Merge branch 'main' into ucv1-retire-7748874

windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md

@@ -1,7 +1,7 @@
 ---
 title: Windows quality update communications
 description: This article explains Windows quality update communications
-ms.date: 05/30/2022
+ms.date: 03/30/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -32,10 +32,26 @@ Communications are posted to, as appropriate for the type of communication, to t
 
 | Communication | Location | Timing | Description |
 | ----- | ----- |  ----- | ----- |
-| Release schedule | <ul><li>Message center</li><li>Messages blade</li><li>Email sent to your specified [admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li><ul> | At least seven days prior to the second Tuesday of the month| Notification of the planned release window for each ring. |
+| Release schedule | <ul><li>Messages blade</li><li>Email sent to your specified [admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li><ul> | At least seven days prior to the second Tuesday of the month| Notification of the planned release window for each ring. |
 | Release start | Same as release schedule | The second Tuesday of every month. | Notification that the update is now being released into your environment. |
 | Release summary | Same as release schedule | The fourth Tuesday of every month. | Informs you of the percentage of eligible devices that were patched during the release. |
 
+### Opt out of receiving emails for standard communications
+
+> [!IMPORTANT]
+> This feature is in **public preview**. This feature is being actively developed and may not be complete. You can test and use these features in production environments and provide feedback.
+
+If you don't want to receive standard communications for Windows Updates releases via email, you can choose to opt out.
+
+**To opt out of receiving emails for standard communications:**
+
+1. Go to the **[Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)**.
+2. Go to **Windows Autopatch** > **Tenant administration** > select **Admin contacts**.
+3. Select the admin contact you want to opt out for.
+4. Select **Edit Contact**.
+5. Clear the **Send me emails for Windows update releases and status** checkbox in the fly-in pane.
+6. Select **Save** to apply the changes.
+
 ## Communications during release
 
 The most common type of communication during a release is a customer advisory. Customer advisories are posted to both Message center and the Messages blade of the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) shortly after Autopatch becomes aware of the new information.

windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md

@@ -1,7 +1,7 @@
 ---
 title: What's new 2023
 description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 03/21/2023
+ms.date: 03/30/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: whats-new
@@ -24,6 +24,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
 
 | Article | Description |
 | ----- | ----- |
+| [Windows quality update communications](../operate/windows-autopatch-windows-quality-update-communications.md#standard-communications) | Added guidance on how to [opt out of receiving emails for standard communications](../operate/windows-autopatch-windows-quality-update-communications.md#opt-out-of-receiving-emails-for-standard-communications) (public preview) |
 | [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | <ul><li>Added support for subscription versions of Microsoft Project and Visio desktop apps</li><li>Updated device eligibility criteria</li><li>Clarified update controls</li></ul> |
 | [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | New [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) feature. This feature is in public preview<li>[MC524715](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li> |
 

windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md

@@ -1,6 +1,6 @@
 ---
-title: Kernel DMA Protection (Windows)
+title: Kernel DMA Protection
-description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports.
+description: Learn how Kernel DMA Protection protects Windows devices against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices.
 ms.prod: windows-client
 author: vinaypamnani-msft
 ms.author: vinpa
@@ -9,123 +9,94 @@ ms.collection:
   - highpri
   - tier1
 ms.topic: conceptual
-ms.date: 01/05/2023
+ms.date: 03/30/2023
 ms.technology: itpro-security
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
 ---
 
 # Kernel DMA Protection
 
-**Applies to**
+Kernel DMA Protection is a Windows security feature that protects against external peripherals from gaining unauthorized access to memory.
--   Windows 10
--   Windows 11
 
-In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (for example, Thunderbolt&trade; 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (for example, M.2 slots)
+PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach classes of external peripherals, including graphics cards, to their devices with the plug-and-play ease of USB.\
+These devices are DMA-capable, and can access system memory and perform read and write operations without the need for the system processor's involvement. This capability is the reason behind the exceptional performance of PCI devices, but it also makes them susceptible to *drive-by DMA attacks*.
 
-Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely.
+Drive-by DMA attacks are attacks that occur while the owner of the system isn't present and usually take just a few minutes, with simple-to-moderate attacking tools (affordable, off-the-shelf hardware and software), that don't require the disassembly of the device. For example, attackers can plug in a USB-like device while the device owner is on a break, and walk away with all the secrets on the machine, or inject a malware that allows them to have full control over the device remotely while bypassing the lock screen.
 
-This feature doesn't protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on.
+> [!NOTE]
-
+> Kernel DMA Protection feature doesn't protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, or ExpressCard.
-
-## Background
-
-PCI devices are DMA-capable, which allows them to read and write to system memory at will, without having to engage the system processor in these operations. 
-The DMA capability is what makes PCI devices the highest performing devices available today. 
-These devices have historically existed only inside the PC chassis, either connected as a card or soldered on the motherboard. 
-Access to these devices required the user to turn off power to the system and disassemble the chassis. 
-
-Today, this is no longer the case with hot plug PCIe ports (for example, Thunderbolt&trade; and CFexpress). 
-
-Hot plug PCIe ports such as Thunderbolt&trade; technology have provided modern PCs with extensibility that wasn't available before for PCs. 
-It allows users to attach new classes of external peripherals, such as graphics cards or other PCI devices, to their PCs with a hot plug experience identical to USB. 
-Having PCI hot plug ports externally and easily accessible makes PCs susceptible to drive-by DMA attacks.
-
-Drive-by DMA attacks are attacks that occur while the owner of the system is not present and usually take less than 10 minutes, with simple to moderate attacking tools (affordable, off-the-shelf hardware and software) that do not require the disassembly of the PC. 
-A simple example would be a PC owner leaves the PC for a quick coffee break, and within the break, an attacker steps in, plugs in a USB-like device and walks away with all the secrets on the machine, or injects a malware that allows them to have full control over the PC remotely.
 
 ## How Windows protects against DMA drive-by attacks
 
-Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external peripherals from starting and performing DMA unless the drivers for these peripherals support memory isolation (such as DMA-remapping). 
+Windows uses the system *Input/Output Memory Management Unit (IOMMU)* to block external peripherals from starting and performing DMA, unless the drivers for these peripherals support memory isolation (such as DMA-remapping).
-Peripherals with [DMA Remapping compatible drivers](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers) will be automatically enumerated, started, and allowed to perform DMA to their assigned memory regions. 
+Peripherals with [DMA Remapping compatible drivers][LINK-1] will be automatically enumerated, started, and allowed to perform DMA to their assigned memory regions.
 
-By default, peripherals with DMA Remapping incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. IT administrators can modify the default behavior applied to devices with DMA Remapping incompatible drivers using the [DmaGuard MDM policies](/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies).
+By default, peripherals with DMA Remapping incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. IT administrators can modify the default behavior applied to devices with DMA Remapping incompatible drivers using MDM or group policies.
 
 ## User experience
 
-![Kernel DMA protection user experience](images/kernel-dma-protection-user-experience.png)
+When Kernel DMA Protection is enabled:
 
-By default, peripherals with DMA remapping compatible device drivers will be automatically enumerated and started. Peripherals with DMA Remapping incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. 
+- Peripherals with DMA Remapping-compatible device drivers will be automatically enumerated and started
-The peripheral will continue to function normally if the user locks the screen or logs out of the system.
+- Peripherals with DMA Remapping-incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. The peripheral will continue to function normally if the user locks the screen or signs out of the system.
 
 ## System compatibility
 
-Kernel DMA Protection requires new UEFI firmware support. 
+Kernel DMA Protection requires UEFI firmware support, and Virtualization-based Security (VBS) isn't required.
-This support is anticipated only on newly introduced, Intel-based systems shipping with Windows 10 version 1803 (not all systems). Virtualization-based Security (VBS) is not required.
 
-To see if a system supports Kernel DMA Protection, check the System Information desktop app (MSINFO32). 
+Kernel DMA Protection isn't compatible with other BitLocker DMA attacks countermeasures. It's recommended to disable the BitLocker DMA attacks countermeasures if the system supports Kernel DMA Protection. Kernel DMA Protection provides higher security bar for the system over the BitLocker DMA attack countermeasures, while maintaining usability of external peripherals.
-Systems released prior to Windows 10 version 1803 do not support Kernel DMA Protection, but they can leverage other DMA attack mitigations as described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md).
 
->[!NOTE]
+> [!NOTE]
->Kernel DMA Protection is not compatible with other BitLocker DMA attacks countermeasures. It is recommended to disable the BitLocker DMA attacks countermeasures if the system supports Kernel DMA Protection. Kernel DMA Protection provides higher security bar for the system over the BitLocker DMA attack countermeasures, while maintaining usability of external peripherals.
+> DMA remapping support for graphics devices was added in Windows 11 with the WDDM 3.0 driver model; Windows 10 doesn't support this feature.
 
->[!NOTE]
+## Check if Kernel DMA Protection is enabled
->DMA remapping support for graphics devices was added in Windows 11 with the WDDM 3.0 driver model; Windows 10 does not support this feature.
 
-## How to check if Kernel DMA Protection is enabled
+Systems that support Kernel DMA Protection will enable the feature automatically, with no user or IT admin configuration required.
 
-Systems running Windows 10 version 1803 that do support Kernel DMA Protection do have this security feature enabled automatically by the OS with no user or IT admin configuration required.
+You can use the Windows Security app to check if Kernel DMA Protection is enabled:
 
-### Using the Windows Security app
+1. Open Windows Security app
+1. Select **Device security > Core isolation details > Memory access protection**
 
-Beginning with Windows 10 version 1809, you can use the Windows Security app to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**.
+:::image type="content" source="images/kernel-dma-protection-security-center.png" alt-text="Screenshot of Kernel DMA protection in Windows Security." lightbox="images/kernel-dma-protection-security-center.png" border="true":::
 
-![Kernel DMA protection in Windows Security](bitlocker/images/kernel-dma-protection-security-center.png)
+Alternatively, you can use the System Information desktop app (`msinfo32.exe`). If the system supports Kernel DMA Protection, the **Kernel DMA Protection** value will be set to **ON**.
 
-### Using System information
+:::image type="content" source="images/kernel-dma-protection.png" alt-text="Screenshot of Kernel DMA protection in System Information." lightbox="images/kernel-dma-protection.png" border="true":::
 
-1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar.
+If the current state of **Kernel DMA Protection** is **OFF** and **Hyper-V - Virtualization Enabled in Firmware** is **NO**:
 
-2. Check the value of **Kernel DMA Protection**.
+- Reboot into UEFI settings
+- Turn on Intel Virtualization Technology
+- Turn on Intel Virtualization Technology for I/O (VT-d)
+- Reboot system into Windows
 
-   ![Kernel DMA protection in System Information.](bitlocker/images/kernel-dma-protection.png)
+> [!NOTE]
+> If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to **YES**.
+>
+> Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of *ACPI Kernel DMA Protection Indicators* described in [Kernel DMA Protection (Memory Access Protection) for OEMs][LINK-3].
 
-3. If the current state of **Kernel DMA Protection** is OFF and **Hyper-V - Virtualization Enabled in Firmware** is NO:
+If the state of **Kernel DMA Protection** remains Off, then the system doesn't support Kernel DMA Protection.
 
-   - Reboot into BIOS settings
+For systems that don't support Kernel DMA Protection, refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt 3 and Security on Microsoft Windows Operating system][EXT-1] for other means of DMA protection.
-   - Turn on Intel Virtualization Technology.
-   - Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md).
-   - Reboot system into Windows.
-
-   > [!NOTE]
-   > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES.
-
-   > [!NOTE]
-   > Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection).
-
-4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. 
-
-   For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt&trade; 3 and Security on Microsoft Windows&reg; 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
 
 ## Frequently asked questions
 
-### Do in-market systems support Kernel DMA Protection for Thunderbolt&trade; 3?
-In-market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt&trade; 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees that cannot be backported to previously released devices. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt&trade; 3 and Security on Microsoft Windows&reg; 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
-
 ### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot?
-No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt&trade; 3 ports during boot. 
+
+No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It's the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt 3 ports during boot.
 
 ### How can I check if a certain driver supports DMA-remapping?
-DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of two means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (that is, the device driver does not support DMA-remapping).
-Check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external).
 
-![A user's experience about Kernel DMA protection](images/device_details_tab_1903.png)
+Not all devices and drivers support DMA-remapping. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of **0** or **1** means that the device driver doesn't support DMA-remapping. A value of **2** means that the device driver supports DMA-remapping. If the property isn't available, then the device driver doesn't support DMA-remapping.
+Check the driver instance for the device you're testing. Some drivers may have varying values depending on the location of the device (internal vs. external).
 
-*For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID, as highlighted in the following image. 
+:::image type="content" source="images/device-details.png" alt-text="Screenshot of device details for a Thunderbolt controller showing a value of 2." border="false":::
 
-![Experience of a user about Kernel DMA protection](images/device-details-tab.png)
+### When the drivers for PCI or Thunderbolt 3 peripherals don't support DMA-remapping?
 
-### When the drivers for PCI or Thunderbolt&trade; 3 peripherals do not support DMA-remapping?
+Use the Windows-provided drivers for the peripherals, when available. If there are no class drivers provided by Windows for your peripherals, contact your peripheral vendor/driver vendor to update the driver to support [DMA Remapping][LINK-1].
-
-If the peripherals do have class drivers provided by Windows, use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, contact your peripheral vendor/driver vendor to update the driver to support [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers).
 
 ### My system's Kernel DMA Protection is off. Can DMA-remapping for a specific device be turned on?
 
@@ -134,20 +105,26 @@ Yes. DMA remapping for a specific device can be turned on independent from Kerne
 Kernel DMA Protection is a policy that allows or blocks devices to perform DMA, based on their remapping state and capabilities.
 
 ### Do Microsoft drivers support DMA-remapping?
-In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers, and Storage NVMe Controllers support DMA Remapping.
+
+The Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers, and Storage NVMe Controllers support DMA Remapping.
 
 ### Do drivers for non-PCI devices need to be compatible with DMA-remapping?
-No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, thus no need for the driver to be compatible with DMA Remapping.
+
+No. Devices for non-PCI peripherals, such as USB devices, don't perform DMA, thus no need for the driver to be compatible with DMA Remapping.
 
 ### How can an enterprise enable the External device enumeration policy?
-The External device enumeration policy controls whether to enumerate external peripherals that are not compatible with DMA-remapping. Peripherals that are compatible with DMA-remapping are always enumerated. Peripherals that aren't, can be blocked, allowed, or allowed only after the user signs in (default).
+
+The External device enumeration policy controls whether to enumerate external peripherals that aren't compatible with DMA-remapping. Peripherals that are compatible with DMA-remapping are always enumerated. Peripherals that aren't, can be blocked, allowed, or allowed only after the user signs in (default).
 
 The policy can be enabled by using:
 
-- Group Policy: Administrative Templates\System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection
+- Group Policy: **Administrative Templates\System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection**
-- Mobile Device Management (MDM): [DmaGuard policies](/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies) 
+- Mobile Device Management (MDM): [DmaGuard policies][LINK-2]
 
-## Related topics
+<!--links-->
 
-- [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md)
+[LINK-1]: /windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers
-- [DmaGuard MDM policies](/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies)
+[LINK-2]: /windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies
+[LINK-3]: /windows-hardware/design/device-experiences/oem-kernel-dma-protection
+
+[EXT-1]: https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf