Fix merge conflct

This commit is contained in:
Vinay Pamnani 2023-05-31 17:06:08 -04:00
commit eba622ae26
44 changed files with 623 additions and 781 deletions


@ -21469,6 +21469,41 @@
"source_path": "windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security",
"redirect_document_id": false
},
{
"source_path": "windows/security/cloud.md",
"redirect_url": "/windows/security",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/user-account-control/how-user-account-control-works.md",
"redirect_url": "/windows/security/application-security/application-control/user-account-control/how-it-works",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md",
"redirect_url": "/windows/security/application-security/application-control/user-account-control/settings-and-configuration",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md",
"redirect_url": "/windows/security/application-security/application-control/user-account-control/settings-and-configuration",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/user-account-control/user-account-control-overview.md",
"redirect_url": "/windows/security/application-security/application-control/user-account-control",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/configure-s-mime.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/configure-s-mime",
"redirect_document_id": false
},
{
"source_path": "windows/security/apps.md",
"redirect_url": "/windows/security/application-security",
"redirect_document_id": false
}
]
}
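Review bot: Because this commit resolves a merge conflict in a redirection file whose enclosing array starts more than 21,000 lines above the hunk, the point to confirm is that none of the eight added `source_path` values (the firewall, `cloud.md`, the four `user-account-control/*` pages, `configure-s-mime.md`, `apps.md`) already has an entry elsewhere in the file — a duplicated `source_path` is the typical artefact of a conflict resolved by keeping both sides, and the build's redirection validation usually rejects it, which cannot be verified from the hunk alone. The two settings pages at `user-account-control-security-policy-settings.md` and `user-account-control-group-policy-and-registry-key-settings.md` collapsing onto one target with `"redirect_document_id": false` is consistent, since only one source may carry the document id. The targets `.../user-account-control` and `.../user-account-control/how-it-works` line up with the `index.md` and `how-it-works.md` files added later in this commit; the `/windows/security` and `/windows/security/application-security` hub targets for `cloud.md` and `apps.md` should be checked to exist as published pages, as a redirect to a missing hub page silently turns into a 404.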


@ -65,7 +65,8 @@
"v-dihans",
"garycentric",
"v-stsavell",
"beccarobins"
"beccarobins",
"v-stchambers"
]
},
"fileMetadata": {

3
images/group-policy.svg Normal file

@ -0,0 +1,3 @@
<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 2048 2048">
<path d="M1792 0q53 0 99 20t82 55 55 81 20 100q0 53-20 99t-55 82-81 55-100 20h-128v1280q0 53-20 99t-55 82-81 55-100 20H256q-53 0-99-20t-82-55-55-81-20-100q0-53 20-99t55-82 81-55 100-20V256q0-53 20-99t55-82 81-55T512 0h1280zM128 1792q0 27 10 50t27 40 41 28 50 10h930q-34-60-34-128t34-128H256q-27 0-50 10t-40 27-28 41-10 50zm1280 128q27 0 50-10t40-27 28-41 10-50V256q0-68 34-128H512q-27 0-50 10t-40 27-28 41-10 50v1280h1024q26 0 45 19t19 45q0 26-19 45t-45 19q-25 0-49 9t-42 28q-18 18-27 42t-10 49q0 27 10 50t27 40 41 28 50 10zm384-1536q27 0 50-10t40-27 28-41 10-50q0-27-10-50t-27-40-41-28-50-10q-27 0-50 10t-40 27-28 41-10 50v128h128zm-1280 0h896v128H512V384zm0 256h256v128H512V640zm0 256h256v128H512V896zm0 256h256v128H512v-128zm640-512q53 0 99 20t82 55 55 81 20 100q0 17-4 33t-4 31v539l-248-124-248 124V960q0-14-4-30t-4-34q0-53 20-99t55-82 81-55 100-20zm0 128q-27 0-50 10t-40 27-28 41-10 50q0 27 10 50t27 40 41 28 50 10q27 0 50-10t40-27 28-41 10-50q0-27-10-50t-27-40-41-28-50-10zm136 549v-204q-30 20-65 29t-71 10q-36 0-71-9t-65-30v204l136-68 136 68z" fill="#0078D4" />
</svg>


3
images/information.svg Normal file

@ -0,0 +1,3 @@
<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M8 7C8.27614 7 8.5 7.22386 8.5 7.5V10.5C8.5 10.7761 8.27614 11 8 11C7.72386 11 7.5 10.7761 7.5 10.5V7.5C7.5 7.22386 7.72386 7 8 7ZM8.00001 6.24907C8.41369 6.24907 8.74905 5.91371 8.74905 5.50003C8.74905 5.08635 8.41369 4.751 8.00001 4.751C7.58633 4.751 7.25098 5.08635 7.25098 5.50003C7.25098 5.91371 7.58633 6.24907 8.00001 6.24907ZM2 8C2 4.68629 4.68629 2 8 2C11.3137 2 14 4.68629 14 8C14 11.3137 11.3137 14 8 14C4.68629 14 2 11.3137 2 8ZM8 3C5.23858 3 3 5.23858 3 8C3 10.7614 5.23858 13 8 13C10.7614 13 13 10.7614 13 8C13 5.23858 10.7614 3 8 3Z" fill="#0078D4" />
</svg>


24
images/intune.svg Normal file

@ -0,0 +1,24 @@
<svg id="a9ed4d43-c916-4b9a-b9ca-be76fbdc694c" xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18">
<defs>
<linearGradient id="aaede26b-698f-4a65-b6db-859d207e2da6" x1="8.05" y1="11.32" x2="8.05" y2="1.26" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#0078d4" />
<stop offset="0.82" stop-color="#5ea0ef" />
</linearGradient>
<linearGradient id="bc54987f-34ba-4701-8ce4-6eca10aff9e9" x1="8.05" y1="15.21" x2="8.05" y2="11.32" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#1490df" />
<stop offset="0.98" stop-color="#1f56a3" />
</linearGradient>
<linearGradient id="a5434fd8-c18c-472c-be91-f2aa070858b7" x1="8.05" y1="7.87" x2="8.05" y2="4.94" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#d2ebff" />
<stop offset="1" stop-color="#f0fffd" />
</linearGradient>
</defs>
<title>Icon-intune-329</title>
<rect x="0.5" y="1.26" width="15.1" height="10.06" rx="0.5" fill="url(#aaede26b-698f-4a65-b6db-859d207e2da6)" />
<rect x="1.34" y="2.1" width="13.42" height="8.39" rx="0.28" fill="#fff" />
<path d="M11.08,14.37c-1.5-.23-1.56-1.31-1.55-3h-3c0,1.74-.06,2.82-1.55,3a.87.87,0,0,0-.74.84h7.54A.88.88,0,0,0,11.08,14.37Z" fill="url(#bc54987f-34ba-4701-8ce4-6eca10aff9e9)" />
<path d="M17.17,5.91H10.29a2.31,2.31,0,1,0,0,.92H11v9.58a.33.33,0,0,0,.33.33h5.83a.33.33,0,0,0,.33-.33V6.24A.33.33,0,0,0,17.17,5.91Z" fill="#32bedd" />
<rect x="11.62" y="6.82" width="5.27" height="8.7" rx="0.12" fill="#fff" />
<circle cx="8.05" cy="6.41" r="1.46" opacity="0.9" fill="url(#a5434fd8-c18c-472c-be91-f2aa070858b7)" />
<path d="M14.88,10.82,13.76,9.7a.06.06,0,0,0-.1.05v.68a.06.06,0,0,1-.06.06H11v.83H13.6a.06.06,0,0,1,.06.06v.69a.06.06,0,0,0,.1,0L14.88,11A.12.12,0,0,0,14.88,10.82Z" fill="#0078d4" />
</svg>


3
images/windows-os.svg Normal file

@ -0,0 +1,3 @@
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 2048 2048" width="18" height="18" >
<path d="M0 0h961v961H0V0zm1087 0h961v961h-961V0zM0 1087h961v961H0v-961zm1087 0h961v961h-961v-961z" fill="#0078D4" />
</svg>



@ -2,13 +2,11 @@ items:
- name: User Account Control (UAC)
items:
- name: Overview
href: ../../identity-protection/user-account-control/user-account-control-overview.md
- name: How User Account Control works
href: ../../identity-protection/user-account-control/how-user-account-control-works.md
- name: User Account Control security policy settings
href: ../../identity-protection/user-account-control/user-account-control-security-policy-settings.md
- name: User Account Control Group Policy and registry key settings
href: ../../identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
href: user-account-control/index.md
- name: How UAC works
href: user-account-control/how-it-works.md
- name: UAC settings and configuration
href: user-account-control/settings-and-configuration.md
- name: Windows Defender Application Control and virtualization-based protection of code integrity
href: ../../threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- name: Windows Defender Application Control


@ -0,0 +1,195 @@
---
title: How User Account Control works
description: Learn about User Account Control (UAC) components and how it interacts with the end users.
ms.collection:
- highpri
- tier2
ms.topic: conceptual
ms.date: 05/24/2023
---
# How User Account Control works
User Account Control (UAC) is a key part of Windows security. UAC reduces the risk of malware by limiting the ability of malicious code to execute with administrator privileges. This article describes how UAC works and how it interacts with the end-users.
## UAC process and interactions
With UAC, each application that requires the *administrator access token* must prompt the end user for consent. The only exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same *integrity level*.
Windows protects processes by marking their integrity levels. Integrity levels are measurements of trust:
- A *high integrity application* is one that performs tasks that modify system data, such as a disk partitioning application
- A *low integrity application* is one that performs tasks that could potentially compromise the operating system, like as a Web brows
Applications with lower integrity levels can't modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provides valid administrator credentials.
To better understand how this process works, let's take a closer look at the Windows sign in process.
## Sign in process
The following diagram shows how the sign in process for an administrator differs from the sign in process for a standard user.
:::image type="content" source="images/uac-windows-logon-process.gif" alt-text="Diagram that describes the UAC Windows logon process.":::
By default, both standard and administrator users access resources and execute apps in the security context of a standard user.\
When a user signs in, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges.
When an administrator logs on, two separate access tokens are created for the user: a *standard user access token* and an *administrator access token*. The standard user access token:
- Contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed
- It's used to start applications that don't perform administrative tasks (standard user apps)
- It's used to display the desktop by executing the process *explorer.exe*. Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token
A user that is a member of the Administrators group can sign in, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows automatically prompts the user for approval. This prompt is called an *elevation prompt*, and its behavior can be configured via policy or registry.
## The UAC user experience
When UAC is enabled, the user experience for standard users is different from administrator users. The recommended and more secure method of running Windows, is to ensure your primary user account is a standard user. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account.
The default, built-in UAC elevation component for standard users is the *credential prompt*.
The alternative to running as a standard user is to run as an administrator in *Admin Approval Mode*. With the built-in UAC elevation component, members of the local Administrators group can easily perform an administrative task by providing approval.
The default, built-in UAC elevation component for an administrator account in Admin Approval Mode is called the *consent prompt*.
### The credential prompt
The credential prompt is presented when a standard user attempts to perform a task that requires a user's administrative access token. Administrators can also be required to provide their credentials by setting the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting value to **Prompt for credentials**.
:::image type="content" source="images/uac-credential-prompt.png" alt-text="Screenshot showing the UAC credential prompt.":::
### The consent prompt
The consent prompt is presented when a user attempts to perform a task that requires a user's administrative access token.
:::image type="content" source="images/uac-consent-prompt-admin.png" alt-text="Screenshot showing the UAC consent prompt.":::
### UAC elevation prompts
The UAC elevation prompts are color-coded to be app-specific, enabling for easier identification of an application's potential security risk. When an app attempts to run with an administrator's full access token, Windows first analyzes the executable file to determine its publisher. Apps are first separated into three categories based on the file's publisher:
- Windows
- Publisher verified (signed)
- Publisher not verified (unsigned)
The elevation prompt color-coding is as follows:
- Gray background: The application is a Windows administrative app, such as a Control Panel item, or an application signed by a verified publisher
:::image type="content" source="images/uac-credential-prompt-signed.png" alt-text="Screenshot showing the UAC credential prompt with a signed executable.":::
- Yellow background: the application is unsigned or signed but isn't trusted
:::image type="content" source="images/uac-credential-prompt-unsigned.png" alt-text="Screenshot showing the UAC consent prompt with an unsigned executable.":::
### Shield icon
Some Control Panel items, such as **Date and Time**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screenshot of the **Date and Time** Control Panel item.
:::image type="content" source="images/uac-shield-icon.png" alt-text="Screenshot showing the UAC Shield Icon in Date and Time Properties." border="false":::
The shield icon on the **Change date and time...** button indicates that the process requires a full administrator access token.
## Securing the elevation prompt
The elevation process is further secured by directing the prompt to the *secure desktop*. The consent and credential prompts are displayed on the secure desktop by default. Only Windows processes can access the secure desktop. For higher levels of security, we recommend keeping the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting enabled.
When an executable file requests elevation, the *interactive desktop*, also called the *user desktop*, is switched to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be responded to before continuing. When the user selects **Yes** or **No**, the desktop switches back to the user desktop.
Malware can present an imitation of the secure desktop, but when the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting is set to **Prompt for consent**, the malware doesn't gain elevation if the user selects **Yes** on the imitation. If the policy setting is set to **Prompt for credentials**, malware imitating the credential prompt may be able to gather the credentials from the user. However, the malware doesn't gain elevated privilege and the system has other protections that mitigate malware from taking control of the user interface even with a harvested password.
While malware could present an imitation of the secure desktop, this issue can't occur unless a user previously installed the malware on the PC. Because processes requiring an administrator access token can't silently install when UAC is enabled, the user must explicitly provide consent by selecting **Yes** or by providing administrator credentials. The specific behavior of the UAC elevation prompt is dependent upon security policies.
## UAC Architecture
The following diagram details the UAC architecture.
:::image type="content" source="images/uac-architecture.gif" alt-text="Diagram that describes the UAC architecture.":::
To better understand each component, review the following tables:
### User
|Component|Description|
|--- |--- |
|<p>User performs operation requiring privilege|<p>If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute.|
|<p>ShellExecute|<p>ShellExecute calls CreateProcess. ShellExecute looks for the ERROR_ELEVATION_REQUIRED error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt.|
|<p>CreateProcess|<p>If the application requires elevation, CreateProcess rejects the call with ERROR_ELEVATION_REQUIRED.|
### System
|Component|Description|
|--- |--- |
|<p>Application Information service|<p>A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required. Depending on the configured policies, the user may give consent.|
|<p>Elevating an ActiveX install|<p>If ActiveX isn't installed, the system checks the UAC slider level. If ActiveX is installed, the **User Account Control: Switch to the secure desktop when prompting for elevation** Group Policy setting is checked.|
|<p>Check UAC slider level|<p>UAC has a slider to select from four levels of notification.<ul><li><p>**Always notify** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Notify you when you make changes to Windows settings.</li><li>Freeze other tasks until you respond.</li></ul><p>Recommended if you often install new software or visit unfamiliar websites.<br></li><li><p>**Notify me only when programs try to make changes to my computer** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Freeze other tasks until you respond.</li></ul><p>Recommended if you don't often install apps or visit unfamiliar websites.<br></li><li><p>**Notify me only when programs try to make changes to my computer (do not dim my desktop)** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Not freeze other tasks until you respond.</li></ul><p>Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.<br></li><li><p>**Never notify (Disable UAC prompts)** will:<ul><li>Not notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Not freeze other tasks until you respond.</li></ul><p>Not recommended due to security concerns.|
|<p>Secure desktop enabled|<p>The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is checked: <ul><li><p>If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.</li><li><p>If the secure desktop isn't enabled, all elevation requests go to the interactive user's desktop, and the per-user settings for administrators and standard users are used.|
|<p>CreateProcess|<p>CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation. The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file. CreateProcess fails if the requested execution level specified in the manifest doesn't match the access token and returns an error (ERROR_ELEVATION_REQUIRED) to ShellExecute.|
|<p>AppCompat|<p>The AppCompat database stores information in the application compatibility fix entries for an application.|
|<p>Fusion|<p>The Fusion database stores information from application manifests that describe the applications. The manifest schema is updated to add a new requested execution level field.|
|<p>Installer detection|<p>Installer detection detects setup files, which helps prevent installations from being run without the user's knowledge and consent.|
### Kernel
|Component|Description|
|--- |--- |
|<p>Virtualization|<p>Virtualization technology ensures that noncompliant apps don't silently fail to run or fail in a way that the cause can't be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas.|
|<p>File system and registry|<p>The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second.|
The slider never turns off UAC completely. If you set it to **Never notify**, it will:
- Keep the UAC service running
- Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt
- Automatically deny all elevation requests for standard users
> [!IMPORTANT]
> In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**.
> [!WARNING]
> Some Universal Windows Platform apps may not work when UAC is disabled.
### Virtualization
Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you don't need to replace most apps when UAC is turned on.
Windows includes file and registry virtualization technology for apps that aren't UAC-compliant and that requires an administrator's access token to run correctly. When an administrative app that isn't UAC-compliant attempts to write to a protected folder, such as *Program Files*, UAC gives the app its own virtualized view of the resource it's attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the noncompliant app.
Most app tasks operate properly by using virtualization features. Although virtualization allows most applications to run, it's a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization.
Virtualization isn't an option in the following scenarios:
- Virtualization doesn't apply to apps that are elevated and run with a full administrative access token
- Virtualization supports only 32-bit apps. Non-elevated 64-bit apps receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations
- Virtualization is disabled if the app includes an app manifest with a requested execution level attribute
### Request execution levels
An app manifest is an XML file that describes and identifies the shared and private side-by-side assemblies that an app should bind to at run time. The app manifest includes entries for UAC app compatibility purposes. Administrative apps that include an entry in the app manifest prompt the user for permission to access the user's access token. Although they lack an entry in the app manifest, most administrative app can run without modification by using app compatibility fixes. App compatibility fixes are database entries that enable applications that aren't UAC-compliant to work properly.
All UAC-compliant apps should have a requested execution level added to the application manifest. If the application requires administrative access to the system, marking the app with a requested execution level of *require administrator* ensures that the system identifies this program as an administrative app, and performs the necessary elevation steps. Requested execution levels specify the privileges required for an app.
### Installer detection technology
Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users don't have sufficient access to install programs. Windows heuristically detects installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows also heuristically detects updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry.
Installer detection only applies to:
- 32-bit executable files
- Applications without a requested execution level attribute
- Interactive processes running as a standard user with UAC enabled
Before a 32-bit process is created, the following attributes are checked to determine whether it's an installer:
- The file name includes keywords such as "install," "setup," or "update."
- Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name
- Keywords in the side-by-side manifest are embedded in the executable file
- Keywords in specific StringTable entries are linked in the executable file
- Key attributes in the resource script data are linked in the executable file
- There are targeted sequences of bytes within the executable file
> [!NOTE]
> The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.
> [!NOTE]
> The *User Account Control: Detect application installations and prompt for elevation* policy must be enabled for installer detection to detect installation programs. For more information, see [User Account Control settings list](settings-and-configuration.md#user-account-control-settings-list).
## Next steps
Learn more about [User Account Control settings and configuration](settings-and-configuration.md).

Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.



@ -0,0 +1,36 @@
---
title: User Account Control
description: Learn how User Account Control (UAC) helps to prevent unauthorized changes to Windows devices.
ms.collection:
- highpri
- tier2
ms.topic: conceptual
ms.date: 05/24/2023
---
# User Account Control overview
User Account Control (UAC) is a Windows security feature designed to protect the operating system from unauthorized changes. When changes to the system require administrator-level permission, UAC notifies the user, giving the opportunity to approve or deny the change. UAC improves the security of Windows devices by limiting the access that malicious code has to execute with administrator privileges. UAC empowers users to make informed decisions about actions that may affect the stability and security of their device.
Unless you disable UAC, malicious software is prevented from disabling or interfering with UAC settings. UAC is enabled by default, and you can configure it if you have administrative privileges.
## Benefits of UAC
UAC allows all users to sign in their devices using a *standard user account*. Processes launched using a *standard user token* may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Any applications that are started using Windows Explorer (for example, by opening a shortcut) also run with the standard set of user permissions. Most applications, including the ones included with the operating system, are designed to work properly this way.\
Other applications, like ones that aren't designed with security settings in mind, may require more permissions to run successfully. These applications are referred to as *legacy apps*.
When a user tries to perform an action that requires administrative privileges, UAC triggers a *consent prompt*. The prompt notifies the user that a change is about to occur, asking for their permission to proceed:
- If the user approves the change, the action is performed with the highest available privilege
- If the user doesn't approve the change, the action isn't performed and the application that requested the change is prevented from running
:::image type="content" source="images/uac-consent-prompt-admin.png" alt-text="Screenshot showing the UAC consent prompt.":::
When an app requires to run with more than standard user rights, UAC allows users to run apps with their *administrator token* (that is, with administrative rights and permissions) instead of their default, standard user token. Users continue to operate in the standard user security context, while enabling certain apps to run with elevated privileges, if needed.
[!INCLUDE [user-account-control-uac](../../../../../includes/licensing/user-account-control-uac.md)]
## Next steps
- [How User Account Control works](how-it-works.md)
- [User Account Control settings and configuration](settings-and-configuration.md)


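--- /dev/null
+++ b/<path-not-shown-on-page>/settings-and-configuration.md
@@ -0,0 +1,102 @@
+---
+title: User Account Control settings and configuration
+description: Learn about the User Account Control settings and how to configure them via Intune, CSP, group policy and registry.
+ms.date: 05/26/2023
+ms.topic: how-to
+---
+# User Account Control settings and configuration
+## User Account Control settings list
+The following table lists the available settings to configure the UAC behavior, and their default values.
+|Setting name| Description|
+|-|-|
+|Run all administrators in Admin Approval Mode|Controls the behavior of all UAC policy settings.<br><br>**Enabled (default)**: Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.<br>**Disabled**: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Windows Security app notifies you that the overall security of the operating system has been reduced.|
+|Admin Approval Mode for the Built-in Administrator account|Controls the behavior of Admin Approval Mode for the built-in Administrator account.<br><br>**Enabled**: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege prompts the user to approve the operation.<br>**Disabled (default)** : The built-in Administrator account runs all applications with full administrative privilege.|
+|Switch to the secure desktop when prompting for elevation|This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.<br><br>**Enabled (default)**: All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.<br>**Disabled**: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.|
+|Behavior of the elevation prompt for administrators in Admin Approval Mode|Controls the behavior of the elevation prompt for administrators.<br><br>**Elevate without prompting**: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. **Use this option only in the most constrained environments**.<br>**Prompt for credentials on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.<br>**Prompt for consent on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.<br>**Prompt for credentials**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Prompt for consent**: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.<br>**Prompt for consent for non-Windows binaries (default)**: When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.|
+|Behavior of the elevation prompt for standard users|Controls the behavior of the elevation prompt for standard users.<br><br>**Prompt for credentials (default)**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Automatically deny elevation requests**: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.<br>**Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.|
+|Detect application installations and prompt for elevation|Controls the behavior of application installation detection for the computer.<br><br>**Enabled (default)**: When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Disabled**: App installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Microsoft Intune, should disable this policy setting. In this case, installer detection is unnecessary. |
+|Only elevate executables that are signed and validated|Enforces signature checks for any interactive applications that request elevation of privilege. IT admins can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local devices.<br><br>**Enabled**: Enforces the certificate certification path validation for a given executable file before it's permitted to run.<br>**Disabled (default)**: Doesn't enforce the certificate certification path validation before a given executable file is permitted to run.|
+|Only elevate UIAccess applications that are installed in secure locations|Controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following folders:<br>- `%ProgramFiles%`, including subfolders<br>- `%SystemRoot%\system32\`<br>- `%ProgramFiles(x86)%`, including subfolders<br><br><br>**Enabled (default)**: If an app resides in a secure location in the file system, it runs only with UIAccess integrity.<br>**Disabled**: An app runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.<br><br>**Note:** Windows enforces a digital signature check on any interactive apps that requests to run with a UIAccess integrity level regardless of the state of this setting.|
+|Allow UIAccess applications to prompt for elevation without using the secure desktop|Controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.<br><br>**Enabled**: UIA programs, including Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the **Switch to the secure desktop when prompting for elevation** policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. This setting allows the remote administrator to provide the appropriate credentials for elevation. This policy setting doesn't change the behavior of the UAC elevation prompt for administrators. If you plan to enable this policy setting, you should also review the effect of the **Behavior of the elevation prompt for standard users** policy setting: if it's' configured as **Automatically deny elevation requests**, elevation requests aren't presented to the user.<br>**Disabled (default)**: The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **Switch to the secure desktop when prompting for elevation** policy setting.|
+|Virtualize File And Registry Write Failures To Per User Locations|Controls whether application write failures are redirected to defined registry and file system locations. This setting mitigates applications that run as administrator and write run-time application data to `%ProgramFiles%`, `%Windir%`, `%Windir%\system32`, or `HKLM\Software`.<br><br>**Enabled (default)**: App write failures are redirected at run time to defined user locations for both the file system and registry.<br>**Disabled**: Apps that write data to protected locations fail.|
+## User Account Control configuration
+To configure UAC, you can use:
+- Microsoft Intune/MDM
+- Group policy
+- Registry
+The following instructions provide details how to configure your devices. Select the option that best suits your needs.
+#### [:::image type="icon" source="../../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune)
+### Configure UAC with a Settings catalog policy
+To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-2], and use the settings listed under the category **`Local Policies Security Options`**:
+:::image type="content" source="./images/uac-settings-catalog.png" alt-text="Screenshot that shows the UAC policies in the Intune settings catalog." lightbox="./images/uac-settings-catalog.png" border="True":::
+Assign the policy to a security group that contains as members the devices or users that you want to configure.
+Alternatively, you can configure devices using a [custom policy][MEM-1] with the [LocalPoliciesSecurityOptions Policy CSP][WIN-1].\
+The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions`.
+|Setting|
+| - |
+| **Setting name**: Run all administrators in Admin Approval Mode<br>**Policy CSP name**: `UserAccountControl_RunAllAdministratorsInAdminApprovalMode`|
+| **Setting name**: Admin Approval Mode for the built-in Administrator account<br>**Policy CSP name**: `UserAccountControl_UseAdminApprovalMode`|
+| **Setting name**: Switch to the secure desktop when prompting for elevation<br>**Policy CSP name**: `UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation`|
+| **Setting name**: Behavior of the elevation prompt for administrators in Admin Approval Mode<br>**Policy CSP name**: `UserAccountControl_BehaviorOfTheElevationPromptForAdministrators`|
+| **Setting name**: Behavior of the elevation prompt for standard users<br>**Policy CSP name**: `UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers`|
+| **Setting name**: Detect application installations and prompt for elevation<br>**Policy CSP name**: `UserAccountControl_DetectApplicationInstallationsAndPromptForElevation`|
+| **Setting name**: Only elevate executables that are signed and validated<br>**Policy CSP name**: `UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated`|
+| **Setting name**: Only elevate UIAccess applications that are installed in secure locations<br>**Policy CSP name**: `UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations`|
+| **Setting name**: Allow UIAccess applications to prompt for elevation without using the secure desktop<br>**Policy CSP name**: `UserAccountControl_AllowUIAccessApplicationsToPromptForElevation`|
+| **Setting name**: Virtualize file and registry write failures to per-user locations<br>**Policy CSP name**: `UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations`|
+#### [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+You can use security policies to configure how User Account Control works in your organization. The policies can be configured locally by using the Local Security Policy snap-in (`secpol.msc`) or configured for the domain, OU, or specific groups by group policy.
+The policy settings are located under: `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options`.
+| Group Policy setting |Default value|
+| - | - |
+|User Account Control: Run all administrators in Admin Approval Mode| Enabled |
+|User Account Control: Admin Approval Mode for the built-in Administrator account| Disabled |
+|User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
+|User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode| Prompt for consent for non-Windows binaries |
+|User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials |
+|User Account Control: Detect application installations and prompt for elevation| Enabled (default for home only)<br />Disabled (default) |
+|User Account Control: Only elevate executables that are signed and validated| Disabled |
+|User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
+|User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop| Disabled |
+|User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
+#### [:::image type="icon" source="../../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+The registry keys are found under the key: `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`.
+| Setting name | Registry key name | Value |
+| - | - | - |
+| Run all administrators in Admin Approval Mode | `EnableLUA` | 0 = Disabled<br>1 (Default) = Enabled |
+| Admin Approval Mode for the built-in Administrator account | `FilterAdministratorToken` | 0 (Default) = Disabled<br>1 = Enabled |
+| Switch to the secure desktop when prompting for elevation| `PromptOnSecureDesktop` | 0 = Disabled<br>1 (Default) = Enabled |
+| Behavior of the elevation prompt for administrators in Admin Approval Mode| `ConsentPromptBehaviorAdmin` | 0 = Elevate without prompting<br>1 = Prompt for credentials on the secure desktop<br>2 = Prompt for consent on the secure desktop<br>3 = Prompt for credentials<br>4 = Prompt for consent<br>5 (Default) = Prompt for consent for non-Windows binaries|
+| Behavior of the elevation prompt for standard users | `ConsentPromptBehaviorUser` | 0 = Automatically deny elevation requests<br>1 = Prompt for credentials on the secure desktop<br>3 (Default) = Prompt for credentials |
+| Detect application installations and prompt for elevation | `EnableInstallerDetection` | 1 = Enabled (default for home only)<br>0 = Disabled (default) |
+| Only elevate executables that are signed and validated | `ValidateAdminCodeSignatures` | 0 (Default) = Disabled<br>1 = Enabled |
+| Only elevate UIAccess applications that are installed in secure locations | `EnableSecureUIAPaths` | 0 = Disabled<br>1 (Default) = Enabled |
+| Allow UIAccess applications to prompt for elevation without using the secure desktop | `EnableUIADesktopToggle` | 0 (Default) = Disabled<br>1 = Enabled |
+| Virtualize file and registry write failures to per-user locations | `EnableVirtualization` | 0 = Disabled<br>1 (Default) = Enabled |
+[WIN-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions
+[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
+[MEM-2]: /mem/intune/configuration/settings-catalog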


@ -19,8 +19,6 @@ The following table summarizes the Windows security features and capabilities fo
| Security Measures | Features & Capabilities |
|:---|:---|
| Windows Defender Application Control | Application control is one of the most effective security controls to prevent unwanted or malicious code from running. It moves away from an application trust model where all code is assumed trustworthy to one where apps must earn trust to run. Learn more: [Application Control for Windows](threat-protection/windows-defender-application-control/windows-defender-application-control.md) |
| Microsoft Defender Application Guard | Application Guard uses chip-based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running untrusted websites and files in an isolated Hyper-V-based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md). |
| Windows Sandbox | Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Learn more: [Windows Sandbox](application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md) |
| Email Security | With Windows S/MIME email security, users can encrypt outgoing messages and attachments, so only intended recipients with digital identification (ID)—also called a certificate—can read them. Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with.[Configure S/MIME for Windows 10](identity-protection/configure-s-mime.md) |
| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. Learn more: [Microsoft Defender SmartScreen overview](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen) |
| Windows Defender Application Control | Application control is one of the most effective security controls to prevent unwanted or malicious code from running. It moves away from an application trust model where all code is assumed trustworthy to one where apps must earn trust to run. Learn more: [Application Control for Windows](../threat-protection/windows-defender-application-control/windows-defender-application-control.md) |
| Microsoft Defender Application Guard | Application Guard uses chip-based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running untrusted websites and files in an isolated Hyper-V-based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](../threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md). |
| Windows Sandbox | Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Learn more: [Windows Sandbox](../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md) |


@ -1,6 +1,6 @@
items:
- name: Overview
href: ../apps.md
href: index.md
- name: Application Control
href: application-control/toc.yml
- name: Application Isolation


@ -1,6 +1,4 @@
items:
- name: Overview
href: ../cloud.md
- name: Join Active Directory and Azure AD with single sign-on (SSO) 🔗
href: /azure/active-directory/devices/concept-azure-ad-join
- name: Security baselines with Intune 🔗


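--- a/<path-not-shown-on-page>/cloud.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-title: Windows and cloud security
-description: Get an overview of cloud services supported in Windows 11 and Windows 10
-ms.reviewer:
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 09/20/2021
-ms.localizationpriority: medium
-ms.custom:
-search.appverid: MET150
-ms.prod: windows-client
-ms.technology: itpro-security
----
-# Windows and cloud security
-Today's workforce has more freedom and mobility than ever before. With the growth of enterprise cloud adoption, increased personal app usage, and increased use of third-party apps, the risk of data exposure is at its highest. Enabling Zero-Trust protection, Windows 11 works with Microsoft cloud services. Windows and cloud services together help organizations strengthen their multi-cloud security infrastructure, protect hybrid cloud workloads, and safeguard sensitive information while controlling access and mitigating threats.
-Windows 11 includes the cloud services that are listed in the following table:<br/><br/>
-| Service type | Description |
-|:---|:---|
-| Mobile device management (MDM) and Microsoft Intune | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.<br/><br/>Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.<br/><br/>To learn more, see [Mobile device management](/windows/client-management/mdm/). |
-| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices. <br/><br/>The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards. <br/><br/>To learn more, see [Microsoft Accounts](/windows-server/identity/ad-ds/manage/understand-microsoft-accounts).|
-| OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data. <br/><br/>The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4). <br/><br/>If there's a ransomware attack, OneDrive can enable recovery. And if youve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). |
-| Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.<br/><br/>With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.<br/><br/>To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) |
-## Next steps
-- [Learn more about MDM and Windows 11](/windows/client-management/mdm/)
-- [Learn more about Windows security](index.yml)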


@ -53,6 +53,7 @@
"folder_relative_path_in_docset": "./"
}
},
"titleSuffix": "Windows Security",
"contributors_to_exclude": [
"rjagiewich",
"traya1",
@ -71,13 +72,15 @@
]
},
"fileMetadata": {
"author": {
"author":{
"application-security/application-control/user-account-control/*.md": "paolomatarazzo",
"application-security/application-isolation/windows-sandbox/**/*.md": "vinaypamnani-msft",
"identity-protection/**/*.md": "paolomatarazzo",
"operating-system-security/network-security/**/*.md": "paolomatarazzo",
"operating-system-security/network-security/windows-firewall/**/*.md": "ngangulyms"
},
"ms.author": {
"ms.author":{
"application-security/application-control/user-account-control/*.md": "paoloma",
"application-security/application-isolation/windows-sandbox/**/*.md": "vinpa",
"identity-protection/**/*.md": "paoloma",
"operating-system-security/network-security/**/*.md": "paoloma",
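Review bot: The rewritten `"author":{` and `"ms.author":{` lines drop the space after the colon that every other key in this file keeps (`"titleSuffix": "Windows Security"`, `"folder_relative_path_in_docset": "./"`), assuming the second line of each printed pair is the new side. Restoring `"author": {` and `"ms.author": {` keeps the formatting uniform and avoids a whitespace-only churn on the next formatter pass. The new `application-security/application-control/user-account-control/*.md` globs use a single `*` where the neighbouring entries use `**/*.md`; if that directory ever gains pages in subfolders they would silently fall back to the docset default author, so confirm the single-level match is intended. The enclosing `fileMetadata` object continues past the hunk.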


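--- a/<path-not-shown-on-page>/configure-s-mime.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-title: Configure S/MIME for Windows
-description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them.
-ms.topic: article
-ms.date: 07/27/2017
----
-# Configure S/MIME for Windows
-S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with.
-## About message encryption
-Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys.
-Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipients whose encryption certificate is not available, the app will prompt you to remove these recipients before sending the email.
-## About digital signatures
-A digitally signed message reassures the recipient that the message hasn't been tampered with and verifies the identity of the sender. Recipients can only verify the digital signature if they're using an email client that supports S/MIME.
-[!INCLUDE [email-encryption-smime](../../../includes/licensing/email-encryption-smime.md)]
-## Prerequisites
-- [S/MIME is enabled for Exchange accounts](/microsoft-365/security/office-365-security/s-mime-for-message-signing-and-encryption) (on-premises and Office 365). Users can't use S/MIME signing and encryption with a personal account such as Outlook.com.
-- Valid Personal Information Exchange (PFX) certificates are installed on the device.
-- [How to Create PFX Certificate Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/mt131410(v=technet.10))
-- [Enable access to company resources using certificate profiles with Microsoft Intune](/mem/intune/protect/certificates-configure)
-## Choose S/MIME settings
-On the device, perform the following steps: (add select certificate)
-1. Open the Mail app.
-2. Open **Settings** by tapping the gear icon on a PC, or the ellipsis (...) and then the gear icon on a phone.
-:::image type="content" alt-text="settings icon in mail app." source="images/mailsettings.png":::
-3. Tap **Email security**.
-:::image type="content" alt-text="email security settings." source="images/emailsecurity.png":::
-4. In **Select an account**, select the account for which you want to configure S/MIME options.
-5. Make a certificate selection for digital signature and encryption.
-- Select **Automatically** to let the app choose the certificate.
-- Select **Manually** to specify the certificate yourself from the list of valid certificates on the device.
-6. (Optional) Select **Always sign with S/MIME**, **Always encrypt with S/MIME**, or both, to automatically digitally sign or encrypt all outgoing messages.
-> [!NOTE]
-> The option to sign or encrypt can be changed for individual messages, unless EAS policies prevent it.
- 
-7. Tap the back arrow.
-## Encrypt or sign individual messages
-1. While composing a message, choose **Options** from the ribbon. On phone, **Options** can be accessed by tapping the ellipsis (...).
-2. Use **Sign** and **Encrypt** icons to turn on digital signature and encryption for this message.
-:::image type="content" alt-text="sign or encrypt message." source="images/signencrypt.png":::
-## Read signed or encrypted messages
-When you receive an encrypted message, the mail app will check whether there is a certificate available on your computer. If there is a certificate available, the message will be decrypted when you open it. If your certificate is stored on a smartcard, you will be prompted to insert the smartcard to read the message. Your smartcard may also require a PIN to access the certificate.
-## Install certificates from a received message
-When you receive a signed email, the app provides a feature to install corresponding encryption certificate on your device if the certificate is available. This certificate can then be used to send encrypted email to this person.
-1. Open a signed email.
-2. Tap or click the digital signature icon in the reading pane.
-3. Tap **Install.**
-:::image type="content" alt-text="message security information." source="images/installcert.png":::
- 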


@ -1,24 +1,24 @@
---
title: Enterprise Certificate Pinning
description: Enterprise certificate pinning is a Windows feature for remembering; or pinning a root issuing certificate authority, or end entity certificate to a given domain name.
title: Enterprise certificate pinning
description: Enterprise certificate pinning is a Windows feature for remembering, or pinning, a root issuing certificate authority, or end-entity certificate to a domain name.
ms.topic: conceptual
ms.date: 07/27/2017
ms.date: 05/24/2023
---
# Enterprise Certificate Pinning
# Enterprise certificate pinning overview
Enterprise certificate pinning is a Windows feature for remembering, or pinning a root issuing certificate authority or end entity certificate to a given domain name.
Enterprise certificate pinning helps reduce man-in-the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates.
Enterprise certificate pinning is a Windows feature for remembering (pinning), a root issuing certificate authority, or end-entity certificate, to a domain name.\
The feature helps to reduce man-in-the-middle attacks by protecting internal domain names from chaining to unwanted or fraudulently issued certificates.
> [!NOTE]
> External domain names, where the certificate issued to these domains is issued by a public certificate authority, are not ideal for enterprise certificate pinning.
Windows Certificate APIs (CertVerifyCertificateChainPolicy and WinVerifyTrust) are updated to check if the site's chain that authenticates servers matches a restricted set of certificates.
These restrictions are encapsulated in a Pin Rules Certificate Trust List (CTL) that is configured and deployed to Windows 10 computers.
Any site certificate that triggers a name mismatch causes Windows to write an event to the CAPI2 event log and prevents the user from navigating to the web site using Microsoft Edge or Internet Explorer.
Windows Certificate APIs (*CertVerifyCertificateChainPolicy* and *WinVerifyTrust*) are updated to check if the site's chain that authenticates servers matches a restricted set of certificates.\
The restrictions are encapsulated in a *Pin Rules Certificate Trust List (CTL)* that is configured and deployed to Windows devices.\
Any site certificates that trigger a name mismatch causes Windows to write an event to the *CAPI2 event log*, and prevents the user from browsing the web site.
> [!NOTE]
> Enterprise Certificate Pinning feature triggering doesn't cause clients other than Microsoft Edge or Internet Explorer to block the connection.
> Enterprise Certificate Pinning feature triggering doesn't cause clients other than Microsoft Edge to block the connection.
## Deployment
@ -27,14 +27,14 @@ To deploy enterprise certificate pinning, you need to:
- Create a well-formatted certificate pinning rule XML file
- Create a pin rules certificate trust list file from the XML file
- Apply the pin rules certificate trust list file to a reference administrative computer
- Deploy the registry configuration on the reference computer using Group Policy Management Console (GPMC), which is included in the [Remote Server Administration Tools (RSAT)](https://www.microsoft.com/download/details.aspx?id=45520).
- Deploy the registry configuration on the reference computer via group policy
### Create a Pin Rules XML file
### Create a pin rules XML file
The XML-based pin rules file consists of a sequence of PinRule elements.
The XML-based pin rules file consists of a sequence of PinRule elements.
Each PinRule element contains a sequence of one or more Site elements and a sequence of zero or more Certificate elements.
```code
```xml
<PinRules ListIdentifier="PinRulesExample" Duration="P28D">
<PinRule Name="AllCertificateAttributes" Error="None" Log="true">
@ -58,28 +58,28 @@ Each PinRule element contains a sequence of one or more Site elements and a sequ
</PinRules>
```
#### PinRules Element
#### PinRules element
The PinRules element can have the following attributes.
For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml) or [Representing a Duration in XML](#representing-a-duration-in-xml).
The PinRules element can have the following attributes.
For help with formatting Pin Rules, see [Represent a date in XML](#represent-a-date-in-xml) or [Represent a duration in XML](#represent-a-duration-in-xml).
| Attribute | Description | Required |
|-----------|-------------|----------|
| **Duration** or **NextUpdate** | Specifies when the Pin Rules will expire. Either is required. **NextUpdate** takes precedence if both are specified. <br> **Duration**, represented as an XML TimeSpan data type, doesn't allow years and months. You represent the **NextUpdate** attribute as an XML DateTime data type in UTC. | **Required?** Yes. At least one is required. |
| **Duration** or **NextUpdate** | Specifies when the Pin Rules expires. Either is required. **NextUpdate** takes precedence if both are specified. <br> **Duration**, represented as an XML TimeSpan data type, doesn't allow years and months. You represent the **NextUpdate** attribute as an XML DateTime data type in UTC. | **Required?** Yes. At least one is required. |
| **LogDuration** or **LogEndDate** | Configures auditing only to extend beyond the expiration of enforcing the Pin Rules. <br> **LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified. <br> You represent **LogDuration** as an XML TimeSpan data type, which doesn't allow years and months. <br> If `none of the attributes are specified, auditing expiration uses **Duration** or **NextUpdate** attributes. | No. |
| **ListIdentifier** | Provides a friendly name for the list of pin rules. Windows doesn't use this attribute for certificate pinning enforcement; however, it's included when the pin rules are converted to a certificate trust list (CTL). | No. |
#### PinRule Element
#### PinRule element
The **PinRule** element can have the following attributes.
The **PinRule** element can have the following attributes.
| Attribute | Description | Required |
|-----------|-------------|----------|
| **Name** | Uniquely identifies the **PinRule**. Windows uses this attribute to identify the element for a parsing error or for verbose output. The attribute isn't included in the generated certificate trust list (CTL). | Yes.|
| **Error** | Describes the action Windows performs when it encounters a PIN mismatch. You can choose from the following string values: <br>- **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site. <br>- **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate doesn't match the name of the site. This typically results in prompting the user before accessing the site. <br>- **None** - The default value. No error is returned. You can use this setting to audit the pin rules without introducing any user friction. | No. |
| **Name** | Uniquely identifies the **PinRule**. Windows uses the attribute to identify the element for a parsing error or for verbose output. The attribute isn't included in the generated certificate trust list (CTL). | Yes.|
| **Error** | Describes the action Windows performs when it encounters a PIN mismatch. You can choose from the following string values: <br>- **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site. <br>- **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate doesn't match the name of the site. This typically results in prompting the user before accessing the site. <br>- **None** - The default value. No error is returned. You can use the setting to audit the pin rules without introducing any user friction. | No. |
| **Log** | A Boolean value represents a string that equals **true** or **false**. By default, logging is enabled (**true**). | No. |
#### Certificate element
#### Certificate element
The **Certificate** element can have the following attributes.
@ -88,7 +88,7 @@ The **Certificate** element can have the following attributes.
| **File** | Path to a file containing one or more certificates. Where the certificate(s) can be encoded as: <br>- single certificate <br>- p7b <br>- sst <br> These files can also be Base64 formatted. All **Site** elements included in the same **PinRule** element can match any of these certificates. | Yes (File, Directory, or Base64 must be present). |
| **Directory** | Path to a directory containing one or more of the above certificate files. Skips any files not containing any certificates. | Yes (File, Directory, or Base64 must be present). |
| **Base64** | Base64 encoded certificate(s). Where the certificate(s) can be encoded as: <br>- single certificate <br>- p7b <br> - sst <br> This allows the certificates to be included in the XML file without a file directory dependency. <br> Note: <br> You can use **certutil -encode** to convert a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. | Yes (File, Directory, or Base64 must be present). |
| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule. <br>If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element's certificates.<br> If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and excludes the certificate(s) from the Pin Rule in the generated CTL.<br> For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).| No.|
| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule. <br>If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element's certificates.<br> If the current time is past the **EndDate**, when creating the certificate trust list (CTL) the parser outputs a warning message and excludes the certificate(s) from the Pin Rule in the generated CTL.<br> For help with formatting Pin Rules, see [Represent a date in XML](#represent-a-date-in-xml).| No.|
#### Site element
@ -96,15 +96,15 @@ The **Site** element can have the following attributes.
| Attribute | Description | Required |
|-----------|-------------|----------|
| **Domain** | Contains the DNS name to be matched for this pin rule. When creating the certificate trust list, the parser normalizes the input name string value as follows: <br>- If the DNS name has a leading "*", it's removed. <br>- Non-ASCII DNS name is converted to ASCII Puny Code. <br>- Upper case ASCII characters are converted to lower case. <br>If the normalized name has a leading ".", then wildcard left-hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.|
| **Domain** | Contains the DNS name to be matched for this pin rule. When you create the certificate trust list, the parser normalizes the input name string value as follows: <br>- If the DNS name has a leading "*", it's removed. <br>- Non-ASCII DNS name is converted to ASCII Puny Code. <br>- Upper case ASCII characters are converted to lower case. <br>If the normalized name has a leading ".", then wildcard left-hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.|
| **AllSubdomains** | By default, wildcard left-hand label matching is restricted to a single left-hand label. This attribute can be set to "true" to enable wildcard matching of all of the left-hand labels.<br>For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value.| No.|
### Create a Pin Rules Certificate Trust List
### Create a pin rules certificate trust list
The command line utility, **Certutil.exe**, includes the **generatePinRulesCTL** argument to parse the XML file and generate the encoded certificate trust list (CTL) that you add to your reference Windows 10 version 1703 computer and subsequently deploy.
The usage syntax is:
The *Certutil.exe* command includes the *generatePinRulesCTL* argument. The argument parses the XML file and generates the encoded certificate trust list (CTL) that you add to your reference Windows device and then deploy.
The syntax is:
```code
```cmd
CertUtil [Options] -generatePinRulesCTL XMLFile CTLFile [SSTFile]
Generate Pin Rules CTL
XMLFile -- input XML file to be parsed.
@ -118,40 +118,42 @@ Options:
-v -- Verbose operation
```
The same certificate(s) can occur in multiple **PinRule** elements.
The same domain can occur in multiple **PinRule** elements.
Certutil coalesces these in the resultant pin rules certificate trust list.
- The same certificate(s) can occur in multiple **PinRule** elements
- The same domain can occur in multiple **PinRule** elements
- Certutil coalesces these in the resultant pin rules certificate trust list
- Certutil.exe doesn't strictly enforce the XML schema definition
Certutil.exe doesn't strictly enforce the XML schema definition.
It does perform the following to enable other tools to add/consume their own specific elements and attributes:
Certutil performs the following to enable other tools to add/consume their own specific elements and attributes:
- Skips elements before and after the **PinRules** element.
- Skips any element not matching **Certificate** or **Site** within the **PinRules** element.
- Skips any attributes not matching the above names for each element type.
- Skips elements before and after the **PinRules** element
- Skips any element not matching **Certificate** or **Site** within the **PinRules** element
- Skips any attributes not matching the above names for each element type
Use the **certutil** command with the **generatePinRulesCTL** argument along with your XML file that contains your certificate pinning rules.
Use the *certutil* command with the *generatePinRulesCTL* argument along with your XML file that contains your certificate pinning rules.
Lastly, provide the name of an output file that will include your certificate pinning rules in the form of a certificate trust list.
```code
```cmd
certutil -generatePinRulesCTL certPinRules.xml pinrules.stl
```
### Applying Certificate Pinning Rules to a Reference Computer
### Apply certificate pinning rules to a reference computer
Now that your certificate pinning rules are in the certificate trust list format, you need to apply the settings to a reference computer as a prerequisite to deploying the setting to your enterprise.
To simplify the deployment configuration, it's best to apply your certificate pinning rules to a computer that has the Group Policy Management Console (GPMC) included in the Remote Server Administration Tools (RSAT).
Use **certutil.exe** to apply your certificate pinning rules to your reference computer using the **setreg** argument.
The **setreg** argument takes a secondary argument that determines the location of where certutil writes the certificate pining rules.
This secondary argument is **chain\PinRules**.
The last argument you provide is the name of file that contains your certificate pinning rules in certificate trust list format (.stl).
You'll pass the name of the file as the last argument; however, you need to prefix the file name with the '@' symbol as shown in the following example.
You need to perform this command from an elevated command prompt.
Use *certutil.exe* to apply your certificate pinning rules to your reference computer using the *setreg* argument.\
The *setreg* argument takes a secondary argument that determines the location of where certutil writes the certificate pining rules.\
The secondary argument is *chain\PinRules*.\
The last argument you provide is the name of file that contains your certificate pinning rules in certificate trust list format (`.stl`).\
You pass the name of the file as the last argument. You must prefix the file name with the `@` symbol as in the following example:
```code
```cmd
Certutil -setreg chain\PinRules @pinrules.stl
```
> [!NOTE]
> You must execute the command from an elevated command prompt.
Certutil writes the binary information to the following registration location:
| Name | Value |
@ -163,39 +165,39 @@ Certutil writes the binary information to the following registration location:
![Registry binary information.](images/enterprise-pinning-registry-binary-information.png)
### Deploying Enterprise Pin Rule Settings using Group Policy
### Deploy enterprise pin rule settings using group policy
You've successfully created a certificate pinning rules XML file.
From the XML file you've created a certificate pinning trust list file, and you've applied the contents of that file to your reference computer from which you can run the Group Policy Management Console.
Now you need to configure a Group Policy object to include the applied certificate pin rule settings and deploy it to your environment.
From the XML file, you've created a certificate pinning trust list file. Then, you've applied the content of the file to your reference device from which you can run the Group Policy Management Console.
The next step consists of configuring a group policy object that includes the applied certificate pin rule settings, and deploy it in your environment.
Sign-in to the reference computer using domain administrator equivalent credentials.
1. Start the **Group Policy Management Console** (gpmc.msc)
2. In the navigation pane, expand the forest node and then expand the domain node.
3. Expand the node that contains your Active Directory's domain name
4. Select the **Group Policy objects** node. Right-click the **Group Policy objects** node and click **New**.
5. In the **New GPO** dialog box, type _Enterprise Certificate Pinning Rules_ in the **Name** text box and click **OK**.
6. In the content pane, right-click the **Enterprise Certificate Pinning Rules** Group Policy object and click **Edit**.
7. In the **Group Policy Management Editor**, in the navigation pane, expand the **Preferences** node under **Computer Configuration**. Expand **Windows Settings**.
8. Right-click the **Registry** node and click **New**.
9. In the **New Registry Properties** dialog box, select **Update** from the **Action** list. Select **HKEY_LOCAL_MACHINE** from the **Hive** list.
10. For the **Key Path**, click **…** to launch the **Registry Item Browser**. Navigate to the following registry key and select the **PinRules** registry value name:
1. Start the **Group Policy Management Console** (gpmc.msc)
1. In the navigation pane, expand the forest node and then expand the domain node
1. Expand the node that contains your Active Directory's domain name
1. Select the **Group Policy objects** node. Right-click the **Group Policy objects** node and select **New**
1. In the **New GPO** dialog box, type _Enterprise Certificate Pinning Rules_ in the **Name** text box and select **OK**
1. In the content pane, right-click the **Enterprise Certificate Pinning Rules** Group Policy object and select **Edit**
1. In the **Group Policy Management Editor**, in the navigation pane, expand the **Preferences** node under **Computer Configuration**. Expand **Windows Settings**
1. Right-click the **Registry** node and select **New**
1. In the **New Registry Properties** dialog box, select **Update** from the **Action** list. Select **HKEY_LOCAL_MACHINE** from the **Hive** list
1. For the **Key Path**, select **…** to launch the **Registry Item Browser**. Navigate to the following registry key and select the **PinRules** registry value name:
HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config
`HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config`
Click **Select** to close the **Registry Item Browser**.
Select **Select** to close the **Registry Item Browser**
11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REG\_BINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box.
1. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REG\_BINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Select **OK** to save your settings and close the dialog box
![PinRules Properties.](images/enterprise-certificate-pinning-pinrules-properties.png)
![PinRules Properties.](images/enterprise-certificate-pinning-pinrules-properties.png)
12. Close the **Group Policy Management Editor** to save your settings.
13. Link the **Enterprise Certificate Pinning Rules** Group Policy object to apply to computers that run Windows 10, version 1703 in your enterprise. When these domain-joined computers apply Group Policy, the registry information configured in the Group Policy object is applied to the computer.
1. Close the **Group Policy Management Editor** to save your settings
1. Link the **Enterprise Certificate Pinning Rules** GPO to the OU containing the devices that you want to configure
## Additional Pin Rules Logging
## Additional pin rules logging
To assist in constructing certificate pinning rules, you can configure the **PinRulesLogDir** setting under the certificate chain configuration registry key to include a parent directory to log pin rules.
To help constructing certificate pinning rules, you can configure the **PinRulesLogDir** setting under the certificate chain configuration registry key to include a parent directory to log pin rules.
| Name | Value |
|------|-------|
@ -204,12 +206,12 @@ To assist in constructing certificate pinning rules, you can configure the **Pin
| Value | The Parent directory where Windows should write the additional pin rule logs |
| Data type | REG_SZ |
### Permission for the Pin Rule Log Folder
### Permission for the pin rule log folder
The folder in which Windows writes the additional pin rule logs must have permissions so that all users and applications have full access.
You can run the following commands from an elevated command prompt to achieve the proper permissions.
The folder in which Windows writes the additional pin rule logs must have permissions so that all users and applications have full access.
You can run the following commands from an elevated command prompt to achieve the proper permissions.
```code
```cmd
set PinRulesLogDir=c:\PinRulesLog
mkdir %PinRulesLogDir%
icacls %PinRulesLogDir% /grant *S-1-15-2-1:(OI)(CI)(F)
@ -218,64 +220,61 @@ icacls %PinRulesLogDir% /grant *S-1-5-12:(OI)(CI)(F)
icacls %PinRulesLogDir% /inheritance:e /setintegritylevel (OI)(CI)L
```
Whenever an application verifies a TLS/SSL certificate chain that contains a server name matching a DNS name in the server certificate, Windows writes a .p7b file consisting of all the certificates in the server's chain to one of three child folders:
When an application verifies a TLS/SSL certificate chain that contains a server name matching a DNS name in the server certificate, Windows writes a .p7b file consisting of all the certificates in the server's chain to one of three child folders:
- AdminPinRules
Matched a site in the enterprise certificate pinning rules.
- AutoUpdatePinRules
Matched a site in the certificate pinning rules managed by Microsoft.
- NoPinRules
Didn't match any site in the certificate pin rules.
- `AdminPinRules`: Matched a site in the enterprise certificate pinning rules
- `AutoUpdatePinRules`: Matched a site in the certificate pinning rules managed by Microsoft
- `NoPinRules`: Didn't match any site in the certificate pin rules
The output file name consists of the leading eight ASCII hex digits of the root's SHA1 thumbprint followed by the server name.
The output file name consists of the leading eight ASCII hex digits of the root's SHA1 thumbprint followed by the server name.
For example:
- `D4DE20D0_xsi.outlook.com.p7b`
- `DE28F4A4_www.yammer.com.p7b`
If there's either an enterprise certificate pin rule or a Microsoft certificate pin rule mismatch, then Windows writes the .p7b file to the **MismatchPinRules** child folder.
If there's either an enterprise certificate pin rule or a Microsoft certificate pin rule mismatch, then Windows writes the .p7b file to the **MismatchPinRules** child folder.
If the pin rules have expired, then Windows writes the .p7b to the **ExpiredPinRules** child folder.
## Representing a Date in XML
## Represent a date in XML
Many attributes within the pin rules xml file are dates.
These dates must be properly formatted and represented in UTC.
You can use Windows PowerShell to format these dates.
You can then copy and paste the output of the cmdlet into the XML file.
Many attributes within the pin rules xml file are dates.\
These dates must be properly formatted and represented in UTC.\
You can use Windows PowerShell to format these dates.\
You can then copy and paste the output of the cmdlet into the XML file.
![Representing a date.](images/enterprise-certificate-pinning-representing-a-date.png)
For simplicity, you can truncate decimal point (.) and the numbers after it.
However, be certain to append the uppercase "Z" to the end of the XML date string.
```code
```cmd
2015-05-11T07:00:00.2655691Z
2015-05-11T07:00:00Z
```
## Converting an XML Date
## Convert an XML date
You can also use Windows PowerShell to validate and convert an XML date into a human readable date to validate it's the correct date.
![Converting an XML date.](images/enterprise-certificate-pinning-converting-an-xml-date.png)
## Representing a Duration in XML
## Represent a duration in XML
Some elements may be configured to use a duration rather than a date.
You must represent the duration as an XML timespan data type.
Some elements may be configured to use a duration rather than a date.
You must represent the duration as an XML timespan data type.
You can use Windows PowerShell to properly format and validate durations (timespans) and copy and paste them into your XML file.
![Representing a duration.](images/enterprise-certificate-pinning-representing-a-duration.png)
## Converting an XML Duration
## Convert an XML duration
You can convert an XML formatted timespan into a timespan variable that you can read.
![Converting an XML duration.](images/enterprise-certificate-pinning-converting-a-duration.png)
## Certificate Trust List XML Schema Definition (XSD)
## Certificate trust list XML schema definition (XSD)
```code
```xml
<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="PinRules">
<xs:complexType>
@ -329,12 +328,3 @@ You can convert an XML formatted timespan into a timespan variable that you can
</xs:element>
</xs:schema>
```

@ -2,7 +2,7 @@
title: Identity and access management
description: Learn more about identity and access protection technologies in Windows.
ms.topic: article
ms.date: 02/05/2018
ms.date: 05/31/2023
---
# Identity and access management
@ -13,15 +13,14 @@ Learn more about identity and access management technologies in Windows.
| Section | Description |
|-|-|
| [Local Administrator Password Solution](/defender-for-identity/cas-isp-laps) | Local Administrator Password Solution (LAPS) provides management of local account passwords of domain-joined computers. Passwords are stored in Azure Active Directory (Azure AD) and protected by an access control list (ACL), so only eligible users can read them or request a reset.
| [Windows Hello for Business](hello-for-business/index.yml) | Windows Hello replaces passwords with strong two-factor authentication on client devices. The authentication consists of a type of user credential that is tied to a device and a biometric or PIN. |
| [Windows Local Administrator Password Solution (LAPS)](/windows-server/identity/laps/laps-overview) | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices.
| [Technical support policy for lost or forgotten passwords](password-support-policy.md)| Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so. |
| [Access control](access-control/access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
| [Configure S/MIME for Windows 10](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
| [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard helps prevent these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |
| [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) | Credential Guard uses Virtualization-based security (VBS) to isolate secrets so that only privileged system software can access them. Unauthorized access to the secrets can lead to credential theft attacks, such as *pass the hash* or *pass the ticket*. Credential Guard helps prevent such attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |
| [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. |
| [User Account Control](user-account-control/user-account-control-overview.md)| Provides information about User Account Control (UAC), which helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. UAC can help block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.|
| [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. |
| [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
| [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
| [Windows Hello for Business](hello-for-business/index.yml) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on client devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
| [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. |
| [User Account Control](../application-security/application-control/user-account-control/index.md)| Provides information about User Account Control (UAC), which helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. UAC can help block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.|
| [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references articles about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
| [Windows Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows. |
| [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. |
| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. Learn more: [Microsoft Defender SmartScreen overview](../threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) |

@ -22,28 +22,28 @@ items:
displayName: VSC
- name: Enterprise Certificate Pinning
href: enterprise-certificate-pinning.md
- name: Account Lockout Policy 🔗
href: ../threat-protection/security-policy-settings/account-lockout-policy.md
- name: Technical support policy for lost or forgotten passwords
href: password-support-policy.md
- name: Windows LAPS (Local Administrator Password Solution) 🔗
displayName: LAPS
href: /windows-server/identity/laps/laps-overview
- name: Enhanced Phishing Protection in Microsoft Defender SmartScreen
href: ../operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
displayName: EPP
- name: Access Control
items:
- name: Overview
href: access-control/access-control.md
displayName: ACL
- name: Local Accounts
href: access-control/local-accounts.md
- name: Security policy settings 🔗
href: ../threat-protection/security-policy-settings/security-policy-settings.md
- name: Advanced credential protection
items:
- name: Account Lockout Policy 🔗
href: ../threat-protection/security-policy-settings/account-lockout-policy.md
- name: Technical support policy for lost or forgotten passwords
href: password-support-policy.md
- name: Windows LAPS (Local Administrator Password Solution) 🔗
displayName: LAPS
href: /windows-server/identity/laps/laps-overview
- name: Enhanced Phishing Protection in Microsoft Defender SmartScreen
href: ../operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
displayName: EPP
- name: Access Control
items:
- name: Overview
href: access-control/access-control.md
displayName: ACL
- name: Local Accounts
href: access-control/local-accounts.md
- name: Security policy settings 🔗
href: ../threat-protection/security-policy-settings/security-policy-settings.md
- name: Windows Defender Credential Guard
href: credential-guard/toc.yml
- name: Windows Defender Remote Credential Guard
href: remote-credential-guard.md
- name: Windows Defender Remote Credential Guard
href: remote-credential-guard.md


@ -1,179 +0,0 @@
---
title: How User Account Control works
description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
ms.collection:
- highpri
- tier2
ms.topic: article
ms.date: 09/23/2021
---
# How User Account Control works
User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
## UAC process and interactions
Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.
To better understand how this process happens, let's look at the Windows logon process.
### Logon process
The following shows how the logon process for an administrator differs from the logon process for a standard user.
![uac windows logon process.](images/uacwindowslogonprocess.gif)
By default, standard users and administrators access resources and run apps in the security context of standard users. When a user logs on to a computer, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges.
When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed. The standard user access token is used to start apps that do not perform administrative tasks (standard user apps). The standard user access token is then used to display the desktop (explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token.
A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).
### The UAC User Experience
When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows, is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt.
The alternative to running as a standard user is to run as an administrator in Admin Approval Mode. With the built-in UAC elevation component, members of the local Administrators group can easily perform an administrative task by providing approval. The default, built-in UAC elevation component for an administrator account in Admin Approval Mode is called the consent prompt.
**The consent and credential prompts**
With UAC enabled, Windows prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed.
**The consent prompt**
The consent prompt is presented when a user attempts to perform a task that requires a user's administrative access token. The following is an example of the UAC consent prompt.
:::image type="content" source="images/uacconsentprompt.png" alt-text="UAC consent prompt.":::
**The credential prompt**
The credential prompt is presented when a standard user attempts to perform a task that requires a user's administrative access token. Administrators can also be required to provide their credentials by setting the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting value to **Prompt for credentials**.
The following is an example of the UAC credential prompt.
:::image type="content" source="images/uaccredentialprompt.png" alt-text="UAC credential prompt.":::
**UAC elevation prompts**
The UAC elevation prompts are color-coded to be app-specific, enabling for immediate identification of an application's potential security risk. When an app attempts to run with an administrator's full access token, Windows first analyzes the executable file to determine its publisher. Apps are first separated into three categories based on the file's publisher: Windows 10 or Windows 11, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows determines which color elevation prompt to present to the user.
The elevation prompt color-coding is as follows:
- Red background with a red shield icon: The app is blocked by Group Policy or is from a publisher that is blocked.
- Blue background with a blue and gold shield icon: The application is a Windows 10 and Windows 11 administrative app, such as a Control Panel item.
- Blue background with a blue shield icon: The application is signed by using Authenticode and is trusted by the local computer.
- Yellow background with a yellow shield icon: The application is unsigned or signed but is not yet trusted by the local computer.
**Shield icon**
Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screenshot of the **Date and Time Properties** Control Panel item.
:::image type="content" source="images/uacshieldicon.png" alt-text="UAC Shield Icon in Date and Time Properties":::
The shield icon on the **Change date and time** button indicates that the process requires a full administrator access token and will display a UAC elevation prompt.
**Securing the elevation prompt**
The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows 10 and Windows 11. Only Windows processes can access the secure desktop. For higher levels of security, we recommend keeping the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting enabled.
When an executable file requests elevation, the interactive desktop, also called the user desktop, is switched to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be responded to before continuing. When the user clicks **Yes** or **No**, the desktop switches back to the user desktop.
Malware can present an imitation of the secure desktop, but when the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting is set to **Prompt for consent**, the malware does not gain elevation if the user clicks **Yes** on the imitation. If the policy setting is set to **Prompt for credentials**, malware imitating the credential prompt may be able to gather the credentials from the user. However, the malware does not gain elevated privilege and the system has other protections that mitigate malware from taking control of the user interface even with a harvested password.
While malware could present an imitation of the secure desktop, this issue cannot occur unless a user previously installed the malware on the PC. Because processes requiring an administrator access token cannot silently install when UAC is enabled, the user must explicitly provide consent by clicking **Yes** or by providing administrator credentials. The specific behavior of the UAC elevation prompt is dependent upon Group Policy.
## UAC Architecture
The following diagram details the UAC architecture.
![uac architecture.](images/uacarchitecture.gif)
To better understand each component, review the table below:
### User
|Component|Description|
|--- |--- |
|<p>User performs operation requiring privilege|<p>If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute.|
|<p>ShellExecute|<p>ShellExecute calls CreateProcess. ShellExecute looks for the ERROR_ELEVATION_REQUIRED error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt.|
|<p>CreateProcess|<p>If the application requires elevation, CreateProcess rejects the call with ERROR_ELEVATION_REQUIRED.|
### System
|Component|Description|
|--- |--- |
|<p>Application Information service|<p>A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required and (depending on Group Policy) consent is given by the user to do so.|
|<p>Elevating an ActiveX install|<p>If ActiveX is not installed, the system checks the UAC slider level. If ActiveX is installed, the **User Account Control: Switch to the secure desktop when prompting for elevation** Group Policy setting is checked.|
|<p>Check UAC slider level|<p>UAC has a slider to select from four levels of notification.<ul><li><p>**Always notify** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Notify you when you make changes to Windows settings.</li><li>Freeze other tasks until you respond.</li></ul><p>Recommended if you often install new software or visit unfamiliar websites.<br></li><li><p>**Notify me only when programs try to make changes to my computer** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Freeze other tasks until you respond.</li></ul><p>Recommended if you do not often install apps or visit unfamiliar websites.<br></li><li><p>**Notify me only when programs try to make changes to my computer (do not dim my desktop)** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Not freeze other tasks until you respond.</li></ul><p>Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.<br></li><li><p>**Never notify (Disable UAC prompts)** will:<ul><li>Not notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Not freeze other tasks until you respond.</li></ul><p>Not recommended due to security concerns.|
|<p>Secure desktop enabled|<p>The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is checked: <ul><li><p>If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.</li><li><p>If the secure desktop is not enabled, all elevation requests go to the interactive user&#39;s desktop, and the per-user settings for administrators and standard users are used.|
|<p>CreateProcess|<p>CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation. The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file. CreateProcess fails if the requested execution level specified in the manifest does not match the access token and returns an error (ERROR_ELEVATION_REQUIRED) to ShellExecute.|
|<p>AppCompat|<p>The AppCompat database stores information in the application compatibility fix entries for an application.|
|<p>Fusion|<p>The Fusion database stores information from application manifests that describe the applications. The manifest schema is updated to add a new requested execution level field.|
|<p>Installer detection|<p>Installer detection detects setup files, which helps prevent installations from being run without the user&#39;s knowledge and consent.|
### Kernel
|Component|Description|
|--- |--- |
|<p>Virtualization|<p>Virtualization technology ensures that non-compliant apps do not silently fail to run or fail in a way that the cause cannot be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas.|
|<p>File system and registry|<p>The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second.|
The slider will never turn UAC completely off. If you set it to **Never notify**, it will:
- Keep the UAC service running.
- Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt.
- Automatically deny all elevation requests for standard users.
> [!IMPORTANT]
> In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**.
> [!WARNING]
> Some Universal Windows Platform apps may not work when UAC is disabled.
### Virtualization
Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you do not need to replace the majority of apps when UAC is turned on.
Windows 10 and Windows 11 include file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative app that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app.
Most app tasks operate properly by using virtualization features. Although virtualization allows a majority of applications to run, it is a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization.
Virtualization is not an option in the following scenarios:
- Virtualization does not apply to apps that are elevated and run with a full administrative access token.
- Virtualization supports only 32-bit apps. Non-elevated 64-bit apps simply receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations.
- Virtualization is disabled if the app includes an app manifest with a requested execution level attribute.
### Request execution levels
An app manifest is an XML file that describes and identifies the shared and private side-by-side assemblies that an app should bind to at run time. The app manifest includes entries for UAC app compatibility purposes. Administrative apps that include an entry in the app manifest prompt the user for permission to access the user's access token. Although they lack an entry in the app manifest, most administrative app can run without modification by using app compatibility fixes. App compatibility fixes are database entries that enable applications that are not UAC-compliant to work properly.
All UAC-compliant apps should have a requested execution level added to the application manifest. If the application requires administrative access to the system, then marking the app with a requested execution level of "require administrator" ensures that the system identifies this program as an administrative app and performs the necessary elevation steps. Requested execution levels specify the privileges required for an app.
### Installer detection technology
Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 and Windows 11 heuristically detect installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 and Windows 11 also heuristically detect updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry.
Installer detection only applies to:
- 32-bit executable files.
- Applications without a requested execution level attribute.
- Interactive processes running as a standard user with UAC enabled.
Before a 32-bit process is created, the following attributes are checked to determine whether it is an installer:
- The file name includes keywords such as "install," "setup," or "update."
- Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name.
- Keywords in the side-by-side manifest are embedded in the executable file.
- Keywords in specific StringTable entries are linked in the executable file.
- Key attributes in the resource script data are linked in the executable file.
- There are targeted sequences of bytes within the executable file.
> [!NOTE]
> The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.
> [!NOTE]
> The User Account Control: Detect application installations and prompt for elevation policy setting must be enabled for installer detection to detect installation programs. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).



@ -1,191 +0,0 @@
---
title: User Account Control Group Policy and registry key settings
description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC.
ms.collection:
- highpri
- tier2
ms.topic: article
ms.date: 04/19/2017
---
# User Account Control Group Policy and registry key settings
## Group Policy settings
There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings).
| Group Policy setting | Registry key | Default |
| - | - | - | - |
| [User Account Control: Admin Approval Mode for the built-in Administrator account](#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | FilterAdministratorToken | Disabled |
| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | EnableUIADesktopToggle | Disabled |
| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | ConsentPromptBehaviorAdmin | Prompt for consent for non-Windows binaries |
| [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | ConsentPromptBehaviorUser | Prompt for credentials |
| [User Account Control: Detect application installations and prompt for elevation](#user-account-control-detect-application-installations-and-prompt-for-elevation) | EnableInstallerDetection | Enabled (default for home)<br />Disabled (default for enterprise) |
| [User Account Control: Only elevate executables that are signed and validated](#user-account-control-only-elevate-executables-that-are-signed-and-validated) | ValidateAdminCodeSignatures | Disabled |
| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | EnableSecureUIAPaths | Enabled |
| [User Account Control: Run all administrators in Admin Approval Mode](#user-account-control-run-all-administrators-in-admin-approval-mode) | EnableLUA | Enabled |
| [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | PromptOnSecureDesktop | Enabled |
| [User Account Control: Virtualize file and registry write failures to per-user locations](#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | EnableVirtualization | Enabled |
### User Account Control: Admin Approval Mode for the built-in Administrator account
The **User Account Control: Admin Approval Mode for the built-in Administrator account** policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.
The options are:
- **Enabled.** The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
- **Disabled.** (Default) The built-in Administrator account runs all applications with full administrative privilege.
### User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
The **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
The options are:
- **Enabled.** UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
- **Disabled.** (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting.
UIA programs are designed to interact with Windows and application programs on behalf of a user. This policy setting allows UIA programs to bypass the secure desktop to increase usability in certain cases; however, allowing elevation requests to appear on the interactive desktop instead of the secure desktop can increase your security risk.
UIA programs must be digitally signed because they must be able to respond to prompts regarding security issues, such as the UAC elevation prompt. By default, UIA programs are run only from the following protected paths:
- ...\\Program Files, including subfolders
- ...\\Program Files (x86), including subfolders for 64-bit versions of Windows
- ...\\Windows\\System32
The **User Account Control: Only elevate UIAccess applications that are installed in secure locations** policy setting disables the requirement to be run from a protected path.
While this policy setting applies to any UIA program, it is primarily used in certain remote assistance scenarios, including the Windows Remote Assistance program in Windows 7.
If a user requests remote assistance from an administrator and the remote assistance session is established, any elevation prompts appear on the interactive user's secure desktop and the administrator's remote session is paused. To avoid pausing the remote administrator's session during elevation requests, the user may select the **Allow IT Expert to respond to User Account Control prompts** check box when setting up the remote assistance session. However, selecting this check box requires that the interactive user respond to an elevation prompt on the secure desktop. If the interactive user is a standard user, the user does not have the required credentials to allow elevation.
If you enable this policy setting, requests for elevation are automatically sent to the interactive desktop (not the secure desktop) and also appear on the remote administrator's view of the desktop during a remote assistance session. This allows the remote administrator to provide the appropriate credentials for elevation.
This policy setting does not change the behavior of the UAC elevation prompt for administrators.
If you plan to enable this policy setting, you should also review the effect of the **User Account Control: Behavior of the elevation prompt for standard users** policy setting. If it is configured as **Automatically deny elevation requests**, elevation requests are not presented to the user.
### User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
The **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting controls the behavior of the elevation prompt for administrators.
The options are:
- **Elevate without prompting.** Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials.
**Note** Use this option only in the most constrained environments.
- **Prompt for credentials on the secure desktop.** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
- **Prompt for consent on the secure desktop.** When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.
- **Prompt for credentials.** When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
- **Prompt for consent.** When an operation requires elevation of privilege, the user is prompted to select either **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.
- **Prompt for consent for non-Windows binaries.** (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.
### User Account Control: Behavior of the elevation prompt for standard users
The **User Account Control: Behavior of the elevation prompt for standard users** policy setting controls the behavior of the elevation prompt for standard users.
The options are:
- **Automatically deny elevation requests.** When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
- **Prompt for credentials on the secure desktop.** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
- **Prompt for credentials.** (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
### User Account Control: Detect application installations and prompt for elevation
The **User Account Control: Detect application installations and prompt for elevation** policy setting controls the behavior of application installation detection for the computer.
The options are:
- **Enabled.** (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
- **Disabled.** (Default for enterprise) Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
### User Account Control: Only elevate executables that are signed and validated
The **User Account Control: Only elevate executables that are signed and validated** policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
The options are:
- **Enabled.** Enforces the PKI certification path validation for a given executable file before it is permitted to run.
- **Disabled.** (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.
### User Account Control: Only elevate UIAccess applications that are installed in secure locations
The **User Account Control: Only elevate UIAccess applications that are installed in secure locations** policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
- ...\\Program Files, including subfolders
- ...\\Windows\\system32
- ...\\Program Files (x86), including subfolders for 64-bit versions of Windows
**Note** Windows enforces a PKI signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
The options are:
- **Enabled.** (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
- **Disabled.** An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
### User Account Control: Run all administrators in Admin Approval Mode
The **User Account Control: Run all administrators Admin Approval Mode** policy setting controls the behavior of all UAC policy settings for the computer. If you change this policy setting, you must restart your computer.
The options are:
- **Enabled.** (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the **Administrators** group to run in Admin Approval Mode.
- **Disabled.** Admin Approval Mode and all related UAC policy settings are disabled.
**Note** If this policy setting is disabled, the Windows Security app notifies you that the overall security of the operating system has been reduced.
### User Account Control: Switch to the secure desktop when prompting for elevation
The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
The options are:
- **Enabled.** (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
- **Disabled.** All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
When this policy setting is enabled, it overrides the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting. The following table describes the behavior of the elevation prompt for each of the administrator policy settings when the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is enabled or disabled.
| Administrator policy setting | Enabled | Disabled |
| - | - | - |
| **Prompt for credentials on the secure desktop** | The prompt appears on the secure desktop. | The prompt appears on the secure desktop. |
| **Prompt for consent on the secure desktop** | The prompt appears on the secure desktop. | The prompt appears on the secure desktop. |
| **Prompt for credentials** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
| **Prompt for consent** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
| **Prompt for consent for non-Windows binaries** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
When this policy setting is enabled, it overrides the **User Account Control: Behavior of the elevation prompt for standard users** policy setting. The following table describes the behavior of the elevation prompt for each of the standard user policy settings when the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is enabled or disabled.
| Standard policy setting | Enabled | Disabled |
| - | - | - |
| **Automatically deny elevation requests** | No prompt. The request is automatically denied. | No prompt. The request is automatically denied. |
| **Prompt for credentials on the secure desktop** | The prompt appears on the secure desktop. | The prompt appears on the secure desktop. |
| **Prompt for credentials** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
### User Account Control: Virtualize file and registry write failures to per-user locations
The **User Account Control: Virtualize file and registry write failures to per-user locations** policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software.
The options are:
- **Enabled.** (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.
- **Disabled.** Applications that write data to protected locations fail.
## Registry key settings
The registry keys are found in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System**. For information about each of the registry keys, see the associated Group Policy description.
| Registry key | Group Policy setting | Registry setting |
| - | - | - |
| FilterAdministratorToken | [User Account Control: Admin Approval Mode for the built-in Administrator account](#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | 0 (Default) = Disabled<br />1 = Enabled |
| EnableUIADesktopToggle | [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | 0 (Default) = Disabled<br />1 = Enabled |
| ConsentPromptBehaviorAdmin | [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | 0 = Elevate without prompting<br />1 = Prompt for credentials on the secure desktop<br />2 = Prompt for consent on the secure desktop<br />3 = Prompt for credentials<br />4 = Prompt for consent<br />5 (Default) = Prompt for consent for non-Windows binaries<br /> |
| ConsentPromptBehaviorUser | [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | 0 = Automatically deny elevation requests<br />1 = Prompt for credentials on the secure desktop<br />3 (Default) = Prompt for credentials |
| EnableInstallerDetection | [User Account Control: Detect application installations and prompt for elevation](#user-account-control-detect-application-installations-and-prompt-for-elevation) | 1 = Enabled (default for home)<br />0 = Disabled (default for enterprise) |
| ValidateAdminCodeSignatures | [User Account Control: Only elevate executables that are signed and validated](#user-account-control-only-elevate-executables-that-are-signed-and-validated) | 0 (Default) = Disabled<br/>1 = Enabled |
| EnableSecureUIAPaths | [User Account Control: Only elevate UIAccess applications that are installed in secure locations](#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | 0 = Disabled<br />1 (Default) = Enabled |
| EnableLUA | [User Account Control: Run all administrators in Admin Approval Mode](#user-account-control-run-all-administrators-in-admin-approval-mode) | 0 = Disabled<br />1 (Default) = Enabled |
| PromptOnSecureDesktop | [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | 0 = Disabled<br />1 (Default) = Enabled |
| EnableVirtualization | [User Account Control: Virtualize file and registry write failures to per-user locations](#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | 0 = Disabled<br />1 (Default) = Enabled |


@ -1,36 +0,0 @@
---
title: User Account Control overview
description: Learn about User Account Control (UAC) and how it helps preventing malware from damaging a device and helps organizations deploy a better-managed desktop.
ms.collection:
- highpri
- tier2
ms.topic: conceptual
ms.date: 05/18/2023
---
# User Account Control overview
User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
UAC allows all users to log on to their computers using a standard user account. Processes launched using a standard user token may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user permissions. Many apps, including those that are included with the operating system itself, are designed to work properly in this way.
Other apps, especially those that were not specifically designed with security settings in mind, often require additional permissions to run successfully. These types of apps are referred to as legacy apps. Additionally, actions such as installing new software and making configuration changes to the Windows Firewall, require more permissions than what is available to a standard user account.
When an app needs to run with more than standard user rights, UAC allows users to run apps with their administrator token (with administrative groups and privileges) instead of their default, standard user access token. Users continue to operate in the standard user security context, while enabling certain apps to run with elevated privileges, if needed.
[!INCLUDE [user-account-control-uac](../../../../includes/licensing/user-account-control-uac.md)]
## Practical applications
Admin Approval Mode in UAC helps prevent malware from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process.
## Next steps
Learn more about UAC and how to configure it for your organization.
| Topic | Description |
| - | - |
| [How User Account Control works](how-user-account-control-works.md) | User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. |
| [User Account Control security policy settings](user-account-control-security-policy-settings.md) | You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. |
| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. |


@ -1,94 +0,0 @@
---
title: User Account Control security policy settings
description: You can use security policies to configure how User Account Control works in your organization.
ms.topic: article
ms.date: 09/24/2021
---
# User Account Control security policy settings
You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy.
## User Account Control: Admin Approval Mode for the Built-in Administrator account
This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.
- **Enabled** The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
- **Disabled** (Default) The built-in Administrator account runs all applications with full administrative privilege.
## User Account Control: Allow UIAccess application to prompt for elevation without using the secure desktop
This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
- **Enabled** UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
- **Disabled** (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.
## User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
This policy setting controls the behavior of the elevation prompt for administrators.
- **Elevate without prompting** Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials.
>**Note:**  Use this option only in the most constrained environments.
 
- **Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
- **Prompt for consent on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
- **Prompt for credentials** When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
- **Prompt for consent** When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
- **Prompt for consent for non-Windows binaries** (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
## User Account Control: Behavior of the elevation prompt for standard users
This policy setting controls the behavior of the elevation prompt for standard users.
- **Prompt for credentials** (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
- **Automatically deny elevation requests** When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
- **Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
## User Account Control: Detect application installations and prompt for elevation
This policy setting controls the behavior of application installation detection for the computer.
- **Enabled** (Default) When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
- **Disabled** App installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Group Policy or Microsoft Intune should disable this policy setting. In this case, installer detection is unnecessary.
## User Account Control: Only elevate executable files that are signed and validated
This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
- **Enabled** Enforces the certificate certification path validation for a given executable file before it's permitted to run.
- **Disabled** (Default) Doesn't enforce the certificate certification path validation before a given executable file is permitted to run.
## User Account Control: Only elevate UIAccess applications that are installed in secure locations
This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following folders:
- …\\Program Files\\, including subfolders
- …\\Windows\\system32\\
- …\\Program Files (x86)\\, including subfolders for 64-bit versions of Windows
>**Note:**  Windows enforces a digital signature check on any interactive app that requests to run with a UIAccess integrity level regardless of the state of this security setting.
 
- **Enabled** (Default) If an app resides in a secure location in the file system, it runs only with UIAccess integrity.
- **Disabled** An app runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.
## User Account Control: Turn on Admin Approval Mode
This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
- **Enabled** (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately. They'll allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
- **Disabled** Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Windows Security app notifies you that the overall security of the operating system has been reduced.
## User Account Control: Switch to the secure desktop when prompting for elevation
This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
- **Enabled** (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
- **Disabled** All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
## User Account Control: Virtualize file and registry write failures to per-user locations
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software.
- **Enabled** (Default) App write failures are redirected at run time to defined user locations for both the file system and registry.
- **Disabled** Apps that write data to protected locations fail.


@ -7,7 +7,7 @@ ms.date: 03/31/2023
# Windows Credential Theft Mitigation Guide Abstract
This topic provides a summary of the Windows credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx).
This article provides a summary of the Windows credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx).
This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages:
- Identify high-value assets
@ -51,7 +51,7 @@ Many other countermeasures are also covered, such as using Microsoft Passport an
## Detecting credential attacks
This sections covers how to detect the use of stolen credentials and how to collect computer events to help you detect credential theft.
This section covers how to detect the use of stolen credentials and how to collect computer events to help you detect credential theft.
## Responding to suspicious activity


@ -80,7 +80,7 @@ landingContent:
- linkListType: overview
links:
- text: Overview
url: apps.md
url: application-security/index.md
- linkListType: concept
links:
- text: Application Control and virtualization-based protection
@ -125,10 +125,6 @@ landingContent:
# Card (optional)
- title: Cloud services
linkLists:
- linkListType: overview
links:
- text: Overview
url: cloud.md
- linkListType: concept
links:
- text: Mobile device management


@ -0,0 +1,73 @@
---
title: Configure S/MIME for Windows
description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them. Learn how to configure S/MIME for Windows.
ms.topic: how-to
ms.date: 05/31/2023
author: paolomatarazzo
ms.author: paoloma
---
# Configure S/MIME for Windows
Secure/Multipurpose Internet Mail Extensions (S/MIME) provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. S/MIME enables users to encrypt outgoing messages and attachments so that only intended recipients can read them. To read the messages, recipients must have a digital identification (ID), also known as a certificate.\
Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with.
## Message encryption
Users can send encrypted message to recipients that have an encryption certificate.\
Users can only read encrypted messages if the message is received on their Exchange account, and they have corresponding decryption keys.
Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipients whose encryption certificate isn't available, the app prompts you to remove these recipients before sending the email.
## Digital signatures
A digitally signed message reassures the recipient that the message hasn't been tampered with, and verifies the identity of the sender. Recipients can only verify the digital signature if they're using an email client that supports S/MIME.
[!INCLUDE [email-encryption-smime](../../../../includes/licensing/email-encryption-smime.md)]
## Prerequisites
- [S/MIME is enabled for Exchange accounts](/exchange/security-and-compliance/smime-exo/smime-exo) (on-premises and Exchange Online). Users can't use S/MIME signing and encryption with a personal account such as Outlook.com
- Valid Personal Information Exchange (PFX) certificates are installed on the device
- [How to Create PFX Certificate Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/mt131410(v=technet.10))
- [Use certificates for authentication in Microsoft Intune](/mem/intune/protect/certificates-configure)
## Choose S/MIME settings
On the device, perform the following steps: (add select certificate)
1. Open the Mail app
1. Open **Settings > Email security**
:::image type="content" alt-text="Screenshot of the Windows Mail app, security settings." source="images/email-security.png":::
1. In **Select an account**, select the account for which you want to configure S/MIME options
1. Make a certificate selection for digital signature and encryption
- Select **Automatically** to let the app choose the certificate
- Select **Manually** to specify the certificate yourself from the list of valid certificates on the device
1. (Optional) Select **Always sign with S/MIME**, **Always encrypt with S/MIME**, or both, to automatically digitally sign or encrypt all outgoing messages
> [!NOTE]
> The option to sign or encrypt can be changed for individual messages, unless EAS policies prevent it.
1. Select the back arrow
## Encrypt or sign individual messages
1. While composing a message, select **Options** from the ribbon
1. Use **Sign** and **Encrypt** icons to turn on digital signature and encryption for this message
:::image type="content" alt-text="Screenshot of the Windows Mail app, showing the options to sign or encrypt message." source="images/sign-encrypt.png":::
## Read signed or encrypted messages
When you receive an encrypted message, the mail app checks whether there's a certificate available on your computer. If there's a certificate available, the message is decrypted when you open it. If your certificate is stored on a smartcard, you'll be prompted to insert the smartcard to read the message. Your smartcard may also require a PIN to access the certificate.
## Install certificates from a received message
When you receive a signed email, the app provides a feature to install corresponding encryption certificate on your device if the certificate is available. This certificate can then be used to send encrypted email to this person.
1. Open a signed email
1. Select the digital signature icon in the reading pane
1. Select **Install.**
:::image type="content" alt-text="Screenshot of the Windows Mail app, showing a message to install the sender's encryption certificate." source="images/install-cert.png":::


@ -100,7 +100,7 @@ items:
- name: Disable allowing users to select when a password is required when resuming from connected standby for PDE
href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md
- name: Configure S/MIME for Windows
href: ../../identity-protection/configure-s-mime.md
href: configure-s-mime.md
- name: Windows Information Protection (WIP)
href: ../../information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
items:


@ -23,18 +23,19 @@ Use the links in the following table to learn more about the operating system se
|:---|:---|
| Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows system boots up safely and securely.<br><br/> Learn more [Secure Boot and Trusted Boot](trusted-boot.md). |
Cryptography and certificate management|Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. <br><br/> Learn more about [Cryptography and certificate management](cryptography-certificate-mgmt.md). <br/><br/>|
Windows Security app | The Windows built-in security application found in settings provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure youre protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more. <br><br/> Learn more about the [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md).|
Windows Security app | The Windows built-in security application found in settings provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more. <br><br/> Learn more about the [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md).|
| Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers. <br/><br/> Learn more about [Encryption](encryption-data-protection.md).
| BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. <br/> <br/> Learn more about [BitLocker](information-protection/bitlocker/bitlocker-overview.md). |
| Encrypted Hard Drive | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. <br> By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. <br/><br/> Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md). <br><br/> |
| Encrypted Hard Drive | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. <br> By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. <br/><br/> Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).|
| S/MIME | S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. <br/><br/> Learn more about [S/MIME for Windows](operating-system-security/data-protection/configure-s-mime.md).|
| Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. <br/><br/>Security baselines are included in the [Security Compliance Toolkit](threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.<br/><br/>Learn more about [security baselines](threat-protection/windows-security-configuration-framework/windows-security-baselines.md). |
| Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server. <br><br/>Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md).<br/><br/>|
| Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. <br><br/> Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).<br/><br/>
| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on. <br/><br/>From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (applications that can negatively impact your device even though they are not considered malware).<br/><br/>Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus), which helps ensure near-instant detection and blocking of new and emerging threats.<br/><br/>Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).|
| Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server to prevent and block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure your attack surface reduction rules to protect against these risky behaviors.<br/><br/> Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) |
| Anti-tampering protection | During cyber attacks (like ransomware attempts), bad actors attempt to disable security features, such as antivirus protection on targeted devices. Bad actors like to disable security features to get easier access to users data, to install malware, or to otherwise exploit users data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.<br/><br/>With tamper protection, malware is prevented from taking actions such as:<br/>- Disabling virus and threat protection<br/>- Disabling real-time protection<br/>- Turning off behavior monitoring<br/>- Disabling antivirus (such as IOfficeAntivirus (IOAV))<br/>- Disabling cloud-delivered protection<br/>- Removing security intelligence updates <br/><br/>Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). |
| Anti-tampering protection | During cyber attacks (like ransomware attempts), bad actors attempt to disable security features, such as antivirus protection on targeted devices. Bad actors like to disable security features to get easier access to user's data, to install malware, or to otherwise exploit user's data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.<br/><br/>With tamper protection, malware is prevented from taking actions such as:<br/>- Disabling virus and threat protection<br/>- Disabling real-time protection<br/>- Turning off behavior monitoring<br/>- Disabling antivirus (such as IOfficeAntivirus (IOAV))<br/>- Disabling cloud-delivered protection<br/>- Removing security intelligence updates <br/><br/>Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). |
| Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an extra layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses. <br/><br/>In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/), which provides detailed reporting into protection events as part of larger investigation scenarios.<br/><br/> Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). |
| Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware. <br/><br/>Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). |
| Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps' access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware. <br/><br/>Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). |
| Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. <br/><br/>You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.<br/><br/>Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). |
| Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.<br/><br/>Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.<br/><br/>Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) and [Microsoft 365 Defender](/microsoft-365/security/defender/). |