in this file. One way to narrow down where to start looking is to search the last "errorFrequencyTable" at the end of the file. There might be many instances of this table, so make sure that you look at the last table in the file. For example, if you have a certificate problem, you might see the following entry in the last table at the end of the file:
```xml
<item>
<error>ERROR_IPSEC_IKE_NO_CERT</error>
<frequency>32</frequency>
</item>
```
```xml
<item>
<error>ERROR_IPSEC_IKE_NO_CERT</error>
<frequency>32</frequency>
</item>
```
In this example, there are 32 instances of the **ERROR\_IPSEC\_IKE\_NO\_CERT** error. So now you can search for **ERROR\_IPSEC\_IKE\_NO\_CERT** to get more details regarding this error.
In this example, there are 32 instances of the **ERROR_IPSEC_IKE_NO_CERT** error. So now you can search for **ERROR_IPSEC_IKE_NO_CERT** to get more details regarding this error.
You might not find the exact answer for the issue, but you can find good hints. For example, you might find that there seems to be an issue with the certificates, so you can look at your certificates and the related cmdlets for possible issues.
## See also
- [Windows Defender Firewall with Advanced Security](index.md)
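Review bot: the typo "with your an XML viewer program" survives in the renumbered step (`1. Open the wfpdiag.xml file with your an XML viewer program or Notepad ...`); drop "your". Two further points in this hunk: cmdlet and netsh commands are set in bold (`**get-NetIPsecQuickModeSA**`, `**netsh wfp capture start**`) rather than code font, so use backticks and the canonical casing `Get-NetIPsecQuickModeSA` / `Get-NetIPsecMainModeSA`; and the sentence "A wfpdiag.cab file is created in the current folder." sits between two list items (after the `netsh wfp capture stop` step and before "Open the cab file"), so with the switch to all-`1.` numbering it must be indented to the list's content column or the items after it restart at 1. Replacing the duplicated `## Devices joined to a domain` procedure numbering, the XML snippet, and the un-escaped `ERROR_IPSEC_IKE_NO_CERT` text all look correct; underscores inside a word are not emphasis markers, so the backslashes were never needed.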