Merge pull request #6678 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)
2025-05-12 05:17:22 +00:00 · 2022-06-06 09:54:15 -07:00 · 2022-06-06 09:54:15 -07:00 · d3982bb365
commit d3982bb365
parent d453d07faf ff393b3945
5 changed files with 25 additions and 24 deletions
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@ -5,8 +5,7 @@ ms.author: dansimp
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: manikadhiman
-ms.date: 11/29/2021
+author: dansimp
 ms.reviewer: 
 manager: dansimp
 ---
@ -245,7 +244,7 @@ Default value is true.
 Value type is bool. Supported operations are Add, Get and Replace.

 <a href="" id="defaultoutboundaction"></a>**/DefaultOutboundAction**
-This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it's explicitly specified not to block.
+This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will allow all outbound traffic unless it's explicitly specified not to allow.

 - 0x00000000 - allow
 - 0x00000001 - block
@ -441,4 +440,4 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.

 ## Related topics

-[Configuration service provider reference](configuration-service-provider-reference.md)
+[Configuration service provider reference](configuration-service-provider-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
@ -9,7 +9,6 @@ metadata:
  ms.localizationpriority: medium
  author: denisebmsft
  ms.author: deniseb
-  ms.date: 03/14/2022
  ms.reviewer:
  manager: dansimp
  ms.custom: asr
@ -45,7 +44,7 @@ sections:
         To make sure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can:
        
         - Verify this by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”.
-         - It must be a FQDN. A simple IP address will not work.
+         - It must be an FQDN. A simple IP address won't work.
         - Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard.
        
      - question: |
@ -54,7 +53,7 @@ sections:
          Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
          
      - question: |
-          Which Input Method Editors (IME) in 19H1 are not supported?
+          Which Input Method Editors (IME) in 19H1 aren't supported?
        answer: |
          The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard:
          
@ -74,7 +73,7 @@ sections:
      - question: |
          I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
        answer: |
-          This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature.
+          This feature is currently experimental only and isn't functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature.

      - question: |
          What is the WDAGUtilityAccount local account?
@ -83,7 +82,7 @@ sections:
          
          **Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000**
          
-          We recommend that you do not modify this account.
+          We recommend that you don't modify this account.
          
      - question: |
          How do I trust a subdomain in my site list?
@ -93,35 +92,35 @@ sections:
      - question: |
          Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
        answer: |
-          When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md).
+          When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode doesn't. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md).
          
      - question: |
          Is there a size limit to the domain lists that I need to configure?
        answer: |
-          Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 16383-B limit.
+          Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 1,6383-byte limit.

      - question: |
          Why does my encryption driver break Microsoft Defender Application Guard?
        answer: |
-          Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
+          Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard doesn't work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).

      - question: |
          Why do the Network Isolation policies in Group Policy and CSP look different?
        answer: |
-          There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP.
+          There's not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP.
          
          - Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources**
          
          - Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)**
          
-          - For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
+          - For EnterpriseNetworkDomainNames, there's no mapped CSP policy.
          
-          Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
+          Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard doesn't work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
          
      - question: |
          Why did Application Guard stop working after I turned off hyperthreading?
        answer: |
-          If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
+          If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there's a possibility Application Guard no longer meets the minimum requirements.

      - question: |
          Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"?
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
@ -14,7 +14,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 09/21/2017
 ms.technology: windows-sec
 ---

@ -24,10 +23,10 @@ ms.technology: windows-sec

 - Windows 10
 - Windows 11
- Windows Server 2016 and above
+- Windows Server 2012 R2 and later

->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).

 This topic for IT professionals describes how to import an AppLocker policy.

@ -35,11 +34,14 @@ Before completing this procedure, you should have exported an AppLocker policy.

 Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.

->**Caution:**  Importing a policy will overwrite the existing policy on that computer.
+> **Caution:**  Importing a policy will overwrite the existing policy on that computer.
 
 **To import an AppLocker policy**

 1.  From the AppLocker console, right-click **AppLocker**, and then click **Import Policy**.
+
 2.  In the **Import Policy** dialog box, locate the file that you exported, and then click **Open**.
+
 3.  The **Import Policy** dialog box will warn you that importing a policy will overwrite the existing rules and enforcement settings. If acceptable, click **OK** to import and overwrite the policy.
+
 4.  The **AppLocker** dialog box will notify you of how many rules were overwritten and imported. Click **OK**.
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
@ -14,7 +14,6 @@ author: jgeurten
 ms.reviewer: jsuther1974
 ms.author: dansimp
 manager: dansimp
-ms.date: 03/22/2022
 ms.technology: windows-sec
 ---

@ -45,6 +44,9 @@ To create effective WDAC deny policies, it's crucial to understand how WDAC pars

 5. If no rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly.

+> [!NOTE]
+> If your WDAC policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud. For more details, see [How does the integration between WDAC and the Intelligent Security Graph work?](use-windows-defender-application-control-with-intelligent-security-graph.md#how-does-the-integration-between-wdac-and-the-intelligent-security-graph-work).
+
 ## Interaction with Existing Policies

 ### Adding Allow Rules
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@ -14,7 +14,6 @@ author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.date: 07/15/2021
 ms.technology: windows-sec
 ---

@ -24,7 +23,7 @@ ms.technology: windows-sec

 - Windows 10
 - Windows 11
- Windows Server 2016 and above
+- Windows Server 2019 and above

 > [!NOTE]
 > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).