diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index c04926735a..284f6f33a1 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -17,22 +17,6 @@ "build_entry_point": "docs", "template_folder": "_themes" }, - { - "docset_name": "hololens", - "build_source_folder": "devices/hololens", - "build_output_subfolder": "hololens", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, { "docset_name": "internet-explorer", "build_source_folder": "browsers/internet-explorer", @@ -49,22 +33,6 @@ "build_entry_point": "docs", "template_folder": "_themes" }, - { - "docset_name": "keep-secure", - "build_source_folder": "windows/keep-secure", - "build_output_subfolder": "keep-secure", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": false, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, { "docset_name": "microsoft-edge", "build_source_folder": "browsers/edge", @@ -81,22 +49,6 @@ "build_entry_point": "docs", "template_folder": "_themes" }, - { - "docset_name": "release-information", - "build_source_folder": "windows/release-information", - "build_output_subfolder": "release-information", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": false, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, { "docset_name": "smb", "build_source_folder": "smb", 
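Review bot: Nothing in this commit redirects the URLs of the docsets being dropped here: the hololens docset removed in this hunk, and keep-secure, release-information (@@ -49, @@ -81), win-device-security, windows-plan (@@ -193, @@ -225), windows-update and win-threat-protection (@@ -273) all disappear from the publish config, yet the only redirects added in `.openpublishing.redirection.json` cover `education/windows` and `windows/security/threat-protection`, not `devices/hololens`, `windows/keep-secure`, `windows/device-security`, `windows/update`, `windows/plan`, `windows/release-information` or `windows/threat-protection`. If any of those `build_source_folder` paths still hold content or published URLs, links into them go dark once the docsets stop building. Confirm the folders were already emptied and redirected in earlier commits; if not, the redirect entries belong in the same change so the two files don't drift.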
@@ -193,22 +145,6 @@ "build_entry_point": "docs", "template_folder": "_themes" }, - { - "docset_name": "win-device-security", - "build_source_folder": "windows/device-security", - "build_output_subfolder": "win-device-security", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, { "docset_name": "windows-hub", "build_source_folder": "windows/hub", @@ -225,22 +161,6 @@ "build_entry_point": "docs", "template_folder": "_themes" }, - { - "docset_name": "windows-plan", - "build_source_folder": "windows/plan", - "build_output_subfolder": "windows-plan", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, { "docset_name": "windows-privacy", "build_source_folder": "windows/privacy", 
@@ -273,38 +193,6 @@ "build_entry_point": "docs", "template_folder": "_themes" }, - { - "docset_name": "windows-update", - "build_source_folder": "windows/update", - "build_output_subfolder": "windows-update", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "win-threat-protection", - "build_source_folder": "windows/threat-protection", - "build_output_subfolder": "win-threat-protection", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, { "docset_name": "win-whats-new", "build_source_folder": "windows/whats-new", @@ -360,13 +248,13 @@ "Pdf" ] }, - "need_generate_pdf_url_template": true, "targets": { "Pdf": { "template_folder": "_themes.pdf" } }, "docs_build_engine": {}, + "need_generate_pdf_url_template": true, "contribution_branch_mappings": {}, "need_generate_pdf": false, "need_generate_intellisense": false diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 9a87d541b5..595710639b 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
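Review bot: Moving `"need_generate_pdf_url_template": true` below `"docs_build_engine": {}` in the @@ -360 hunk has no effect for a JSON consumer, since key order is insignificant, so the change is purely cosmetic. If the intent was to group the PDF settings together, note that `need_generate_pdf` and `need_generate_pdf_url_template` are still separated by `contribution_branch_mappings`; either place the key directly above `"need_generate_pdf": false,` or leave it where it was to keep the diff minimal.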
@@ -19559,6 +19559,21 @@
 "source_path": "windows/deployment/deploy-windows-mdt/deploy-a-windows-11-image-using-mdt.md",
 "redirect_url": "/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt",
 "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/get-minecraft-device-promotion.md",
+ "redirect_url": "/education/windows/get-minecraft-for-education",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md",
+ "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md",
+ "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune",
+ "redirect_document_id": false
 }
 ]
 }
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
index 73b3828e76..825288c869 100644
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
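Review bot: The first new entry redirects `education/windows/get-minecraft-device-promotion.md` to `/education/windows/get-minecraft-for-education`, a page that is neither touched nor referenced anywhere else in this commit; the deleted page itself pointed readers at `school-get-minecraft.md`, and the TOC change keeps `teacher-get-minecraft.md` and `school-get-minecraft.md`. Confirm that `get-minecraft-for-education` exists in the tree (or is added in the same PR), otherwise the redirect lands on a 404 and `"redirect_url": "/education/windows/school-get-minecraft"` would be the safer target. The two WDAC entries look consistent with each other and with the `deployment/` subfolder naming.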
@@ -2,39 +2,9 @@ -## Week of May 02, 2022 +## Week of June 27, 2022 | Published On |Topic title | Change | |------|------------|--------| -| 5/3/2022 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified | -| 5/3/2022 | [Change history for Windows 10 for Education (Windows 10)](/education/windows/change-history-edu) | modified | -| 5/3/2022 | [Change to Windows 10 Education from Windows 10 Pro](/education/windows/change-to-pro-education) | modified | -| 5/3/2022 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified | -| 5/3/2022 | [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education) | modified | -| 5/3/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | -| 5/3/2022 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified | -| 5/3/2022 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified | -| 5/3/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified | -| 5/3/2022 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified | -| 5/3/2022 | [Take a Test app technical reference](/education/windows/take-a-test-app-technical) | modified | -| 5/3/2022 | [Set up Take a Test on multiple PCs](/education/windows/take-a-test-multiple-pcs) | modified | -| 5/3/2022 | [For teachers get Minecraft Education Edition](/education/windows/teacher-get-minecraft) | modified | -| 5/3/2022 | [Test Windows 10 in S mode on existing Windows 10 education devices](/education/windows/test-windows10s-for-edu) | modified | - - -## Week of April 25, 2022 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 
4/25/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | -| 4/25/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | - - -## Week of April 18, 2022 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 4/21/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified | +| 6/30/2022 | Get Minecraft Education Edition with your Windows 10 device promotion | removed | diff --git a/education/windows/TOC.yml b/education/windows/TOC.yml index 3a592b8263..717ae6c902 100644 --- a/education/windows/TOC.yml +++ b/education/windows/TOC.yml @@ -53,8 +53,6 @@ href: teacher-get-minecraft.md - name: "For IT administrators: get Minecraft Education Edition" href: school-get-minecraft.md - - name: "Get Minecraft: Education Edition with Windows 10 device promotion" - href: get-minecraft-device-promotion.md - name: Test Windows 10 in S mode on existing Windows 10 education devices href: test-windows10s-for-edu.md - name: Enable Windows 10 in S mode on Surface Go devices diff --git a/education/windows/get-minecraft-device-promotion.md b/education/windows/get-minecraft-device-promotion.md deleted file mode 100644 index 258525651d..0000000000 --- a/education/windows/get-minecraft-device-promotion.md +++ /dev/null 
@@ -1,90 +0,0 @@ ---- -title: Get Minecraft Education Edition with your Windows 10 device promotion -description: Windows 10 device promotion for Minecraft Education Edition licenses -keywords: school, Minecraft, education edition -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.localizationpriority: medium -author: dansimp -searchScope: - - Store -ms.author: dansimp -ms.date: 06/05/2018 -ms.reviewer: -manager: dansimp ---- - -# Get Minecraft: Education Edition with Windows 10 device promotion - -**Applies to:** - -- Windows 10 - -The **Minecraft: Education Edition** with Windows 10 device promotion ended January 31, 2018. - -Qualifying customers that received one-year subscriptions for Minecraft: Education Edition as part of this program and wish to continue using the game in their schools can purchase new subscriptions in Microsoft Store for Education. -For more information on purchasing Minecraft: Education Edition, see [Add Minecraft to your Store for Education](./school-get-minecraft.md?toc=%2fmicrosoft-store%2feducation%2ftoc.json). - ->[!Note] ->**Minecraft: Education Edition** with Windows 10 device promotion subscriptions are valid for 1 year from the time -of redemption. At the end of 1 year, the promotional subscriptions will expire and any people using these subscriptions will be reverted to a trial license of **Minecraft: Education Edition**. - -To prevent being reverted to a trial license, admins or teachers need to purchase new **Minecraft: Education Edition** subscriptions from Store for Education, and assign licenses to users who used a promotional subscription. - - - \ No newline at end of file diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 5a247f51f3..9f89ef79d0 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md 
@@ -56,11 +56,11 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run |FortiClient |7.0.1.0083 |Win32 |Fortinet| |Free NaturalReader |16.1.2 |Win32 |Natural Soft| |GoGuardian |1.4.4 |Win32 |GoGuardian| -|Google Chrome |100.0.4896.127|Win32 |Google| +|Google Chrome |102.0.5005.115|Win32 |Google| |Illuminate Lockdown Browser |2.0.5 |Win32 |Illuminate Education| |Immunet |7.5.0.20795 |Win32 |Immunet| |JAWS for Windows |2022.2112.24 |Win32 |Freedom Scientific| -|Kite Student Portal |8.0.1 |Win32 |Dynamic Learning Maps| +|Kite Student Portal |8.0.3.0 |Win32 |Dynamic Learning Maps| |Kortext |2.3.433.0 |Store |Kortext| |Kurzweil 3000 Assistive Learning |20.13.0000 |Win32 |Kurzweil Educational Systems| |LanSchool |9.1.0.46 |Win32 |Stoneware| @@ -83,7 +83,7 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run |Safe Exam Browser |3.3.2.413 |Win32 |Safe Exam Browser| |Secure Browser |14.0.0 |Win32 |Cambium Development| |Secure Browser |4.8.3.376 |Win32 |Questar, Inc| -|Senso.Cloud |2021.11.15.0 |Win32|Senso.Cloud| +|Senso.Cloud |2021.11.15.0 |Win32|Senso.Cloud| |SuperNova Magnifier & Screen Reader |21.02 |Win32 |Dolphin Computer Access| |Zoom |5.9.1 (2581)|Win32 |Zoom| |ZoomText Fusion |2022.2109.10|Win32 |Freedom Scientific| diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 022801745a..2812409a82 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -97,6 +97,7 @@ Firewall ----------------Protocol ----------------LocalPortRanges ----------------RemotePortRanges +----------------IcmpTypesAndCodes ----------------LocalAddressRanges ----------------RemoteAddressRanges ----------------Description 
@@ -340,6 +341,12 @@ Comma separated list of ranges, For example, 100-120,200,300-320. If not specified, the default is All. Value type is string. Supported operations are Add, Get, Replace, and Delete. + +**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes** +ICMP types and codes applicable to the firewall rule. To specify all ICMP types and codes, use the “\*” character. For specific ICMP types and codes, use the “:” character to separate the type and code, for example, 3:4, 1:\*. The “\*” character can be used to represent any code. The “\*” character cannot be used to specify any type; examples such as “\*:4” or “\*:\*” are invalid. +If not specified, the default is All. +Value type is string. Supported operations are Add, Get, Replace, and Delete. + **FirewallRules/*FirewallRuleName*/LocalAddressRanges** Comma-separated list of local addresses covered by the rule. The default value is "*". Valid tokens include: diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md index 736959df4e..2a21d44f28 100644 --- a/windows/client-management/mdm/personalization-csp.md +++ b/windows/client-management/mdm/personalization-csp.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: dansimp -ms.date: 06/26/2017 +ms.date: 06/28/2022 ms.reviewer: manager: dansimp --- @@ -19,7 +19,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|No|No| -|Windows SE|No|No| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 934f417af1..8912143332 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md 
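Review bot: The new IcmpTypesAndCodes heading uses `_FirewallRuleName_` and the body uses curly quotes around `\*`, while the neighbouring entries use `*FirewallRuleName*` and straight quotes (`The default value is "*"` in the LocalAddressRanges context line), so the markup is inconsistent within the file. Suggest `**FirewallRules/*FirewallRuleName*/IcmpTypesAndCodes**` and straight `"*"` / `":"` in the prose. The entry also says nothing about how it relates to the Protocol node documented just above; presumably the value is only meaningful when Protocol is set to an ICMP protocol, but confirm that before adding a sentence such as `This node applies only when Protocol is set to ICMP or ICMPv6.`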
@@ -1483,7 +1483,7 @@ This policy setting allows you to enable or disable low CPU priority for schedul If you enable this setting, low CPU priority will be used during scheduled scans. -If you disable or don't configure this setting, not changes will be made to CPU priority for scheduled scans. +If you disable or don't configure this setting, no changes will be made to CPU priority for scheduled scans. Supported values: @@ -1922,10 +1922,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -Selects the time of day that the Windows Defender quick scan should run. - -> [!NOTE] -> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. +Selects the time of day that the Windows Defender quick scan should run. The Windows Defender quick scan runs daily if a time is specified. diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 1f621319a6..9d519bfe5d 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -4415,7 +4415,7 @@ The following list shows the supported values: ADMX Info: -- GP Friendly name: *Allows enterprises to provide their users with a single-browser experience* +- GP Friendly name: *Enable extended hot keys in Internet Explorer mode* - GP name: *EnableExtendedIEModeHotkeys* - GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* @@ -14317,4 +14317,4 @@ ADMX Info: ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) 
diff --git a/windows/client-management/mdm/policy-csp-newsandinterests.md b/windows/client-management/mdm/policy-csp-newsandinterests.md index 5d8350eed5..6eb42f6671 100644 --- a/windows/client-management/mdm/policy-csp-newsandinterests.md +++ b/windows/client-management/mdm/policy-csp-newsandinterests.md @@ -34,11 +34,11 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|Yes|Yes| +|Pro|No|Yes| |Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes|
@@ -83,4 +83,4 @@ ADMX Info: ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 4c9d94d790..69a315b2b4 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 03/18/2022 +ms.date: 06/15/2022 ms.reviewer: manager: dansimp ms.collection: highpri @@ -3478,7 +3478,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForDriver** +**Update/SetPolicyDrivenUpdateSourceForDriverUpdates** The table below shows the applicability of Windows: @@ -3508,12 +3508,12 @@ The table below shows the applicability of Windows: Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForFeature -- SetPolicyDrivenUpdateSourceForQuality -- SetPolicyDrivenUpdateSourceForOther +- SetPolicyDrivenUpdateSourceForFeatureUpdates +- SetPolicyDrivenUpdateSourceForQualityUpdates +- SetPolicyDrivenUpdateSourceForOtherUpdates >[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. +>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. @@ -3536,7 +3536,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForFeature** +**Update/SetPolicyDrivenUpdateSourceForFeatureUpdates** The table below shows the applicability of Windows: @@ -3566,12 +3566,12 @@ The table below shows the applicability of Windows: Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForQuality -- SetPolicyDrivenUpdateSourceForDriver -- SetPolicyDrivenUpdateSourceForOther +- SetPolicyDrivenUpdateSourceForQualityUpdates +- SetPolicyDrivenUpdateSourceForDriverUpdates +- SetPolicyDrivenUpdateSourceForOtherUpdates >[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. +>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. @@ -3594,7 +3594,7 @@ The following list shows the supported values:
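Review bot: The description kept under the renamed SetPolicyDrivenUpdateSourceForFeatureUpdates (@@ -3566) still opens with `Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint`, which is the Driver policy's text; the same copy-pasted line sits under the Other (@@ -3624) and Quality (@@ -3682) policies and the rename hunks don't correct it. Each should name its own update type, e.g. `Configure this policy to specify whether to receive Windows Feature Updates from Windows Update endpoint, …`. The rewritten NOTE in each hunk is also redundant (`properly configured … correctly`); `If you haven't configured Update/UpdateServiceUrl to point to your WSUS server, this policy will have no effect.` reads cleaner.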
-**Update/SetPolicyDrivenUpdateSourceForOther** +**Update/SetPolicyDrivenUpdateSourceForOtherUpdates** The table below shows the applicability of Windows: @@ -3624,12 +3624,12 @@ The table below shows the applicability of Windows: Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForFeature -- SetPolicyDrivenUpdateSourceForQuality -- SetPolicyDrivenUpdateSourceForDriver +- SetPolicyDrivenUpdateSourceForFeatureUpdates +- SetPolicyDrivenUpdateSourceForQualityUpdates +- SetPolicyDrivenUpdateSourceForDriverUpdates >[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. +>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. @@ -3652,7 +3652,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForQuality** +**Update/SetPolicyDrivenUpdateSourceForQualityUpdates** The table below shows the applicability of Windows: @@ -3682,12 +3682,12 @@ The table below shows the applicability of Windows: Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForFeature -- SetPolicyDrivenUpdateSourceForDriver -- SetPolicyDrivenUpdateSourceForOther +- SetPolicyDrivenUpdateSourceForFeatureUpdates +- SetPolicyDrivenUpdateSourceForDriverUpdates +- SetPolicyDrivenUpdateSourceForOtherUpdates >[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. +>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. @@ -4013,4 +4013,4 @@ ADMX Info: ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 39a3e28d9e..8417d9c8af 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md 
@@ -24,9 +24,10 @@ The table below shows the applicability of Windows: |Enterprise|Yes|Yes| |Education|Yes|Yes| -The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely wipe a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely wiped after being lost or stolen. +The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely reset a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely reset after being lost or stolen. The following example shows the RemoteWipe configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. Enterprise IT Professionals can update these settings by using the Exchange Server. + ``` ./Vendor/MSFT RemoteWipe 
@@ -39,15 +40,16 @@ RemoteWipe --------LastError --------Status ``` + **doWipe** -Specifies that a remote wipe of the device should be performed. The return status code indicates whether the device accepted the Exec command. +Exec on this node starts a remote reset of the device. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with **Clean Data** set to No and **Delete Files** set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, the PC will attempt to roll-back to the pre-reset state. If the PC can't be rolled-back, the recovery environment will take no additional actions and the PC could be in an unusable state and Windows will have to be reinstalled. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. Supported operation is Exec. **doWipePersistProvisionedData** -Specifies that provisioning data should be backed up to a persistent location, and then a remote wipe of the device should be performed. +Exec on this node specifies that provisioning packages in the `%SystemDrive%\ProgramData\Microsoft\Provisioning` folder will be retained and then applied to the OS after the reset. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. 
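Review bot: The new doWipe text states the reset runs with **Clean Data** set to No, and the doWipeProtected paragraph further down contrasts that by saying it "also fully cleans the internal drive", yet the intro sentence rewritten in @@ -24 still says the CSP "can make the data stored in memory and hard disks difficult to recover" without distinguishing the two. An admin reading only the intro could pick doWipe for a lost device and get a reset that leaves data recoverable; suggest qualifying the intro with `Only doWipeProtected cleans the drive; doWipe and the doWipePersist* variants reset the device without cleaning the data.` The doWipePersistProvisionedData sentence now names the `%SystemDrive%\ProgramData\Microsoft\Provisioning` folder, but the following context line still speaks generically of "the information that was backed up" — consider aligning the two.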
@@ -56,14 +58,14 @@ Supported operation is Exec. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. **doWipeProtected** -Added in Windows 10, version 1703. Exec on this node performs a remote wipe on the device and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command. +Added in Windows 10, version 1703. Exec on this node performs a remote reset on the device and also fully cleans the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command, but not whether the reset was successful. -The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it’s done. +The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, if a reset that uses doWipeProtected is interrupted, upon restart it will clean the PC's disk partitions. Because doWipeProtected will clean the partitions in case of failure or interruption, use doWipeProtected in lost/stolen device scenarios. Supported operation is Exec. **doWipePersistUserData** -Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. The return status code shows whether the device accepted the Exec command. +Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. 
This setting is equivalent to selecting "Reset this PC > Keep my files" when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command. **AutomaticRedeployment** Added in Windows 10, version 1809. Node for the Autopilot Reset operation. diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index d8b8b2c1b8..354b49fbea 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md @@ -6,7 +6,7 @@ ms.topic: troubleshooting author: Deland-Han ms.localizationpriority: medium ms.author: delhan -ms.date: 8/22/2019 +ms.date: 07/12/2022 ms.reviewer: dcscontentpm manager: dansimp --- 
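Review bot: The doWipeProtected paragraph now says the return status code indicates acceptance of the Exec "but not whether the reset was successful", but the page never says how to learn the outcome; the tree at the top of the file shows LastError and Status nodes under RemoteWipe. A pointer such as `Use the Status and LastError nodes to check the outcome of the reset.` would close that gap — confirm those nodes report doWipeProtected completion before adding it. Since the same paragraph now states that cleaning "isn't expected to meet industry or government standards for data cleaning" and recommends doWipeProtected for lost/stolen devices, readers would also benefit from a one-line note on what they can rely on in that scenario, if the underlying behaviour supports one.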
@@ -183,6 +183,63 @@ To specify that you don't want to overwrite any previous kernel or complete memo - Set the **Overwrite** DWORD value to **0**. +#### Automatic Memory Dump + +This is the default option. An Automatic Memory Dump contains the same information as a Kernel Memory Dump. The difference between the two is in the way that Windows sets the size of the system paging file. If the system paging file size is set to **System managed size**, and the kernel-mode crash dump is set to **Automatic Memory Dump**, then Windows can set the size of the paging file to less than the size of RAM. In this case, Windows sets the size of the paging file large enough to ensure that a kernel memory dump can be captured most of the time. + +If the computer crashes and the paging file is not large enough to capture a kernel memory dump, Windows increases the size of the paging file to at least the size of RAM. For more information, see [Automatic Memory Dump](/windows-hardware/drivers/debugger/automatic-memory-dump). + +To specify that you want to use an automatic memory dump file, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set DebugInfoType = 7 + ``` + +- Set the **CrashDumpEnabled** DWORD value to **7**. + +To specify that you want to use a file as your memory dump file, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set DebugFilePath = + ``` + +- Set the **DumpFile** Expandable String Value to \. + +To specify that you don't want to overwrite any previous kernel or complete memory dump files, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set OverwriteExistingDebugFile = 0 + ``` + +- Set the **Overwrite** DWORD value to **0**. + +#### Active Memory Dump + +An Active Memory Dump is similar to a Complete Memory Dump, but it filters out pages that are not likely to be relevant to troubleshooting problems on the host machine. 
Because of this filtering, it is typically significantly smaller than a Complete Memory Dump. + +This dump file includes any memory allocated to user-mode applications. It also includes memory allocated to the Windows kernel and hardware abstraction layer, as well as memory allocated to kernel-mode drivers and other kernel-mode programs. The dump includes active pages mapped into the kernel or user space that are useful for debugging, as well as selected Pagefile-backed Transition, Standby, and Modified pages such as the memory allocated with VirtualAlloc or page-file-backed sections. Active dumps do not include pages on the free and zeroed lists, the file cache, guest VM pages, and various other types of memory that are not likely to be useful during debugging. For more information, see [Active Memory Dump](/windows-hardware/drivers/debugger/active-memory-dump). + +To specify that you want to use an active memory dump file, modify the registry value: + +- Set the **CrashDumpEnabled** DWORD value to **1**. +- Set the **FilterPages** DWORD value to **1**. + +To specify that you want to use a file as your memory dump file, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set DebugFilePath = + ``` + +- Set the DumpFile Expandable String Value to \. + +To specify that you don't want to overwrite any previous kernel or complete memory dump files, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set OverwriteExistingDebugFile = 0 + ``` + +- Set the **Overwrite** DWORD value to **0**. + >[!Note] >If you contact Microsoft Support about a Stop error, you might be asked for the memory dump file that is generated by the Write Debugging Information option. 
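Review bot: In both the new Automatic Memory Dump and Active Memory Dump sections the command `wmic recoveros set DebugFilePath = ` has no value and the registry instruction reads `Set the **DumpFile** Expandable String Value to \.`, so the path placeholder appears to have been lost (likely an unescaped `<path>` swallowed as HTML). Use a visible placeholder in all four places, e.g. `wmic recoveros set DebugFilePath = <FilePath>` in the fence and `\<FilePath\>` in the prose. The Active section also drops the bold on `DumpFile` that the Automatic section uses. Since `wmic` is deprecated in current Windows releases, a registry or PowerShell equivalent alongside each command would keep the section usable, but that may be out of scope for this change.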
@@ -191,6 +248,7 @@ To view system failure and recovery settings for your local computer, type **wmi
 >[!Note]
 >To successfully use these Wmic.exe command line examples, you must be logged on by using a user account that has administrative rights on the computer. If you are not logged on by using a user account that has administrative rights on the computer, use the **/user:user_name** and **/password:password** switches.
+
 ### Tips
 - To take advantage of the dump file feature, your paging file must be on the boot volume. If you've moved the paging file to another volume, you must move it back to the boot volume before you use this feature.
@@ -201,4 +259,4 @@ To view system failure and recovery settings for your local computer, type **wmi
 ## References
-[Varieties of Kernel-Mode Dump Files](/windows-hardware/drivers/debugger/varieties-of-kernel-mode-dump-files)
\ No newline at end of file
+[Varieties of Kernel-Mode Dump Files](/windows-hardware/drivers/debugger/varieties-of-kernel-mode-dump-files)
diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md
index ed2728abc4..e819e8e329 100644
--- a/windows/configuration/stop-employees-from-using-microsoft-store.md
+++ b/windows/configuration/stop-employees-from-using-microsoft-store.md
@@ -94,7 +94,7 @@ You can also use Group Policy to manage access to Microsoft Store.
 4. On the **Turn off the Store application** setting page, click **Enabled**, and then click **OK**.
 > [!Important]
-> Enabling **Turn off the Store application** policy turns off app updates from Microsoft Store.
+> When you enable the policy to **Turn off the Store application**, it turns off app updates from the Microsoft Store. To allow store apps to update, disable the policy to **Turn off automatic download and install of Updates**. This configuration allows in-box store apps to update while still blocking access to the store.
 ## Show private store only using Group Policy
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 0d89ad7be7..25eddbf4ef 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -139,8 +139,8 @@ When you configure your MDT Build Lab deployment share, you can also add applica
 On **MDT01**:
-1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200120117_en_US.exe) to **D:\\setup\\adobe** on MDT01.
-2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2200120117_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
+1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200120142_en_US.exe) to **D:\\setup\\adobe** on MDT01.
+2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2200120142_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
 3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
 4. Right-click the **Applications** node, and create a new folder named **Adobe**.
@@ -560,6 +560,12 @@ Some properties to use in the MDT Production rules file are as follows:
 - **USMTMigFiles(\*).** List of USMT templates (controlling what to backup and restore).
 - **EventService.** Activates logging information to the MDT monitoring web service.
+> [!NOTE]
+> For more information about localization support, see the following articles:
+>
+> - [MDT sample guide](/mem/configmgr/mdt/samples-guide#fully-automated-lti-deployment-for-a-refresh-computer-scenario)
+> - [LCID (Locale ID) codes](/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a)
+
 ### Optional deployment share configuration
 If your organization has a Microsoft Software Assurance agreement, you also can subscribe to the additional Microsoft Desktop Optimization Package (MDOP) license (at an additional cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you troubleshoot MDT deployments, as well as troubleshoot Windows itself.
diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md
index 3f1840da1b..c301863138 100644
--- a/windows/deployment/update/update-compliance-configuration-manual.md
+++ b/windows/deployment/update/update-compliance-configuration-manual.md
@@ -42,7 +42,7 @@ Each MDM Policy links to its documentation in the CSP hierarchy, providing its e
 | Policy | Data type | Value | Function |
 |--------------------------|-|-|------------------------------------------------------------|
 |**Provider/*ProviderID*/**[**CommercialID**](/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |String |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. |
-|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. |
+|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. For more information, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization). |
 |**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. |
 |**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
 | **System/**[**AllowUpdateComplianceProcessing**](/windows/client-management/mdm/policy-csp-system#system-allowUpdateComplianceProcessing) |Integer | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. |
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 2497f639dc..663fedf6e7 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -40,7 +40,7 @@ Before you begin the process to add Update Compliance to your Azure subscription
 - **Diagnostic data requirements**: Update Compliance requires devices to send diagnostic data at *Required* level (previously *Basic*). Some queries in Update Compliance require devices to send diagnostic data at *Optional* level (previously *Full*) for Windows 11 devices or *Enhanced* level for Windows 10 devices. To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319).
 - **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md).
 - **Showing device names in Update Compliance**: For Windows 10, version 1803 or later, device names will not appear in Update Compliance unless you individually opt-in devices by using policy. The steps to accomplish this is outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
-- **Azure AD device join**: All devices enrolled in Update Compliance must meet all prerequisites for enabling Windows diagnostic data processor configuration, including the Azure AD join requirement. This prerequisite will be enforced for Update Compliance starting on October 15, 2022.
+- **Azure AD device join** or **hybrid Azure AD join**: All devices enrolled in Update Compliance must meet all prerequisites for enabling Windows diagnostic data processor configuration, including the Azure AD join requirement. This prerequisite will be enforced for Update Compliance starting on October 15, 2022.
 ## Add Update Compliance to your Azure subscription
diff --git a/windows/deployment/update/update-compliance-v2-prerequisites.md b/windows/deployment/update/update-compliance-v2-prerequisites.md
index 2f45ad0ced..88cfdcb10b 100644
--- a/windows/deployment/update/update-compliance-v2-prerequisites.md
+++ b/windows/deployment/update/update-compliance-v2-prerequisites.md
@@ -8,7 +8,7 @@ author: mestew
 ms.author: mstewart
 ms.collection: M365-analytics
 ms.topic: article
-ms.date: 06/06/2022
+ms.date: 06/30/2022
 ---
 # Update Compliance prerequisites
@@ -66,11 +66,15 @@ For more information about what's included in different diagnostic levels, see [
 > [!NOTE]
 > Enrolling into Update Compliance from the [Azure CLI](/cli/azure) or enrolling programmatically another way currently isn't supported. You must manually add Update Compliance to your Azure subscription.
-## Microsoft 365 admin center permissions (optional)
+## Microsoft 365 admin center permissions (currently optional)
-When you use the [Microsoft admin center software updates (preview) page](update-status-admin-center.md) with Update Compliance, the following permissions are also recommended:
- - To configure settings for the **Software Updates** page: [Global Admin role](/microsoft-365/admin/add-users/about-admin-roles)
- - To view the **Software Updates** page: [Global Reader role](/microsoft-365/admin/add-users/about-admin-roles)
+When you use the [Microsoft admin center software updates (preview) page](update-status-admin-center.md) with Update Compliance, the following permissions are also needed:
+
+- To configure settings and view the **Software Updates** page:
+ - [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator)
+ - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
+- To view the **Software Updates** page:
+ - [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader)
 ## Log Analytics prerequisites
diff --git a/windows/deployment/update/update-status-admin-center.md b/windows/deployment/update/update-status-admin-center.md
index 9794557bd2..71e40f2c64 100644
--- a/windows/deployment/update/update-status-admin-center.md
+++ b/windows/deployment/update/update-status-admin-center.md
@@ -10,7 +10,7 @@ ms.collection:
 - M365-analytics
 - highpri
 ms.topic: article
-ms.date: 05/07/2022
+ms.date: 06/20/2022
 ---
 # Microsoft admin center software updates (preview) page
@@ -34,8 +34,12 @@ The **Software updates** page has following tabs to assist you in monitoring upd
 - [Update Compliance](update-compliance-v2-overview.md) needs to be enabled with clients sending data to the solution
 - An appropriate role assigned for the [Microsoft 365 admin center](https://admin.microsoft.com)
- - To configure settings for the **Software Updates** page: [Global Admin role](/microsoft-365/admin/add-users/about-admin-roles)
- - To view the **Software Updates** page: [Global Reader role](/microsoft-365/admin/add-users/about-admin-roles)
+ - To configure settings and view the **Software Updates** page:
+ - [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator)
+ - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
+ - To view the **Software Updates** page:
+ - [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader)
+
 ## Limitations
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 1918ed5246..52c86e776b 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -25,6 +25,9 @@ ms.topic: article
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+> [!NOTE]
+> Windows Server _doesn't_ get feature updates from Windows Update, so only the quality update policies apply. This behavior doesn't apply to [Azure Stack hyperconverged infrastructure (HCI)](/azure-stack/hci/).
+
 You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
 > [!IMPORTANT]
diff --git a/windows/deployment/update/waas-delivery-optimization-faq.md b/windows/deployment/update/waas-delivery-optimization-faq.md
index ffe3f4ae21..4e752ce90b 100644
--- a/windows/deployment/update/waas-delivery-optimization-faq.md
+++ b/windows/deployment/update/waas-delivery-optimization-faq.md
@@ -1,6 +1,6 @@
 ---
 title: Delivery Optimization Frequently Asked Questions
-ms.reviewer: 
+ms.reviewer: aaroncz
 manager: dougeby
 description: The following is a list of frequently asked questions for Delivery Optimization.
 ms.prod: w10
@@ -37,17 +37,23 @@ For Delivery Optimization to successfully use the proxy, you should set up the p
 ## What hostnames should I allow through my firewall to support Delivery Optimization?
-For communication between clients and the Delivery Optimization cloud service: **\*.do.dsp.mp.microsoft.com**.
+**For communication between clients and the Delivery Optimization cloud service**:
+
+- `*.do.dsp.mp.microsoft.com`
 **For Delivery Optimization metadata**:
-- *.dl.delivery.mp.microsoft.com
-- *.emdl.ws.microsoft.com
+- `*.dl.delivery.mp.microsoft.com`
+- `*.emdl.ws.microsoft.com`
 **For the payloads (optional)**:
-- *.download.windowsupdate.com
-- *.windowsupdate.com
+- `*.download.windowsupdate.com`
+- `*.windowsupdate.com`
+
+**For group peers across multiple NATs (Teredo)**:
+
+- `win1910.ipv6.microsoft.com`
 ## Does Delivery Optimization use multicast?
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index fee71f1399..4ade882a85 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -147,15 +147,19 @@ S = Supported; Not considered a downgrade or an upgrade
 **Destination Edition: (Starting)**
-|Edition|Home|Pro|Pro for Workstations|Pro Education|Education|Enterprise LTSC|Enterprise|
-|--- |--- |--- |--- |--- |--- |--- |--- |
-|Home||||||||
-|Pro||||||||
-|Pro for Workstations||||||||
-|Pro Education||||||||
-|Education||✔|✔|✔|||S|
-|Enterprise LTSC||||||||
-|Enterprise||✔|✔|✔|S|||
+![Supported downgrade path.](../images/check_grn.png) (green checkmark) = Supported downgrade path
+![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) (blue checkmark) = Not considered a downgrade or an upgrade
+![not supported.](../images/x_blk.png) (X) = not supported or not a downgrade
+ +| **Edition** | **Home** | **Pro** | **Pro for Workstations** | **Pro Education** | **Education** | **Enterprise LTSC** | **Enterprise** | +|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |--------------------------------------------- | +| **Home** | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | +| **Pro** | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | +| **Pro for Workstations** | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | +| **Pro Education** | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | +| **Education** | ![not supported.](../images/x_blk.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported downgrade path.](../images/check_grn.png) 
| ![Supported downgrade path.](../images/check_grn.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | +| **Enterprise LTSC** | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | +| **Enterprise** | ![not supported.](../images/x_blk.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | > **Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above. diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 290eddf758..67df3547c9 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -13,7 +13,7 @@ ms.collection: search.appverid: - MET150 ms.topic: article -ms.date: 06/16/2022 +ms.date: 07/12/2022 --- # Windows 10/11 Subscription Activation 
@@ -26,9 +26,11 @@ Windows 10 Pro supports the Subscription Activation feature, enabling users to "
 With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**.
+If you have devices that are licensed for Windows 7, 8, and 8.1 Professional, Microsoft 365 Business Premium provides an upgrade to Windows 10 Pro, which is the prerequisite for deploying [Windows 10 Business](/microsoft-365/business-premium/microsoft-365-business-faqs#what-is-windows-10-business).
+
 The Subscription Activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-premises key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices.
-See the following articles:
+For more information, see the following articles:
 - [Subscription Activation](#subscription-activation-for-windows-1011-enterprise): An introduction to Subscription Activation for Windows 10/11 Enterprise.
 - [Subscription Activation for Education](#subscription-activation-for-windows-1011-enterprise): Information about Subscription Activation for Windows 10/11 Education.
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index 97e466d258..c56b83ed47 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -17,8 +17,9 @@
 href: prepare/windows-autopatch-configure-network.md
 - name: Enroll your tenant
 href: prepare/windows-autopatch-enroll-tenant.md
- - name: Fix issues found by the Readiness assessment tool
- href: prepare/windows-autopatch-fix-issues.md
+ items:
+ - name: Fix issues found by the Readiness assessment tool
+ href: prepare/windows-autopatch-fix-issues.md
 - name: Deploy
 href: deploy/index.md
 items:
@@ -32,33 +33,48 @@ - name: Update management href: operate/windows-autopatch-update-management.md items: - - name: Windows quality updates - href: operate/windows-autopatch-wqu-overview.md - items: - - name: Windows quality end user experience - href: operate/windows-autopatch-wqu-end-user-exp.md - - name: Windows quality update signals - href: operate/windows-autopatch-wqu-signals.md - - name: Windows quality update communications + - name: Windows updates + href: + items: + - name: Windows quality updates + href: operate/windows-autopatch-wqu-overview.md + items: + - name: Windows quality end user experience + href: operate/windows-autopatch-wqu-end-user-exp.md + - name: Windows quality update signals + href: operate/windows-autopatch-wqu-signals.md + - name: Windows feature updates + href: operate/windows-autopatch-fu-overview.md + items: + - name: Windows feature end user experience + href: operate/windows-autopatch-fu-end-user-exp.md + - name: Windows quality and feature update communications href: operate/windows-autopatch-wqu-communications.md - - name: Conflicting and unsupported policies - href: operate/windows-autopatch-wqu-unsupported-policies.md - name: Microsoft 365 Apps for enterprise href: operate/windows-autopatch-microsoft-365-apps-enterprise.md - name: Microsoft Edge href: operate/windows-autopatch-edge.md - name: Microsoft Teams href: operate/windows-autopatch-teams.md - - name: Deregister a device - href: operate/windows-autopatch-deregister-devices.md + - name: Maintain the Windows Autopatch environment + href: operate/windows-autopatch-maintain-environment.md - name: Submit a support request href: operate/windows-autopatch-support-request.md + - name: Deregister a device + href: operate/windows-autopatch-deregister-devices.md + - name: Unenroll your tenant + href: operate/windows-autopatch-unenroll-tenant.md - name: Reference href: items: + - name: Update policies + href: + items: + - name: Windows update policies + href: 
operate/windows-autopatch-wqu-unsupported-policies.md + - name: Microsoft 365 Apps for enterprise update policies + href: references/windows-autopatch-microsoft-365-policies.md - name: Privacy href: references/windows-autopatch-privacy.md - name: Windows Autopatch preview addendum - href: references/windows-autopatch-preview-addendum.md - - + href: references/windows-autopatch-preview-addendum.md \ No newline at end of file diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md index 2ecfa99202..7793b6cb5d 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md @@ -14,9 +14,6 @@ msreviewer: hathind # Add and verify admin contacts -> [!IMPORTANT] -> The Admin contacts blade isn't available during public preview. However, we'll use the admin contacts provided by you during public preview onboarding. - There are several ways that Windows Autopatch service communicates with customers. To streamline communication and ensure we're checking with the right people when you [submit a support request](../operate/windows-autopatch-support-request.md), you must provide a set of admin contacts when you onboard with Windows Autopatch. > [!IMPORTANT] @@ -34,7 +31,7 @@ Your admin contacts will receive notifications about support request updates and | Area of focus | Description | | ----- | ----- | | Devices |
  • Device registration
  • Device health
|
-| Updates |
  • Windows quality updates
  • Microsoft 365 Apps for enterprise
  • Microsoft Teams updates
  • Microsoft Edge
|
+| Updates |
  • Windows quality updates
  • Windows feature updates
  • Microsoft 365 Apps for enterprise updates
  • Microsoft Edge updates
  • Microsoft Teams updates
|
 **To add admin contacts:**
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index a522a08253..1d44162fb9 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -1,7 +1,7 @@
 ---
 title: Register your devices
 description: This article details how to register devices in Autopatch
-ms.date: 06/24/2022
+ms.date: 07/06/2022
 ms.prod: w11
 ms.technology: windows
 ms.topic: how-to
@@ -68,16 +68,17 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set
 - [Supported Windows 10/11 Enterprise and Professional edition versions](/windows/release-health/supported-versions-windows-client)
 - Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported).
 - Managed by Microsoft Endpoint Manager.
- - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) or [Configuration Manager Co-management](../prepare/windows-autopatch-prerequisites.md#co-management-requirements).
- - [Switch Microsoft Endpoint Manager-Configuration Manager Co-management workloads to Microsoft Endpoint Manager-Intune](/mem/configmgr/comanage/how-to-switch-workloads) (either set to Pilot Intune or Intune). This includes the following workloads:
+ - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) and/or [Configuration Manager Co-management](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#configuration-manager-co-management-requirements).
+ - Must switch the following Microsoft Endpoint Manager-Configuration Manager [Co-management workloads](/mem/configmgr/comanage/how-to-switch-workloads) to Microsoft Endpoint Manager-Intune (either set to Pilot Intune or Intune):
 - Windows updates policies
 - Device configuration
 - Office Click-to-run
-- Last Intune device check-in completed within the last 28 days.
+- Last Intune device check in completed within the last 28 days.
+- Devices must have Serial Number, Model and Manufacturer.
+ > [!NOTE]
+ > Windows Autopatch doesn't support device emulators that don't generate Serial number, Model and Manufacturer. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** pre-requisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch.
-For more information on how Configuration Manager workloads work, see [How to switch Configuration Manager workloads to Intune](/mem/configmgr/comanage/how-to-switch-workloads).
-
-See [Prerequisites](../prepare/windows-autopatch-prerequisites.md) for more details.
+See [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md) for more details.
 ## About the Ready and Not ready tabs
@@ -96,7 +97,7 @@ A role defines the set of permissions granted to users assigned to that role. Yo
 - Intune Service Administrator
 - Modern Workplace Intune Administrator
-For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
+For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
 > [!NOTE]
 > The Modern Workplace Intune Admin role is a custom created role during the Windows Autopatch tenant enrollment process. This role can assign administrators to Endpoint Manager roles, and allows you to create and configure custom Endpoint Manager roles.
@@ -110,7 +111,9 @@ Registering your devices in Windows Autopatch does the following:
 ## Steps to register devices
-**To register devices into Windows Autopatch:**
+### Physical devices
+
+**To register physical devices into Windows Autopatch:**
 1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
 2. Select **Windows Autopatch** from the left navigation menu.
@@ -121,12 +124,43 @@ Registering your devices in Windows Autopatch does the following: > [!NOTE] > The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both Ready and Not ready tabs. -Once devices or Azure AD groups containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch discovers these devices and runs software-based prerequisite checks to try to register them with its service. +Once devices or Azure AD groups containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch discovers these devices, and runs software-based prerequisite checks to try to register them with its service. -> [!IMPORTANT] -> It might take up to an hour for a device to change its status from **Ready for User** to **Active** in the Ready tab during the public preview. +### Virtual devices -## Additional device management lifecycle scenarios +#### Windows Autopatch on Windows 365 Enterprise Workloads + +With Windows 365 Enterprise, you can include Windows Autopatch onboarding as part of your provision process providing a seamless experience for admins and users to ensure your Cloud PCs are always up to date. + +#### Deploy Windows Autopatch on a Windows 365 Provisioning Policy + +For general guidance, see [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy). + +**To deploy Windows Autopatch on a Windows 365 Provisioning Policy:** + +1. Go to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center. +1. In the left pane, select **Devices**. +1. Navigate to Provisioning > **Windows 365**. +1. Select Provisioning policies > **Create policy**. +1. 
Provide a policy name and select **Join Type**. For more information, see [Device join types](/windows-365/enterprise/identity-authentication#device-join-types). +1. Select **Next**. +1. Choose the desired image and select **Next**. +1. Under the **Microsoft managed services** section, select **Windows Autopatch**. Then, select **Next**. If the *Windows Autopatch (preview) cannot manage your Cloud PCs until a Global Admin has finished setting it up.* message appears, you must [enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md) to continue. +1. Assign your policy accordingly and select **Next**. +1. Select **Create**. Now your newly provisioned Windows 365 Enterprise Cloud PCs will automatically be enrolled and managed by Windows Autopatch. + +#### Deploy Autopatch on Windows 365 for existing Cloud PC + +All your existing Windows 365 Enterprise workloads can be registered into Windows Autopatch by leveraging the same method as your physical devices. For more information, see [Physical devices](#physical-devices). + +#### Contact support + +Support is available either through Windows 365, or Windows Autopatch for update related incidents. + +- For Windows 365 support, see [Get support](/mem/get-support). +- For Windows Autopatch support, see [Submit a support request](/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request). + +## Device management lifecycle scenarios There's a few more device lifecycle management scenarios to consider when planning to register devices in Windows Autopatch.
diff --git a/windows/deployment/windows-autopatch/media/windows-feature-force-update.png b/windows/deployment/windows-autopatch/media/windows-feature-force-update.png
new file mode 100644
index 0000000000..a1752b7996
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-feature-force-update.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png b/windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png
new file mode 100644
index 0000000000..0b926b62f6
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-feature-typical-update-experience.png b/windows/deployment/windows-autopatch/media/windows-feature-typical-update-experience.png
new file mode 100644
index 0000000000..f05268d372
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-feature-typical-update-experience.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-feature-update-grace-period.png b/windows/deployment/windows-autopatch/media/windows-feature-update-grace-period.png
new file mode 100644
index 0000000000..a0899ccf6c
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-feature-update-grace-period.png differ
diff --git a/windows/deployment/windows-autopatch/operate/index.md b/windows/deployment/windows-autopatch/operate/index.md
index 44954ce00f..88dfceb72d 100644
--- a/windows/deployment/windows-autopatch/operate/index.md
+++ b/windows/deployment/windows-autopatch/operate/index.md
@@ -14,12 +14,15 @@ msreviewer: hathind # Operating with Windows Autopatch -This section includes information about Windows Autopatch update management, types of updates managed by Windows Autopatch, and how to contact the Windows Autopatch Service Engineering Team: +This section includes information about Windows Autopatch update management, types of updates managed by Windows Autopatch, maintaining your Windows Autopatch environment, how to contact the Windows Autopatch Service Engineering Team, and unenrolling your tenant: - [Update management](windows-autopatch-update-management.md) - [Windows quality updates](windows-autopatch-wqu-overview.md) +- [Windows feature updates](windows-autopatch-fu-overview.md) - [Microsoft 365 Apps for enterprise updates](windows-autopatch-microsoft-365-apps-enterprise.md) - [Microsoft Edge updates](windows-autopatch-edge.md) - [Microsoft Teams updates](windows-autopatch-teams.md) +- [Maintain the Windows Autopatch environment](windows-autopatch-maintain-environment.md) - [Deregister devices](windows-autopatch-deregister-devices.md) - [Submit a support request](windows-autopatch-support-request.md) +- [Unenroll your tenant](windows-autopatch-unenroll-tenant.md)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
index 7fe4c8e3d4..4fe92e457d 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
@@ -14,7 +14,7 @@ msreviewer: andredm7 # Deregister a device -To avoid end-user disruption, device de-registration in Windows Autopatch only deletes the Windows Autopatch device record itself. Device deregistration can't delete Microsoft Intune and/or the Azure Active Directory device records. Microsoft assumes you'll keep managing those devices yourself in some capacity. +To avoid end-user disruption, device deregistration in Windows Autopatch only deletes the Windows Autopatch device record itself. Device deregistration can't delete Microsoft Intune and/or the Azure Active Directory device records. Microsoft assumes you'll keep managing those devices yourself in some capacity. **To deregister a device:**
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md
new file mode 100644
index 0000000000..15a138fcdf
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md
@@ -0,0 +1,73 @@ +--- +title: Windows feature update end user experience +description: This article explains the Windows feature update end user experience +ms.date: 07/11/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Windows feature update end user experience + +Windows Autopatch aims to deploy updates predictably while minimizing the effect to end users by preventing reboots during business hours. + +## User notifications + +In this section we'll review what an end user would see in the following three scenarios: + +1. Typical update experience +2. Feature update deadline forces an update +3. Feature update grace period + +> [!NOTE] +> Windows Autopatch doesn't yet support feature updates without notifying end users. + +### Typical update experience + +In this example, we'll be discussing a device in the First ring. The Autopatch service updates the First ring’s DSS policy to target the next version of Windows 30 days after the start of the release. When the policy is applied to the device, the device will download the update, and notify end users that the new version of Windows is ready to install. The end user can either: + +1. Restart immediately to install the updates +1. Schedule the installation, or +1. Snooze (the device will attempt to install outside of active hours.) + +In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline. + +:::image type="content" source="../media/windows-feature-typical-update-experience.png" alt-text="Typical Windows feature update experience"::: + +### Feature update deadline forces an update + +The following example builds on the scenario outlined in the typical user experience, but the user ignores the notification and selects snooze. 
Further notifications are received, which the user ignores. The device is also unable to install the updates outside of active hours. + +The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the active hours and force a restart to complete the installation. The user will receive a 15-minute warning, after which, the device will install the update and restart. + +:::image type="content" source="../media/windows-feature-force-update.png" alt-text="Force Windows feature update"::: + +### Feature update grace period + +In the following example, the user is on holiday and the device is offline beyond the feature update deadline. The user then returns to work and the device is turned back on. + +Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification. + +:::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Window feature update grace period"::: + +## Servicing window + +Windows Autopatch understands the importance of not disrupting end users but also updating the devices quickly. To achieve this goal, updates are automatically downloaded and installed at an optimal time determined by the device. Device restarts occur outside of active hours until the deadline is reached. By default, active hours are configured dynamically based on device usage patterns. If you wish to specify active hours for your organization, you can do so by deploying both the following policies: + +| Policy | Description | +| ----- | ----- | +| [Active hours start](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) | This policy controls the start of the protected window where devices won't restart. 
Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. | +| [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | This policy controls the end of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. | + +> [!IMPORTANT] +> Both policies must be deployed for them to work as expected. + +A device won't restart during active hours unless it has passed the date specified by the update deadline policy. Once the device has passed the deadline policy, the device will update as soon as possible. + +> [!IMPORTANT] +> If your devices must be updated at a specific date or time, they aren't suitable for Windows Autopatch. Allowing you to choose specific dates to update devices would disrupt the rollout schedule and prevent us from delivering the service level objective. The use of any of the following CSPs on a managed device will render it ineligible for management:
  • [Update/ScheduledInstallDay](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)
  • [Update/ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek)
  • [Update/ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek)
  • [Update/ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek)
  • [Update/ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek)
  • [Update/ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek)
  • [Update/ScheduledInstallTime](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md
new file mode 100644
index 0000000000..8e6075fd7e
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md
@@ -0,0 +1,106 @@ +--- +title: Windows feature updates +description: This article explains how Windows feature updates are managed in Autopatch +ms.date: 07/11/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Windows feature updates + +## Service level objective + +Windows Autopatch aims to keep at least 99% of eligible devices on a supported version of Windows so that they can continue receiving Windows feature updates. + +## Device eligibility + +For a device to be eligible for Windows feature updates as a part of Windows Autopatch it must meet the following criteria: + +| Criteria | Description | +| ----- | ----- | +| Activity | Devices must have at least six hours of usage, with at least two hours being continuous since the start of the update. | +| Intune sync | Devices must have checked with Intune within the last five days. | +| Storage space | Devices must have more than one GB (GigaBytes) of free storage space. | +| Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. | +| Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). | +| Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). | +| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md). | +| Group policy conflict | Devices must not have group policies deployed which would prevent device management. 
For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy) | + +## Windows feature update releases + +When the service decides to move to a new version of Windows, the following update schedule is indicative of the minimum amount of time between rings during a rollout. + +The final release schedule is communicated prior to release and may vary a little from the following schedule to account for business weeks or other scheduling considerations. For example, Autopatch may decide to release to the Fast Ring after 62 days instead of 60, if 60 days after the release start was a weekend. + +| Ring | Timeline | +| ----- | ----- | +| Test | Release start | +| First | Release start + 30 days | +| Fast | Release start + 60 days | +| Broad | Release start + 90 days | + +:::image type="content" source="../media/windows-feature-release-process-timeline.png" alt-text="Windows feature release timeline"::: + +## New devices to Windows Autopatch + +If a device is enrolled and it's below Autopatch's currently targeted Windows feature update, that device will update to the service's target version within five days of meeting eligibility criteria. + +If a device is enrolled and it's on, or above the currently targeted Windows feature update, there won't be any change to that device. + +## Feature update configuration + +When releasing a feature update, there are two policies that are configured by the service to create the update schedule described in the previous section. You’ll see four of each of the following policies in your tenant, one for each ring: + +- **Modern Workplace DSS Policy**: This policy is used to control the target version of Windows. +- **Modern Workplace Update Policy**: This policy is used to control deferrals and deadlines for feature and quality updates. 
+ +| Ring | Target version (DSS) Policy | Feature update deferral | Feature update deadline | Feature update grace period | +| ----- | ----- | ----- | ----- | ----- | +| Test | 21H2 | 0 | 5 | 0 | +| First | 21H2 | 0 | 5 | 0 | +| Fast | 21H2 | 0 | 5 | 2 | +| Broad | 21H2 | 0 | 5 | 2 | + +> [!NOTE] +> Customers are not able to select a target version for their tenant. + +During a release, the service modifies the Modern Workplace DSS policy to change the target version for a specific ring in Intune. That change is deployed to devices and updates the devices prior to the update deadline. + +To understand how devices will react to the change in the Modern Workplace DSS policy, it's important to understand how deferral, deadline, and grace periods effect devices. + +| Policy | Description | +| ----- | ----- | +| [Deferrals](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) | The deferral policy determines how many days after a release the feature update is offered to a device. The service maximizes control over feature updates by creating individual DSS policies for each ring and modifying the ring's DSS policy to change the target update version. Therefore, the feature update deferral policy for all rings is set to zero days so that a change in the DSS policy is released as soon as possible. | +| [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. 
| +| [Grace periods](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) | This policy specifies a minimum number of days after an update is downloaded until the device is automatically restarted. This policy overrides the deadline policy so that if a user comes back from vacation, it prevents the device from forcing a restart to complete the update as soon as it comes online. | + +> [!IMPORTANT] +> Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will render a device ineligible for management. Also, if any update related to group policy settings are detected, the device will also be ineligible for management. + +## Windows 11 testing + +To allow customers to test Windows 11 in their environment, there's a separate DSS policy that enables you to test Windows 11 before broadly adopting within your environment. When you add devices to the **Modern Workplace - Windows 11 Pre-Release Test Devices** group they'll update to Windows 11. + +> [!IMPORTANT] +> This group is intended for testing purposes only and shouldn't be used to broadly update to Windows 11 in your environment. + +## Pausing and resuming a release + +You can pause or resume a Windows feature update from the Release management tab in Microsoft Endpoint Manager. + +## Rollback + +Windows Autopatch doesn't support the rollback of feature updates. + +## Incidents and outages + +If devices in your tenant aren't meeting the [service level objective](#service-level-objective) for Windows feature updates, Autopatch will raise an incident will be raised. The Windows Autopatch Service Engineering Team will work to bring those devices onto the latest version of Windows. + +If you're experiencing other issues related to Windows feature updates, [submit a support request](../operate/windows-autopatch-support-request.md). 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
new file mode 100644
index 0000000000..93e03a5de2
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
@@ -0,0 +1,30 @@ +--- +title: Maintain the Windows Autopatch environment +description: This article details how to maintain the Windows Autopatch environment +ms.date: 07/11/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Maintain the Windows Autopatch environment + +After you've completed enrollment in Windows Autopatch, some management settings might need to be adjusted. Use the following steps: + +1. Review the [Microsoft Intune settings](#microsoft-intune-settings) described in the following section. +1. If any of the items apply to your environment, make the adjustments as described. + +> [!NOTE] +> As your operations continue in the following months, if you make changes after enrollment to policies in Microsoft Intune, Azure Active Directory, or Microsoft 365 that affect Windows Autopatch, it's possible that Windows Autopatch could stop operating properly. To avoid problems with the service, check the specific settings described in [Fix issues found by the readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) before you change the policies listed there. + +## Microsoft Intune settings + +| Setting | Description | +| ----- | ----- | +| Conditional access policies | If you create any new conditional access or multi-factor authentication policies related to Azure AD, or Microsoft Intune after Windows Autopatch enrollment, exclude the Modern Workplace Service Accounts Azure AD group from them. For more information, see [Conditional Access: Users and groups](/azure/active-directory/conditional-access/concept-conditional-access-users-groups). Windows Autopatch maintains separate conditional access policies to restrict access to these accounts.

**To review the Windows Autopatch conditional access policy (Modern Workplace – Secure Workstation):**

Go to Microsoft Endpoint Manager and navigate to **Conditional Access** in **Endpoint Security**. Do **not** modify any Azure AD conditional access policies created by Windows Autopatch that have "**Modern Workplace**" in the name.

| +| Update rings for Windows 10 or later | For any update rings for Windows 10 or later policies you've created, exclude the **Modern Workplace Devices - All** Azure AD group from each policy. For more information, see [Create and assign update rings](/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings).

Windows Autopatch will also have created some update ring policies. all of which The policies will have "**Modern Workplace**" in the name. For example:

  • Modern Workplace Update Policy [Broad]-[Windows Autopatch]
  • Modern Workplace Update Policy [Fast]-[Windows Autopatch]
  • Modern Workplace Update Policy [First]-[Windows Autopatch]
  • Modern Workplace Update Policy [Test]-[Windows Autopatch]

When you update your own policies, ensure that you don't exclude the **Modern Workplace Devices - All** Azure AD group from the policies that Windows Autopatch created.

**To resolve the Not ready result:**

After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).

**To resolve the Advisory result:**

  1. Make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.
  2. If you have assigned Azure AD user groups to these policies, make sure that any update ring policies you have also **exclude** the **Modern Workplace - All** Azure AD group that you add your Windows Autopatch users to (or an equivalent group).

For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).

|
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
index 2175c45a94..8f286647f4 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
@@ -82,27 +82,11 @@ Windows Autopatch will either: Since quality updates are bundled together into a single release in the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview), we can't roll back only a portion of the update for Microsoft 365 Apps for enterprise. -## Conflicting and unsupported policies +## Compatibility with Servicing Profiles -Deploying any of the following policies to a managed device will make that device ineligible for management since the device will prevent us from delivering the service as designed. +[Servicing profiles](/deployoffice/admincenter/servicing-profile) is a feature in the [Microsoft 365 Apps admin center](https://config.office.com/) that provides controlled update management of monthly Office updates, including controls for user and device targeting, scheduling, rollback, and reporting. -### Update policies - -Window Autopatch deploys mobile device management (MDM) policies to configure Microsoft 365 Apps and requires a specific configuration. If any [Microsoft 365 Apps update settings](/deployoffice/configure-update-settings-microsoft-365-apps) are deployed which conflict with our policies, then the device won't be eligible for management. 
- -| Update setting | Value | Usage reason | -| ----- | ----- | ----- | -| Set updates to occur automatically | Enabled | Enable automatic updates | -| Specify a location to look for updates | Blank | Don't use this setting since it overwrites the update branch | -| Update branch | Monthly Enterprise | Supported branch for Windows Autopatch | -| Specify the version of Microsoft 365 Apps to update to | Variable | Used to roll back to a previous version if an error occurs | -| Set a deadline by when updates must be applied | 3 | Update deadline | -| Hide update notifications from users | Turned off | Users should be notified when Microsoft 365 Apps are being updated | -| Hide the option to turn on or off automatic Office updates | Turned on | Prevents users from disabling automatic updates | - -## Microsoft 365 Apps servicing profiles - -A service profile takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management. +A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-with-other-management-tools) takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management. However, the device may still be eligible for other managed updates. 
For more information about a device's eligibility for a given [update type](windows-autopatch-update-management.md#update-types), see the Device eligibility section of each respective update type.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
new file mode 100644
index 0000000000..03abc5724f
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
@@ -0,0 +1,57 @@ +--- +title: Unenroll your tenant +description: This article explains what unenrollment means for your organization and what actions you must take. +ms.date: 07/11/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Unenroll your tenant + +If you're looking to unenroll your tenant from Windows Autopatch, this article details what unenrollment means for your organization and what actions you must take. + +> [!IMPORTANT] +> You must be a Global Administrator to unenroll your tenant. + +Unenrolling from Windows Autopatch requires manual actions from both you and from the Windows Autopatch Service Engineering Team. The Windows Autopatch Service Engineering Team will: + +- Remove Windows Autopatch access to your tenant. +- Deregister your devices from the Windows Autopatch service. Deregistering your devices from Windows Autopatch won't remove your devices from Intune, Azure AD or Configuration Manager. The Windows Autopatch Service Engineering Team follows the same process and principles as laid out in Deregister a device. +- Delete all data that we've stored in the Windows Autopatch data storage. + +> [!NOTE] +> We will **not** delete any of your customer or Intune data. + +## Microsoft's responsibilities during unenrollment + +| Responsibility | Description | +| ----- | ----- | +| Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We won’t make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../references/windows-autopatch-privacy.md). | +| Windows Autopatch cloud service accounts | Windows Autopatch will remove the cloud service accounts created during the enrollment process. The accounts are:
  • MsAdmin
  • MsAdminInt
  • MsTest
| +| Conditional access policy | Windows Autopatch will remove the Modern Workplace – Secure Workstation conditional access policy. | +| Microsoft Endpoint Manager roles | Windows Autopatch will remove the Modern Workplace Intune Admin role. | + +## Your responsibilities after unenrolling your tenant + +| Responsibility | Description | +| ----- | ----- | +| Updates | After the Windows Autopatch service is unenrolled, we’ll no longer provide updates to your devices. You must ensure that your devices continue to receive updates through your own policies to ensure they're secure and up to date. | +| Optional Windows Autopatch configuration | Windows Autopatch won’t remove the configuration policies or groups used to enable updates on your devices. You're responsible for these policies following tenant unenrollment. If you don’t wish to use these policies for your devices after unenrollment, you may safely delete them. | + +## Unenroll from Windows Autopatch + +**To unenroll from Windows Autopatch:** + +1. [Submit a support request](windows-autopatch-support-request.md) and request to unenroll from the Windows Autopatch service. +1. The Windows Autopatch Service Engineering Team will communicate with your IT Administrator to confirm your intent to unenroll from the service. + 1. You'll have 14 days to review and confirm the communication sent by the Windows Autopatch Service Engineering Team. + 2. The Windows Autopatch Service Engineering Team can proceed sooner than 14 days if your confirmation arrives sooner. +1. The Windows Autopatch Service Engineering Team will proceed with the removal of all items listed under [Microsoft's responsibilities during unenrollment](#microsofts-responsibilities-during-unenrollment). +1. The Windows Autopatch Service Engineering Team will inform you when unenrollment is complete. +1. You’re responsible for the items listed under [Your responsibilities after unenrolling your tenant](#your-responsibilities-after-unenrolling-your-tenant). 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
index ac151e3512..04bdc38aae 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
@@ -20,7 +20,8 @@ Keeping your devices up to date is a balance of speed and stability. Windows Aut | Update type | Description | | ----- | ----- | -| Window quality update | Windows Autopatch uses four update rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-wqu-overview.md). | +| Windows quality update | Windows Autopatch uses four update rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-wqu-overview.md). | +| Windows feature update | Windows Autopatch uses four update rings to manage Windows feature updates. For more detailed information, see [Windows feature updates](windows-autopatch-fu-overview.md). | Anti-virus definition | Updated with each scan. | | Microsoft 365 Apps for enterprise | For more information, see [Microsoft 365 Apps for enterprise](windows-autopatch-microsoft-365-apps-enterprise.md). | | Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md
index 2636932319..555d20ee68 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md
@@ -1,5 +1,5 @@ --- -title: End user experience +title: Windows quality update end user experience description: This article explains the Windows quality update end user experience ms.date: 05/30/2022 ms.prod: w11 @@ -12,7 +12,7 @@ manager: dougeby msreviewer: hathind --- -# End user experience +# Windows quality update end user experience Windows Autopatch aims to deploy updates predictably while minimizing the effect to end users by preventing reboots during business hours. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md index 282c602973..e58e36cbfd 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md @@ -72,8 +72,11 @@ If Windows Autopatch detects a [significant issue with a release](../operate/win If we pause the release, a policy will be deployed which prevents devices from updating while the issue is investigated. Once the issue is resolved, the release will be resumed. -> [!NOTE] -> Windows Autopatch doesn't allow you to request that a release be paused or resumed during public preview. +You can pause or resume a Windows quality update from the Release management tab in Microsoft Endpoint Manager. + +## Rollback + +Windows Autopatch will rollback updates if we detect a [significant issue with a release](../operate/windows-autopatch-wqu-signals.md). ## Incidents and outages diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md index a76f93d9c5..1ee72bdfda 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md 
@@ -1,7 +1,7 @@
 ---
-title: Conflicting and unsupported policies
-description: This article explains the conflicting and unsupported policies in Windows quality updates
-ms.date: 05/30/2022
+title: Windows update policies
+description: This article explains Windows update policies in Windows Autopatch
+ms.date: 07/07/2022
 ms.prod: w11
 ms.technology: windows
 ms.topic: conceptual
@@ -12,11 +12,94 @@ manager: dougeby msreviewer: hathind --- -# Conflicting and unsupported policies +# Windows update policies + +## Update rings for Windows 10 and later + +The following policies contain settings which apply to both Windows quality and feature updates. After onboarding there will be four of these policies in your tenant with the following naming convention: + +**Modern Workplace Update Policy [ring name] – [Windows Autopatch]** + +### Windows 10 and later update settings + +| Setting name | Test | First | Fast | Broad | +| ----- | ----- | ----- | ----- | ----- | +| Microsoft product updates | Allow | Allow | Allow | Allow | +| Windows drivers | Allow | Allow | Allow | Allow | +| Quality update deferral period | 0 | 1 | 6 | 9 | +| Feature update deferral period | 0 | 0 | 0 | 0 | +| Upgrade Windows 10 to latest Windows 11 release | No | No | No | No | +| Set feature update uninstall period | 30 days | 30 days | 30 days | 30 days | +| Servicing channel | General availability | General availability | General availability | General availability | + +### Windows 10 and later user experience settings + +| Setting name | Test | First | Fast | Broad | +| ----- | ----- | ----- | ----- | ----- | +| Automatic update behaviour | Reset to default | Reset to default | Reset to default | Reset to default | +| Restart checks | Allow | Allow | Allow | Allow | +| Option to pause updates | Disable | Disable | Disable | Disable | +| Option to check for Windows updates | Default | Default | Default | Default | +| Change notification update level | Default | Default | Default | Default | +| Deadline for feature updates | 5 | 5 | 5 | 5 | +| Deadline for quality updates | 0 | 2 | 2 | 5 | +| Grace period | 0 | 2 | 2 | 2 | +| Auto-restart before deadline | Yes | Yes | Yes | Yes | + +### Windows 10 and later assignments + +| Setting name | Test | First | Fast | Broad | +| ----- | ----- | ----- | ----- | ----- | +| Included groups | Modern Workplace Devices–Windows 
Autopatch-Test | Modern Workplace Devices–Windows Autopatch-First | Modern Workplace Devices–Windows Autopatch-Fast | Modern Workplace Devices–Windows Autopatch-Broad | +| Excluded groups | None | None | None | None | + +## Feature update policies + +The service deploys policies using Microsoft Intune to control how feature updates are deployed to devices. + +### Feature updates for Windows 10 and later + +These policies control the minimum target version of Windows which a device is meant to accept. Throughout the rest of the article, you will see these policies referred to as DSS policies. After onboarding there will be four of these policies in your tenant with the following naming convention: + +**Modern Workplace DSS Policy [ring name]** + +#### Feature update deployment settings + +| Setting name | Test | First | Fast | Broad | +| ----- | ----- | ----- | ----- | ----- | +| Name | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows | +| Rollout options | Immediate start | Immediate start | Immediate start | Immediate start | + +#### Feature update policy assignments + +| Setting name | Test | First | Fast | Broad | +| ----- | ----- | ----- | ----- | ----- | +| Included groups | Modern Workplace Devices–Windows Autopatch-Test | Modern Workplace Devices–Windows Autopatch-First | Modern Workplace Devices–Windows Autopatch-Fast | Modern Workplace Devices–Windows Autopatch-Broad | +| Excluded groups | Modern Workplace – Windows 11 Pre-Release Test Devices | Modern Workplace – Windows 11 Pre-Release Test Devices | Modern Workplace – Windows 11 Pre-Release Test Devices | Modern Workplace – Windows 11 Pre-Release Test Devices | + +#### Windows 11 testing + +To allow customers to test Windows 11 in their environment, there's a separate DSS policy which enables you to test Windows 11 before broadly adopting within your environment. 
+ +##### Windows 11 deployment setting + +| Setting name | Test | +| ----- | ----- | +| Name | Windows 11 | +| Rollout options | Immediate start | + +##### Windows 11 assignments + +| Setting name | Test | +| ----- | ----- | +| Included groups | Modern Workplace – Windows 11 Pre-Release Test Devices | +| Excluded groups | None | + +## Conflicting and unsupported policies Deploying any of the following policies to a Windows Autopatch device will make that device ineligible for management since the device will prevent us from delivering the service as designed. -## Update policies +### Update policies Window Autopatch deploys mobile device management (MDM) policies to configure devices and requires a specific configuration. If any policies from the [Update Policy CSP](/windows/client-management/mdm/policy-csp-update) are deployed to devices that aren't on the permitted list, those devices will be excluded from management. @@ -26,7 +109,7 @@ Window Autopatch deploys mobile device management (MDM) policies to configure de | [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | Update/ActiveHoursEnd | This policy controls the end of the protected window where devices won't reboot.

Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. | | [Active hours max range](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange) | Update/ActiveHoursMaxRange | Allows the IT admin to specify the max active hours range.

This value sets the maximum number of active hours from the start time. Supported values are from eight through to 18. | -## Group policy +### Group policy Group policy takes precedence over mobile device management (MDM) policies. For Windows quality updates, if any group policies are detected which modify the following hive in the registry, the device will be ineligible for management: diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 64041a261e..311d9aee92 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -4,7 +4,7 @@ metadata: description: Answers to frequently asked questions about Windows Autopatch. ms.prod: w11 ms.topic: faq - ms.date: 06/02/2022 + ms.date: 07/06/2022 audience: itpro ms.localizationpriority: medium manager: dougeby @@ -25,7 +25,7 @@ sections: - question: Is Windows 365 for Enterprise supported with Windows Autopatch? answer: | Windows Autopatch supports Windows 365 for Enterprise. Windows 365 for Business isn't supported. - - question: Does Windows Autopatch support Windows Education (A3) or Windows Front Line Worker (F3) licensing? + - question: Does Windows Autopatch support Windows Education (A3/A5) or Windows Front Line Worker (F3) licensing? answer: | Autopatch isn't available for 'A' or 'F' series licensing. - question: Will Windows Autopatch support local domain join Windows 10? 
@@ -34,6 +34,9 @@ sections: - question: Will Windows Autopatch be available for state and local government customers? answer: | Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. + - question: What if I enrolled into Windows Autopatch using the promo code? Will I still have access to the service? + answer: | + Yes. For those who used the promo code to access Windows Autopatch during public preview, you'll continue to have access to Windows Autopatch even when the promo code expires. There is no additional action you have to take to continue using Windows Autopatch. - name: Requirements questions: - question: What are the prerequisites for Windows Autopatch? @@ -43,7 +46,7 @@ sections: - [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) Additional pre-requisites for devices managed by Configuration Manager: - - [Co-management](../prepare/windows-autopatch-prerequisites.md#co-management-requirements) + - [Configuration Manager Co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements) - [A supported version of Configuration Manager](/mem/configmgr/core/servers/manage/updates#supported-versions) - [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.) - question: What are the licensing requirements for Windows Autopatch? 
@@ -59,6 +62,15 @@ sections: - question: Can Autopatch customers individually approve or deny devices? answer: | No you can't individually approve or deny devices. Once a device is registered with Windows Autopatch, updates are rolled out to the devices according to its ring assignment. Individual device level control isn't supported. + - question: Does Autopatch on Windows 365 Cloud PCs have any feature difference from a physical device? + answer: | + No, Windows 365 Enterprise Cloud PC's support all features of Windows Autopatch. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices). + - question: Do my Cloud PCs appear any differently in the Windows Autopatch admin center? + answer: | + Cloud PC displays the model as the license type you have provisioned. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices). + - question: Can I run Autopatch on my Windows 365 Business Workloads? + answer: | + No. Autopatch is only available on enterprise workloads. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices). - name: Update Management questions: - question: What systems does Windows Autopatch update? diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md index a724359a90..107f37c50e 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md 
@@ -1,7 +1,7 @@ --- -title: What is Windows Autopatch? (preview) +title: What is Windows Autopatch? description: Details what the service is and shortcuts to articles -ms.date: 05/30/2022 +ms.date: 07/11/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual @@ -12,10 +12,7 @@ manager: dougeby msreviewer: hathind --- -# What is Windows Autopatch? (preview) - -> [!IMPORTANT] -> **Windows Autopatch is in public preview**. It's actively being developed and may not be complete. You can test and use these features in production environments and [provide feedback](https://go.microsoft.com/fwlink/?linkid=2195593) or start a discussion in our [Windows Autopatch Tech Community](https://aka.ms/Community/WindowsAutopatch). +# What is Windows Autopatch? Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. 
@@ -39,6 +36,7 @@ The goal of Windows Autopatch is to deliver software updates to registered devic | Management area | Service level objective | | ----- | ----- | | [Windows quality updates](../operate/windows-autopatch-wqu-overview.md) | Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. | +| [Windows feature updates](../operate/windows-autopatch-fu-overview.md) | Windows Autopatch aims to keep at least 99% of eligible devices on a supported version of Windows so that they can continue receiving Windows feature updates. | | [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | Windows Autopatch aims to keep at least 90% of eligible devices on a supported version of the Monthly Enterprise Channel (MEC). | | [Microsoft Edge](../operate/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. | | [Microsoft Teams](../operate/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. | @@ -59,33 +57,13 @@ Microsoft remains committed to the security of your data and the [accessibility] ## Need more details? -### Prepare +| Area | Description | +| ----- | ----- | +| Prepare | The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch:

  • [Prerequisites](../prepare/windows-autopatch-prerequisites.md)
  • [Configure your network](../prepare/windows-autopatch-configure-network.md)
  • [Enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md)
  • [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)
| +| Deploy | Once you've enrolled your tenant, this section instructs you to:
  • [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)
  • [Register your devices](../deploy/windows-autopatch-register-devices.md)
| +| Operate | This section includes the following information about your day-to-day life with the service:
  • [Update management](../operate/windows-autopatch-update-management.md)
  • [Maintain your Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md)
  • [Submit a support request](../operate/windows-autopatch-support-request.md)
  • [Deregister a device](../operate/windows-autopatch-deregister-devices.md)
+| References | This section includes the following articles:
  • [Windows update policies](../operate/windows-autopatch-wqu-unsupported-policies.md)
  • [Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)
  • [Privacy](../references/windows-autopatch-privacy.md)
  • [Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md)
| -The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch: +### Have feedback or would like to start a discussion? -- [Prerequisites](../prepare/windows-autopatch-prerequisites.md) -- [Configure your network](../prepare/windows-autopatch-configure-network.md) -- [Enroll your tenant with Windows Autopatch](../prepare/windows-autopatch-enroll-tenant.md) -- [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) - -### Deploy - -Once you've enrolled your tenant, this section instructs you to: - -- [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md) -- [Register your devices](../deploy/windows-autopatch-register-devices.md) - -### Operate - -This section includes the following information about your day-to-day life with the service: - -- [Update management](../operate/windows-autopatch-update-management.md) -- [Submit a support request](../operate/windows-autopatch-support-request.md) -- [Deregister a device](../operate/windows-autopatch-deregister-devices.md) - -### References - -This section includes the following articles: - -- [Privacy](../references/windows-autopatch-privacy.md) -- [Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md) +You can [provide feedback](https://go.microsoft.com/fwlink/?linkid=2195593) or start a discussion in our [Windows Autopatch Tech Community](https://aka.ms/Community/WindowsAutopatch). diff --git a/windows/deployment/windows-autopatch/prepare/index.md b/windows/deployment/windows-autopatch/prepare/index.md index 71ba6f2d78..903d732865 100644 --- a/windows/deployment/windows-autopatch/prepare/index.md +++ b/windows/deployment/windows-autopatch/prepare/index.md 
@@ -19,4 +19,4 @@ The following articles describe the steps you must take to onboard with Windows 1. [Review the prerequisites](windows-autopatch-prerequisites.md) 1. [Configure your network](windows-autopatch-configure-network.md) 1. [Enroll your tenant](windows-autopatch-enroll-tenant.md) -1. [Fix issues found in the Readiness assessment tool](windows-autopatch-fix-issues.md) + 1. [Fix issues found in the Readiness assessment tool](windows-autopatch-fix-issues.md) diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md index a1fb48b746..93a0fbe3bd 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md @@ -32,7 +32,7 @@ The Windows Autopatch URL is used for anything our service runs on the customer | Microsoft service | URLs required on allowlist | | ----- | ----- | -| Windows Autopatch |
  • mmdcustomer.microsoft.com
  • mmdls.microsoft.com
| +| Windows Autopatch |
  • mmdcustomer.microsoft.com
  • mmdls.microsoft.com
  • logcollection.mmd.microsoft.com
  • support.mmd.microsoft.com
| ### Required Microsoft product endpoints diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md index c594bece89..99940fe13f 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md @@ -1,7 +1,7 @@ --- title: Enroll your tenant description: This article details how to enroll your tenant -ms.date: 05/30/2022 +ms.date: 07/11/2022 ms.prod: w11 ms.technology: windows ms.topic: how-to @@ -16,7 +16,10 @@ msreviewer: hathind Before you enroll in Windows Autopatch, there are settings and other parameters you must set ahead of time. -The Readiness assessment tool, accessed through the [Windows Autopatch admin center](https://endpoint.microsoft.com/), checks management or configuration -related settings. This tool allows you to check the relevant settings and detailed steps to fix any settings that aren't configured properly for Windows Autopatch. +> [!IMPORTANT] +> You must be a Global Administrator to enroll your tenant. + +The Readiness assessment tool, accessed through the [Windows Autopatch admin center](https://endpoint.microsoft.com/), checks management or configuration-related settings. This tool allows you to check the relevant settings, and details steps to fix any settings that aren't configured properly for Windows Autopatch. ## Step 1: Review all prerequisites 
@@ -27,18 +30,18 @@ To start using the Windows Autopatch service, ensure you meet the [Windows Autop > [!IMPORTANT] > The online Readiness assessment tool helps you check your readiness to enroll in Windows Autopatch for the first time. Once you enroll, you'll no longer be able to access the tool again. -The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager](#microsoft-intune-settings) (specifically, Microsoft Intune) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Co-management requirements](../prepare/windows-autopatch-prerequisites.md#co-management-requirements). +The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager](#microsoft-intune-settings) (specifically, Microsoft Intune) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Configuration Manager Co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements). **To access and run the Readiness assessment tool:** > [!IMPORTANT] -> You must be a Global Administrator to enroll your tenant. +> You must be a Global Administrator to run the Readiness assessment tool. 1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 2. In the left pane, select Tenant administration and then navigate to Windows Autopatch > **Tenant enrollment**. > [!IMPORTANT] -> If you don't see the Tenant enrollment blade, this is because you don't meet the prerequisites or the proper licenses. 
For more information, see [Windows Autopatch prerequisites](windows-autopatch-prerequisites.md). +> If you don't see the Tenant enrollment blade, this is because you don't meet the prerequisites or the proper licenses. For more information, see [Windows Autopatch prerequisites](windows-autopatch-prerequisites.md#more-about-licenses). A Global Administrator should be used to run this tool. Other roles, such as the Global Reader and Intune Administrator have insufficient permissions to complete the checks on Conditional Access Policies and Multi-factor Authentication. For more information about the extra permissions, see [Conditional access policies](../prepare/windows-autopatch-fix-issues.md#conditional-access-policies). @@ -50,8 +53,8 @@ The following are the Microsoft Intune settings: | Check | Description | | ----- | ----- | -| Update rings for Windows 10 or later | Verifies that Intune's Update rings for Windows 10 or later policy doesn't target all users or all devices. The policy shouldn't target any Windows Autopatch devices. | -| Unlicensed admin | Verifies that this setting is enabled to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. | +| Update rings for Windows 10 or later | Verifies that Intune's Update rings for Windows 10 or later policy doesn't target all users or all devices. Policies of this type shouldn't target any Windows Autopatch devices. For more information, see [Configure update rings for Windows 10 and later in Intune](/mem/intune/protect/windows-10-update-rings). | +| Unlicensed admin | Verifies that this setting is enabled to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. For more information, see [Unlicensed admins in Microsoft Intune](/mem/intune/fundamentals/unlicensed-admins). | ### Azure Active Directory settings 
@@ -59,38 +62,27 @@ The following are the Azure Active Directory settings: | Check | Description | | ----- | ----- | -| Conditional access | Verifies that conditional access policies and multi-factor authentication aren't assigned to all users.

Conditional access policies shouldn't be assigned to Windows Autopatch service accounts. For more information on steps to take, see [Conditional access policies](../prepare/windows-autopatch-fix-issues.md#conditional-access-policies). | -| Windows Autopatch service accounts | Checks that no usernames conflict with ones that Windows Autopatch reserves for its own use. | +| Conditional access | Verifies that conditional access policies and multi-factor authentication aren't assigned to all users.

Your conditional access policies must not prevent our service accounts from accessing the service and must not require multi-factor authentication. For more information, see [Conditional access policies](../prepare/windows-autopatch-fix-issues.md#conditional-access-policies). | +| Windows Autopatch cloud service accounts | Checks that no usernames conflict with ones that Windows Autopatch reserves for its own use. The cloud service accounts are:

  • MsAdmin
  • MsAdminInt
  • MsTest
For more information, see [Tenant access](../references/windows-autopatch-privacy.md#tenant-access). | | Security defaults | Checks whether your Azure Active Directory organization has security defaults enabled. | | Licenses | Checks that you've obtained the necessary [licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). | +### Check results + For each check, the tool will report one of four possible results: | Result | Meaning | | ----- | ----- | | Ready | No action is required before completing enrollment. | | Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.

You can complete enrollment, but you must fix these issues before you deploy your first device. | -| Not ready | Enrollment will fail if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | +| Not ready | You must fix these issues before enrollment. You won’t be able to enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | | Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check. | -### Seeing issues with your tenant? +## Step 3: Fix issues with your tenant If the Readiness assessment tool is displaying issues with your tenant, see [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) for more information on how to remediate. -### Delete data collected from the Readiness assessment tool - -Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Azure Active Directory organization (tenant). After 12 months, we retain the data in a de-identified form. You can choose to delete the data we collect directly within the Readiness assessment tool. - -> [!NOTE] -> Windows Autopatch will only delete the results we collect within the Readiness assessment tool; Autopatch won't delete any other tenant-level data. - -**To delete the data we collect:** - -1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). -2. Navigate to Windows Autopatch > **Tenant enrollment**. -3. Select **Delete all data**. - -## Step 3: Enroll your tenant +## Step 4: Enroll your tenant > [!IMPORTANT] > You must be a Global Administrator to enroll your tenant. 
@@ -105,4 +97,24 @@ Within the Readiness assessment tool, you'll now see the **Enroll** button. By s
 - Provide Windows Autopatch with IT admin contacts.
 - Setup of the Windows Autopatch service on your tenant. This step is where we'll create the policies, groups and accounts necessary to run the service.
 
-Once these actions are complete, you've now successfully enrolled your tenant. Ensure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md) before you [register your devices](../deploy/windows-autopatch-register-devices.md).
+Once these actions are complete, you've now successfully enrolled your tenant.
+
+### Delete data collected from the Readiness assessment tool
+
+You can choose to delete the data we collect directly within the Readiness assessment tool.
+
+Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Azure Active Directory organization (tenant). After 12 months, we retain the data in a de-identified form.
+
+> [!NOTE]
+> Windows Autopatch will only delete the results we collect within the Readiness assessment tool; Autopatch won't delete any other tenant-level data.
+
+**To delete the data we collect:**
+
+1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
+2. Navigate to Windows Autopatch > **Tenant enrollment**.
+3. Select **Delete all data**.
+
+## Next steps
+
+1. Maintain your [Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md).
+1. Ensure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md) before you [register your devices](../deploy/windows-autopatch-register-devices.md).
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
index b9f8c7b372..13b48f4d5d 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
@@ -14,13 +14,17 @@ msreviewer: hathind
 
 # Fix issues found by the Readiness assessment tool
 
+Seeing issues with your tenant? This article details how to remediate issues found with your tenant.
+
+## Check results
+
 For each check, the tool will report one of four possible results:
 
 | Result | Meaning |
 | ----- | ----- |
 | Ready | No action is required before completing enrollment. |
 | Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.

You can complete enrollment, but you must fix these issues before you deploy your first device. | -| Not ready | Enrollment will fail if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | +| Not ready | You must fix these issues before enrollment. You won’t be able to enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | | Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check. | > [!NOTE] @@ -44,8 +48,8 @@ Your "Windows 10 update ring" policy in Intune must not target any Windows Autop | Result | Meaning | | ----- | ----- | -| Not ready | You have an "update ring" policy that targets all devices, all users, or both. Change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices.

After enrolling into Autopatch, make sure that any update ring policies you have exclude the **Modern Workplace Devices - All** Azure Active Directory (AD) group.

For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).

| -| Advisory | Both the **Modern Workplace Devices - All** and **Modern Workplace - All** Azure AD groups are groups that we create after you enroll in Windows Autopatch. This advisory is flagging an action you should take after enrolling into the service:
  1. Make sure that any update ring policies you have exclude the **Modern Workplace Devices - All** Azure Active Directory (AD) group.
  2. If you have assigned Azure AD user groups to these policies, make sure that any update ring policies you have also exclude the **Modern Workplace - All** Azure AD group that you add your Windows Autopatch users to (or an equivalent group).

For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure). | +| Not ready | You have an "update ring" policy that targets all devices, all users, or both.

To resolve, change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices.

For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).

| +| Advisory | Both the **Modern Workplace Devices - All** and **Modern Workplace - All** Azure AD groups are groups that we create after you enroll in Windows Autopatch.

You can continue with enrollment. However, you must resolve the advisory prior to deploying your first device. To resolve the advisory, see [Maintain the Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md).

| ## Azure Active Directory settings @@ -68,13 +72,13 @@ Windows Autopatch requires the following licenses: | ----- | ----- | | Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). | -### Windows Autopatch service accounts +### Windows Autopatch cloud service accounts Certain account names could conflict with account names created by Windows Autopatch. | Result | Meaning | | ----- | ----- | -| Not ready | You have at least one account name that will conflict with account names created by Windows Autopatch. Work with your Microsoft account representative to exclude these account names. We don't list the account names publicly to minimize security risk. | +| Not ready | You have at least one account name that will conflict with account names created by Windows Autopatch. The cloud service accounts are:
  • MsAdmin
  • MsAdminInt
  • MsTest

You must either rename or remove conflicting accounts to move forward with enrolling to the Windows Autopatch service as we'll create these accounts as part of running our service. For more information, see [Tenant Access](../references/windows-autopatch-privacy.md#tenant-access).

| ### Security defaults diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index 5d377d6e50..e5755ced5e 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -1,7 +1,7 @@ --- title: Prerequisites description: This article details the prerequisites needed for Windows Autopatch -ms.date: 05/30/2022 +ms.date: 06/30/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual @@ -16,12 +16,15 @@ msreviewer: hathind Getting started with Windows Autopatch has been designed to be easy. This article outlines the infrastructure requirements you must meet to assure success with Windows Autopatch. +> [!NOTE] +> For those who used the promo code to access Windows Autopatch during public preview, you'll continue to have access to Windows Autopatch even when the promo code expires. There is no additional action you have to take to continue using Windows Autopatch. + | Area | Prerequisite details | | ----- | ----- | | Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).

For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).

For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). | | Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.

For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). | | Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.

  • For more information, see [Azure Active Directory Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) and [Hybrid Azure Active Directory join](/azure/active-directory/devices/howto-hybrid-azure-ad-join)
  • For more information on supported Azure Active Directory Connect versions, see [Azure AD Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).
| -| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.

At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.

Other device management prerequisites include:

  • Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.
  • Devices managed only by Microsoft Endpoint Configuration Manager aren't supported.
  • Devices must be in communication with Microsoft Intune in the last 28 days. Otherwise, the devices won't be registered with Autopatch.
  • Devices must be connected to the internet.

For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview). | +| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.

At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.

Other device management prerequisites include:

  • Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.
  • Devices must be managed by either Intune or Configuration Manager Co-management. Devices only managed by Configuration Manager aren't supported.
  • Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.
  • Devices must be connected to the internet.
  • Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate this information fail to meet **Intune or Cloud-attached** prerequisite check.

See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works.

For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview).

| | Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). | ## More about licenses @@ -42,7 +45,7 @@ The following Windows 64-bit editions are required for Windows Autopatch: - Windows 10/11 Enterprise - Windows 10/11 Pro for Workstations -## Co-management requirements +## Configuration Manager Co-management requirements Windows Autopatch fully supports co-management. The following co-management requirements apply: diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md new file mode 100644 index 0000000000..92295357e9 --- /dev/null +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md 
@@ -0,0 +1,33 @@
+---
+title: Microsoft 365 Apps for enterprise update policies
+description: This article explains the Microsoft 365 Apps for enterprise policies in Windows Autopatch
+ms.date: 07/11/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Microsoft 365 Apps for enterprise update policies
+
+## Conflicting and unsupported policies
+
+Deploying any of the following policies to a managed device will make that device ineligible for management since the device will prevent us from delivering the service as designed.
+
+### Update policies
+
+Window Autopatch deploys mobile device management (MDM) policies to configure Microsoft 365 Apps and requires a specific configuration. If any [Microsoft 365 Apps update settings](/deployoffice/configure-update-settings-microsoft-365-apps) are deployed which conflict with our policies, then the device won't be eligible for management.
+
+| Update setting | Value | Usage reason |
+| ----- | ----- | ----- |
+| Set updates to occur automatically | Enabled | Enable automatic updates |
+| Specify a location to look for updates | Blank | Don't use this setting since it overwrites the update branch |
+| Update branch | Monthly Enterprise | Supported branch for Windows Autopatch |
+| Specify the version of Microsoft 365 Apps to update to | Variable | Used to roll back to a previous version if an error occurs |
+| Set a deadline by when updates must be applied | 3 | Update deadline |
+| Hide update notifications from users | Turned off | Users should be notified when Microsoft 365 Apps are being updated |
+| Hide the option to turn on or off automatic Office updates | Turned on | Prevents users from disabling automatic updates |
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md index 7d992eafee..ee8956decd 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md @@ -58,11 +58,21 @@ Windows Autopatch only processes and stores system-level data from Windows 10 op For more information about the diagnostic data collection of Microsoft Windows 10, see the [Where we store and process personal data](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement. +## Tenant access + +Windows Autopatch creates and uses guest accounts leveraging just-in-time access functionality when signing into a customer tenant to manage the Windows Autopatch service. To provide additional locked down control, Windows Autopatch maintains a separate conditional access policy to restrict access to these accounts. + +| Account name | Usage | Mitigating controls | +| ----- | ----- | -----| +| MsAdmin@tenantDomain.onmicrosoft.com |
  • This is a limited-service account with administrator privileges. This account is used as an Intune and User administrator to define and configure the tenant for Windows Autopatch devices.
  • This account doesn't have interactive login permissions. The account performs operations only through the service.
| Audited sign-ins | +| MsAdminInt@tenantDomain.onmicrosoft.com |
  • This account is an Intune and User administrator account used to define and configure the tenant for Windows Autopatch devices.
  • This account is used for interactive login to the customer’s tenant.
  • The use of this account is extremely limited as most operations are exclusively through MsAdmin (non-interactive) account.
|
  • Restricted to be accessed only from defined secure access workstations (SAWs) through a conditional access policy
  • Audited sign-ins |
+| MsTest@tenantDomain.onmicrosoft.com | This is a standard account used as a validation account for initial configuration and roll out of policy, application, and device compliance settings. | Audited sign-ins |
+
 ## Microsoft Windows Update for Business
 
 Microsoft Windows Update for Business uses data from Windows diagnostics to analyze update status and failures. Windows Autopatch uses this data and uses it to mitigate, and resolve problems to ensure that all registered devices are up to date based on a predefined update cadence.
 
-## Microsft Azure Active Directory
+## Microsoft Azure Active Directory
 
 Identifying data used by Windows Autopatch is stored by Azure Active Directory (Azure AD) in a geographical location. The geographical location is based on the location provided by the organization upon subscribing to Microsoft online services, such as Microsoft Apps for Enterprise and Azure. For more information on where your Azure AD data is located, see [Azure Active Directory - Where is your data located?](https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9)
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index d568f05eef..0164891a96 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -11,7 +11,7 @@ ms.collection:
 - M365-modern-desktop
 - highpri
 ms.topic: tutorial
-ms.date: 05/12/2022
+ms.date: 07/12/2022
 ---
 
 # Demonstrate Autopilot deployment
@@ -42,14 +42,11 @@ You'll need the following components to complete this lab:
 
 | Component | Description |
 |:---|:---|
-|**Windows 10 installation media**|Windows 10 Professional or Enterprise ISO file for a supported version of Windows 10, general availability channel. If you don't already have an ISO to use, download an evaluation version of Windows 10 Enterprise.|
+|**Windows 10 installation media**|Windows 10 Enterprise ISO file for a supported version of Windows 10, general availability channel. If you don't already have an ISO to use, download an [evaluation version of Windows 10 Enterprise](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).|
 |**Internet access**|If you're behind a firewall, see the detailed [networking requirements](/mem/autopilot/software-requirements#networking-requirements). Otherwise, just make sure that you have a connection to the internet.|
 |**Hyper-V or a physical device running Windows 10**|The guide assumes that you'll use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.|
 |**An account with Azure Active Directory (Azure AD) Premium license**|This guide will describe how to get a free 30-day trial Azure AD Premium subscription that can be used to complete the lab.|
 
-> [!NOTE]
-> The Microsoft Evaluation Center is temporarily unavailable. To access Windows client evaluation media, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).
-
 ## Procedures
 
 A summary of the sections and procedures in the lab is provided below. Follow each section in the order it's presented, skipping the sections that don't apply to you. Optional procedures are provided in the appendices.
@@ -142,10 +139,7 @@ After you determine the ISO file location and the name of the appropriate networ ### Set ISO file location -Download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise. Choose a 64-bit version. - -> [!NOTE] -> The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125). +Download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise from the [Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). Choose a 64-bit version. After you download an ISO file, the name will be long. For example, `19042.508.200927-1902.20h2_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso` @@ -180,7 +174,8 @@ All VM data will be created under the current path in your PowerShell prompt. Co ```powershell New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter | Where-Object {$_.Status -eq "Up" -and !$_.Virtual}).Name -New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal +New-VM -Name WindowsAutopilot -MemoryStartupBytes 4GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal +Set-VMProcessor WindowsAutopilot -Count 2 Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot Start-VM -VMName WindowsAutopilot ``` diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index b672974ebd..06dbd93c71 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md 
+++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md 
@@ -74,18 +74,59 @@ The following provides information on the current configurations: - [Microsoft Managed Desktop](/microsoft-365/managed-desktop/service-description/device-policies#windows-diagnostic-data) - [Desktop Analytics](/mem/configmgr/desktop-analytics/overview) -## New Windows diagnostic data processor configuration +## Significant changes coming to the Windows diagnostic data processor configuration -> [!IMPORTANT] -> There are some significant changes planned for the Windows diagnostic data processor configuration. To learn more, [review this information](configure-windows-diagnostic-data-in-your-organization.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +Currently, to enroll devices in the [Window diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) option, IT admins can use policies, such as the “Allow commercial data pipeline” policy, at the individual device level. -Enterprise customers have an option for controlling their Windows diagnostic data for their Azure Active Directory-joined devices. This configuration option is supported on the following versions of Windows: +To enable efficiencies and help us implement our plan to [store and process EU Data for European enterprise customers in the EU](https://blogs.microsoft.com/eupolicy/2021/05/06/eu-data-boundary/), we'll be introducing the following significant change for enterprise Windows devices that have diagnostic data turned on. -- Windows 11 Enterprise, Professional, and Education -- Windows 10, Enterprise, Professional, and Education, version 1809 with at least the July 2021 update. +***We’ll stop using policies, such as the “Allow commercial data pipeline” policy, to configure the processor option. 
Instead, we’ll be introducing an organization-wide configuration based on Azure Active Directory (Azure AD) to determine Microsoft’s role in data processing.*** -Previously, enterprise customers had two options in managing their Windows diagnostic data: 1) allow Microsoft to be the [controller](/compliance/regulatory/gdpr#terminology) of that data and responsible for determining the purposes and means of the processing of Windows diagnostic data in order to improve the Windows operating system and deliver analytical services, or 2) turn off diagnostic data flows altogether. +We’re making this change to help ensure the diagnostic data for all devices in an organization is processed in a consistent way, and in the same geographic region. -Now, customers will have a third option that allows them to be the controller for their Windows diagnostic data, while still benefiting from the purposes that this data serves, such as quality of updates and device drivers. Under this approach, Microsoft will act as a data [processor](/compliance/regulatory/gdpr#terminology), processing Windows diagnostic data on behalf of the controller. +### Devices in Azure AD tenants with a billing address in the European Union (EU) or European Free Trade Association (EFTA) -This new option will enable customers to use familiar tools to manage, export, or delete data to help them meet their compliance obligations. For example, using the Microsoft Azure portal, customers will have the means to respond to their own users’ requests, such as delete and export diagnostic data. Admins can easily enable the Windows diagnostic data processor configuration for Windows devices using group policy or mobile device management ([MDM](/windows/client-management/mdm/policy-csp-system)). 
For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) +For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe. + +From a compliance standpoint, this change means that Microsoft will be the processor and the organization will be the controller of the Windows diagnostic data. IT admins for those organizations will become responsible for responding to their users’ [data subject requests](/compliance/regulatory/gdpr-dsr-windows). + +### Devices in Azure AD tenants with a billing address outside of the EU and EFTA + +For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data: + +- [Update Compliance](/windows/deployment/update/update-compliance-monitor) +- [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview) +- [Microsoft Managed Desktop](/managed-desktop/intro/) +- [Endpoint analytics (in Microsoft Endpoint Manager)](/mem/analytics/overview) + +*(Additional licensing requirements may apply to use these services.)* + +If you don’t sign up for any of these enterprise services, Microsoft will act as controller for the diagnostic data. 
+ +> [!NOTE] +> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. + +### Rollout plan for this change + +This change will roll out initially to Windows devices enrolled in the [Dev Channel](/windows-insider/flighting#dev-channel) of the Windows Insider program no earlier than July 2022. Once the rollout is initiated, devices in the Dev Channel that are joined to an Azure AD tenant with a billing address in the EU or EFTA will be automatically enabled for the processor configuration option. + +During this initial rollout, the following conditions apply to devices in the Dev Channel that are joined to an Azure AD tenant with a billing address outside of the EU or EFTA: + +- Devices can't be enabled for the Windows diagnostic data processor configuration at this time. +- The processor configuration will be disabled in any devices that were previously enabled. +- Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. + +It's recommended Insiders on these devices pause flighting if these changes aren't acceptable. 
+ +For Windows devices in the Dev Channel that aren't joined to an Azure AD tenant, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. + +For other Windows devices (not in the Dev Channel), additional details on supported versions of Windows 11 and Windows 10 will be announced at a later date. These changes will roll out no earlier than the last quarter of calendar year 2022. + +To prepare for this change, ensure that you meet the [prerequisites](configure-windows-diagnostic-data-in-your-organization.md#prerequisites) for Windows diagnostic data processor configuration, join your devices to Azure AD (can be a hybrid Azure AD join), and keep your devices secure and up to date with quality updates. If you're outside of the EU or EFTA, sign up for any of the enterprise services. + +As part of this change, the following policies will no longer be supported to configure the processor option: + - Allow commercial data pipeline + - Allow Desktop Analytics Processing + - Allow Update Compliance Processing + - Allow WUfB Cloud Processing + - Configure the Commercial ID \ No newline at end of file diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 9278a481b7..54a53c7426 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -85,7 +85,7 @@ The following table lists the endpoints related to how you can manage the collec |Connected User Experiences and Telemetry | v10.events.data.microsoft.com

    v10c.events.data.microsoft.com

    v10.vortex-win.data.microsoft.com | | [Windows Error Reporting](/windows/win32/wer/windows-error-reporting) | watson.telemetry.microsoft.com

    umwatsonc.events.data.microsoft.com

    *-umwatsonc.events.data.microsoft.com

    ceuswatcab01.blob.core.windows.net

    ceuswatcab02.blob.core.windows.net

    eaus2watcab01.blob.core.windows.net

    eaus2watcab02.blob.core.windows.net

    weus2watcab01.blob.core.windows.net

    weus2watcab02.blob.core.windows.net | |Authentication | login.live.com



    IMPORTANT: This endpoint is used for device authentication. We do not recommend disabling this endpoint.| -| [Online Crash Analysis](/windows/win32/dxtecharts/crash-dump-analysis) | oca.microsoft.com

    kmwatsonc.telemetry.microsoft.com

    *-kmwatsonc.telemetry.microsoft.com | +| [Online Crash Analysis](/windows/win32/dxtecharts/crash-dump-analysis) | oca.telemetry.microsoft.com

    oca.microsoft.com

    kmwatsonc.events.data.microsoft.com

    *-kmwatsonc.events.data.microsoft.com | |Settings | settings-win.data.microsoft.com



    IMPORTANT: This endpoint is used to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft. We do not recommend disabling this endpoint. This endpoint does not upload Windows diagnostic data. | ### Data access @@ -256,7 +256,7 @@ Use [Policy Configuration Service Provider (CSP)](/windows/client-management/mdm ## Enable Windows diagnostic data processor configuration > [!IMPORTANT] -> There are some significant changes planned for diagnostic data processor configuration. To learn more, [review this information](#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +> There are some significant changes planned for diagnostic data processor configuration. To learn more, [review this information](changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). The Windows diagnostic data processor configuration enables you to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from your Windows devices that meet the configuration requirements. @@ -267,7 +267,7 @@ The Windows diagnostic data processor configuration enables you to be the contro - Enterprise - Professional - Education -- The device must be joined to Azure Active Directory. +- The device must be joined to Azure Active Directory (can be a hybrid Azure AD join). For the best experience, use the most current build of any operating system specified above. Configuration functionality and availability may vary on older systems. See [Lifecycle Policy](/lifecycle/products/windows-10-enterprise-and-education) 
@@ -325,63 +325,6 @@ Windows Update for Business: - [How to enable deployment protections](/windows/deployment/update/deployment-service-overview#how-to-enable-deployment-protections) -### Significant changes coming to the Windows diagnostic data processor configuration - -Currently, to enroll devices in the Window diagnostic data processor configuration option, IT admins can use policies, such as the “Allow commercial data pipeline” policy, at the individual device level. - -To enable efficiencies and help us implement our plan to [store and process EU Data for European enterprise customers in the EU](https://blogs.microsoft.com/eupolicy/2021/05/06/eu-data-boundary/), we'll be introducing the following significant change for enterprise Windows devices that have diagnostic data turned on. - -***We’ll stop using policies, such as the “Allow commercial data pipeline” policy, to configure the processor option. Instead, we’ll be introducing an organization-wide configuration based on Azure Active Directory (Azure AD) to determine Microsoft’s role in data processing.*** - -We’re making this change to help ensure the diagnostic data for all devices in an organization is processed in a consistent way, and in the same geographic region. - -#### Devices in Azure AD tenants with a billing address in the European Union (EU) or European Free Trade Association (EFTA) - -For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe. - -From a compliance standpoint, this change means that Microsoft will be the processor and the organization will be the controller of the Windows diagnostic data. 
IT admins for those organizations will become responsible for responding to their users’ [data subject requests](/compliance/regulatory/gdpr-dsr-windows). - -#### Devices in Azure AD tenants with a billing address outside of the EU and EFTA - -For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data: - -- [Update Compliance](/windows/deployment/update/update-compliance-monitor) -- [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview) -- [Microsoft Managed Desktop](/managed-desktop/intro/) -- [Endpoint analytics (in Microsoft Endpoint Manager)](/mem/analytics/overview) - -*(Additional licensing requirements may apply to use these services.)* - -If you don’t sign up for any of these enterprise services, Microsoft will act as controller for the diagnostic data. - -> [!NOTE] -> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. - -#### Rollout plan for this change - -This change will roll out initially to Windows devices enrolled in the [Dev Channel](/windows-insider/flighting#dev-channel) of the Windows Insider program no earlier than July 2022. 
Once the rollout is initiated, devices in the Dev Channel that are joined to an Azure AD tenant with a billing address in the EU or EFTA will be automatically enabled for the processor configuration option. - -During this initial rollout, the following conditions apply to devices in the Dev Channel that are joined to an Azure AD tenant with a billing address outside of the EU or EFTA: - -- Devices can't be enabled for the Windows diagnostic data processor configuration at this time. -- The processor configuration will be disabled in any devices that were previously enabled. -- Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. - -It's recommended Insiders on these devices pause flighting if these changes aren't acceptable. - -For Windows devices in the Dev Channel that aren't joined to an Azure AD tenant, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. - -For other Windows devices (not in the Dev Channel), additional details on supported versions of Windows 11 and Windows 10 will be announced at a later date. These changes will roll out no earlier than the last quarter of calendar year 2022. - -To prepare for this change, ensure that you meet the [prerequisites](#prerequisites) for Windows diagnostic data processor configuration, join your devices to Azure AD, and keep your devices secure and up to date with quality updates. If you're outside of the EU or EFTA, sign up for any of the enterprise services. 
- -As part of this change, the following policies will no longer be supported to configure the processor option: - - Allow commercial data pipeline - - Allow Desktop Analytics Processing - - Allow Update Compliance Processing - - Allow WUfB Cloud Processing - - Configure the Commercial ID - ## Limit optional diagnostic data for Desktop Analytics For more information about how to limit the diagnostic data to the minimum required by Desktop Analytics, see [Enable data sharing for Desktop Analytics](/mem/configmgr/desktop-analytics/enable-data-sharing). diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index 831b6eb589..e4e7e22ec9 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -147,7 +147,7 @@ An administrator can disable a user’s ability to delete their device’s diagn #### _2.3.7 Diagnostic data: Enabling the Windows diagnostic data processor configuration_ > [!IMPORTANT] -> There are some significant changes planned for the Windows diagnostic data processor configuration. To learn more, [review this information](configure-windows-diagnostic-data-in-your-organization.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +> There are some significant changes planned for the Windows diagnostic data processor configuration. To learn more, [review this information](changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). **Applies to:** diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md index 2ba26987bb..2dfc4dc841 100644 --- a/windows/security/identity-protection/access-control/access-control.md +++ b/windows/security/identity-protection/access-control/access-control.md 
@@ -2,10 +2,6 @@ title: Access Control Overview (Windows 10) description: Access Control Overview ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md index f2d6c64736..404f1abb50 100644 --- a/windows/security/identity-protection/access-control/active-directory-accounts.md +++ b/windows/security/identity-protection/access-control/active-directory-accounts.md @@ -2,10 +2,6 @@ title: Active Directory Accounts (Windows 10) description: Active Directory Accounts ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md index 2ec117c8b9..7a469d0fc0 100644 --- a/windows/security/identity-protection/access-control/active-directory-security-groups.md +++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md @@ -2,10 +2,6 @@ title: Active Directory Security Groups description: Active Directory Security Groups ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/access-control/dynamic-access-control.md b/windows/security/identity-protection/access-control/dynamic-access-control.md index c68a4e721f..b19feb4975 100644 --- a/windows/security/identity-protection/access-control/dynamic-access-control.md +++ b/windows/security/identity-protection/access-control/dynamic-access-control.md 
@@ -2,10 +2,6 @@ title: Dynamic Access Control Overview (Windows 10) description: Learn about Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 655ef0f5b4..654b12daed 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -2,10 +2,6 @@ title: Local Accounts (Windows 10) description: Learn how to secure and manage access to the resources on a standalone or member server for services or users. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/access-control/microsoft-accounts.md b/windows/security/identity-protection/access-control/microsoft-accounts.md index 992afda9d6..7d9575a8f4 100644 --- a/windows/security/identity-protection/access-control/microsoft-accounts.md +++ b/windows/security/identity-protection/access-control/microsoft-accounts.md @@ -2,10 +2,6 @@ title: Microsoft Accounts (Windows 10) description: Microsoft Accounts ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index 8564378d9c..eebc241c56 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md 
+++ b/windows/security/identity-protection/access-control/security-identifiers.md @@ -2,10 +2,6 @@ title: Security identifiers (Windows 10) description: Security identifiers ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/access-control/security-principals.md b/windows/security/identity-protection/access-control/security-principals.md index d6bdc4569e..3120899040 100644 --- a/windows/security/identity-protection/access-control/security-principals.md +++ b/windows/security/identity-protection/access-control/security-principals.md @@ -2,10 +2,6 @@ title: Security Principals (Windows 10) description: Security Principals ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/access-control/service-accounts.md b/windows/security/identity-protection/access-control/service-accounts.md index 2614ab30e4..cd6db0f4f7 100644 --- a/windows/security/identity-protection/access-control/service-accounts.md +++ b/windows/security/identity-protection/access-control/service-accounts.md @@ -2,10 +2,6 @@ title: Service Accounts (Windows 10) description: Service Accounts ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index db7379ba1f..82f5cbbcda 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md 
@@ -3,10 +3,6 @@ title: Special Identities (Windows 10) description: Special Identities ms.prod: m365-security ms.technology: windows-sec -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md index c6922f3901..9184e9a43d 100644 --- a/windows/security/identity-protection/configure-s-mime.md +++ b/windows/security/identity-protection/configure-s-mime.md @@ -1,14 +1,8 @@ --- title: Configure S/MIME for Windows description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them. -ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05 ms.reviewer: -keywords: encrypt, digital signature ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index 9ca5657e1d..5be4c34c1e 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md @@ -2,11 +2,7 @@ title: Additional mitigations description: Advice and sample code for making your domain environment more secure and robust with Windows Defender Credential Guard. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp 
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md index f9dce14935..7b1cc141be 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md @@ -2,11 +2,7 @@ title: Advice while using Windows Defender Credential Guard (Windows) description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp 
@@ -26,27 +22,27 @@ ms.reviewer: Passwords are still weak. We recommend that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business. -Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, are not supported. +Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, aren't supported. ## Wi-fi and VPN Considerations -When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for Single Sign-On. You will be forced to enter your credentials to use these protocols and cannot save the credentials for future use. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. +When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for Single Sign-On. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use. If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. ## Kerberos Considerations When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. 
Use constrained or resource-based Kerberos delegation instead. ## 3rd Party Security Support Providers Considerations -Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it does not allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package) on MSDN. +Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it doesn't allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported. We recommend that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package) on MSDN. 
## Upgrade Considerations As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, subsequent releases of Windows 10 with Windows Defender Credential Guard running may impact scenarios that were working in the past. For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Test scenarios required for operations in an organization before upgrading a device using Windows Defender Credential Guard. ### Saved Windows Credentials Protected -Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: Windows credentials, certificate-based credentials, and generic credentials. Generic credentials such as user names and passwords that you use to log on to websites are not protected since the applications require your cleartext password. If the application does not need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager: -* Windows credentials saved by Remote Desktop Client cannot be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed." +Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: Windows credentials, certificate-based credentials, and generic credentials. 
Generic credentials such as user names and passwords that you use to log on to websites aren't protected since the applications require your cleartext password. If the application doesn't need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager: +* Windows credentials saved by Remote Desktop Client can't be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed." * Applications that extract Windows credentials fail. -* When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials cannot be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you cannot restore those credentials. +* When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials can't be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you can't restore those credentials. ## Clearing TPM Considerations Virtualization-based Security (VBS) uses the TPM to protect its key. So when the TPM is cleared then the TPM protected key used to encrypt VBS secrets is lost. 
@@ -61,17 +57,17 @@ As a result Credential Guard can no longer decrypt protected data. VBS creates a > Credential Guard obtains the key during initialization. So the data loss will only impact persistent data and occur after the next system startup. ### Windows credentials saved to Credential Manager -Since Credential Manager cannot decrypt saved Windows Credentials, they are deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard. +Since Credential Manager can't decrypt saved Windows Credentials, they're deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard. ### Domain-joined device’s automatically provisioned public key Beginning with Windows 10 and Windows Server 2016, domain-devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). -Since Credential Guard cannot decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless additional policies are deployed, there should not be a loss of functionality. If a device is configured to only use public key, then it cannot authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). +Since Credential Guard can't decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless additional policies are deployed, there should not be a loss of functionality. 
If a device is configured to only use public key, then it can't authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab). ### Breaking DPAPI on domain-joined devices -On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery is not possible. +On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery isn't possible. >[!IMPORTANT] > Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. This ensures DPAPI functions and the user does not experience strange behavior.
    @@ -79,11 +75,11 @@ Auto VPN configuration is protected with user DPAPI. User may not be able to use If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you should consider the following. -Domain user sign-in on a domain-joined device after clearing a TPM for as long as there is no connectivity to a domain controller: +Domain user sign-in on a domain-joined device after clearing a TPM for as long as there's no connectivity to a domain controller: |Credential Type | Windows version | Behavior |---|---|---| -| Certificate (smart card or Windows Hello for Business) | All | All data protected with user DPAPI is unusable and user DPAPI does not work at all. | +| Certificate (smart card or Windows Hello for Business) | All | All data protected with user DPAPI is unusable and user DPAPI doesn't work at all. | | Password | Windows 10 v1709 or later | If the user signed-in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected. | Password | Windows 10 v1703 | If the user signed-in with a password prior to clearing the TPM, then they can sign-in with that password and are unaffected. | Password | Windows 10 v1607 or earlier | Existing user DPAPI protected data is unusable. User DPAPI is able to protect new data. 
@@ -91,7 +87,7 @@ Domain user sign-in on a domain-joined device after clearing a TPM for as long a Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted. #### Impact of DPAPI failures on Windows Information Protection -When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook 2016 is unable to start and work protected documents cannot be opened. If DPAPI is working, then newly created work data is protected and can be accessed. +When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook 2016 is unable to start and work protected documents can't be opened. If DPAPI is working, then newly created work data is protected and can be accessed. **Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate). diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md index 0d09f98a43..787063e450 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md 
@@ -2,11 +2,7 @@
 title: How Windows Defender Credential Guard works
 description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
-audience: ITPro
 author: dansimp
 ms.author: dansimp
 manager: dansimp
@@ -25,13 +21,13 @@ ms.reviewer: - Windows Server 2019 -Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. +Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based security and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. -When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. 
However, applications can prompt for credentials or use credentials stored in the Windows Vault, which are not protected by Windows Defender Credential Guard with any of these protocols. It is recommended that valuable credentials, such as the sign-in credentials, are not to be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. +When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Windows Defender Credential Guard with any of these protocols. It is recommended that valuable credentials, such as the sign-in credentials, aren't to be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. -When Windows Defender Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials. +When Windows Defender Credential Guard is enabled, Kerberos doesn't allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials. Here's a high-level overview on how the LSA is isolated by using Virtualization-based security: diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index 7d71cc00ce..0d96d6c124 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md 
@@ -2,11 +2,7 @@
 title: Windows Defender Credential Guard - Known issues (Windows)
 description: Windows Defender Credential Guard - Known issues in Windows Enterprise
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
-audience: ITPro
 author: dansimp
 ms.author: dansimp
 manager: dansimp
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index b63bf80703..a2392e3e3c 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -2,11 +2,7 @@
 title: Manage Windows Defender Credential Guard (Windows)
 description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools.
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
-audience: ITPro
 author: dansimp
 ms.author: v-tappelgate
 manager: dansimp
@@ -53,19 +49,21 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will To enforce processing of the group policy, you can run `gpupdate /force`. -### Enable Windows Defender Credential Guard by using Intune +### Enable Windows Defender Credential Guard by using Microsoft Endpoint Manager -1. From **Home**, select **Microsoft Intune**. +1. From **Microsoft Endpoint Manager admin center**, select **Devices**. -1. Select **Device configuration**. +1. Select **Configuration Profiles**. -1. Select **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**. +1. Select **Create Profile** > **Windows 10 and later** > **Settings catalog** > **Create**. - > [!NOTE] - > It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock. + 1. Configuration settings: In the settings picker select **Device Guard** as category and add the needed settings. + +> [!NOTE] +> Enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock. > [!TIP] -> You can also configure Credential Guard by using an account protection profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings). +> You can also configure Credential Guard by using an account protection profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Endpoint Manager](/mem/intune/protect/endpoint-security-account-protection-profile-settings). ### Enable Windows Defender Credential Guard by using the registry 
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
index 170018c2c2..fba979bcbb 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
@@ -2,11 +2,7 @@
 title: Windows Defender Credential Guard protection limits & mitigations (Windows)
 description: Scenarios not protected by Windows Defender Credential Guard in Windows, and additional mitigations you can use.
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
-audience: ITPro
 author: dansimp
 ms.author: dansimp
 manager: dansimp
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
index 9cab64d757..1b47f91c82 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
@@ -2,11 +2,7 @@
 title: Windows Defender Credential Guard protection limits (Windows)
 description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide.
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
-audience: ITPro
 author: dansimp
 ms.author: dansimp
 manager: dansimp
@@ -28,18 +24,18 @@ Some ways to store credentials are not protected by Windows Defender Credential - Software that manages credentials outside of Windows feature protection - Local accounts and Microsoft Accounts -- Windows Defender Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise. +- Windows Defender Credential Guard doesn't protect the Active Directory database running on Windows Server 2016 domain controllers. It also doesn't protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise. - Key loggers - Physical attacks -- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization. +- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization. - Third-party security packages - Digest and CredSSP credentials - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. -- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. 
Note that these same credentials are vulnerable to key loggers as well.- -- Kerberos service tickets are not protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is. -- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host. +- Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well.- +- Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is. +- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it doesn't provide additional protection from privileged system attacks originating from the host. - Windows logon cached password verifiers (commonly called "cached credentials") -do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available. +don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. 
They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available. ## See also diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index 4762a25d8b..cd0217dffe 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -2,11 +2,7 @@ title: Windows Defender Credential Guard Requirements (Windows) description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md index 709bc9de64..ac96f2cc37 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md 
@@ -2,11 +2,7 @@
 title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows)
 description: Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows.
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
-audience: ITPro
 author: dulcemontemayor
 ms.author: dansimp
 manager: dansimp
diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md
index 4153f5223b..08cb1d98b8 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard.md
@@ -1,14 +1,9 @@
 ---
 title: Protect derived domain credentials with Windows Defender Credential Guard (Windows)
 description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
-ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
-audience: ITPro
 author: dansimp
 ms.author: dansimp
 manager: dansimp
@@ -43,3 +38,8 @@ By enabling Windows Defender Credential Guard, the following features and soluti
 - [What's New in Kerberos Authentication for Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11))
 - [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378897(v=ws.10))
 - [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
+- [Mitigating Credential Theft using the Windows 10 Isolated User Mode](/shows/seth-juarez/mitigating-credential-theft-using-windows-10-isolated-user-mode)
+- [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel](/shows/seth-juarez/isolated-user-mode-processes-features-in-windows-10-logan-gabriel)
+- [More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert](/shows/seth-juarez/more-on-processes-features-in-windows-10-isolated-user-mode-dave-probert)
+- [Isolated User Mode in Windows 10 with Dave Probert](/shows/seth-juarez/isolated-user-mode-in-windows-10-dave-probert)
+- [Windows 10 Virtual Secure Mode with David Hepkin](/shows/seth-juarez/windows-10-virtual-secure-mode-david-hepkin)
diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
index a3c6d35840..1128ef5604 100644
--- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
+++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
@@ -2,11 +2,7 @@
 title: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
 description: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool script
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
-audience: ITPro
 author: SteveSyfuhs
 ms.author: stsyfuhs
 manager: dansimp
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index b41236db4a..bba1605784 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@@ -1,9 +1,6 @@
 ---
 title: Enterprise Certificate Pinning
-ms.mktglfcycl: manage
-ms.sitesec: library
 description: Enterprise certificate pinning is a Windows feature for remembering; or pinning a root issuing certificate authority, or end entity certificate to a given domain name.
-audience: ITPro
 author: dulcemontemayor
 ms.author: dansimp
 manager: dansimp
@@ -11,7 +8,6 @@ ms.collection: M365-identity-device-management
 ms.topic: article
 ms.prod: m365-security
 ms.technology: windows-sec
-ms.pagetype: security
 ms.localizationpriority: medium
 ms.date: 07/27/2017
 ms.reviewer:
diff --git a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
index 9b8365686e..af4b0207cd 100644
--- a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
+++ b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
@@ -2,10 +2,6 @@
 title: WebAuthn APIs
 description: Learn how to use WebAuthn APIs to enable password-less authentication for your sites and apps.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index bb8984236d..46c5ce15d2 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -1,12 +1,7 @@
 ---
 title: Multi-factor Unlock
 description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
index 0ea88cb07e..a22fdc4c4b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
@@ -1,12 +1,7 @@ --- title: Azure Active Directory join cloud only deployment description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device. -keywords: identity, Hello, Active Directory, cloud, ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index cbaecf9da3..201f155223 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -1,12 +1,7 @@ --- title: Having enough Domain Controllers for Windows Hello for Business deployments description: Guide for planning to have an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md index ce4fee62d1..409d7ad594 100644 --- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md +++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md 
@@ -1,13 +1,8 @@ --- title: Windows Hello and password changes (Windows) description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello. -ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55 ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index fb5244ee95..1b7fc74348 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -1,13 +1,7 @@ --- title: Windows Hello biometrics in the enterprise (Windows) description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition. -ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc -keywords: Windows Hello, enterprise biometrics ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index c9023f3eab..7c1152e8bf 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md 
@@ -1,12 +1,7 @@ --- title: Prepare and Deploy Windows AD FS certificate trust (Windows Hello for Business) description: Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 18e5489911..eda6b35e15 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -1,12 +1,7 @@ --- title: Configure Windows Hello for Business Policy settings - certificate trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business. Certificate-based deployments need three group policy settings. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp 
@@ -60,7 +55,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H
 3. Right-click **Group Policy object** and select **New**.
 4. Type *Enable Windows Hello for Business* in the name box and click **OK**.
 5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
-6. In the navigation pane, expand **Policies** under **User Configuration**.
+6. In the navigation pane, expand **Policies** under **User Configuration** (this is the only option for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**).
 7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
 8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**.
 9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**.
@@ -70,7 +65,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H
 1. Start the **Group Policy Management Console** (gpmc.msc).
 2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
 3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
-4. In the navigation pane, expand **Policies** under **User Configuration**.
+4. In the navigation pane, expand **Policies** under **User Configuration** (this is the only option for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**).
 5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**.
 6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**.
 7. Select **Enabled** from the **Configuration Model** list.
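Review bot: The parenthetical added to step 4 of the second hunk (the **Certificate Services Client – Auto-Enrollment** step under **Public Key Policies**) appears to be copied from step 6 of the first hunk and gives the wrong steer here: as far as I can tell, auto-enrollment has existed under both **User Configuration** and **Computer Configuration** on every server version, and for a certificate-trust deployment the Windows Hello for Business certificate is issued to the user, so the policy has to be enabled in user scope regardless of version; enabling it under **Computer Configuration** would auto-enroll machine certificates and leave the user without a sign-in certificate. I would drop the version parenthetical from step 4 and state the actual constraint instead, e.g. `4. In the navigation pane, expand **Policies** under **User Configuration** (user scope is required so that the Windows Hello for Business certificate auto-enrolls for the user, not the computer).` The parenthetical on step 6 of the first hunk may well be correct for the Windows Hello for Business ADMX policy, but this page gives no reference for the 2016/2019 split, so a link to the policy reference would let readers confirm it. Both hunks are complete numbered-list excerpts; the surrounding procedure headings are outside the diff.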
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 53a69d9ca8..281f5bf449 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -1,12 +1,7 @@ --- title: Update Active Directory schema for cert-trust deployment (Windows Hello for Business) description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the certificate trust model. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp 
@@ -25,7 +20,10 @@ ms.reviewer: - On-premises deployment - Certificate trust -The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the **Updating the Schema** and **Create the KeyCredential Admins Security Global Group** steps. +The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. + +> [!NOTE] +> If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the "Updating the Schema" and "Create the KeyCredential Admins Security Global Group" steps that follow. Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 or later DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md index baa09b6712..865759bf10 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md 
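Review bot: The reworked paragraph and the new NOTE tell the reader when the schema update can be skipped, but neither says what the update costs when it cannot be skipped: extending the schema with adprep is forest-wide and not reversible, and the account running it typically needs Schema Admins and Enterprise Admins membership, which should be granted only for the duration of the task. I would add one sentence to the NOTE, e.g. `> Updating the schema is a forest-wide, irreversible change; run adprep.exe with an account that is a member of the Schema Admins and Enterprise Admins groups, and remove those memberships again once the update completes.` The "Updating the Schema" step itself is outside this hunk, so the privilege note could instead live there if that is where readers will look first.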
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md @@ -1,12 +1,7 @@ --- title: Validate and Deploy MFA for Windows Hello for Business with certificate trust description: How to Validate and Deploy Multi-factor Authentication (MFA) Services for Windows Hello for Business with certificate trust -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index 1972c3d210..d6356353aa 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md @@ -1,12 +1,7 @@ --- title: Validate Public Key Infrastructure - certificate trust model (Windows Hello for Business) description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a certificate trust model. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md index ca84dfc5d4..278560bbc5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md 
@@ -1,12 +1,7 @@ --- title: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment description: A guide to on premises, certificate trust Windows Hello for Business deployment. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 1a167b69c6..afe7fdf157 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -1,12 +1,7 @@ --- title: Windows Hello for Business Deployment Overview description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index 0b7c8c940f..47d8b38c53 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md 
@@ -1,13 +1,8 @@ --- title: Windows Hello for Business Deployment Known Issues description: A Troubleshooting Guide for Known Windows Hello for Business Deployment Issues -keywords: identity, PIN, biometric, Hello, passport params: siblings_only ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md index 0798dee5a2..280f51120d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md @@ -1,12 +1,7 @@ --- title: Windows Hello for Business Deployment Guide - On Premises Key Deployment description: A guide to on premises, key trust Windows Hello for Business deployment. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 2ce62675f6..5df469ff3e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md 
@@ -1,12 +1,7 @@ --- title: Deploying Certificates to Key Trust Users to Enable RDP description: Learn how to deploy certificates to a Key Trust user to enable remote desktop with supplied credentials -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 194607bd44..631d982e36 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -1,13 +1,7 @@ --- title: Windows Hello errors during PIN creation (Windows) description: When you set up Windows Hello in Windows 10/11, you may get an error during the Create a work PIN step. -ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502 -keywords: PIN, error, create a work PIN ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md index c5e10be931..3e481d0f4d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-event-300.md +++ b/windows/security/identity-protection/hello-for-business/hello-event-300.md 
@@ -1,14 +1,8 @@ --- title: Event ID 300 - Windows Hello successfully created (Windows) description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). -ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04 ms.reviewer: -keywords: ngc ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md index ac9768add5..5dac00754e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md @@ -1,12 +1,7 @@ --- title: Conditional Access description: Ensure that only approved users can access your devices, applications, and services from anywhere by enabling single sign-on with Azure Active Directory. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md index 066da6e651..445df8f5a8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md 
@@ -1,12 +1,7 @@ --- title: Dual Enrollment description: Learn how to configure Windows Hello for Business dual enrollment. Also, learn how to configure Active Directory to support Domain Administrator enrollment. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, dual enrollment, ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index 7025fb4173..bdd56753a1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md @@ -1,19 +1,14 @@ --- title: Dynamic lock description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 09/09/2019 +ms.date: 07/12/2022 ms.reviewer: --- 
@@ -25,6 +20,9 @@ ms.reviewer: Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it. +> [!IMPORTANT] +> This feature only locks the computer if the Bluetooth signal falls and the system is idle. If the system isn't idle (for example, an intruder gets access _before_ the Bluetooth signal falls below the limit), the device won't lock. Therefore, the dynamic lock feature is an additional barrier. It doesn't replace the need for the user to lock the computer. It only reduces the probability of someone gaining access if the user forgets to lock it. + You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**. The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value: diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 4158e8838a..2ee149c236 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -1,12 +1,7 @@ --- title: Pin Reset description: Learn how Microsoft PIN reset services enables you to help users recover who have forgotten their PIN. -keywords: identity, PIN, Hello, passport, WHFB, hybrid, cert-trust, device, reset ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp 
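Review bot: The new IMPORTANT note correctly narrows what dynamic lock guarantees (lock only when the signal drops and the system is idle), but it stops short of naming the control that must carry the rest: by the note's own conditions, an unattended session whose paired phone stays within range never locks, so dynamic lock only reduces exposure when the user walks away with the phone. I would extend the note with a sentence such as `> Configure an inactivity (idle) lock timeout as the baseline control, and treat dynamic lock as a complement to it rather than a substitute.` The hunk ends before the signal-rule example, so the note's placement above the policy path is fine; the heading that precedes it is outside the diff.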
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index fc797a8b6e..b622e6277f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -1,12 +1,7 @@ --- title: Remote Desktop description: Learn how Windows Hello for Business supports using biometrics with remote desktop -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index 443d3adc15..76b94b5ddb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md @@ -2,10 +2,6 @@ title: How Windows Hello for Business works - Authentication description: Learn about the authentication flow for Windows Hello for Business. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index 96b5a3b434..c81ed991e1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -2,10 +2,6 @@ title: How Windows Hello for Business works - Provisioning description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index a7e607516e..bd667aac11 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -2,10 +2,6 @@ title: How Windows Hello for Business works - Technology and Terms description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index 23efa578c0..768b3a0e02 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md @@ -2,10 +2,6 @@ title: How Windows Hello for Business works description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 2029789901..51f303b2ba 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -1,12 +1,7 @@ --- title: Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business description: Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support them. -keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO, ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 807592de85..5b24b0b2ab 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -1,12 +1,7 @@ --- title: Using Certificates for AADJ On-premises Single-sign On single sign-on description: If you want to use certificates for on-premises single-sign on for Azure Active Directory-joined devices, then follow these additional steps. -keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO, ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp 
@@ -98,7 +93,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync 3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You will now be prompted for delegated permissions consent. -4. In the Graph Explorer URL, enter https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName, where **[userid]** is the user principal name of a user in Azure Active Directory. Select **Run query**. +4. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Azure Active Directory. Select **Run query**. > [!NOTE] > Because the v1.0 endpoint of the Graph API only provides a limited set of parameters, we will use the $select [Optional OData query parameter](/graph/api/user-get?). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios. 
@@ -814,143 +809,23 @@ Sign-in the NDES server with access equivalent to _local administrator_. The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune. -### Download Intune Certificate Connector - -Sign-in a workstation with access equivalent to a _domain user_. - -1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). - -2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**. - -3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section. - - ![Intune Certificate Authority.](images/aadjcert/profile01.png) - -4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server. - -5. Sign-out of the Microsoft Endpoint Manager admin center. - -### Install the Intune Certificate Connector - -Sign-in the NDES server with access equivalent to _domain administrator_. - -1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server. - -2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server. - -3. On the **Microsoft Intune** page, click **Next**. - - ![Intune Connector Install 01.](images/aadjcert/intunecertconnectorinstall-01.png) - -4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation. - -5. On the **Destination Folder** page, click **Next**. - -6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**. - - ![Intune Connector Install 03.](images/aadjcert/intunecertconnectorinstall-03.png) - -7. 
On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**. - - ![Intune Connector Install 05.](images/aadjcert/intunecertconnectorinstall-05.png) - - > [!NOTE] - > The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page. - -8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**. - -9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**. - - ![Intune Connector Install 06.](images/aadjcert/intunecertconnectorinstall-06.png) - - > [!NOTE] - > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder. - -10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task. - - ![Intune Connector install 07.](images/aadjcert/intunecertconnectorinstall-07.png) - -### Configure the Intune Certificate Connector - -Sign-in the NDES server with access equivalent to _domain administrator_. - -1. The **NDES Connector** user interface should be open from the last task. - - > [!NOTE] - > If the **NDES Connector** user interface is not open, you can start it from **\\NDESConnectorUI\NDESConnectorUI.exe**. - -2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect. Click **Apply** - - ![Intune Certificate Connector Configuration 01.](images/aadjcert/intunecertconnectorconfig-01.png) - -3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role. 
- - ![Intune Certificate Connector Configuration 02.](images/aadjcert/intunecertconnectorconfig-02.png) - - > [!IMPORTANT] - > The user account must have a valid Intune license assigned. If the user account does not have a valid Intune license, the sign-in fails. - -4. Optionally, you can configure the NDES Connector for certificate revocation. If you want to do this, continue to the next task. Otherwise, Click **Close**, restart the **Intune Connector Service** and the **World Wide Web Publishing Service**, and skip the next task. - +To learn how to download, install, and configure the Intune Certificate Connector, see [Install the Certificate Connector for Microsoft Intune](/mem/intune/protect/certificate-connector-install). ### Configure the NDES Connector for certificate revocation (**Optional**) -Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users is removed, deleted, or the profile is deleted). +Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users are removed, deleted, or the profile is deleted). You need to select the **Certificate revocation** option during the connector configuration to enable automatic certificate revocation for certificates issued from a Microsoft Active Directory Certification Authority. Additionally, you need to enable the NDES Service account for revocation. -#### Enabling the NDES Service account for revocation +1. Sign in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. -Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. +2. Start the **Certification Authority** management console. -1. 
Start the **Certification Authority** management console. +3. In the navigation pane, right-click the name of the certificate authority and select **Properties**. -2. In the navigation pane, right-click the name of the certificate authority and select **Properties**. - -3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**. +4. Select the **Security** tab, then select **Add**. In the **Enter the object names to select** box, enter **NDESSvc** (or the name you gave the NDES Service account). Select *Check Names*, then select **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Select **OK**. ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png) -4. Close the **Certification Authority** - -#### Enable the NDES Connector for certificate revocation - -Sign-in the NDES server with access equivalent to _domain administrator_. - -1. Open the **NDES Connector** user interface (**\\NDESConnectorUI\NDESConnectorUI.exe**). - -2. Click the **Advanced** tab. Select **Specify a different account username and password**. Type the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**. - - ![Intune Connector cert revocation configuration 04.](images/aadjcert/intunecertconnectorconfig-04.png) - -3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**. - -### Test the NDES Connector - -Sign-in the NDES server with access equivalent to _domain admin_. - -1. Open a command prompt. - -2. 
Type the following command to confirm the NDES Connector's last connection time is current. - - ```console - reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus - ``` - -3. Close the command prompt. - -4. Open **Internet Explorer**. - -5. In the navigation bar, type: - - ```console - https://[fqdnHostName]/certsrv/mscep/mscep.dll - ``` - - where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. - A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. - - ![NDES web site test after Intune Certificate Connector.](images/aadjcert/ndes-https-website-test-after-intune-connector.png) - -6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**. +5. Close the **Certification Authority**. ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md index 6d2ac37a80..1acba0f5b3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md 
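Review bot: The retained sentence `Additionally, you need to enable the NDES Service account for revocation.` is left without a matching procedure, because the hunk drops the `#### Enable the NDES Connector for certificate revocation` steps (the **Advanced** tab, the NDES service-account credentials, and the service restarts) and the new numbered list ends at `5. Close the **Certification Authority**.` with only the CA permission granted. A reader following the new text is never told where the **Certificate revocation** option or the service-account setting lives; either add a one-line pointer such as `Configure the **Certificate revocation** option and the NDES service account in the connector as described in [Install the Certificate Connector for Microsoft Intune](/mem/intune/protect/certificate-connector-install).` or confirm that the linked article covers that step. The removed `### Test the NDES Connector` section also carried `6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**.`; if an earlier part of this page still disables IE ESC for the NDES web-site test, that re-enable step should be kept somewhere so the server is not left with ESC off. Minor style point in the new step 4: `Select *Check Names*` is italic while every other UI label in the same line is bold. The enclosing section begins before this hunk.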
@@ -1,12 +1,7 @@
 ---
 title: Azure AD Join Single Sign-on Deployment
 description: Learn how to provide single sign-on to your on-premises resources for Azure Active Directory-joined devices, using Windows Hello for Business.
-keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO,
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
index 6de21388aa..546fe98a8e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
@@ -1,12 +1,7 @@
 ---
 title: Hybrid Azure AD joined Windows Hello for Business Trust New Installation (Windows Hello for Business)
 description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust deployments rely on.
-keywords: identity, PIN, biometric, Hello, passport, WHFB
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index c45b19aa4d..2d15af954c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -1,12 +1,7 @@
 ---
 title: Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business
 description: Azure Device Registration for Hybrid Certificate Trust Deployment (Windows Hello for Business)
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index 6432ef517b..edba57fd05 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -1,12 +1,7 @@
 ---
 title: Hybrid Azure AD joined Windows Hello for Business Prerequisites
 description: Learn these prerequisites for hybrid Windows Hello for Business deployments using certificate trust.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
index bec180c498..f9c3cf3feb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
@@ -1,12 +1,7 @@
 ---
 title: Hybrid Certificate Trust Deployment (Windows Hello for Business)
 description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index f3d6ed1281..f6e69dad32 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -1,12 +1,7 @@
 ---
 title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business)
 description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
index 94462ebe1d..f8b0c788c1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
@@ -1,12 +1,7 @@
 ---
 title: Configure Hybrid Azure AD joined Windows Hello for Business - Active Directory (AD)
 description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport, WHFB, ad
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index 93dcb39b92..ed13229f6a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -1,12 +1,7 @@
 ---
 title: Configuring Hybrid Azure AD joined Windows Hello for Business - Active Directory Federation Services (ADFS)
 description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport, WHFB, adfs
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
index 7ef3176f22..3dea044165 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
@@ -1,12 +1,7 @@
 ---
 title: Configure Hybrid Azure AD joined Windows Hello for Business Directory Synch
 description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index e6408a1ce4..0a7da03055 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -1,12 +1,7 @@
 ---
 title: Configuring Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure (PKI)
 description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport, WHFB, PKI
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
index a7bc32dc4c..bba12adf27 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
@@ -1,12 +1,7 @@
 ---
 title: Configuring Hybrid Azure AD joined Windows Hello for Business - Group Policy
 description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport, WHFB
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
index dcffcfc154..ec22d31a65 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
@@ -1,12 +1,7 @@
 ---
 title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business)
 description: Learn how to configure Windows Hello for Business settings in hybrid certificate trust deployment.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
index f8d135a315..1f4f7f1f17 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
@@ -1,12 +1,7 @@
 ---
 title: Hybrid Cloud Trust Deployment (Windows Hello for Business)
 description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
@@ -23,7 +18,7 @@ Applies to
 - Windows 10, version 21H2
 - Windows 11 and later
-Windows Hello for Business replaces username and password Windows sign in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario.
+Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario.
 ## Introduction to Cloud Trust
@@ -48,6 +43,8 @@ When you enable Azure AD Kerberos in a domain, an Azure AD Kerberos Server objec
 More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview).
+If you're using the hybrid cloud trust deployment model, you _must_ ensure that you have adequate (one or more, depending on your authentication load) Windows Server 2016 or later read-write domain controllers in each Active Directory site where users will be authenticating for Windows Hello for Business.
+
 ## Prerequisites
 | Requirement | Notes |
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index 4f8c8153c4..66a720d026 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -1,12 +1,7 @@
 ---
 title: Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation
 description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business for systems with no previous installations.
-keywords: identity, PIN, biometric, Hello, passport, WHFB
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
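Review bot: The new domain-controller requirement is added as a standalone paragraph just above the `## Prerequisites` heading rather than inside the table that follows it, so a reader who scans the `| Requirement | Notes |` rows will miss it. Consider adding a row such as `| Windows Server 2016 or later read-write domain controllers | One or more in each Active Directory site where users authenticate with Windows Hello for Business, sized for your authentication load |` and keeping the paragraph as a short pointer to it, or at minimum cross-referencing the table from the paragraph. The wording `adequate (one or more, depending on your authentication load)` is also looser than the rest of the prerequisites and reads better as a concrete minimum with the sizing caveat in the Notes column. The table rows themselves lie outside this hunk.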
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
index 90cbd52d95..4d064c210c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
@@ -1,12 +1,7 @@
 ---
 title: Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business
 description: Azure Device Registration for Hybrid Certificate Key Deployment (Windows Hello for Business)
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, device, registration
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
index 705b84df66..299e93c00c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
@@ -1,12 +1,7 @@
 ---
 title: Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business
 description: Azure Directory Synchronization for Hybrid Certificate Key Deployment (Windows Hello for Business)
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, directory, synchronization, AADConnect
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 90aaa2b968..0850fae7f7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -1,12 +1,7 @@
 ---
 title: Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites (Windows Hello for Business)
 description: Learn about the prerequisites for hybrid Windows Hello for Business deployments using key trust and what the next steps are in the deployment process.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: mapalko
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
index db6d3e0a33..833968247b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
@@ -1,12 +1,7 @@
 ---
 title: Hybrid Key Trust Deployment (Windows Hello for Business)
 description: Review this deployment guide to successfully deploy Windows Hello for Business in a hybrid key trust scenario.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
index c7dd159a00..925d6d12e8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@@ -1,12 +1,7 @@
 ---
 title: Hybrid Azure AD joined Windows Hello for Business key trust Provisioning (Windows Hello for Business)
 description: Learn about provisioning for hybrid key trust deployments of Windows Hello for Business and learn where to find the hybrid key trust deployment guide.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
index 46ba983c83..bbdde28351 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
@@ -1,12 +1,7 @@
 ---
 title: Configuring Hybrid Azure AD joined key trust Windows Hello for Business - Active Directory (AD)
 description: Configuring Hybrid key trust Windows Hello for Business - Active Directory (AD)
-keywords: identity, PIN, biometric, Hello, passport, WHFB, ad, key trust, key-trust
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
index b964f460e9..0ed4142f70 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
@@ -1,12 +1,7 @@
 ---
 title: Hybrid Azure AD joined Windows Hello for Business - Directory Synchronization
 description: How to configure Hybrid key trust Windows Hello for Business - Directory Synchronization
-keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect, Windows Hello, AD Connect, key trust, key-trust
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
index 418298f89e..a43a8e5673 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
@@ -1,12 +1,7 @@
 ---
 title: Configure Hybrid Azure AD joined key trust Windows Hello for Business
 description: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI)
-keywords: identity, PIN, biometric, Hello, passport, WHFB, PKI, Windows Hello, key trust, key-trust
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
index d98732f5c2..26b31e209b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
@@ -1,12 +1,7 @@
 ---
 title: Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy
 description: Configuring Hybrid key trust Windows Hello for Business - Group Policy
-keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, key trust, key-trust
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
index 38b7194d9c..29c29de56f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
@@ -1,12 +1,7 @@
 ---
 title: Configure Hybrid Azure AD joined Windows Hello for Business key trust Settings
 description: Begin the process of configuring your hybrid key trust environment for Windows Hello for Business. Start with your Active Directory configuration.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 4135615f1c..185768fe63 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -1,13 +1,7 @@ --- title: Windows Hello for Business Deployment Prerequisite Overview description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models -ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index d608421337..d2c141ca3a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md @@ -1,12 +1,7 @@ --- title: Prepare & Deploy Windows Active Directory Federation Services with key trust (Windows Hello for Business) description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business using key trust. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp 
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index b67d63f1b7..5baf31a055 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md @@ -1,12 +1,7 @@ --- title: Configure Windows Hello for Business Policy settings - key trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index 2ba08c716b..c8227d9536 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md @@ -1,13 +1,8 @@ --- title: Key registration for on-premises deployment of Windows Hello for Business description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the key trust model. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile author: GitPrakhar13 -audience: ITPro ms.author: prsriva manager: dansimp ms.collection: M365-identity-device-management 
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md index e0d299b2df..968ae0d5b0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md @@ -1,12 +1,7 @@ --- title: Validate and Deploy MFA for Windows Hello for Business with key trust description: How to Validate and Deploy Multifactor Authentication (MFA) Services for Windows Hello for Business with key trust -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md index debf3022c5..809720fdba 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md @@ -1,12 +1,7 @@ --- title: Validate Public Key Infrastructure - key trust model (Windows Hello for Business) description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a key trust model. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index 4b44e661ec..c38b18d8a2 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md @@ -1,13 +1,7 @@ --- title: Manage Windows Hello in your organization (Windows) description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10. -ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8 -keywords: identity, PIN, biometric, Hello ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 86a2a82c99..12ccee58a9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -2,12 +2,7 @@ title: Windows Hello for Business Overview (Windows) ms.reviewer: An overview of Windows Hello for Business description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 7436890316..3212485067 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
@@ -1,12 +1,7 @@ --- title: Planning a Windows Hello for Business Deployment description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md index 8ab37765f1..6b57daee9c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md +++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md @@ -1,14 +1,8 @@ --- title: Prepare people to use Windows Hello (Windows) description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization. -ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B ms.reviewer: -keywords: identity, PIN, biometric, Hello ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md index 013f236742..ab3bdc0500 100644 --- a/windows/security/identity-protection/hello-for-business/hello-videos.md +++ b/windows/security/identity-protection/hello-for-business/hello-videos.md 
@@ -1,12 +1,7 @@ --- title: Windows Hello for Business Videos description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11. -keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md index 6c4c54aee9..ef30d59ed1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md @@ -1,13 +1,7 @@ --- title: Why a PIN is better than an online password (Windows) description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password . -ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212 -keywords: pin, security, password, hello ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md index 556f49c888..75645f288d 100644 --- a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md +++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md 
@@ -1,12 +1,7 @@ --- title: Microsoft-compatible security key description: Learn how a Microsoft-compatible security key for Windows is different (and better) than any other FIDO2 security key. -keywords: FIDO2, security key, CTAP, Hello, WHFB ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 8ca6538d48..74765dffac 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -251,7 +251,7 @@ You can use Group Policy to deploy an administrative template policy setting to :::image type="content" source="images/passwordless/gpmc-exclude-credential-providers.png" alt-text="The Group Policy Management Editor displaying the location of 'Logon' node and the policy setting 'Exclude credential providers'."::: -The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is `60b78e88-ead8-445c-9cfd-0b87f74ea6cd`. +The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is `{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`. :::image type="content" source="images/passwordless/exclude-credential-providers-properties.png" alt-text="Properties of the policy setting 'Exclude credential providers'."::: diff --git a/windows/security/identity-protection/hello-for-business/reset-security-key.md b/windows/security/identity-protection/hello-for-business/reset-security-key.md index 99df1a799a..e2f9b9e978 100644 --- a/windows/security/identity-protection/hello-for-business/reset-security-key.md 
+++ b/windows/security/identity-protection/hello-for-business/reset-security-key.md
@@ -1,12 +1,7 @@
 ---
 title: Reset-security-key
 description: Windows 10 and Windows 11 enables users to sign in to their device using a security key. How to reset a security key
-keywords: FIDO2, security key, CTAP, Microsoft-compatible security key
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
index a3f4153369..29e42655ab 100644
--- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
@@ -2,9 +2,6 @@
 title: How Windows Hello for Business works (Windows)
 description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 author: mapalko
 ms.localizationpriority: high
 ms.author: mapalko
diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md
index 7883dbd5b9..330cc0041d 100644
--- a/windows/security/identity-protection/index.md
+++ b/windows/security/identity-protection/index.md
@@ -2,10 +2,6 @@
 title: Identity and access management (Windows 10)
 description: Learn more about identity and access protection technologies in Windows.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
 author: dansimp
 ms.author: dansimp
 manager: dansimp
diff --git a/windows/security/identity-protection/password-support-policy.md b/windows/security/identity-protection/password-support-policy.md
index 88d73b87aa..5cc29b63a0 100644
--- a/windows/security/identity-protection/password-support-policy.md +++ b/windows/security/identity-protection/password-support-policy.md @@ -8,18 +8,15 @@ ms.custom: - CSSTroubleshoot ms.author: v-tappelgate ms.prod: m365-security -ms.sitesec: library -ms.pagetype: security author: Teresa-Motiv ms.topic: article ms.localizationpriority: medium ms.date: 11/20/2019 -audience: ITPro --- # Technical support policy for lost or forgotten passwords -Microsoft takes security seriously. This is for your protection. Microsoft accounts, the Windows operating system, and other Microsoft products include passwords to help secure your information. This article provides some options that you can use to reset or recover your password if you forget it. Be aware that, if these options don’t work, Microsoft support engineers can't help you retrieve or circumvent a lost or forgotten password. +Microsoft takes security seriously. This is for your protection. Microsoft accounts, the Windows operating system, and other Microsoft products include passwords to help secure your information. This article provides some options that you can use to reset or recover your password if you forget it. If these options don’t work, Microsoft support engineers can't help you retrieve or circumvent a lost or forgotten password. If you lose or forget a password, you can use the links in this article to find published support information that will help you reset the password. 
@@ -31,7 +28,7 @@ If you lose or forget the password for a domain account, contact your IT adminis If you lose or forget the password for your Microsoft Account, use the [Recover your account](https://account.live.com/ResetPassword.aspx) wizard. -This wizard requests your security proofs. If you have forgotten your security proofs, or no longer have access to them, select **I no longer have these anymore**. After you select this option, fill out a form for the Microsoft Account team. Provide as much information as you can on this form. The Microsoft Account team reviews the information that you provide to determine whether you are the account holder. This decision is final. Microsoft does not influence the team's choice of action. +This wizard requests your security proofs. If you've forgotten your security proofs, or no longer have access to them, select **I no longer have these anymore**. After you select this option, fill out a form for the Microsoft Account team. Provide as much information as you can on this form. The Microsoft Account team reviews the information that you provide to determine whether you're the account holder. This decision is final. Microsoft doesn't influence the team's choice of action. ## How to reset a password for a local account on a Windows device 
@@ -51,8 +48,8 @@ If you lose or forget the password for the hardware BIOS of a device, contact th ## How to reset a password for an individual file -Some applications let you password-protect individual files. If you lose or forget such a password, you can rely on that application only to reset or recover it. Microsoft support engineers cannot help you reset, retrieve, or circumvent such passwords. +Some applications let you password-protect individual files. If you lose or forget such a password, you can rely on that application only to reset or recover it. Microsoft support engineers can't help you reset, retrieve, or circumvent such passwords. ## Using third-party password tools -Some third-party companies claim to be able to circumvent passwords that have been applied to files and features that Microsoft programs use. For legal reasons, we cannot recommend or endorse any one of these companies. If you want help to circumvent or reset a password, you can locate and contact a third party for this help. However, you use such third-party products and services at your own risk. +Some third-party companies claim to be able to circumvent passwords that have been applied to files and features that Microsoft programs use. For legal reasons, we can't recommend or endorse any one of these companies. If you want help to circumvent or reset a password, you can locate and contact a third party for this help. However, you use such third-party products and services at your own risk. diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index e919cee245..a477d48218 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md 
@@ -2,10 +2,6 @@ title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10) description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md index 99de6899d4..101b50087d 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md +++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md @@ -2,10 +2,6 @@ title: Smart Card and Remote Desktop Services (Windows) description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index 3ce6180ae9..ddc63b2e02 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -2,10 +2,6 @@ title: Smart Card Architecture (Windows) description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md index 1ad9d49a24..ad0699cf6a 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md @@ -2,10 +2,6 @@ title: Certificate Propagation Service (Windows) description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index eea206d53d..701f3dccd8 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -2,10 +2,6 @@ title: Certificate Requirements and Enumeration (Windows) description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index f557a5a713..50881d1ef8 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md 
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md @@ -2,10 +2,6 @@ title: Smart Card Troubleshooting (Windows) description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md index 0d7a79fdac..9585fdfb5e 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-events.md +++ b/windows/security/identity-protection/smart-cards/smart-card-events.md @@ -2,10 +2,6 @@ title: Smart Card Events (Windows) description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index a74dfed7b2..897140b630 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md 
@@ -2,10 +2,6 @@ title: Smart Card Group Policy and Registry Settings (Windows) description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md index d6656c1427..9fb023c25f 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md +++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md @@ -2,10 +2,6 @@ title: How Smart Card Sign-in Works in Windows description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md index 77c8c9d18b..5757f75aa1 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md 
@@ -2,10 +2,6 @@
 title: Smart Card Removal Policy Service (Windows)
 description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
 author: dansimp
 ms.author: dansimp
 manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
index 0d26cf1289..0345ccac67 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
@@ -2,10 +2,6 @@
 title: Smart Cards for Windows Service (Windows)
 description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
 author: dansimp
 ms.author: dansimp
 manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
index 935f57edf3..a7c1c2bfa4 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
@@ -2,10 +2,6 @@
 title: Smart Card Tools and Settings (Windows)
 description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
 author: dansimp
 ms.author: dansimp
 manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
index 377f4811d2..7f577b80dd 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
@@ -2,10 +2,6 @@
 title: Smart Card Technical Reference (Windows)
 description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
 author: dansimp
 ms.author: dansimp
 manager: dansimp
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index bbc7256c6d..ded2f140d2 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -1,13 +1,8 @@
 ---
 title: How User Account Control works (Windows)
 description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
-ms.assetid: 9f921779-0fd3-4206-b0e4-05a19883ee59
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: operate
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
 author: dansimp
 ms.author: dansimp
 manager: dansimp
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
index 98cfc580cb..eb97277ed7 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
@@ -2,10 +2,6 @@
 title: User Account Control Group Policy and registry key settings (Windows)
 description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
 author: dansimp
 ms.author: dansimp
 manager: dansimp
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
index 3d91177ca0..2e12c5d66e 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
@@ -1,14 +1,9 @@
 ---
 title: User Account Control (Windows)
 description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop.
-ms.assetid: 43ac4926-076f-4df2-84af-471ee7d20c38
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: operate
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
-audience: ITPro
 author: dansimp
 ms.author: dansimp
 manager: dansimp
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
index 4b29de5fe4..d5a71d6a7b 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
@@ -1,13 +1,8 @@
 ---
 title: User Account Control security policy settings (Windows)
 description: You can use security policies to configure how User Account Control works in your organization.
-ms.assetid: 3D75A9AC-69BB-4EF2-ACB3-1769791E1B98
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
 author: dansimp
 ms.author: dansimp
 manager: dansimp
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
index 7b01e6dec2..a6b311b8f1 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
@@ -2,10 +2,6 @@
 title: Deploy Virtual Smart Cards (Windows 10)
 description: This topic for the IT professional discusses the factors to consider when you deploy a virtual smart card authentication solution.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
 author: dansimp
 ms.author: dansimp
 manager: dansimp
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
index 852c4af6d4..cb90ff6746 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
@@ -2,10 +2,6 @@
 title: Evaluate Virtual Smart Card Security (Windows 10)
 description: This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
 author: dansimp
 ms.author: dansimp
 manager: dansimp
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
index 799487b7f9..a1371cb4aa 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
@@ -2,10 +2,6 @@
 title: Get Started with Virtual Smart Cards - Walkthrough Guide (Windows 10)
 description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
 author: dansimp
 ms.author: dansimp
 manager: dansimp
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
index cfdee83c74..f81458d9ea 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
@@ -2,10 +2,6 @@
 title: Virtual Smart Card Overview (Windows 10)
 description: Learn more about the virtual smart card technology that was developed by Microsoft. Find links to additional topics about virtual smart cards.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
 author: dansimp
 ms.author: dansimp
 manager: dansimp
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
index 48cbc570a2..e6674037f9 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
@@ -2,10 +2,6 @@
 title: Tpmvscmgr (Windows 10)
 description: This topic for the IT professional describes the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
 author: dansimp
 ms.author: dansimp
 manager: dansimp
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
index f64d08cdbe..49bd1fbfff 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
@@ -2,10 +2,6 @@
 title: Understanding and Evaluating Virtual Smart Cards (Windows 10)
 description: Learn how smart card technology can fit into your authentication design. Find links to additional topics about virtual smart cards.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
 author: dansimp
 ms.author: dansimp
 manager: dansimp
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
index da45445e1a..3d09432ada 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
@@ -2,10 +2,6 @@
 title: Use Virtual Smart Cards (Windows 10)
 description: This topic for the IT professional describes requirements for virtual smart cards and provides information about how to use and manage them.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
 author: dansimp
 ms.author: dansimp
 manager: dansimp
diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
index 9e47da731c..647e58e84b 100644
--- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@@ -2,9 +2,6 @@
 title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10 and Windows 11)
 description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
 author: dansimp
 ms.author: dansimp
 ms.localizationpriority: medium
diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index a3e52561e5..317751d40d 100644
--- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -2,9 +2,6 @@
 title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10 and Windows 11)
 description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 author: dansimp
 ms.date: 03/22/2022
 ms.reviewer:
diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md
index 70d6af4858..65de4f3780 100644
--- a/windows/security/identity-protection/vpn/vpn-authentication.md
+++ b/windows/security/identity-protection/vpn/vpn-authentication.md
@@ -2,9 +2,6 @@
 title: VPN authentication options (Windows 10 and Windows 11)
 description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
 author: dansimp
 ms.localizationpriority: medium
 ms.date: 09/23/2021
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
index 441d05936f..8b3e2dbebd 100644
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@@ -2,9 +2,6 @@
 title: VPN auto-triggered profile options (Windows 10 and Windows 11)
 description: Learn about the types of auto-trigger rules for VPNs in Windows, which start a VPN when it is needed to access a resource.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
 author: dansimp
 ms.localizationpriority: medium
 ms.date: 09/23/2021
diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md
index ec2a6bed29..0912af9374 100644
--- a/windows/security/identity-protection/vpn/vpn-conditional-access.md
+++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md
@@ -2,9 +2,6 @@
 title: VPN and conditional access (Windows 10 and Windows 11)
 description: Learn how to integrate the VPN client with the Conditional Access Platform, so you can create access rules for Azure Active Directory (Azure AD) connected apps.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
 author: dansimp
 ms.author: dansimp
 manager: dansimp
diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md
index 75cbde62de..75b93889b6 100644
--- a/windows/security/identity-protection/vpn/vpn-connection-type.md
+++ b/windows/security/identity-protection/vpn/vpn-connection-type.md
@@ -2,9 +2,6 @@
 title: VPN connection types (Windows 10 and Windows 11)
 description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
 author: dansimp
 ms.localizationpriority: medium
 ms.date: 08/23/2021
diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md
index 58f9b162de..58fa8e9068 100644
--- a/windows/security/identity-protection/vpn/vpn-guide.md
+++ b/windows/security/identity-protection/vpn/vpn-guide.md
@@ -2,8 +2,6 @@
 title: Windows VPN technical guide (Windows 10 and Windows 11)
 description: Learn about decisions to make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
 author: dansimp
 ms.localizationpriority: medium
 ms.date: 02/21/2022
diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md
index a07cf8e0c7..fe3269e28b 100644
--- a/windows/security/identity-protection/vpn/vpn-name-resolution.md
+++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md
@@ -2,9 +2,6 @@
 title: VPN name resolution (Windows 10 and Windows 11)
 description: Learn how the name resolution setting in the VPN profile configures how name resolution works when a VPN client connects to a VPN server.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
 author: dansimp
 ms.localizationpriority: medium
 ms.date: 09/23/2021
diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
index a0a8aecf5e..2022a4e863 100644
--- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
+++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
@@ -2,10 +2,6 @@
 title: Optimizing Office 365 traffic for remote workers with the native Windows 10 or Windows 11 VPN client
 description: tbd
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
-audience: ITPro
 ms.topic: article
 author: kelleyvice-msft
 ms.localizationpriority: medium
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index cca873649e..b0cd4195ee 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -1,13 +1,9 @@
 ---
 title: VPN profile options (Windows 10 and Windows 11)
 description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
-ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523
 ms.reviewer:
 manager: dansimp
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
 author: dansimp
 ms.author: dansimp
 ms.localizationpriority: medium
diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md
index 3ba700ab9e..291f5adaf9 100644
--- a/windows/security/identity-protection/vpn/vpn-routing.md
+++ b/windows/security/identity-protection/vpn/vpn-routing.md
@@ -2,9 +2,6 @@
 title: VPN routing decisions (Windows 10 and Windows 10)
 description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
 author: dansimp
 ms.localizationpriority: medium
 ms.date: 09/23/2021
diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md
index 31f424f860..2efb2617f3 100644
--- a/windows/security/identity-protection/vpn/vpn-security-features.md
+++ b/windows/security/identity-protection/vpn/vpn-security-features.md
@@ -2,9 +2,6 @@
 title: VPN security features (Windows 10 and Windows 11)
 description: Learn about security features for VPN, including LockDown VPN, Windows Information Protection integration with VPN, and traffic filters.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
 author: dansimp
 ms.localizationpriority: medium
 ms.date: 09/03/2021
diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
index 0465f35ec4..abe5fd0462 100644
--- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
+++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
@@ -1,13 +1,8 @@
 ---
 title: Windows Credential Theft Mitigation Guide Abstract
 description: Provides a summary of the Windows credential theft mitigation guide.
-ms.assetid: 821ddc1a-f401-4732-82a7-40d1fff5a78a
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
 author: dansimp
 ms.author: dansimp
 manager: dansimp
diff --git a/windows/security/includes/improve-request-performance.md b/windows/security/includes/improve-request-performance.md
index 2048d9f516..89b07558ea 100644
--- a/windows/security/includes/improve-request-performance.md
+++ b/windows/security/includes/improve-request-performance.md
@@ -1,17 +1,12 @@
 ---
 title: Improve request performance
 description: Improve request performance
-keywords: server, request, performance
 search.product: eADQiWindows 10XVcnh
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ---
diff --git a/windows/security/includes/microsoft-defender-api-usgov.md b/windows/security/includes/microsoft-defender-api-usgov.md
index 536dab4a74..288e5a9769 100644
--- a/windows/security/includes/microsoft-defender-api-usgov.md
+++ b/windows/security/includes/microsoft-defender-api-usgov.md
@@ -1,17 +1,12 @@
 ---
 title: Microsoft Defender for Endpoint API URIs for US Government
 description: Microsoft Defender for Endpoint API URIs for US Government
-keywords: defender, endpoint, api, government, gov
 search.product: eADQiWindows 10XVcnh
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ---
diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
index fea16b36fc..6c6d9669a2 100644
--- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
@@ -1,17 +1,12 @@
 ---
 title: BCD settings and BitLocker (Windows 10)
 description: This topic for IT professionals describes the BCD settings that are used by BitLocker.
-ms.assetid: c4ab7ac9-16dc-4c7e-b061-c0b0deb2c4fa
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/28/2019
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index 6bb70b5515..f5a1fecb16 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -1,17 +1,12 @@
 ---
 title: BitLocker basic deployment
 description: This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
-ms.assetid: 97c646cb-9e53-4236-9678-354af41151c4
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection:
 - M365-security-compliance
 - highpri
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
index 619291134f..4f129193e8 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@@ -1,17 +1,12 @@
 ---
 title: BitLocker Countermeasures (Windows 10)
 description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key.
-ms.assetid: ebdb0637-2597-4da1-bb18-8127964686ea
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection:
 - M365-security-compliance
 - highpri
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
index df216aa4e3..68c9d667d6 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
@@ -2,14 +2,10 @@
 title: BitLocker deployment comparison (Windows 10)
 description: This article shows the BitLocker deployment comparison chart.
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: lovina-saldanha
 ms.author: v-lsaldanha
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 05/20/2021
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index 359a620b10..e1d313bfbc 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -2,14 +2,10 @@
 title: Overview of BitLocker Device Encryption in Windows
 description: This article provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows.
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection:
 - M365-security-compliance
 - highpri
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index 442bafb9c2..7f02986150 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -1,17 +1,12 @@
 ---
 title: BitLocker Group Policy settings (Windows 10)
 description: This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
-ms.assetid: 4904e336-29fe-4cef-bb6c-3950541864af
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection:
 - M365-security-compliance
 - highpri
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
index f743aedb8a..c8b01291fb 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
@@ -1,17 +1,12 @@
 ---
 title: BitLocker How to deploy on Windows Server 2012 and later
 description: This article for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later
-ms.assetid: 91c18e9e-6ab4-4607-8c75-d983bbe2542f
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/28/2019
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index da9fd23653..efdb32240c 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -1,17 +1,12 @@
 ---
 title: BitLocker - How to enable Network Unlock (Windows 10)
 description: This article for the IT professional describes how BitLocker Network Unlock works and how to configure it.
-ms.assetid: be45bc28-47db-4931-bfec-3c348151d2e9
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection:
 - M365-security-compliance
 - highpri
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index 1b234aad34..faf5dfd19a 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -2,14 +2,10 @@
 title: BitLocker Management Recommendations for Enterprises (Windows 10)
 description: Refer to relevant documentation, products, and services to learn about managing BitLocker for enterprises and see recommendations for different computers.
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection:
 - M365-security-compliance
 - highpri
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md
index 41c1be27f1..92b67559cf 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md
@@ -1,16 +1,11 @@
 ---
 title: BitLocker
 description: This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
-ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2
 ms.author: dansimp
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection:
 - M365-security-compliance
 - highpri
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index 88a6971b32..28426e5d60 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -1,17 +1,12 @@
 ---
 title: BitLocker recovery guide (Windows 10)
 description: This article for IT professionals describes how to recover BitLocker keys from AD DS.
-ms.assetid: d0f722e9-1773-40bf-8456-63ee7a95ea14
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection:
 - M365-security-compliance
 - highpri
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index f33bdd77ff..15738e7ad1 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -1,17 +1,12 @@
 ---
 title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker (Windows 10)
 description: This article for the IT professional describes how to use tools to manage BitLocker.
-ms.assetid: e869db9c-e906-437b-8c70-741dd61b5ea6
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection:
 - M365-security-compliance
 - highpri
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
index 53a8a654a2..dd79eb176a 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
@@ -1,17 +1,12 @@
 ---
 title: BitLocker Use BitLocker Recovery Password Viewer (Windows 10)
 description: This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer.
-ms.assetid: 04c93ac5-5dac-415e-b636-de81435753a2
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection:
 - M365-security-compliance
 - highpri
diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
index ba7ecc2d18..4cda103d80 100644
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -1,17 +1,12 @@
 ---
 title: Prepare your organization for BitLocker Planning and policies (Windows 10)
 description: This topic for the IT professional explains how can you plan your BitLocker deployment.
-ms.assetid: 6e3593b5-4e8a-40ac-808a-3fdbc948059d
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection:
 - M365-security-compliance
 - highpri
diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
index d176a4f457..1d51dfda83 100644
--- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
@@ -1,17 +1,12 @@
 ---
 title: Protecting cluster shared volumes and storage area networks with BitLocker (Windows 10)
 description: This article for IT pros describes how to protect CSVs and SANs with BitLocker.
-ms.assetid: ecd25a10-42c7-4d31-8a7e-ea52c8ebc092
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/28/2019
diff --git a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
index 89bcd638f5..7242269177 100644
--- a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
@@ -4,12 +4,10 @@ description: Describes approaches for investigating BitLocker issues, including
 ms.reviewer: kaushika
 ms.technology: windows-sec
 ms.prod: m365-security
-ms.sitesec: library
 ms.localizationpriority: medium
 author: Teresa-Motiv
 ms.author: v-tappelgate
 manager: kaushika
-audience: ITPro
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
 ms.date: 10/17/2019
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
index 5da7725f1d..ef0e081dee 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
@@ -4,12 +4,10 @@ description: Provides guidance for troubleshooting known issues that may prevent
 ms.reviewer: kaushika
 ms.technology: windows-sec
 ms.prod: m365-security
-ms.sitesec: library
 ms.localizationpriority: medium
 author: Teresa-Motiv
 ms.author: v-tappelgate
 manager: kaushika
-audience: ITPro
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
 ms.date: 10/17/2019
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
index 2609cccafb..cff0ac038d 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
@@ -4,12 +4,10 @@ description: Provides guidance for troubleshooting known issues that may prevent
 ms.reviewer: kaushika
 ms.technology: windows-sec
 ms.prod: m365-security
-ms.sitesec: library
 ms.localizationpriority: medium
 author: Teresa-Motiv
 ms.author: v-tappelgate
 manager: kaushika
-audience: ITPro
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
 ms.date: 10/18/2019
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
index 6898a72c8c..0cd7aa0c07 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
@@ -4,12 +4,10 @@ description: Describes common issues that involve your BitLocker configuration a
 ms.reviewer: kaushika
 ms.technology: windows-sec
 ms.prod: m365-security
-ms.sitesec: library
 ms.localizationpriority: medium
 author: Teresa-Motiv
 ms.author: v-tappelgate
 manager: kaushika
-audience: ITPro
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
 ms.date: 10/17/2019
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
index 101da7a83b..c36cc4ab98 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
@@ -4,12 +4,10 @@ description: Provides instructions for installing and using a tool for analyzing
 ms.reviewer: kaushika
 ms.technology: windows-sec
 ms.prod: m365-security
-ms.sitesec: library
 ms.localizationpriority: medium
 author: Teresa-Motiv
 ms.author: v-tappelgate
 manager: kaushika
-audience: ITPro
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
 ms.date: 10/17/2019
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
index a15efdcb28..abea61f37e 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
@@ -4,12 +4,10 @@ description: provides assistance for issues that you may see if you use Microsof
 ms.reviewer: kaushika
 ms.technology: windows-sec
 ms.prod: m365-security
-ms.sitesec: library
 ms.localizationpriority: medium
 author: Teresa-Motiv
 ms.author: v-tappelgate
 manager: kaushika
-audience: ITPro
 ms.collection:
 - Windows Security Technologies\BitLocker
 - highpri
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
index df10782087..d10158fc36 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
@@ -4,7 +4,7 @@ description: Describes several known issues that you may encounter while using n
 ms.technology: windows-sec
 ms.prod: m365-security
 ms.localizationpriority: medium
-author: Teresa-Motiv
+author: v-tappelgate
 ms.author: v-tappelgate
 manager: kaushika
 ms.reviewer: kaushika
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
index cd0ae7ec94..163cc0e029 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
@@ -4,12 +4,10 @@ description: Describes common issues that can occur that prevent BitLocker from
 ms.reviewer: kaushika
 ms.technology: windows-sec
 ms.prod: m365-security
-ms.sitesec: library
 ms.localizationpriority: medium
 author: Teresa-Motiv
 ms.author: v-tappelgate
 manager: kaushika
-audience: ITPro
 ms.collection:
 - Windows Security Technologies\BitLocker
 - highpri
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
index fe62dc41cc..6a0c6cf979 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
@@ -4,12 +4,10 @@ description: Describes common issues that relate directly to the TPM, and provid
 ms.reviewer: kaushika
 ms.technology: windows-sec
 ms.prod: m365-security
-ms.sitesec: library
 ms.localizationpriority: medium
 author: Teresa-Motiv
 ms.author: v-tappelgate
 manager: kaushika
-audience: ITPro
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
 ms.date: 10/18/2019
diff --git a/windows/security/information-protection/encrypted-hard-drive.md b/windows/security/information-protection/encrypted-hard-drive.md
index 7fe79ded9f..6cf2060ecb 100644
--- a/windows/security/information-protection/encrypted-hard-drive.md
+++ b/windows/security/information-protection/encrypted-hard-drive.md
@@ -1,14 +1,10 @@
 ---
 title: Encrypted Hard Drive (Windows)
 description: Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 author: dulcemontemayor
 ms.date: 04/02/2019
 ---
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 1d0b0ea803..4460e09f34 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -91,8 +91,11 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to
 - Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md).
 - Reboot system into Windows.
- >[!NOTE]
- > **Hyper-V - Virtualization Enabled in Firmware** is not available when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is displayed. This means that **Hyper-V - Virtualization Enabled in Firmware** is set to Yes and the **Hyper-V** Windows feature is enabled. Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection).
+ > [!NOTE]
+ > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES.
+
+ > [!NOTE]
+ > Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection).
 4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature.
diff --git a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
index 5356f4bc2d..3ad6efecd1 100644
--- a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
+++ b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
@@ -1,16 +1,11 @@
 ---
 title: Back up the TPM recovery information to AD DS (Windows)
 description: This topic for the IT professional describes backup of Trusted Platform Module (TPM) information.
-ms.assetid: 62bcec80-96a1-464e-8b3f-d177a7565ac5
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/03/2021
diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
index 7260afb4d5..4337bd6dac 100644
--- a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
+++ b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
@@ -1,16 +1,11 @@
 ---
 title: Change the TPM owner password (Windows)
 description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system.
-ms.assetid: e43dcff3-acb4-4a92-8816-d6b64b7f2f45
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 01/18/2022
diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
index c54c2521ad..9b2fa9a1f7 100644
--- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
@@ -1,17 +1,12 @@
 ---
 title: How Windows uses the TPM
 description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it to enhance security.
-ms.assetid: 0f7e779c-bd25-42a8-b8c1-69dfb54d0c7f
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection:
 - M365-security-compliance
 - highpri
diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
index a4f56fec1e..b6e14ea7da 100644
--- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
@@ -1,16 +1,11 @@
 ---
 title: Troubleshoot the TPM (Windows)
 description: This article for the IT professional describes how to view status for, clear, or troubleshoot the Trusted Platform Module (TPM).
-ms.assetid: 1166efaf-7aa3-4420-9279-435d9c6ac6f8
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection:
 - M365-security-compliance
 - highpri
diff --git a/windows/security/information-protection/tpm/manage-tpm-commands.md b/windows/security/information-protection/tpm/manage-tpm-commands.md
index f998c94a96..697fdc3840 100644
--- a/windows/security/information-protection/tpm/manage-tpm-commands.md
+++ b/windows/security/information-protection/tpm/manage-tpm-commands.md
@@ -1,15 +1,10 @@
 ---
 title: Manage TPM commands (Windows)
 description: This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
-ms.assetid: a78e751a-2806-43ae-9c20-2e7ca466b765
 ms.author: dansimp
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 author: dulcemontemayor
 manager: dansimp
-audience: ITPro
 ms.collection:
 - M365-security-compliance
 - highpri
diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md
index 814498c4c7..a28ed8f612 100644
--- a/windows/security/information-protection/tpm/manage-tpm-lockout.md
+++ b/windows/security/information-protection/tpm/manage-tpm-lockout.md
@@ -1,16 +1,11 @@
 ---
 title: Manage TPM lockout (Windows)
 description: This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
-ms.assetid: bf27adbe-404c-4691-a644-29ec722a3f7b
 ms.reviewer:
 ms.author: dansimp
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 author: dulcemontemayor
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/06/2021
diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
index dff3ed5386..22a4d729b0 100644
--- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
@@ -1,16 +1,11 @@
 ---
 title: Understanding PCR banks on TPM 2.0 devices (Windows)
 description: This topic for the IT professional provides background about what happens when you switch PCR banks on TPM 2.0 devices.
-ms.assetid: 743FCCCB-99A9-4636-8F48-9ECB3A3D10DE
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection:
 - M365-security-compliance
 - highpri
diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md
index 972a59fcc1..391fb0e733 100644
--- a/windows/security/information-protection/tpm/tpm-fundamentals.md
+++ b/windows/security/information-protection/tpm/tpm-fundamentals.md
@@ -1,16 +1,11 @@
 ---
 title: Trusted Platform Module (TPM) fundamentals (Windows)
 description: Inform yourself about the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and how they are used to mitigate dictionary attacks.
-ms.assetid: ac90f5f9-9a15-4e87-b00d-4adcf2ec3000
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection:
 - M365-security-compliance
 - highpri
diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
index 5a343e626c..1790a62ef4 100644
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@@ -1,17 +1,12 @@
 ---
 title: TPM recommendations (Windows)
 description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows.
-ms.assetid: E85F11F5-4E6A-43E7-8205-672F77706561
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection:
 - M365-security-compliance
 - highpri
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
index 07705c394b..942d2ff588 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -1,17 +1,12 @@
 ---
 title: Trusted Platform Module Technology Overview (Windows)
 description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
-ms.assetid: face8932-b034-4319-86ac-db1163d46538
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: high
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection:
 - M365-security-compliance
 - highpri
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
index c70105fc3b..5dadb45989 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -1,16 +1,11 @@
 ---
 title: TPM Group Policy settings (Windows)
 description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
-ms.assetid: 54ff1c1e-a210-4074-a44e-58fee26e4dbd
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection:
 - M365-security-compliance
 - highpri
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
index c1799559bf..85807ba447 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
@@ -2,14 +2,10 @@
 title: Trusted Platform Module (Windows)
 description: This topic for the IT professional provides links to information about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection:
 - M365-security-compliance
 - highpri
diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
index 57044c576d..4d6e18a29e 100644
--- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
@@ -1,16 +1,11 @@
 ---
 title: Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) (Windows 10)
 description: Learn how unenlightened and enlightened apps might behave, based on Windows Information Protection (WIP) network policies, app configuration, and other criteria
-keywords: WIP, Enterprise Data Protection, EDP, Windows Information Protection, unenlightened apps, enlightened apps
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/26/2019
diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
index f7bfc44de4..49dd0c2647 100644
--- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
+++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
@@ -2,14 +2,10 @@
 title: How to collect Windows Information Protection (WIP) audit event logs (Windows 10)
 description: How to collect & understand Windows Information Protection audit event logs via the Reporting configuration service provider (CSP) or Windows Event Forwarding.
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/26/2019
diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index 1b4ece02db..3f1a5747a9 100644
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -1,16 +1,11 @@
 ---
 title: Make & verify an EFS Data Recovery Agent certificate (Windows 10)
 description: Follow these steps to create, verify, and perform a quick recovery by using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate.
-keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 03/05/2019
diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
index 3c7680cf51..de0d27d47c 100644
--- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@@ -1,16 +1,11 @@
 ---
 title: Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune (Windows 10)
 description: After you've created and deployed your Windows Information Protection (WIP) policy, use Microsoft Intune to link it to your Virtual Private Network (VPN) policy
-keywords: WIP, Enterprise Data Protection
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/26/2019
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
index fdbf865d8a..0c4214d344 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
@@ -1,18 +1,12 @@
 ---
 title: Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Manager (Windows 10)
 description: Use Configuration Manager to make & deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data.
-ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529
 ms.reviewer:
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager, MEMCM, Microsoft Endpoint Configuration Manager
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 01/09/2020
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 3fa8df029b..39ff0696bb 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -2,13 +2,9 @@
 title: Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune (Windows 10)
 description: Learn how to use the Azure portal for Microsoft Intune to create and deploy your Windows Information Protection (WIP) policy to protect data on your network.
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 05/13/2019
diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
index c81eea7fca..d097f3b77a 100644
--- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
@@ -1,16 +1,11 @@
 ---
 title: Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune (Windows 10)
 description: After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, Intune
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 03/05/2019
diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index 21a45af6ca..021ea7ed44 100644
--- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -1,18 +1,12 @@
 ---
 title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP) (Windows 10)
 description: Learn the difference between enlightened and unenlightened apps. Find out which enlightened apps are provided by Microsoft. Learn how to allow-list them.
-ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f
 ms.reviewer:
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 05/02/2019
diff --git a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
index 1f6aaa6f4e..df344aface 100644
--- a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
+++ b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
@@ -1,18 +1,12 @@
 ---
 title: General guidance and best practices for Windows Information Protection (WIP) (Windows 10)
 description: Find resources about apps that can work with Windows Information Protection (WIP) to protect data. Enlightened apps can tell corporate and personal data apart.
-ms.assetid: aa94e733-53be-49a7-938d-1660deaf52b0
 ms.reviewer:
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/26/2019
diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
index 18726f1c02..d984b38ce8 100644
--- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
@@ -1,15 +1,10 @@
 ---
 title: Limitations while using Windows Information Protection (WIP) (Windows 10)
 description: This section includes info about the common problems you might encounter while using Windows Information Protection (WIP).
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/05/2019
diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
index 6c2ccfde53..26beadd011 100644
--- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
@@ -1,16 +1,11 @@
 ---
 title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP) (Windows 10)
 description: Review all of the tasks required for Windows to turn on Windows Information Protection (WIP), formerly enterprise data protection (EDP), in your enterprise.
-keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection, protected apps, protected app list, App Rules, Protected apps list
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 05/25/2022
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
index c017a7e4f6..f60db36a4f 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
@@ -1,17 +1,12 @@
 ---
 title: Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Manager (Windows 10)
 description: Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
-ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/26/2019
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
index 348af05f36..9c4593f028 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
@@ -1,17 +1,12 @@
 ---
 title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
 description: Microsoft Intune and Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy.
-ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
 ms.reviewer:
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 03/11/2019
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 89d703af97..f5e201aa75 100644
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -1,17 +1,11 @@
 ---
 title: Protect your enterprise data using Windows Information Protection (WIP) (Windows 10)
 description: Learn how to prevent accidental enterprise data leaks through apps and services, such as email, social media, and the public cloud.
-ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, DLP, data loss prevention, data leakage protection
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection:
 - M365-security-compliance
 - highpri
diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
index c55f4fe75b..14f23ff7f7 100644
--- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
@@ -1,16 +1,11 @@
 ---
 title: Recommended URLs for Windows Information Protection (Windows 10)
 description: Recommended URLs to add to your Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP).
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Neutral Resources, WIP and Enterprise Cloud Resources
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 03/25/2019
diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
index 247a47ecf5..4f2fdaa90d 100644
--- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -1,18 +1,12 @@
 ---
 title: Testing scenarios for Windows Information Protection (WIP) (Windows 10)
 description: A list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
-ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2
 ms.reviewer:
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 03/05/2019
diff --git a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
index c1188fad4b..78349eb5ab 100644
--- a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
@@ -1,16 +1,11 @@
 ---
 title: Using Outlook on the web with WIP (Windows 10)
 description: Options for using Outlook on the web with Windows Information Protection (WIP).
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and OWA configuration, OWA, Outlook Web access
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/26/2019
diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
index 84dae48f11..20d519622f 100644
--- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
+++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
@@ -1,16 +1,11 @@
 ---
 title: Determine the Enterprise Context of an app running in Windows Information Protection (WIP) (Windows 10)
 description: Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP).
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Task Manager, app context, enterprise context
 ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: dansimp
-audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/26/2019
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 4a0981cf1f..5d9db2a678 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -223,7 +223,7 @@ Value | Description
 **4.** | If present, Secure Memory Overwrite is available.
 **5.** | If present, NX protections are available.
 **6.** | If present, SMM mitigations are available.
-**7.** | If present, Mode Based Execution Control is available.
+**7.** | If present, MBEC/GMET is available.
 **8.** | If present, APIC virtualization is available.
 
 #### InstanceIdentifier
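Review bot: The rewritten row `**7.** | If present, MBEC/GMET is available.` removes the only expansion of the acronym this table had ("Mode Based Execution Control") and adds a second one, GMET, that the page never defines, so someone reading a device's VBS capability report cannot map bit 7 back to a CPU feature from this row alone. Expand both at first use, e.g. `**7.** | If present, Mode Based Execution Control (MBEC) or GMET is available.` and define GMET in the same sentence (it appears to be the non-Intel counterpart of MBEC, but that is not stated in the hunk and should be confirmed before it is written down). The matching "is needed" row for the required-features table is changed in a separate hunk and should get the same expansion so the two tables stay consistent.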
@@ -243,7 +243,7 @@ Value | Description
 **4.** | If present, Secure Memory Overwrite is needed.
 **5.** | If present, NX protections are needed.
 **6.** | If present, SMM mitigations are needed.
-**7.** | If present, Mode Based Execution Control is needed.
+**7.** | If present, MBEC/GMET is needed.
 
 #### SecurityServicesConfigured
 
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
index 3594cd303d..0284f2bb14 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
@@ -36,6 +36,9 @@ Microsoft developed this feature to make it easier for users with certain types
 
 A malicious user might install malware that looks like the standard sign-in dialog box for the Windows operating system, and capture a user's password. The attacker can then sign in to the compromised account with whatever level of user rights that user has.
 
+> [!NOTE]
+> When the policy is defined, registry value **DisableCAD** located in **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System** is created. To revert the changes made by this policy, it is not enough to set its value to **Not defined**, this registry value needs to be removed as well.
+
 ### Possible values
 
 - Enabled
diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
index 126438d791..39c6bc3b10 100644
--- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
+++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
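Review bot: The new note in the Ctrl+Alt+Del hunk tells the reader that **DisableCAD** is left behind when the policy goes back to **Not defined**, but it does not say which value corresponds to **Enabled**, so an auditor cannot tell from the registry whether the secure attention sequence is currently being bypassed. Because the paragraph right above describes the credential-theft risk this policy enables, the note should also spell out the consequence of the stale value, for example `> If the value is left in place, the behaviour it selects stays in effect even though Group Policy reports the setting as **Not defined**; after reverting, confirm the value is absent before treating the device as compliant.` Adding the numeric value that maps to Enabled and Disabled would make that check concrete; the mapping is not visible in this hunk, so verify it before writing it in.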
@@ -85,7 +85,7 @@ This section describes how an attacker might exploit a feature or its configurat
 
 ### Vulnerability
 
-The **Log on as a batch job** user right presents a low-risk vulnerability. For most organizations, the default settings are sufficient. Members of the local Administrators group have this right by default.
+The **Log on as a batch job** user right presents a low-risk vulnerability that allows non-administrators to perform administrator-like functions. If not assessed, understood, and restricted accordingly, attackers can easily exploit this potential attack vector to compromise systems, credentials, and data. For most organizations, the default settings are sufficient. Members of the local Administrators group have this right by default.
 
 ### Countermeasure
 
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
index bdbf0e528d..0e0c392215 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
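Review bot: The rewritten Vulnerability sentence contradicts itself: it calls the right a "low-risk vulnerability", then says attackers "can easily exploit" it to "compromise systems, credentials, and data", and the next sentence still says the defaults are sufficient. It also asserts that the right lets non-administrators "perform administrator-like functions" without naming one, and nothing in the hunk supports that claim. State the actual exposure instead, e.g. `The **Log on as a batch job** user right presents a low-risk vulnerability: an account that holds it can be used to run batch jobs without an interactive sign-in, so granting it to more accounts than necessary gives an attacker who controls one of those accounts a way to run code persistently under it.` and keep the existing guidance about defaults unchanged. The Vulnerability section continues past the end of the hunk.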
@@ -47,9 +47,13 @@ When you enable this audit policy, it functions in the same way as the **Network
 
     The domain controller will log events for NTLM authentication logon attempts that use domain accounts when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain accounts**.
 
-- Not defined
+- **Enable for domain servers**
 
-    This is the same as **Disable** and results in no auditing of NTLM traffic.
+    The domain controller will log events for NTLM authentication requests to all servers in the domain when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain servers**.
+
+- **Enable all**
+
+    The domain controller on which this policy is set will log all events for incoming NTLM traffic.
 
 ### Best practices
 
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
index f53a1e1665..4c05d8bea2 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
@@ -14,7 +14,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 06/15/2022
 ms.technology: windows-sec
 ---
 
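Review bot: Dropping the **Not defined** entry from the possible-values list removes the only statement that an unconfigured policy audits nothing, which is the state most domains are in; a reader of the new list could assume NTLM auditing is on by default and never see the 8004-style visibility they expect. Keep the entry alongside the two new ones, e.g. `- **Not defined**` followed by `    This is the same as **Disable** and results in no auditing of NTLM traffic.`. Separately, the new **Enable for domain servers** text says events are logged for requests "to all servers in the domain" but does not say whether domain controllers themselves are included, and the **Enable all** text says only "the domain controller on which this policy is set" logs, which reads as if the setting were per-DC rather than domain-wide; both should be made explicit if the behaviour is known.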
@@ -25,6 +25,10 @@ ms.technology: windows-sec
 
 Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting.
 
+
+> [!NOTE]
+> For more information about configuring a server to be accessed remotely, see [Remote Desktop - Allow access to your PC](/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access).
+
 ## Reference
 
 The **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** policy setting allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system.
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
index a0a8270da7..7cbaa1f1fc 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
@@ -23,6 +23,7 @@ ms.technology: windows-sec
 **Applies to**
 
 - Windows 10
+- Windows 11
 
 This reference topic describes the common scenarios, architecture, and processes for security settings.
 
@@ -44,7 +45,7 @@ For more info about managing security configurations, see [Administer security p
 
 The Security Settings extension of the Local Group Policy Editor includes the following types of security policies:
 
-- **Account Policies.** These polices are defined on devices; they affect how user accounts can interact with the computer or domain. Account policies include the following types of policies:
+- **Account Policies.** These policies are defined on devices; they affect how user accounts can interact with the computer or domain. Account policies include the following types of policies:
 
     - **Password Policy.** These policies determine settings for passwords, such as enforcement and lifetimes. Password policies are used for domain accounts.
     - **Account Lockout Policy.** These policies determine the conditions and length of time that an account will be locked out of the system. Account lockout policies are used for domain or local user accounts.
@@ -119,7 +120,7 @@ For devices that are members of a Windows Server 2008 or later domain, securit
 
 - **Local Security Authority (LSA)**
 
-    A protected subsystem that authenticates and logs users onto the local system. LSA also maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system.
+    A protected subsystem that authenticates and logs on users to the local system. LSA also maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system.
 
 - **Windows Management Instrumentation (WMI)**
 
@@ -296,7 +297,7 @@ Group Policy settings are processed in the following order:
 
 1. **Domain.**
 
-    Processing of multiple domain-linked Group Policy Objects is synchronous and in an order you speciy.
+    Processing of multiple domain-linked Group Policy Objects is synchronous and in an order you specify.
 
 1. **Organizational units.**
 
@@ -404,4 +405,4 @@ To ensure that data is copied correctly, you can use Group Policy Management Con
 | - | - |
 | [Administer security policy settings](administer-security-policy-settings.md) | This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.|
 | [Configure security policy settings](how-to-configure-security-policy-settings.md) | Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.|
-| [Security policy settings reference](security-policy-settings-reference.md) | This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.|
\ No newline at end of file
+| [Security policy settings reference](security-policy-settings-reference.md) | This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.|
diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
index 07dfa8e8f7..c03c66e7fb 100644
--- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
@@ -38,7 +38,7 @@ Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId Tagg ## Deploy AppId Tagging Policies with MDM -Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). +Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). ## Deploy AppId Tagging Policies with Configuration Manager diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 2f007e159d..a7d64bd225 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -73,13 +73,13 @@ href: windows-defender-application-control-deployment-guide.md items: - name: Deploy WDAC policies with MDM - href: deploy-windows-defender-application-control-policies-using-intune.md - - name: Deploy WDAC policies with MEMCM + href: deployment/deploy-windows-defender-application-control-policies-using-intune.md + - name: Deploy WDAC policies with Configuration Manager href: deployment/deploy-wdac-policies-with-memcm.md - name: Deploy WDAC policies with script href: deployment/deploy-wdac-policies-with-script.md - - name: Deploy WDAC policies with Group Policy - href: deploy-windows-defender-application-control-policies-using-group-policy.md + - name: Deploy WDAC policies with group policy + href: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md - name: Audit WDAC policies href: audit-windows-defender-application-control-policies.md - name: Merge WDAC policies 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
index 5c09c86d2e..6921eeb8f7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
@@ -40,12 +40,9 @@ The following table lists the default rules that are available for the DLL rule
 
 | Purpose | Name | User | Rule condition type |
 | - | - | - | - |
-| Allows members of the local Administrators group to run all DLLs | (Default Rule) All DLLs|
-| BUILTIN\Administrators | Path: *|
-| Allow all users to run DLLs in the Windows folder| (Default Rule) Microsoft Windows DLLs |
-| Everyone | Path: %windir%\*|
-| Allow all users to run DLLs in the Program Files folder | (Default Rule) All DLLs located in the Program Files folder|
-| Everyone | Path: %programfiles%\*|
+| Allows members of the local Administrators group to run all DLLs | (Default Rule) All DLLs| BUILTIN\Administrators | Path: *|
+| Allow all users to run DLLs in the Windows folder| (Default Rule) Microsoft Windows DLLs | Everyone | Path: %windir%\*|
+| Allow all users to run DLLs in the Program Files folder | (Default Rule) All DLLs located in the Program Files folder| Everyone | Path: %programfiles%\*|
 
 > [!IMPORTANT]
 > If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
index 811e3ab499..b96a2525dd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
@@ -40,7 +40,9 @@ There are three methods you can use to edit an AppLocker policy:
 - [Editing an AppLocker policy by using the Local Security Policy snap-in](#bkmk-editapplolnotingpo)
 
 ## Editing an AppLocker policy by using Mobile Device Management (MDM)
+If you deployed the AppLocker policy using the AppLocker configuration service provider, you can edit the policies in your MDM solution by altering the content in the string value of the policy node.
 
+For more information, see the [AppLocker CSP](/windows/client-management/mdm/applocker-csp).
 
 ## Editing an AppLocker policy by using Group Policy
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
index 48095da0ce..aee609a7fd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
@@ -14,7 +14,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 06/15/2022
 ms.technology: windows-sec
 ---
 
@@ -26,26 +26,30 @@ ms.technology: windows-sec - Windows 11 - Windows Server 2016 and above ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This topic describes the file formats and available default rules for the script rule collection. + +This article describes the file formats and available default rules for the script rule collection. AppLocker defines script rules to include only the following file formats: -- .ps1 -- .bat -- .cmd -- .vbs -- .js +- `.ps1` +- `.bat` +- `.cmd` +- `.vbs` +- `.js` The following table lists the default rules that are available for the script rule collection. 
| Purpose | Name | User | Rule condition type | | - | - | - | - | -| Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: *| -| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: %windir%\*| -| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: %programfiles%\*| +| Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: `*\` | +| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: `%windir%\*` | +| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`| -## Related topics +> [!NOTE] +> Windows Defender Application Control cannot be used to block PowerShell scripts. AppLocker just forces PowerShell scripts to be run in Constrained Language mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event, which states that the script will be blocked, but then the script runs. + +## Related articles - [Understanding AppLocker default rules](understanding-applocker-default-rules.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index b5aca1e44a..cd197228e8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md 
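Review bot: The new note at the end of the script-rules hunk conflates two products: its first sentence is about Windows Defender Application Control and its second about AppLocker, on a page whose subject is AppLocker script rules, so a reader cannot tell whether AppLocker itself is expected to block a `.ps1` at all. The point that matters most to detection and response teams is also buried at the end: an 8007 event for a `.ps1` says the script "will be blocked" while the script actually runs in Constrained Language mode, so 8007 must not be treated as proof that a PowerShell script was stopped. Suggested rewording: `> AppLocker does not block PowerShell scripts outright; a .ps1 that a rule would otherwise block runs in Constrained Language mode instead. AppLocker still logs an 8007 event stating the script will be blocked, so do not treat 8007 for .ps1 files as evidence that the script did not run.` If the WDAC statement is intended to stand as well, give it its own sentence rather than leaving the two behaviours mixed. This hunk begins on the preceding line.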
@@ -155,10 +155,10 @@ Merge-CIPolicy -PolicyPaths $DenyPolicy, $AllowAllPolicy -OutputFilePath $DenyPo
 Policies should be thoroughly evaluated and first rolled out in audit mode before strict enforcement. Policies can be deployed via multiple options:
-1. Mobile Device Management (MDM): [Deploy Windows Defender Application Control (WDAC) policies using Mobile Device Management (MDM) (Windows)](deploy-windows-defender-application-control-policies-using-intune.md)
+1. Mobile Device Management (MDM): [Deploy WDAC policies using Mobile Device Management (MDM)](deployment/deploy-windows-defender-application-control-policies-using-intune.md)
 2. Configuration Manager: [Deploy Windows Defender Application Control (WDAC) policies by using Configuration Manager (Windows)](deployment/deploy-wdac-policies-with-memcm.md)
 3. Scripting [Deploy Windows Defender Application Control (WDAC) policies using script (Windows)](deployment/deploy-wdac-policies-with-script.md)
-4. Group Policy: [Deploy WDAC policies via Group Policy (Windows)](deploy-windows-defender-application-control-policies-using-group-policy.md)
+4. Group Policy: [Deploy WDAC policies via Group Policy (Windows)](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
index 37126d5855..010247f3ee 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
@@ -113,3 +113,10 @@ See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-c
 > [!NOTE]
 > WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format Windows Defender Application Control policies.
+
+### Known Issues in Multiple Policy Format
+
+* If the maximum number of policies is exceeded, the device may bluescreen referencing ci.dll with a bug check value of 0x0000003b.
+* If policies are loaded without requiring a reboot such as `PS_UpdateAndCompareCIPolicy`, they will still count towards this limit.
+* This may pose an especially large challenge if the value of `{PolicyGUID}.cip` changes between releases. It may result in a long window between a change and the resultant reboot.
+
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
index b8f3362555..2efe41d1ae 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
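Review bot: The new Known Issues bullets refer to "the maximum number of policies" and "this limit" without stating the number or linking to where it is defined, so a reader cannot judge how close a deployment is to the bug check the first bullet describes. The first bullet should name the limit or link the section that defines it, e.g. `* If the maximum number of policies (<POLICY-LIMIT, see the section that documents it>) is exceeded, the device may bluescreen ...`. The third bullet's "if the value of `{PolicyGUID}.cip` changes between releases" is hard to parse; presumably it means that republishing a policy under a new GUID, and therefore a new .cip file name, counts as an additional policy until the next reboot, and saying that directly would make the cumulative-count risk clear. The title-case heading also differs from the sentence-case headings used elsewhere in this commit (`## Related articles`).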
@@ -1,22 +1,19 @@
 ---
-title: Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Endpoint Configuration Manager (MEMCM) (Windows)
-description: You can use Microsoft Endpoint Configuration Manager (MEMCM) to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
-keywords: security, malware
+title: Deploy Windows Defender Application Control policies with Configuration Manager
+description: You can use Microsoft Endpoint Configuration Manager to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
 ms.prod: m365-security
-audience: ITPro
-ms.collection: M365-security-compliance
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: jogeurte
-ms.manager: jsuther
-manager: dansimp
-ms.date: 07/19/2021
 ms.technology: windows-sec
-ms.topic: article
+ms.collection: M365-security-compliance
+author: jgeurten
+ms.reviewer: aaroncz
+ms.author: jogeurte
+manager: jsuther
+ms.date: 06/27/2022
+ms.topic: how-to
 ms.localizationpriority: medium
 ---
-# Deploy WDAC policies by using Microsoft Endpoint Configuration Manager (MEMCM)
+# Deploy WDAC policies by using Microsoft Endpoint Configuration Manager
 **Applies to:**
@@ -24,22 +21,70 @@ ms.localizationpriority: medium
 - Windows 11
 - Windows Server 2016 and above
->[!NOTE]
->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](../feature-availability.md).
 You can use Microsoft Endpoint Configuration Manager to configure Windows Defender Application Control (WDAC) on client machines.
-## Use MEMCM's built-in policies
+## Use Configuration Manager's built-in policies
-Microsoft Endpoint Configuration Manager includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow:
+Configuration Manager includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow:
 - Windows components
 - Microsoft Store apps
 - Apps installed by Configuration Manager (Configuration Manager self-configured as a managed installer)
-- [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG)
-- [Optional] Apps and executables already installed in admin-definable folder locations that Configuration Manager will allow through a one-time scan during policy creation on managed endpoints.
+- (Optional) Reputable apps as defined by the Intelligent Security Graph (ISG)
+- (Optional) Apps and executables already installed in admin-definable folder locations that Configuration Manager will allow through a one-time scan during policy creation on managed endpoints.
-Note that Configuration Manager does not remove policies once deployed.
To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable Windows Defender Application Control (WDAC) altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot.
+Configuration Manager doesn't remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable Windows Defender Application Control (WDAC) altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot.
+
+### Create a WDAC Policy in Configuration Manager
+
+1. Select **Asset and Compliance** > **Endpoint Protection** > **Windows Defender Application Control** > **Create Application Control Policy**
+
+ ![Create a WDAC policy in Configuration Manager.](../images/memcm/memcm-create-wdac-policy.jpg)
+
+2. Enter the name of the policy > **Next**
+3. Enable **Enforce a restart of devices so that this policy can be enforced for all processes**
+4. Select the mode that you want the policy to run (Enforcement enabled / Audit Only)
+5. Select **Next**
+
+ ![Create an enforced WDAC policy in Configuration Manager.](../images/memcm/memcm-create-wdac-policy-2.jpg)
+
+6. Select **Add** to begin creating rules for trusted software
+
+ ![Create a WDAC path rule in Configuration Manager.](../images/memcm/memcm-create-wdac-rule.jpg)
+
+7. Select **File** or **Folder** to create a path rule > **Browse**
+
+ ![Select a file or folder to create a path rule.](../images/memcm/memcm-create-wdac-rule-2.jpg)
+
+8. Select the executable or folder for your path rule > **OK**
+
+ ![Select the executable file or folder.](../images/memcm/memcm-create-wdac-rule-3.jpg)
+
+9. Select **OK** to add the rule to the table of trusted files or folder
+10. 
Select **Next** to navigate to the summary page > **Close**
+
+ ![Confirm the WDAC path rule in Configuration Manager.](../images/memcm/memcm-confirm-wdac-rule.jpg)
+
+### Deploy the WDAC policy in Configuration Manager
+
+1. Right-click the newly created policy > **Deploy Application Control Policy**
+
+ ![Deploy WDAC via Configuration Manager.](../images/memcm/memcm-deploy-wdac.jpg)
+
+2. Select **Browse**
+
+ ![Select Browse.](../images/memcm/memcm-deploy-wdac-2.jpg)
+
+3. Select the Device Collection you created earlier > **OK**
+
+ ![Select the device collection.](../images/memcm/memcm-deploy-wdac-3.jpg)
+
+4. Change the schedule > **OK**
+
+ ![Change the WDAC deployment schedule.](../images/memcm/memcm-deploy-wdac-4.jpg)
 For more information on using Configuration Manager's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager).
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
similarity index 86%
rename from windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
rename to windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
index 23f551bee1..5fd44350ee 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
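Review bot: Step 3 of the deployment procedure says "Select the Device Collection you created earlier", but no step in this hunk creates a device collection; unless a section outside the hunk covers it, the procedure should add that prerequisite or link to where it is described. The creation steps also go straight to choosing "Enforcement enabled / Audit Only" without the reminder given elsewhere in this commit that policies be rolled out in audit mode first; extending step 4 to `4. Select the mode that you want the policy to run (Enforcement enabled / Audit Only). Start with Audit Only and review the resulting events before switching to enforcement.` keeps the two articles consistent. Steps 7–8 create path rules for "trusted software" without saying what a path rule trusts, so a short caveat that path rules should cover only folders standard users cannot write to would help readers avoid over-broad rules.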
@@ -14,7 +14,7 @@ author: jsuther1974
 ms.reviewer: jogeurte
 ms.author: dansimp
 manager: dansimp
-ms.date: 02/28/2018
+ms.date: 06/27/2022
 ms.technology: windows-sec
 ---
@@ -22,14 +22,13 @@ ms.technology: windows-sec
 **Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
->[!NOTE]
->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
 > [!NOTE]
+> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
+>
+> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment.
 Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. The following procedure walks you through how to deploy a WDAC policy called **ContosoPolicy.bin** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**.
@@ -41,9 +40,9 @@ To deploy and manage a Windows Defender Application Control policy with Group Po
 2. Create a new GPO: right-click an OU and then click **Create a GPO in this domain, and Link it here**.
 > [!NOTE]
- > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control policy management](plan-windows-defender-application-control-management.md).
+ > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control lifecycle policy management](../plan-windows-defender-application-control-management.md).
- ![Group Policy Management, create a GPO.](images/dg-fig24-creategpo.png)
+ ![Group Policy Management, create a GPO.](../images/dg-fig24-creategpo.png)
 3. Name the new GPO. You can choose any name.
@@ -51,7 +50,7 @@ To deploy and manage a Windows Defender Application Control policy with Group Po
 5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**.
- ![Edit the Group Policy for Windows Defender Application Control.](images/wdac-edit-gp.png)
+ ![Edit the Group Policy for Windows Defender Application Control.](../images/wdac-edit-gp.png)
 6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the WDAC policy deployment path.
@@ -60,7 +59,7 @@ To deploy and manage a Windows Defender Application Control policy with Group Po
 > [!NOTE]
 > This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
- ![Group Policy called Deploy Windows Defender Application Control.](images/dg-fig26-enablecode.png)
+ ![Group Policy called Deploy Windows Defender Application Control.](../images/dg-fig26-enablecode.png)
 > [!NOTE]
 > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Give your WDAC policies friendly names and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
similarity index 91%
rename from windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
rename to windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
index 143fbdcc2e..200bac9e6a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
@@ -14,7 +14,7 @@ author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.date: 04/29/2020
+ms.date: 06/27/2022
 ms.technology: windows-sec
 ---
@@ -22,12 +22,12 @@ ms.technology: windows-sec
 **Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
->[!NOTE]
->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
 You can use a Mobile Device Management (MDM) solution, like Microsoft Endpoint Manager Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps.
@@ -51,7 +51,7 @@ To use Intune's built-in WDAC policies, configure [Endpoint Protection for Windo
 ## Deploy WDAC policies with custom OMA-URI
 > [!NOTE]
-> Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create Windows Defender Application Control policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) which allow more granular policy.
+> Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create Windows Defender Application Control policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](../deploy-multiple-windows-defender-application-control-policies.md) which allow more granular policy.
 ### Deploy custom WDAC policies on Windows 10 1903+
@@ -71,7 +71,7 @@ The steps to use Intune's custom OMA-URI functionality are:
 - **Certificate file**: upload your binary format policy file. You do not need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
 > [!div class="mx-imgBorder"]
- > ![Configure custom WDAC.](images/wdac-intune-custom-oma-uri.png)
+ > ![Configure custom WDAC.](../images/wdac-intune-custom-oma-uri.png)
 > [!NOTE]
 > For the _Policy GUID_ value, do not include the curly brackets.
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index bfdae01ad9..e96c186076 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -9,7 +9,7 @@ author: jsuther1974
 ms.reviewer: jogeurte
 ms.author: dansimp
 manager: dansimp
-ms.date: 05/09/2022
+ms.date: 06/27/2022
 ms.topic: reference
 ---
@@ -53,6 +53,9 @@ A Windows Defender Application Control policy logs events locally in Windows Eve
 ## Diagnostic events for Intelligent Security Graph (ISG) and Managed Installer (MI)
+> [!NOTE]
+> When Managed Installer is enabled, customers using LogAnalytics should be aware that Managed Installer may fire many 3091 events. Customers may need to filter out these events to avoid high LogAnalytics costs.
+
 Events 3090, 3091 and 3092 prove helpful diagnostic information when the ISG or MI option is enabled by any Application Control policy. These events can help you debug why something was allowed/denied based on managed installer or ISG. These events don't necessarily indicate a problem but should be reviewed in context with other events like 3076 or 3077 described above.
 | Event ID | Explanation |
diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
index d51eeb7f4d..4edab9bde3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
+++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
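Review bot: The new note attributes the high event volume to Managed Installer only, while the known-issues change in this same commit states that both Managed Installer and ISG log 3091 and 3092 events for files that lacked their authorization and that these events move to the verbose channel from the September 2022 C release; the two notes should agree so readers tuning their log filters do not drop 3092 by mistake or keep an outdated filter after the channel change. Suggested wording: `> When the Managed Installer or ISG option is enabled, many 3091 and 3092 events may be logged for files that lacked their authorization. Customers using Log Analytics may need to filter these events to avoid high ingestion costs.` "LogAnalytics" should also be written as the product name "Log Analytics".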
@@ -1,40 +1,35 @@
 ---
-title: Windows Defender Application Control Feature Availability
+title: Windows Defender Application Control feature availability
 description: Compare Windows Defender Application Control (WDAC) and AppLocker feature availability.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-ms.collection: M365-security-compliance
-author: denisebmsft
-ms.reviewer: jgeurten
-ms.author: deniseb
-manager: dansimp
-ms.date: 05/09/2022
-ms.custom: asr
 ms.technology: windows-sec
+ms.localizationpriority: medium
+ms.collection: M365-security-compliance
+author: jgeurten
+ms.reviewer: aaroncz
+ms.author: jogeurte
+manager: jsuther
+ms.date: 06/27/2022
+ms.custom: asr
+ms.topic: overview
 ---
 # Windows Defender Application Control and AppLocker feature availability
 **Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. See below to learn more.
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. See below to learn more.
 | Capability | Windows Defender Application Control | AppLocker |
 |-------------|------|-------------|
 | Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later | Available on Windows 8 or later |
 | SKU availability | Cmdlets are available on all SKUs on 1909+ builds.<br>
    For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
    Policies deployed through MDM are effective on all SKUs. | -| Management solutions |
    • [Intune](./deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)
    • [Configuration Manager](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)
    • [Group Policy](./deploy-windows-defender-application-control-policies-using-group-policy.md)
    • PowerShell
    |
    • [Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)
    • Configuration Manager (custom policy deployment via Software Distribution only)
    • [Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)
    • PowerShell
      • | +| Management solutions |
        • [Intune](./deployment/deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)
        • [Microsoft Endpoint Configuration Manager](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via software distribution)
        • [Group policy](./deployment/deploy-windows-defender-application-control-policies-using-group-policy.md)
        • PowerShell
        |
        • [Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)
        • Configuration Manager (custom policy deployment via software distribution only)
        • [Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)
        • PowerShell
          • |
 | Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
 | Kernel mode policies | Available on all Windows 10 versions and Windows 11 | Not available |
 | Per-app rules | [Available on 1703+](./use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) | Not available |
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-confirm-wdac-rule.jpg b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-confirm-wdac-rule.jpg
new file mode 100644
index 0000000000..3b06ba7568
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-confirm-wdac-rule.jpg differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-policy-2.jpg b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-policy-2.jpg
new file mode 100644
index 0000000000..6e454dc47b
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-policy-2.jpg differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-policy.jpg b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-policy.jpg
new file mode 100644
index 0000000000..22d7cdd6d3
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-policy.jpg differ
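Review bot: The AppLocker "Management solutions" cell still ends with a stray `• |` after the PowerShell bullet, carried over from the old text, which renders as an empty bullet; dropping it leaves the cell ending at `• PowerShell`. Within the same row the WDAC column now says "Microsoft Endpoint Configuration Manager" and "Group policy" while the AppLocker column says "Configuration Manager" and "Group Policy"; one spelling per product should be used in both columns. The `<br>`-separated continuation lines of this row carry no diff marker in the text as extracted here, so their old/new assignment is inferred from the surrounding `-|` and `+|` rows.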
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule-2.jpg b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule-2.jpg
new file mode 100644
index 0000000000..f7de3317e4
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule-2.jpg differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule-3.jpg b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule-3.jpg
new file mode 100644
index 0000000000..f2d19714d5
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule-3.jpg differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule.jpg b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule.jpg
new file mode 100644
index 0000000000..699776d0a6
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule.jpg differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-2.jpg b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-2.jpg
new file mode 100644
index 0000000000..3149ccca4f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-2.jpg differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-3.jpg b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-3.jpg
new file mode 100644
index 0000000000..178c8bc87a
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-3.jpg differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-4.jpg b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-4.jpg
new file mode 100644
index 0000000000..917b78e14a
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-4.jpg differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac.jpg b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac.jpg
new file mode 100644
index 0000000000..03db06521a
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac.jpg differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml
index 2f70a0b792..b39d1f45b2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/index.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/index.yml
@@ -99,13 +99,13 @@ landingContent:
 - linkListType: tutorial
 links:
 - text: Deployment with MDM
- url: deploy-windows-defender-application-control-policies-using-intune.md
- - text: Deployment with MEMCM
+ url: deployment/deploy-windows-defender-application-control-policies-using-intune.md
+ - text: Deployment with Configuration Manager
 url: deployment/deploy-wdac-policies-with-memcm.md
 - text: Deployment with script and refresh policy
 url: deployment/deploy-wdac-policies-with-script.md
- - text: Deployment with Group Policy
- url: deploy-windows-defender-application-control-policies-using-group-policy.md
+ - text: Deployment with group policy
+ url: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
 # Card
 - title: Learn how to monitor WDAC events
 linkLists:
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index 0fbd505f00..ddc280cfb4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -162,7 +162,7 @@ Select the correct version of each .dll for the Windows release you plan to supp - + 
@@ -877,7 +877,7 @@ Select the correct version of each .dll for the Windows release you plan to supp - + 
@@ -905,10 +905,10 @@ Select the correct version of each .dll for the Windows release you plan to supp + + + + -->
diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
index 611a90b62b..dfddeebe3f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
+++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
@@ -10,7 +10,7 @@ ms.reviewer: jogeurte
 ms.author: jogeurte
 ms.manager: jsuther
 manager: dansimp
-ms.date: 04/14/2021
+ms.date: 07/01/2022
 ms.technology: windows-sec
 ms.topic: article
 ms.localizationpriority: medium
@@ -25,19 +25,23 @@ ms.localizationpriority: medium
 - Windows 11
 - Windows Server 2016 and above
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-This topic covers tips and tricks for admins as well as known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production.
+This topic covers tips and tricks for admins and known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production.
+
+## Managed Installer and ISG will cause garrulous events
+
+When Managed Installer and ISG are enabled, 3091 and 3092 events will be logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. Beginning with the September 2022 C release, these events will be moved to the verbose channel since the events don't indicate an issue with the policy.
 ## .NET native images may generate false positive block events
-In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image will fallback to its corresponding assembly and .NET will regenerate the native image at its next scheduled maintenance window.
+In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image will fall back to its corresponding assembly and .NET will regenerate the native image at its next scheduled maintenance window.
 ## MSI Installations launched directly from the internet are blocked by WDAC
 Installing .msi files directly from the internet to a computer protected by WDAC will fail.
-For example, this command will not work:
+For example, this command won't work:
 ```console
 msiexec –i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E-76209EA4F429/Windows10_Version_1511_ADMX.msi
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 7eef03213f..1b68313de8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -14,7 +14,7 @@ author: dansimp
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.date: 01/26/2022
+ms.date: 06/28/2022
 ms.technology: windows-sec
 ---
@@ -26,8 +26,8 @@ ms.technology: windows-sec
 - Windows 11
 - Windows Server 2016 and above
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 Windows Defender Application Control (WDAC) can control what runs on Windows 10 and Windows 11, by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted.
@@ -88,7 +88,7 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
 | Rule level | Description |
 |----------- | ----------- |
-| **Hash** | Specifies individual hash values for each discovered binary. This is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
+| **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
 | **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level, but it doesn't typically require a policy update when any binary is modified. |
 | **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. More information about FilePath level rules can be found below. |
 | **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. |
@@ -146,6 +146,10 @@ You can also use the following macros when the exact volume may vary: `%OSDRIVE%
 ## More information about hashes
+WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calculating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file does not change when the file is re-signed or timestamped, or the digital signature is removed from the file. By using the Authenticode hash, WDAC provides added security and less management overhead so customers do not need to revise the policy hash rules when the digital signature on the file is updated.
+
+The Authenticode/PE image hash can be calculated for digitally-signed and unsigned files.
+
 ### Why does scan create four hash rules per XML file?
 The PowerShell cmdlet will produce an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash.
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
index 10168b1379..af2a34ff3e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -14,7 +14,7 @@ author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.date: 05/03/2018
+ms.date: 06/27/2022
 ms.technology: windows-sec
 ---
@@ -48,6 +48,9 @@ To sign a Windows Defender Application Control policy with SignTool.exe, you nee
 > [!NOTE]
 > All policies (base and supplemental and single-policy format) must be pkcs7 signed. [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652)
+>
+>Certificate fields, like 'subject common name' and 'issuer common name,' cannot be UTF-8 encoded, otherwise, blue screens may occur. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING.
+
 If you do not have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) for instructions on how to create one. If you use an alternate certificate or Windows Defender Application Control (WDAC) policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly.
 To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session:
@@ -105,7 +108,7 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
 > [!NOTE]
 > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
-9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
+9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md).
 > [!NOTE]
-> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set.
\ No newline at end of file
+> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set.
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
index 19f39c1525..b00d8dca38 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
@@ -14,7 +14,7 @@ author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.date: 09/23/2021
+ms.date: 06/15/2022
 ms.technology: windows-sec
 ---
@@ -24,7 +24,8 @@ Historically, Windows Defender Application Control (WDAC) has restricted the set
 Security researchers have found that some .NET applications may be used to circumvent those controls by using .NET’s capabilities to load libraries from external sources or generate new code on the fly. Beginning with Windows 10, version 1803, or Windows 11, Windows Defender Application Control features a new capability, called *Dynamic Code Security* to verify code loaded by .NET at runtime.
-When the Dynamic Code Security option is enabled, Windows Defender Application Control policy is applied to libraries that .NET loads from external sources.
+When the Dynamic Code Security option is enabled, Application Control policy is applied to libraries that .NET loads from external sources. For example, any non-local sources, such as the internet or a network share.
+
 Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with. Dynamic Code Security is not enabled by default because existing policies may not account for externally loaded libraries.
@@ -39,4 +40,4 @@ To enable Dynamic Code Security, add the following option to the `` secti
-```
\ No newline at end of file
+```
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index 4e1abd6929..09428ad8d5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -129,5 +129,5 @@ Packaged apps are not supported with the Microsoft Intelligent Security Graph he
 The ISG doesn't authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run.
->[!NOTE]
-> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Endpoint Manager Intune's built-in Windows Defender Application Control support includes the option to trust apps with good reputation via the Microsoft Intelligent Security Graph, but it has no option to add explicit allow or deny rules. In most circumstances, customers enforcing application control need to deploy a custom WDAC policy (which can include the Microsoft Intelligent Security Graph option if desired) using [Intune's OMA-URI functionality](deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
+> [!NOTE]
+> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Endpoint Manager Intune's built-in Windows Defender Application Control support includes the option to trust apps with good reputation via the Microsoft Intelligent Security Graph, but it has no option to add explicit allow or deny rules. In most circumstances, customers enforcing application control need to deploy a custom WDAC policy (which can include the Microsoft Intelligent Security Graph option if desired) using [Intune's OMA-URI functionality](deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
index d87ee2f357..b47cdb1c99 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
@@ -1,21 +1,16 @@
 ---
-title: Deploying Windows Defender Application Control (WDAC) policies (Windows)
+title: Deploying Windows Defender Application Control (WDAC) policies
 description: Learn how to plan and implement a WDAC deployment.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-ms.collection: M365-security-compliance
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: dansimp
-manager: dansimp
-ms.date: 05/16/2018
 ms.technology: windows-sec
+ms.localizationpriority: medium
+ms.collection: M365-security-compliance
+author: jgeurten
+ms.reviewer: aaroncz
+ms.author: jogeurte
+manager: jsuther
+ms.date: 06/27/2022
+ms.topic: overview
 ---
 # Deploying Windows Defender Application Control (WDAC) policies
@@ -41,7 +36,7 @@ All Windows Defender Application Control policy changes should be deployed in au
 There are several options to deploy Windows Defender Application Control policies to managed endpoints, including:
-1. [Deploy using a Mobile Device Management (MDM) solution](deploy-windows-defender-application-control-policies-using-intune.md), such as Microsoft Intune
-2. [Deploy using Microsoft Endpoint Configuration Manager](deployment/deploy-wdac-policies-with-memcm.md)
-3. [Deploy via script](deployment/deploy-wdac-policies-with-script.md)
-4. [Deploy via Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
+- [Deploy using a Mobile Device Management (MDM) solution](deployment/deploy-windows-defender-application-control-policies-using-intune.md), such as Microsoft Intune
+- [Deploy using Microsoft Endpoint Configuration Manager](deployment/deploy-wdac-policies-with-memcm.md)
+- [Deploy via script](deployment/deploy-wdac-policies-with-script.md)
+- [Deploy via group policy](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md)
diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
index ad4e1359c3..9ecf89d162 100644
--- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
+++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
@@ -48,7 +48,7 @@ The blocking filters can be categorized under these filter origins:
 g. Windows Service Hardening (WSH) default
-The next section describes the improvements made to audits 5157 and 5152, and how the above filter origins are used in these events. These improvements were added in Iron release.
+The next section describes the improvements made to audits 5157 and 5152, and how the above filter origins are used in these events. These improvements were added in the Windows Server 2022 and Windows 11 releases.
 ## Improved firewall audit
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index 94adc3d7c8..6f3d9838b0 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -112,7 +112,7 @@ An array of folders, each representing a location on the host machine that will
 ### Logon command
-Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account.
+Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account. The container user account should be an administrator account.
 ```xml