From 3e2f3642d6f8169153ca20d3ca0083a5efd805d3 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 25 Apr 2024 20:00:49 +0300
Subject: [PATCH 1/4] Removed notice about not using UTF-8 encoding

The UTF-8 encoding can totally be used for certificate subject names when deploying a signed WDAC policy and no problem such as boot failures occurs as a result of that.

I've tested this for long periods of time and continue to use it daily.
---
 .../use-signed-policies-to-protect-wdac-against-tampering.md     | 1 -
 1 file changed, 1 deletion(-)

diff --git a/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md
index 72139cebfa..91903fcb90 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md
@@ -21,7 +21,6 @@ If you don't currently have a code signing certificate you can use to sign your
 > - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652).
 > - Use RSA keys with 2K, 3K, or 4K key size only. ECDSA isn't supported.
 > - You can use SHA-256, SHA-384, or SHA-512 as the digest algorithm on Windows 11, as well as Windows 10 and Windows Server 2019 and above after applying the November 2022 cumulative security update. All other devices only support SHA-256.
-> - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING.
 
 Before you attempt to deploy a signed policy, you should first deploy an unsigned version of the policy to uncover any issues with the policy rules. We also recommend you enable rule options **9 - Enabled:Advanced Boot Options Menu** and **10 - Enabled:Boot Audit on Failure** to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](../design/select-types-of-rules-to-create.md).
 

From db28c23156d657589f9631cd813635a6ce2488dd Mon Sep 17 00:00:00 2001
From: alysha-h <134006842+alysha-h@users.noreply.github.com>
Date: Wed, 8 May 2024 10:57:08 -0700
Subject: [PATCH 2/4] Update windows-autopatch-faq.yml

Update broken anchors. The anchor for pausing quality updates is #pause-and-resume-a-release (https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview#pause-and-resume-a-release), not pausing-and-resuming-a-release. The content for pause/resume feature updates has moved to a different page (https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release#pause-and-resume-a-release) with a different anchor.
---
 .../windows-autopatch/overview/windows-autopatch-faq.yml      | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
index 365c39fc3b..4081f4c8e6 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@@ -95,11 +95,11 @@ sections:
       - question: What happens if there's an issue with an update?
         answer: |
           Autopatch relies on the following capabilities to help resolve update issues:
-          - Pausing and resuming: For more information about pausing and resuming updates, see [pausing and resuming Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release).
+          - Pausing and resuming: For more information about pausing and resuming updates, see [pausing and resuming Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pause-and-resume-a-release).
           - Rollback: For more information about Microsoft 365 Apps for enterprise, see [Update controls for Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#microsoft-365-apps-for-enterprise-update-controls).
       - question: Can I permanently pause a Windows feature update deployment?
         answer: |
-          Yes. Windows Autopatch provides a [permanent pause of a feature update deployment](../operate/windows-autopatch-windows-feature-update-overview.md#pausing-and-resuming-a-release).
+          Yes. Windows Autopatch provides a [permanent pause of a feature update deployment](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#pause-and-resume-a-release).
       - question: Will Windows quality updates be released more quickly after vulnerabilities are identified, or what is the regular cadence of updates?
         answer: |
           For zero-day threats, Autopatch will have an [expedited release cadence](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases). For normal updates Autopatch, uses a [regular release cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) starting with devices in the Test ring and completing with general rollout to the Broad ring.

From 83e830b6642baddfe5cd2f97ca26b09f6b3e5c59 Mon Sep 17 00:00:00 2001
From: Tahlon Brahic <104690672+TahlonBrahic@users.noreply.github.com>
Date: Tue, 14 May 2024 22:20:01 -0500
Subject: [PATCH 3/4] Update cloud-services-protect-your-work-information.md

Change 'industrystandard' to 'industry standard'
---
 .../book/cloud-services-protect-your-work-information.md        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md
index f60f7c0f9a..789ac396b8 100644
--- a/windows/security/book/cloud-services-protect-your-work-information.md
+++ b/windows/security/book/cloud-services-protect-your-work-information.md
@@ -42,7 +42,7 @@ Every Windows device has a built-in local administrator account that must be sec
 
 ## Modern device management through (MDM)
 
-Windows 11 supports modern device management through mobile device management (MDM) protocols so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, IT can manage Windows 11 using industrystandard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.
+Windows 11 supports modern device management through mobile device management (MDM) protocols so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, IT can manage Windows 11 using industry standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.
 
 Windows 11 built-in management features include:
 

From 5de76c4148a1760ab8a290079a14d3106901c7e6 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 16 May 2024 12:50:06 +0300
Subject: [PATCH 4/4] The Unsigned policy rule option is valid for Supplemental
 types

---
 .../design/select-types-of-rules-to-create.md                   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
index 961a1e4dc4..46200516f4 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
@@ -34,7 +34,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
 | **3 Enabled:Audit Mode (Default)** | Instructs WDAC to log information about applications, binaries, and scripts that would have been blocked, if the policy was enforced. You can use this option to identify the potential impact of your WDAC policy, and use the audit events to refine the policy before enforcement. To enforce a WDAC policy, delete this option. | No |
 | **4 Disabled:Flight Signing** | If enabled, binaries from Windows Insider builds aren't trusted. This option is useful for organizations that only want to run released binaries, not prerelease Windows builds. | No |
 | **5 Enabled:Inherit Default Policy** | This option is reserved for future use and currently has no effect. | Yes |
-| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and any supplemental policies must also be signed. The certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. Certificates that are trusted for supplemental policies must be identified in the SupplementalPolicySigners section. | No |
+| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and any supplemental policies must also be signed. The certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. Certificates that are trusted for supplemental policies must be identified in the SupplementalPolicySigners section. | Yes |
 | **7 Allowed:Debug Policy Augmented** | This option isn't currently supported. | Yes |
 | **8 Required:EV Signers** | This option isn't currently supported. | No |
 | **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | No |