diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 1656faae57..08eb66ae7c 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -5441,8 +5441,8 @@
"redirect_document_id": false
},
{
- "source_path": "windows/device-security/bitlocker/bitlocker-overview.md",
- "redirect_url": "/windows/security/information-protection/bitlocker/bitlocker-overview",
+ "source_path": "windows/device-security/bitlocker/index.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/index",
"redirect_document_id": false
},
{
@@ -9836,8 +9836,8 @@
"redirect_document_id": false
},
{
- "source_path": "windows/keep-secure/bitlocker-overview.md",
- "redirect_url": "/windows/device-security/bitlocker/bitlocker-overview",
+ "source_path": "windows/keep-secure/index.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/index",
"redirect_document_id": false
},
{
@@ -20840,6 +20840,81 @@
"redirect_url": "/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen",
"redirect_document_id": false
},
+ {
+ "source_path": "windows/security/operating-system.md",
+ "redirect_url": "/windows/security/operating-system-security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/cryptography-certificate-mgmt.md",
+ "redirect_url": "/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/secure-the-windows-10-boot-process.md",
+ "redirect_url": "/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/trusted-boot.md",
+ "redirect_url": "/windows/security/operating-system-security/system-security/trusted-boot",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md",
+ "redirect_url": "/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md",
+ "redirect_url": "/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md",
+ "redirect_url": "/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md",
+ "redirect_url": "/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md",
+ "redirect_url": "/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md",
+ "redirect_url": "/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md",
+ "redirect_url": "/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md",
+ "redirect_url": "/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md",
+ "redirect_url": "/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md",
+ "redirect_url": "/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md",
+ "redirect_url": "/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center",
+ "redirect_document_id": false
+ },
{
"source_path": "windows/security/information-protection/index.md",
"redirect_url": "/windows/security/encryption-data-protection",
@@ -21504,6 +21579,191 @@
"source_path": "windows/security/apps.md",
"redirect_url": "/windows/security/application-security",
"redirect_document_id": false
- }
+ },
+ {
+ "source_path": "windows/security/information-protection/encrypted-hard-drive.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/encrypted-hard-drive",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-countermeasures.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/encryption-data-protection.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/index",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/personal-data-encryption/faq-pde.yml",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-and-adds-faq",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-and-administration-faq",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-frequently-asked-question.yml",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-question",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-key-management-faq",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-network-unlock-faq",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-security-faq.yml",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-security-faq",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-to-go-faq",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-upgrading-faq",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-using-with-other-programs-faq",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-questions",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-overview.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/index",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/personal-data-encryption/overview-pde.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/index",
+ "redirect_document_id": false
+ }
]
}
\ No newline at end of file
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
index 665fb1ee2c..23a567db48 100644
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@@ -2,24 +2,10 @@
-## Week of April 10, 2023
+## Week of May 29, 2023
| Published On |Topic title | Change |
|------|------------|--------|
-| 4/11/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified |
-
-
-## Week of March 20, 2023
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 3/21/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
-| 3/22/2023 | [Configure Stickers for Windows 11 SE](/education/windows/edu-stickers) | modified |
-| 3/22/2023 | [Configure Take a Test in kiosk mode](/education/windows/edu-take-a-test-kiosk-mode) | modified |
-| 3/22/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified |
-| 3/22/2023 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified |
-| 3/22/2023 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
-| 3/22/2023 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified |
-| 3/22/2023 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified |
+| 5/30/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
+| 6/2/2023 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified |
diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md
index 58b9ae8063..12ea6880b4 100644
--- a/education/windows/set-up-school-pcs-provisioning-package.md
+++ b/education/windows/set-up-school-pcs-provisioning-package.md
@@ -1,7 +1,7 @@
---
title: What's in Set up School PCs provisioning package
-description: List of the provisioning package settings that are configured in the Set up School PCs app.
-ms.date: 08/10/2022
+description: Learn about the settings that are configured in the provisioning package created with the Set up School PCs app.
+ms.date: 06/02/2023
ms.topic: reference
appliesto:
- ✅ Windows 10
@@ -11,115 +11,122 @@ appliesto:
The Set up School PCs app builds a specialized provisioning package with school-optimized settings.
-A key feature of the provisioning package is Shared PC mode. To view the technical framework of Shared PC mode, including the description of each setting, see the [Manage multi-user and guest Windows devices with Shared PC](/windows/configuration/shared-pc-technical) article.
+A key feature of the provisioning package is SharedPC mode. To learn about the technical framework of SharedPC mode, including the description of each setting, see the [Manage multi-user and guest Windows devices with Shared PC](/windows/configuration/shared-pc-technical) article.
## Shared PC Mode policies
-This table outlines the policies applied to devices in shared PC mode. If you select to optimize a device for use by a single student, you'll see differences in the following policies:
-* Disk level deletion
-* Inactive threshold
-* Restrict local storage
+
+The following table outlines the policies applied to devices in SharedPC mode. If you select to optimize a device for use by a single student, you find differences in the policies applied:
+
+- Disk level deletion
+- Inactive threshold
+- Restrict local storage
In the table, *True* means that the setting is enabled, allowed, or applied. Use the **Description** column to help you understand the context for each setting.
For a more detailed look at the policies, see the Windows article [Set up shared or guest PC](/windows/configuration/set-up-shared-or-guest-pc#policies-set-by-shared-pc-mode).
-|Policy name|Default value|Description|
-|---------|---------|---------|
-|Enable Shared PC mode|True| Configures the PCs so they're in shared PC mode.|
-|Set education policies | True | School-optimized settings are applied to the PCs so that they're appropriate for an educational environment. To see all recommended and enabled policies, see [Windows 10 configuration recommendation for education customers](./configure-windows-for-education.md). |
-|Account Model| Only guest, Domain-joined only, or Domain-joined and guest |Controls how users can sign in on the PC. Configurable from the Set up School PCs app. Choosing domain-joined will enable any user in the domain to sign in. Specifying the guest option will add the Guest option to the sign-in screen and enable anonymous guest access to the PC. |
-|Deletion policy | Delete at disk space threshold and inactive threshold | Delete at disk space threshold will start deleting accounts when available disk space falls below the threshold you set for disk level deletion. It will stop deleting accounts when the available disk space reaches the threshold you set for disk level caching. Accounts are deleted in order of oldest accessed to most recently accessed. Also deletes accounts if they haven't signed in within the number of days specified by inactive threshold policy. |
-|Disk level caching | 50% | Sets 50% of total disk space to be used as the disk space threshold for account caching. |
-|Disk level deletion | For shared device setup, 25%; for single device-student setup, 0%. | When your devices are optimized for shared use across multiple PCs, this policy sets 25% of total disk space to be used as the disk space threshold for account caching. When your devices are optimized for use by a single student, this policy sets the value to 0% and doesn't delete accounts. |
-|Enable account manager | True | Enables automatic account management. |
-|Inactive threshold| For shared device setup, 30 days; for single device-student setup, 180 days.| After 30 or 180 days, respectively, if an account hasn't signed in, it will be deleted.
-|Kiosk Mode AMUID | Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App | Configures the kiosk account on student devices to only run the Take a Test secure assessment browser. |
-|Kiosk Mode User Tile Display Text | Take a Test | Displays "Take a Test" as the name of the kiosk account on student devices. |
-|Restrict local storage | For shared device setup, True; for single device-student setup, False. | When devices are optimized for shared use across multiple PCs, this policy forces students to save to the cloud to prevent data loss. When your devices are optimized for use by a single student, this policy doesn't prevent students from saving on the PCs local hard drive. |
-|Maintenance start time | 0 - midnight | The maintenance start time when automatic maintenance tasks, such as Windows Update, run on student devices. |
-|Max page file size in MB| 1024| Sets the maximum size of the paging file to 1024 MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM.|
-|Set power policies | True | Prevents users from changing power settings and turns off hibernate. Also overrides all power state transitions to sleep, such as lid close. |
-|Sign in on resume | True | Requires the device user to sign in with a password when the PC wakes from sleep. |
-|Sleep timeout | 3600 seconds | Specifies the maximum idle time before the PC should sleep. If you don't set sleep timeout, the default time, 3600 seconds (1 hour), is applied. |
+| Policy name | Default value | Description |
+|--|--|--|
+| Enable Shared PC mode | True | Configures the PCs so they're in shared PC mode. |
+| Set education policies | True | School-optimized settings are applied to the PCs so that they're appropriate for an educational environment. To see all recommended and enabled policies, see [Windows 10 configuration recommendation for education customers](./configure-windows-for-education.md). |
+| Account Model | Only guest, Domain-joined only, or Domain-joined and guest | Controls how users can sign in on the PC. Configurable from the Set up School PCs app. Choosing domain-joined enables any user in the domain to sign in. Specifying the guest option adds the Guest option to the sign-in screen and enable anonymous guest access to the PC. |
+| Deletion policy | Delete at disk space threshold and inactive threshold | Delete at disk space threshold starts deleting accounts when available disk space falls below the threshold you set for disk level deletion. It stops deleting accounts when the available disk space reaches the threshold you set for disk level caching. Accounts are deleted in order of oldest accessed to most recently accessed. Also deletes accounts if they haven't signed in within the number of days specified by inactive threshold policy. |
+| Disk level caching | 50% | Sets 50% of total disk space to be used as the disk space threshold for account caching. |
+| Disk level deletion | For shared device setup, 25%; for single device-student setup, 0%. | When devices are optimized for shared use, the policy sets 25% of total disk space as the disk space threshold for account caching. When devices are optimized for use by a single student, the policy sets the value to 0% and doesn't delete accounts. |
+| Enable account manager | True | Enables automatic account management. |
+| Inactive threshold | For shared device setup, 30 days; for single device-student setup, 180 days. | After 30 or 180 days, respectively, if an account hasn't signed in, it will be deleted. |
+| Kiosk Mode AMUID | `Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App` | Configures the kiosk account on student devices to only run the Take a Test secure assessment browser. |
+| Kiosk Mode User Tile Display Text | Take a Test | Displays "Take a Test" as the name of the kiosk account on student devices. |
+| Restrict local storage | For shared device setup, True; for single device-student setup, False. | When devices are optimized for shared use across multiple PCs, this policy forces students to save to the cloud to prevent data loss. When your devices are optimized for use by a single student, this policy doesn't prevent students from saving on the PCs local hard drive. |
+| Maintenance start time | 0 - midnight | The maintenance start time when automatic maintenance tasks, such as Windows Update, run on student devices. |
+| Max page file size in MB | 1024 | Sets the maximum size of the paging file to 1024 MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. |
+| Set power policies | True | Prevents users from changing power settings and turns off hibernate. Also overrides all power state transitions to sleep, such as lid close. |
+| Sign in on resume | True | Requires the device user to sign in with a password when the PC wakes from sleep. |
+| Sleep timeout | 3600 seconds | Specifies the maximum idle time before the PC should sleep. If you don't set sleep timeout, the default time, 3600 seconds (1 hour), is applied. |
-## MDM and local group policies
-This section lists only the MDM and local group policies that are configured uniquely for the Set up School PCs app.
+## MDM and local group policies
+
+This section lists only the MDM and local group policies that are configured uniquely for the Set up School PCs app.
For a more detailed look of each policy listed, see [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) in the Windows IT Pro Center documentation.
+| Policy name | Default value | Description |
+|--|--|--|
+| Authority | User-defined | Authenticates the admin user. Value is set automatically when signed in to Azure AD. |
+| BPRT | User-defined | Value is set automatically when signed in to Azure AD. Allows you to create the provisioning package. |
+| WLAN Setting | XML is generated from the Wi-Fi profile in the Set up School PCs app. | Configures settings for wireless connectivity. |
+| Hide OOBE for desktop | True | Hides the interactive OOBE flow for Windows 10. |
+| Download Mode | 1 - HTTP blended with peering behind the same NAT | Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps, and App updates |
+| Select when Preview Builds and Feature Updates are received | 32 - Semi-annual Channel. Device gets feature updates from Semi-annual Channel | Specifies how frequently devices receive preview builds and feature updates. |
+| Allow auto update | 4 - Auto-installs and restarts without device-user control | When an auto update is available, it auto-installs and restarts the device without any input or action from the device user. |
+| Configure automatic updates | 3 - Set to install at 3am | Scheduled time to install updates. |
+| Update power policy for cart restarts | 1 - Configured | Skips all restart checks to ensure that the reboot will happen at the scheduled install time. |
+| Select when Preview Builds and Feature Updates are received | 365 days | Defers Feature Updates for the specified number of days. When not specified, defaults to 365 days. |
+| Allow all trusted apps | Disabled | Prevents untrusted apps from being installed to device |
+| Allow developer unlock | Disabled | Students can't unlock the PC and use it in developer mode |
+| Allow Cortana | Disabled | Cortana isn't allowed on the device. |
+| Allow manual MDM unenrollment | Disabled | Students can't remove the mobile device manager from their device. |
+| Settings page visibility | Enabled | Specific pages in the System Settings app aren't visible or accessible to students. |
+| Allow add provisioning package | Disabled | Students can't add and upload new provisioning packages to their device. |
+| Allow remove provisioning package | Disabled | Students can't remove packages that you've uploaded to their device, including the Set up School PCs app |
+| Start Layout | Enabled | Lets you specify the Start layout for users and prevents them from changing the configuration. |
+| Import Edge Assets | Enabled | Import Microsoft Edge assets, such as PNG and JPG files, for secondary tiles on the Start layout. Tiles will appear as weblinks and will be tied to the relevant image asset files. |
+| Allow pinned folder downloads | 1 - The shortcut is visible and disables the setting in the Settings app | Makes the Downloads shortcut on the Start menu visible to students. |
+| Allow pinned folder File Explorer | 1 - The shortcut is visible and disables the setting in the Settings app | Makes the File Explorer shortcut on the Start menu visible to students. |
+| Personalization | Deploy lock screen image | Set to the image you picked when you customized the lock screen during device setup. If you didn't customize the image, the computer will show the default. |
+| Personalization | Lock screen image URL | Image filename |
+| Update | Active hours end | 5 PM |
+| Update | Active hours start | 7 AM |
+| Updates Windows | Nightly | Sets Windows to update on a nightly basis. |
-| Policy name | Default value | Description |
-|-------------------------------------------------------------|--------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Authority | User-defined | Authenticates the admin user. Value is set automatically when signed in to Azure AD. |
-| BPRT | User-defined | Value is set automatically when signed in to Azure AD. Allows you to create the provisioning package. |
-| WLAN Setting | XML is generated from the Wi-Fi profile in the Set up School PCs app. | Configures settings for wireless connectivity. |
-| Hide OOBE for desktop | True | Hides the interactive OOBE flow for Windows 10. |
-| Download Mode | 1 - HTTP blended with peering behind the same NAT | Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps, and App updates |
-| Select when Preview Builds and Feature Updates are received | 32 - Semi-annual Channel. Device gets feature updates from Semi-annual Channel | Specifies how frequently devices receive preview builds and feature updates. |
-| Allow auto update | 4 - Auto-installs and restarts without device-user control | When an auto update is available, it auto-installs and restarts the device without any input or action from the device user. |
-| Configure automatic updates | 3 - Set to install at 3am | Scheduled time to install updates. |
-| Update power policy for cart restarts | 1 - Configured | Skips all restart checks to ensure that the reboot will happen at the scheduled install time. |
-| Select when Preview Builds and Feature Updates are received | 365 days | Defers Feature Updates for the specified number of days. When not specified, defaults to 365 days. |
-| Allow all trusted apps | Disabled | Prevents untrusted apps from being installed to device |
-| Allow developer unlock | Disabled | Students can't unlock the PC and use it in developer mode |
-| Allow Cortana | Disabled | Cortana isn't allowed on the device. |
-| Allow manual MDM unenrollment | Disabled | Students can't remove the mobile device manager from their device. |
-| Settings page visibility | Enabled | Specific pages in the System Settings app aren't visible or accessible to students. |
-| Allow add provisioning package | Disabled | Students can't add and upload new provisioning packages to their device. |
-| Allow remove provisioning package | Disabled | Students can't remove packages that you've uploaded to their device, including the Set up School PCs app |
-| Start Layout | Enabled | Lets you specify the Start layout for users and prevents them from changing the configuration. |
-| Import Edge Assets | Enabled | Import Microsoft Edge assets, such as PNG and JPG files, for secondary tiles on the Start layout. Tiles will appear as weblinks and will be tied to the relevant image asset files. |
-| Allow pinned folder downloads | 1 - The shortcut is visible and disables the setting in the Settings app | Makes the Downloads shortcut on the Start menu visible to students. |
-| Allow pinned folder File Explorer | 1 - The shortcut is visible and disables the setting in the Settings app | Makes the File Explorer shortcut on the Start menu visible to students. |
-| Personalization | Deploy lock screen image | Set to the image you picked when you customized the lock screen during device setup. If you didn't customize the image, the computer will show the default. |
-| Personalization | Lock screen image URL | Image filename |
-| Update | Active hours end | 5 PM |
-| Update | Active hours start | 7 AM |
-| Updates Windows | Nightly | Sets Windows to update on a nightly basis. |
+## Apps uninstalled from Windows devices
-## Apps uninstalled from Windows 10 devices
-Set up School PCs app uses the Universal app uninstall policy. This policy identifies default apps that aren't relevant to the classroom experience, and uninstalls them from each device. ALl apps uninstalled from Windows 10 devices include:
+Set up School PCs app uses the Universal app uninstall policy. The policy identifies default apps that aren't relevant to the classroom experience, and uninstalls them from each device. The apps uninstalled from Windows devices are:
+- Mixed Reality Viewer
+- Weather
+- Desktop App Installer
+- Tips
+- Messaging
+- My Office
+- Microsoft Solitaire Collection
+- Mobile Plans
+- Feedback Hub
+- Xbox
+- Mail/Calendar
+- Skype
-* Mixed Reality Viewer
-* Weather
-* Desktop App Installer
-* Tips
-* Messaging
-* My Office
-* Microsoft Solitaire Collection
-* Mobile Plans
-* Feedback Hub
-* Xbox
-* Mail/Calendar
-* Skype
+## Apps installed on Windows devices
-## Apps installed on Windows 10 devices
-Set up School PCs uses the Universal app install policy to install school-relevant apps on all Windows 10 devices. Apps that are installed include:
-* OneDrive
-* OneNote
-* Sway
+Set up School PCs uses the Universal app install policy to install school-relevant apps on all Windows 10 devices. The following apps are installed:
+
+- OneDrive
+- OneNote
+- Sway
## Provisioning time estimates
+
The time it takes to install a package on a device depends on the:
-* Strength of network connection
-* Number of policies and apps within the package
-* Other configurations made to the device
+- Strength of network connection
+- Number of policies and apps within the package
+- Other configurations made to the device
-Review the table below to estimate your expected provisioning time. A package that only applies Set Up School PC's default configurations will provision the fastest. A package that removes pre-installed apps, through CleanPC, will take much longer to provision.
+Review the table below to estimate your expected provisioning time. A package that only applies Set Up School PC's default configurations will provision the fastest. A package that removes preinstalled apps, through CleanPC, will take much longer to provision.
-|Configurations |Connection type |Estimated provisioning time |
-|---------|---------|---------|
-|Default settings only | Wi-Fi | 3 to 5 minutes |
-|Default settings + apps | Wi-Fi | 10 to 15 minutes |
-|Default settings + remove pre-installed apps (CleanPC) | Wi-Fi | 60 minutes |
-|Default settings + other settings (Not CleanPC) | Wi-Fi | 5 minutes |
+| Configurations | Connection type | Estimated provisioning time |
+|--|--|--|
+| Default settings only | Wi-Fi | 3 to 5 minutes |
+| Default settings + apps | Wi-Fi | 10 to 15 minutes |
+| Default settings + remove preinstalled apps (CleanPC) | Wi-Fi | 60 minutes |
+| Default settings + other settings (Not CleanPC) | Wi-Fi | 5 minutes |
-## Next steps
-Learn more about setting up devices with the Set up School PCs app.
-* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
-* [Set up School PCs technical reference](set-up-school-pcs-technical.md)
-* [Set up Windows 10 devices for education](set-up-windows-10.md)
+## Next steps
-When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
\ No newline at end of file
+Learn more about setting up devices with the Set up School PCs app.
+
+- [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
+- [Set up School PCs technical reference](set-up-school-pcs-technical.md)
+- [Set up Windows 10 devices for education](set-up-windows-10.md)
+
+When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
diff --git a/education/windows/TOC.yml b/education/windows/toc.yml
similarity index 100%
rename from education/windows/TOC.yml
rename to education/windows/toc.yml
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index 2464884671..d2a1f8c29b 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -138,8 +138,8 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `NextUp Talker` | 1.0.49 | Win32 | `NextUp Technologies` |
| `NonVisual Desktop Access` | 2021.3.1 | Win32 | `NV Access` |
| `NWEA Secure Testing Browser` | 5.4.356.0 | Win32 | `NWEA` |
-| `PC Talker NEO` | 2209 | Win32 | `Kochi System Development` |
-| `PC Talker NEO Plus` | 2209 | Win32 | `Kochi System Development` |
+| `PC Talker Neo` | 2209 | Win32 | `Kochi System Development` |
+| `PC Talker Neo Plus` | 2209 | Win32 | `Kochi System Development` |
| `PaperCut` | 22.0.6 | Win32 | `PaperCut Software International Pty Ltd` |
| `Pearson TestNav` | 1.11.3 | `Store` | `Pearson` |
| `Questar Secure Browser` | 5.0.1.456 | Win32 | `Questar, Inc` |
diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md
index 80dcf53c89..e42358820a 100644
--- a/windows/application-management/provisioned-apps-windows-client-os.md
+++ b/windows/application-management/provisioned-apps-windows-client-os.md
@@ -4,7 +4,7 @@ description: Use the Windows PowerShell Get-AppxProvisionedPackage command to ge
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
-ms.date: 01/12/2023
+ms.date: 06/05/2023
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-apps
@@ -47,17 +47,47 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? | 22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
- | ✔️ | ✔️ | ✔️ ||
+ | ✔️ | ✔️ | ✔️ | ✔️️|
---
-- [Bing Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | Package name: Microsoft.BingWeather
+- [Clipchamp](ms-windows-store://pdp/?ProductId=9P1J8S7CCWWT) | Package name: Clipchamp.Clipchamp
- Supported versions:
---
- | Uninstall through UI? | 22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | ✔️ | ✔️ | ✔️ | ❌️|
+
+ ---
+
+- [Cortana](ms-windows-store://pdp/?PFN=Microsoft.549981C3f5f10_8wekyb3d8bbwe) | Package name: Microsoft.549981C3f5f10
+ - Supported versions:
+
+ ---
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | ❌ | ✔️ | ✔️ | ✔️️|
+
+ ---
+
+- [Microsoft News](ms-windows-store://pdp/?PFN=Microsoft.BingNews_8wekyb3d8bbwe) | Package name: Microsoft.BingNews
+ - Supported versions:
+
+ ---
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | ✔️ | ✔️ | ✔️ | ✔️️|
+
+ ---
+
+- [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | Package name: Microsoft.BingWeather
+ - Supported versions:
+
+ ---
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️️|
@@ -67,17 +97,27 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? | 22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| Use Settings App | ✔️ | ✔️ | ✔️|
---
+- [Xbox App](ms-windows-store://pdp/?PFN=Microsoft.GamingApp_8wekyb3d8bbwe) | Package name: Microsoft.GamingApp
+ - Supported versions:
+
+ ---
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | ✔️ | ✔️ | ✔️ | ✔️️|
+
+ ---
+
- [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | Package name: Microsoft.GetHelp
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
|---| --- | --- | --- |
| ❌ | ✔️| ✔️| ✔️|
@@ -87,7 +127,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️|
@@ -97,7 +137,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️| ✔️| ✔️|
@@ -107,39 +147,49 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
- | ❌ | ✔️|||
+ | ✔️ | ✔️| ✔️| ✔️|
---
>[!NOTE]
>For devices running Windows 11, version 21H2, and any supported version of Windows 10, you need to acquire the [HEVC Video Extensions](ms-windows-store://pdp/?productid=9NMZLZ57R3T7) from the Microsoft Store.
+- [Microsoft Edge](ms-windows-store://pdp/?productid=XPFFTQ037JWMHS) | Package name:Microsoft.MicrosoftEdge.Stable
+ - Supported versions:
+
+ ---
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | ❌ | ✔️ | ✔️ | ✔️|
+
+ ---
+
- [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | Package name:Microsoft.Messaging
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
- | ❌ | ✔️ | ✔️ | ✔️|
+ | ✔️ | ✔️ | ✔️ | ✔️|
---
-- [Microsoft 3D Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | Package name: Microsoft.Microsoft3DViewer
+- [3D Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | Package name: Microsoft.Microsoft3DViewer
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
- | ❌ | ✔️ | ✔️ | ✔️|
+ | ✔️ | ✔️ | ✔️ | ✔️|
---
-- [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | Package name: Microsoft.MicrosoftOfficeHub
+- [Microsoft 365 (Office)](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | Package name: Microsoft.MicrosoftOfficeHub
- Supported versions:
---
- | Uninstall through UI? | 22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️️|
@@ -149,7 +199,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? | 22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️️|
@@ -159,9 +209,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
- | ❌ | ✔️ | ✔️ | ✔️|
+ | ✔️ | ✔️ | ✔️ | ✔️|
---
@@ -169,19 +219,19 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
- | ❌ | ✔️ | ✔️ | ✔️|
+ | ✔️ | ✔️ | ✔️ | ✔️|
---
-- [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | Package name: Microsoft.MSPaint
+- [MPEG2 Video Extension](ms-windows-store://pdp/?PFN=Microsoft.MPEG2VideoExtension_8wekyb3d8bbwe) | Package name: Microsoft.MPEG2VideoExtension
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
- | ❌ | ✔️ | ✔️ | ✔️|
+ | ✔️ | ✔️ | ✔️ | ✔️|
---
@@ -189,9 +239,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? | 22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
- | ✔️ | ✔️ | ✔️ | ✔️️|
+ | ✔️ | ❌ | ✔️ | ✔️️|
---
@@ -201,25 +251,45 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| --- | --- | --- | --- |
+ | ✔️ | ✔️ | ✔️ | ✔️|
+
+ ---
+
+- OneDrive Sync | Package name: Microsoft.OneDriveSync
+ - Supported versions:
+
+ ---
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
-- Microsoft.Outlook.DesktopIntegrationServices
+- Outlook Desktop Integration | Package name: Microsoft.OutlookDesktopIntegrationServices
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
- | | ✔️ | ✔️ | ✔️|
+ | ✔️ | ✔️ | ✔️ | ✔️|
---
-- [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | Package name: Microsoft.People
+- [Paint](ms-windows-store://pdp/?PFN=Microsoft.paint_8wekyb3d8bbwe) | Package name: Microsoft.Paint
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | ✔️ | ✔️ | ✔️ | ✔️|
+
+ ---
+
+- [People](ms-windows-store://pdp/?PFN=Microsoft.people_8wekyb3d8bbwe) | Package name: Microsoft.People
+ - Supported versions:
+
+ ---
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
@@ -229,57 +299,78 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | ❌ | ❌ | ✔️ | ✔️|
+
+ ---
+
+- [Raw Image Extension](ms-windows-store://pdp/?PFN=Microsoft.RawImageExtension_8wekyb3d8bbwe) | Package name: Microsoft.RawImageExtension
+ - Supported versions:
+
+ ---
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
-- [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | Package name: Microsoft.ScreenSketch
+- [Snipping Tool](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | Package name: Microsoft.ScreenSketch
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | ✔️ | ✔️ | ✔️ | ✔️|
+
+ ---
+
+- Store Purchase App | Package name: Microsoft.StorePurchaseApp
+ - Supported versions:
+
+ ---
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
-- [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | Package name: Microsoft.SkypeApp
+- [Microsoft To Do](ms-windows-store://pdp/?PFN=Microsoft.ToDos_8wekyb3d8bbwe) | Package name: Microsoft.ToDos
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | ✔️ | ✔️ | ✔️ | ✔️|
+
+ ---
+
+- UI.Xaml | Package name: Microsoft.UI.Xaml
+ - Supported versions:
+
+ ---
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
-- [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | Package name: Microsoft.StorePurchaseApp
+- VCLibs | Package name: Microsoft.VCLibs
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
-- Microsoft.VP9VideoExtensions
+
+- [VP9 Video Extensions](ms-windows-store://pdp/?PFN=Microsoft.VP9VideoExtensions_8wekyb3d8bbwe) | Microsoft.VP9VideoExtensions
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
- | --- | --- | --- | --- |
- | ❌ | ✔️ | ✔️ | ✔️|
-
- ---
-
-- [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | Package name: Microsoft.Wallet
- - Supported versions:
-
- ---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
@@ -289,7 +380,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
@@ -299,17 +390,27 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
+- [Whiteboard](ms-windows-store://pdp/?PFN=Microsoft.Whiteboard_8wekyb3d8bbwe) | Package name: Microsoft.Whiteboard
+ - Supported versions:
+
+ ---
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | ✔️ | ✔️ | ✔️| ✔️|
+
+ ---
+
- [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | Package name: Microsoft.Windows.Photos
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
@@ -319,7 +420,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
@@ -329,9 +430,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
- | ❌ | ✔️ | ✔️ | ✔️|
+ | ✔️ | ✔️ | ✔️ | ✔️|
---
@@ -339,7 +440,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
@@ -349,7 +450,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
@@ -359,7 +460,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
@@ -369,19 +470,29 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
- | ❌ | ✔️ | ✔️ | ✔️|
+ | ✔️ | ✔️ | ✔️ | ✔️|
---
-- [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | Package name: Microsoft.WindowsSoundRecorder
+- [Windows Notepad](ms-windows-store://pdp/?PFN=Microsoft.WindowsNotepad_8wekyb3d8bbwe) | Package name: Microsoft.Notepad
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
- | ❌ | ✔️ | ✔️ | ✔️|
+ | ✔️ | ✔️ | ✔️ | ✔️|
+
+ ---
+
+- [Windows Sound Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | Package name: Microsoft.WindowsSoundRecorder
+ - Supported versions:
+
+ ---
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | ✔️ | ✔️ | ✔️ | ✔️|
---
@@ -389,29 +500,17 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- - The Store app shouldn't be removed. If you remove the Store app, and want to reinstall it, you must restore your system from a backup, or reset your system. Instead of removing the Store app, use group policies to hide or disable it.
-
- [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | Package name: Microsoft.Xbox.TCUI
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
- | --- | --- | --- | --- |
- | ❌ | ✔️ | ✔️ | ✔️|
-
- ---
-
-- [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | Package name: Microsoft.XboxApp
- - Supported versions:
-
- ---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
@@ -421,7 +520,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
@@ -431,7 +530,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
@@ -441,37 +540,37 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
-- Microsoft.XboxSpeechToTextOverlay
+- Xbox speech to text overlay | Package name: Microsoft.XboxSpeechToTextOverlay
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
-- [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | Package name: Microsoft.YourPhone
+- [Phone Link](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | Package name: Microsoft.YourPhone
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
-- [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | Package name: Microsoft.ZuneMusic
+- [Windows Media Player](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | Package name: Microsoft.ZuneMusic
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
@@ -481,8 +580,28 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
- | Uninstall through UI? |22H2| 21H1 | 20H2 |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
+
+- [Quick Assist](ms-windows-store://pdp/?PFN=MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe) | Package name: MicrosoftCorporationII.QuickAssist
+ - Supported versions:
+
+ ---
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | ✔️ | ✔️ | ✔️ | ✔️|
+
+ ---
+
+- Windows Web Experience | Package name: MicrosoftWindows.Client.WebExperience
+ - Supported versions:
+
+ ---
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | ❌ | ✔️ | ✔️ | ❌|
+
+ ---
diff --git a/windows/application-management/system-apps-windows-client-os.md b/windows/application-management/system-apps-windows-client-os.md
index efc4c311ec..11134b7ea8 100644
--- a/windows/application-management/system-apps-windows-client-os.md
+++ b/windows/application-management/system-apps-windows-client-os.md
@@ -4,7 +4,7 @@ description: Use the Windows PowerShell Get-AppxPackage command to get a list of
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
-ms.date: 2/14/2023
+ms.date: 6/05/2023
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-apps
@@ -44,314 +44,323 @@ The following information lists the system apps on some Windows Enterprise OS ve
- File Picker | Package name: 1527c705-839a-4832-9118-54d4Bd6a0c89
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- File Explorer | Package name: c5e2524a-ea46-4f67-841f-6a9465d9d515
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- App Resolver UX | Package name: E2A4F912-2574-4A75-9BB0-0D023378592B
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Add Suggested Folders To Library | Package name: F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
-
- ---
-
-- InputApp
-
- ---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | | | ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Microsoft.AAD.Broker.Plugin | Package name: Microsoft.AAD.Broker.Plugin
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Microsoft.AccountsControl | Package name: Microsoft.AccountsControl
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Microsoft.AsyncTextService | Package name: Microsoft.AsyncTextService
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Hello setup UI | Package name: Microsoft.BioEnrollment
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Microsoft.CredDialogHost
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Microsoft.ECApp
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Microsoft.LockApp
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Microsoft Edge | Package name: Microsoft.MicrosoftEdge
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Microsoft.MicrosoftEdgeDevToolsClient
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
-
- ---
-
-- Microsoft.PPIProjection
-
- ---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | | | ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Microsoft.Win32WebViewHost
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.Apprep.ChxApp
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
-
- ---
-
-- Microsoft.Windows.AssignedAccessLockApp
-
- ---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.CapturePicker
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.CloudExperienceHost
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.ContentDeliveryManager
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
-- Cortana | Package name: Microsoft.Windows.Cortana
+- Narrator QuckStart | Package name: Microsoft.Windows.NarratorQuickStart
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | | | ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.OOBENetworkCaptivePort
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.OOBENetworkConnectionFlow
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.ParentalControls
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- People Hub | Package name: Microsoft.Windows.PeopleExperienceHost
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.PinningConfirmationDialog
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
-- Microsoft.Windows.SecHealthUI
+- Microsoft.Windows.PrintQueueActionCenter
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
-- Microsoft.Windows.SecureAssessmentBrowser
+- Microsoft.Windows.ShellExperienceHost
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
-- Start | Package name: Microsoft.Windows.ShellExperienceHost
+- Start | Microsoft.Windows.StartMenuExperienceHost
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
+
+ ---
+
+- Microsoft.Windows.XGpuEjectDialog
+
+ ---
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Microsoft.XboxGameCallableUI
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
+
+ ---
+
+- MicrosoftWindows.Client.CBS
+
+ ---
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
+
+ ---
+
+- MicrosoftWindows.Client.Core
+
+ ---
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
+
+ ---
+
+- MicrosoftWindows.UndockedDevKit
+
+ ---
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
+
+ ---
+
+- NcsiUwpApp
+
+ ---
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Windows.CBSPreview
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Settings | Package name: Windows.immersivecontrolpanel
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
-
- ---
-
-- Print 3D | Package name: Windows.Print3D
-
- ---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ✔️ | ✔️ | | | ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
- Print UI | Package name: Windows.PrintDialog
---
- | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
- | --- | --- | --- | --- | --- | --- |
- | | ❌ | ❌ | ✔️ | ✔️| ✔️ |
+ | Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
+ | --- | --- | --- | --- |
+ | | ✔️ | ✔️ | ✔️|
---
diff --git a/windows/client-management/mdm-known-issues.md b/windows/client-management/mdm-known-issues.md
index 8c3dc27e89..63895b5917 100644
--- a/windows/client-management/mdm-known-issues.md
+++ b/windows/client-management/mdm-known-issues.md
@@ -68,7 +68,7 @@ EAP XML must be updated with relevant information for your environment. This tas
- For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This detail is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags, you'll find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM's guidance on how to deploy a new Wi-Fi profile.
- For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field.
-For information about EAP Settings, see This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization. Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.|
-| Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring. The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed. This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization. Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.|
+| Fast | Ring 2 | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring. The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed. A global Windows feature update policy is automatically assigned behind the scenes to the newly added deployment rings or when you assigned Azure AD groups to the deployment ring (Last) in the Default Autopatch group. The global Windows feature policy is automatically assigned behind the scenes to all deployment rings as part of the Custom Autopatch groups you create. UEFI Secure Boot ensures that the device boots only authorized code. Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: "System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby"|
-|Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled|Required to support virtualization-based security. Direct Memory Access (DMA) protection can be enabled to provide extra memory protection but requires processors to include DMA protection technologies.|
+|UEFI 2.3.1 or later firmware with Secure Boot enabled|Required to support UEFI Secure Boot. UEFI Secure Boot ensures that the device boots only authorized code. Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: "System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby"|
+|Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled|Required to support virtualization-based security. **Note:** Device Guard can be enabled without using virtualization-based security.|
+|X64 processor|Required to support virtualization-based security that uses Windows Hypervisor. Hyper-V is supported only on x64 processor (and not on x86). Direct Memory Access (DMA) protection can be enabled to provide extra memory protection but requires processors to include DMA protection technologies.|
|IOMMU, such as Intel VT-d, AMD-Vi|Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.|
|Trusted Platform Module (TPM)|Required to support health attestation and necessary for other key protections for virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10, version 1607 (RS1)|
This section presented information about several closely related controls in Windows 10. The multi-layer defenses and in-depth approach help to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them.
-## Detect an unhealthy Windows 10-based device
+## Detect an unhealthy Windows 10-based device
As of today, many organizations only consider devices to be compliant with company policy after they've passed various checks that show, for example, that the operating system is in the correct state, properly configured, and has security protection enabled. Unfortunately, with today's systems, this form of reporting isn't entirely reliable because malware can spoof a software statement about system health. A rootkit, or a similar low-level exploit, can report a false healthy state to traditional compliance tools.
@@ -394,14 +384,14 @@ When you start a device equipped with TPM, a measurement of different components
The health attestation process works as follows:
-1. Hardware boot components are measured.
-2. Operating system boot components are measured.
-3. If Device Guard is enabled, current Device Guard policy is measured.
-4. Windows kernel is measured.
-5. Antivirus software is started as the first kernel mode driver.
-6. Boot start drivers are measured.
-7. MDM server through the MDM agent issues a health check command by using the Health Attestation CSP.
-8. Boot measurements are validated by the Health Attestation Service
+1. Hardware boot components are measured.
+2. Operating system boot components are measured.
+3. If Device Guard is enabled, current Device Guard policy is measured.
+4. Windows kernel is measured.
+5. Antivirus software is started as the first kernel mode driver.
+6. Boot start drivers are measured.
+7. MDM server through the MDM agent issues a health check command by using the Health Attestation CSP.
+8. Boot measurements are validated by the Health Attestation Service
> [!NOTE]
> By default, the last 100 system boot logs and all associated resume logs are archived in the %SystemRoot%\\logs\\measuredboot folder.
@@ -409,16 +399,16 @@ The number of retained logs may be set with the registry **REG\_DWORD** value **
The following process describes how health boot measurements are sent to the health attestation service:
-1. The client (a Windows 10-based device with TPM) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client.
-2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate information.
-3. The remote device heath attestation service then:
+1. The client (a Windows 10-based device with TPM) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client.
+2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate information.
+3. The remote device heath attestation service then:
- 1. Verifies that the AIK certificate is issued by a known and trusted CA and the certificate is valid and not revoked.
- 2. Verifies that the signature on the PCR quotes is correct and consistent with the TCG log value.
- 3. Parses the properties in the TCG log.
- 4. Issues the device health token that contains the health information, the AIK information, and the boot counter information. The health token also contains valid issuance time. The device health token is encrypted and signed, that means that the information is protected and only accessible to issuing health attestation service.
+ 1. Verifies that the AIK certificate is issued by a known and trusted CA and the certificate is valid and not revoked.
+ 2. Verifies that the signature on the PCR quotes is correct and consistent with the TCG log value.
+ 3. Parses the properties in the TCG log.
+ 4. Issues the device health token that contains the health information, the AIK information, and the boot counter information. The health token also contains valid issuance time. The device health token is encrypted and signed, that means that the information is protected and only accessible to issuing health attestation service.
-4. The client stores the health encrypted blob in its local store. The device health token contains device health status, a device ID (the Windows AIK), and the boot counter.
+4. The client stores the health encrypted blob in its local store. The device health token contains device health status, a device ID (the Windows AIK), and the boot counter.
:::image type="content" alt-text="figure 8." source="images/hva-fig8a-healthattest8a.png":::
@@ -426,7 +416,7 @@ The following process describes how health boot measurements are sent to the hea
The device health attestation solution involves different components that are TPM, Health Attestation CSP, and the Windows Health Attestation Service. Those components are described in this section.
-### Trusted Platform Module
+### Trusted Platform Module
This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting.
@@ -434,11 +424,11 @@ In a simplified manner, the TPM is a passive component with limited resources. I
A TPM incorporates in a single component:
-- An RSA 2048-bit key generator
-- A random number generator
-- Nonvolatile memory for storing EK, SRK, and AIK keys
-- A cryptographic engine to encrypt, decrypt, and sign
-- Volatile memory for storing the PCRs and RSA keys
+- An RSA 2048-bit key generator
+- A random number generator
+- Nonvolatile memory for storing EK, SRK, and AIK keys
+- A cryptographic engine to encrypt, decrypt, and sign
+- Volatile memory for storing the PCRs and RSA keys
### Endorsement key
@@ -450,15 +440,15 @@ The endorsement key acts as an identity card for the TPM. For more information,
The endorsement key is often accompanied by one or two digital certificates:
-- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
-- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
+- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
+- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10.
> [!NOTE]
> Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted Boot, Hyper-V Code Integrity and ELAM take over. A device that uses Intel TPM or Qualcomm TPM gets a signed certificate online from the manufacturer that has created the chip and then stores the signed certificate in TPM storage. For the operation to succeed, if you are filtering Internet access from your client devices, you must authorize the following URLs:
-- For Intel firmware TPM: **```https://ekop.intel.com/ekcertservice```**
-- For Qualcomm firmware TPM: **```https://ekcert.spserv.microsoft.com/```**
+- For Intel firmware TPM: **```https://ekop.intel.com/ekcertservice```**
+- For Qualcomm firmware TPM: **```https://ekcert.spserv.microsoft.com/```**
### Attestation Identity Keys
@@ -506,7 +496,7 @@ If the TPM ownership isn't known but the EK exists, the client library will prov
As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is performed, the resulting AIK public portion is stored in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\WindowsAIKPub**
> [!NOTE]
-> For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: https://\*.microsoftaik.azure.net
+> For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: `https://\*.microsoftaik.azure.net`
### Windows 10 Health Attestation CSP
@@ -514,10 +504,10 @@ Windows 10 contains a configuration service provider (CSP) specialized for inter
The following list is that of the functions performed by the Windows 10 Health Attestation CSP:
-- Collects data that is used to verify a device's health status
-- Forwards the data to the Health Attestation Service
-- Provisions the Health Attestation Certificate that it receives from the Health Attestation Service
-- Upon request, forwards the Health Attestation Certificate (received from the Health Attestation Service) and related runtime information to the MDM server for verification
+- Collects data that is used to verify a device's health status
+- Forwards the data to the Health Attestation Service
+- Provisions the Health Attestation Certificate that it receives from the Health Attestation Service
+- Upon request, forwards the Health Attestation Certificate (received from the Health Attestation Service) and related runtime information to the MDM server for verification
During a health attestation session, the Health Attestation CSP forwards the TCG logs and PCRs' values that are measured during the boot, by using a secure communication channel to the Health Attestation Service.
@@ -532,21 +522,21 @@ The role of Windows Health Attestation Service is essentially to evaluate a set
Checking that a TPM attestation and the associated log are valid takes several steps:
-1. First, the server must check that the reports are signed by **trustworthy AIKs**. This verification might be done by checking that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked.
-2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it's a **valid signature over PCR values**.
-3. Next the logs should be checked to ensure that they match the PCR values reported.
-4. Finally, the logs themselves should be examined by an MDM solution to see whether they represent **known or valid security configurations**. For example, a simple check might be to see whether the measured early OS components are known to be good, that the ELAM driver is as expected, and that the ELAM driver policy file is up to date. If all of these checks succeed, an attestation statement can be issued that later can be used to determine whether or not the client should be granted access to a resource.
+1. First, the server must check that the reports are signed by **trustworthy AIKs**. This verification might be done by checking that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked.
+2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it's a **valid signature over PCR values**.
+3. Next the logs should be checked to ensure that they match the PCR values reported.
+4. Finally, the logs themselves should be examined by an MDM solution to see whether they represent **known or valid security configurations**. For example, a simple check might be to see whether the measured early OS components are known to be good, that the ELAM driver is as expected, and that the ELAM driver policy file is up to date. If all of these checks succeed, an attestation statement can be issued that later can be used to determine whether or not the client should be granted access to a resource.
The Health Attestation Service provides the following information to an MDM solution about the health of the device:
-- Secure Boot enablement
-- Boot and kernel debug enablement
-- BitLocker enablement
-- VSM enabled
-- Signed or unsigned Device Guard Code Integrity policy measurement
-- ELAM loaded
-- Safe Mode boot, DEP enablement, test signing enablement
-- Device TPM has been provisioned with a trusted endorsement certificate
+- Secure Boot enablement
+- Boot and kernel debug enablement
+- BitLocker enablement
+- VSM enabled
+- Signed or unsigned Device Guard Code Integrity policy measurement
+- ELAM loaded
+- Safe Mode boot, DEP enablement, test signing enablement
+- Device TPM has been provisioned with a trusted endorsement certificate
For completeness of the measurements, see [Health Attestation CSP](/windows/client-management/mdm/healthattestation-csp).
@@ -562,29 +552,29 @@ To make device health relevant, the MDM solution evaluates the device health rep
A solution that uses MDM and the Health Attestation Service consists of three main parts:
-1. A device with health attestation enabled. This enablement will be done as a part of enrollment with an MDM provider (health attestation will be disabled by default).
-2. After this service is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return.
-3. At any point after this cycle, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it's been attested.
+1. A device with health attestation enabled. This enablement will be done as a part of enrollment with an MDM provider (health attestation will be disabled by default).
+2. After this service is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return.
+3. At any point after this cycle, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it's been attested.
:::image type="content" alt-text="figure 9." source="images/hva-fig8-evaldevicehealth8.png":::
Interaction between a Windows 10-based device, the Health Attestation Service, and MDM can be performed as follows:
-1. The client initiates a session with the MDM server. The URI for the MDM server would be part of the client app that initiates the request. The MDM server at this time could request the health attestation data by using the appropriate CSP URI.
-2. The MDM server specifies a nonce along with the request.
-3. The client then sends the AIK quoted nonce + the boot counter and the health blob information. This health blob is encrypted with a Health Attestation Service public key that only the Health Attestation Service can decrypt.
-4. The MDM server:
+1. The client initiates a session with the MDM server. The URI for the MDM server would be part of the client app that initiates the request. The MDM server at this time could request the health attestation data by using the appropriate CSP URI.
+2. The MDM server specifies a nonce along with the request.
+3. The client then sends the AIK quoted nonce + the boot counter and the health blob information. This health blob is encrypted with a Health Attestation Service public key that only the Health Attestation Service can decrypt.
+4. The MDM server:
- 1. Verifies that the nonce is as expected.
- 2. Passes the quoted data, the nonce and the encrypted health blob to the Health Attestation Service server.
+ 1. Verifies that the nonce is as expected.
+ 2. Passes the quoted data, the nonce and the encrypted health blob to the Health Attestation Service server.
-5. The Health Attestation Service:
+5. The Health Attestation Service:
- 1. Decrypts the health blob.
- 2. Verifies that the boot counter in the quote is correct using the AIK in the health blob and matches the value in the health blob.
- 3. Verifies that the nonce matches in the quote and the one that is passed from MDM.
- 4. Because the boot counter and the nonce are quoted with the AIK from the health blob, it also proves that the device is the same one as the one for which the health blob has been generated.
- 5. Sends data back to the MDM server including health parameters, freshness, and so on.
+ 1. Decrypts the health blob.
+ 2. Verifies that the boot counter in the quote is correct using the AIK in the health blob and matches the value in the health blob.
+ 3. Verifies that the nonce matches in the quote and the one that is passed from MDM.
+ 4. Because the boot counter and the nonce are quoted with the AIK from the health blob, it also proves that the device is the same one as the one for which the health blob has been generated.
+ 5. Sends data back to the MDM server including health parameters, freshness, and so on.
> [!NOTE]
> The MDM server (relying party) never performs the quote or boot counter validation itself. It gets the quoted data and the health blob (which is encrypted) and sends the data to the Health Attestation Service for validation. This way, the AIK is never visible to the MDM, which thereby addresses privacy concerns.
@@ -625,7 +615,7 @@ Third-party MDM servers can manage Windows 10 by using the MDM protocol. The bui
The third-party MDM server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users.
-### Management of Windows Defender by third-party MDM
+### Management of Windows Defender by third-party MDM
This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren't domain joined. IT pros will be able to manage and configure all of the actions and settings they're familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms.
@@ -641,7 +631,7 @@ If the device isn't registered, the user will get a message with instructions on
:::image type="content" alt-text="figure 11." source="images/hva-fig10-conditionalaccesscontrol.png":::
-### Office 365 conditional access control
+### Office 365 conditional access control
Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company's device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include more
target groups.
@@ -663,20 +653,20 @@ Depending on the type of email application that employees use to access Exchange
Clients that attempt to access Office 365 will be evaluated for the following properties:
-- Is the device managed by an MDM?
-- Is the device registered with Azure AD?
-- Is the device compliant?
+- Is the device managed by an MDM?
+- Is the device registered with Azure AD?
+- Is the device compliant?
To get to a compliant state, the Windows 10-based device needs to:
-- Enroll with an MDM solution.
-- Register with Azure AD.
-- Be compliant with the device policies set by the MDM solution.
+- Enroll with an MDM solution.
+- Register with Azure AD.
+- Be compliant with the device policies set by the MDM solution.
> [!NOTE]
> At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows 10 – Using the cloud to modernize enterprise mobility!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-microsoft-intune-and-windows-10-8211-using-the-cloud-to/ba-p/244012) blog post.
-### Cloud and on-premises apps conditional access control
+### Cloud and on-premises apps conditional access control
Conditional access control is a powerful policy evaluation engine built into Azure AD. It gives IT pros an easy way to create access rules beyond Office 365 that evaluate the context of a user's sign in to make real-time decisions about which applications they should be allowed to access.
@@ -689,22 +679,22 @@ For more information about conditional access, see [Azure Conditional Access Pre
For on-premises applications there are two options to enable conditional access control based on a device's compliance state:
-- For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more information, see [Using Azure AD Application Proxy to publish on-premises apps for remote users](/azure/active-directory/app-proxy/what-is-application-proxy).
-- Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
+- For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more information, see [Using Azure AD Application Proxy to publish on-premises apps for remote users](/azure/active-directory/app-proxy/what-is-application-proxy).
+- Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
:::image type="content" alt-text="figure 13." source="images/hva-fig12-conditionalaccess12.png":::
The following process describes how Azure AD conditional access works:
-1. User has already enrolled with MDM through Workplace Access/Azure AD join, which registers device with Azure AD.
-2. When the device boots or resumes from hibernate, a task "Tpm-HASCertRetr" is triggered to request in background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service.
-3. Health Attestation Service validates device state and issues an encrypted blob to the device based on the health state with details on failed checks (if any).
-4. User logs on and the MDM agent contacts the Intune/MDM server.
-5. MDM server pushes down new policies if available and queries health blob state and other inventory state.
-6. Device sends a health attestation blob previously acquired and also the value of the other state inventory requested by the Intune/MDM server.
-7. Intune/MDM server sends the health attestation blob to Health Attestation Service to be validated.
-8. Health Attestation Service validates that the device that sent the health attestation blob is healthy, and returns this result to Intune/MDM server.
-9. Intune/MDM server evaluates compliance based on the compliance and the queried inventory/health attestation state from device.
+1. User has already enrolled with MDM through Workplace Access/Azure AD join, which registers device with Azure AD.
+2. When the device boots or resumes from hibernate, a task "Tpm-HASCertRetr" is triggered to request in background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service.
+3. Health Attestation Service validates device state and issues an encrypted blob to the device based on the health state with details on failed checks (if any).
+4. User logs on and the MDM agent contacts the Intune/MDM server.
+5. MDM server pushes down new policies if available and queries health blob state and other inventory state.
+6. Device sends a health attestation blob previously acquired and also the value of the other state inventory requested by the Intune/MDM server.
+7. Intune/MDM server sends the health attestation blob to Health Attestation Service to be validated.
+8. Health Attestation Service validates that the device that sent the health attestation blob is healthy, and returns this result to Intune/MDM server.
+9. Intune/MDM server evaluates compliance based on the compliance and the queried inventory/health attestation state from device.
10. Intune/MDM server updates compliance state against device object in Azure AD.
11. User opens app, attempts to access a corporate managed asset.
12. Access gated by compliance claim in Azure AD.
@@ -719,43 +709,43 @@ Conditional access control is a topic that many organizations and IT pros may no
The following list contains high-level key takeaways to improve the security posture of any organization. However, the few takeaways presented in this section shouldn't be interpreted as an exhaustive list of security best practices.
-- **Understand that no solution is 100 percent secure**
+- **Understand that no solution is 100 percent secure**
If determined adversaries with malicious intent gain physical access to the device, they could eventually break through its security layers and control it.
-- **Use health attestation with an MDM solution**
+- **Use health attestation with an MDM solution**
Devices that attempt to connect to high-value assets must have their health evaluated so that unhealthy and noncompliant devices can be detected, reported, and eventually blocked.
-- **Use Credential Guard**
+- **Use Credential Guard**
Credential Guard is a feature that greatly helps protect corporate domain credentials from pass-the-hash attacks.
-- **Use Device Guard**
+- **Use Device Guard**
Device Guard is a real advance in security and an effective way to help protect against malware. The new Device Guard feature in Windows 10 blocks untrusted apps (apps not authorized by your organization).
-- **Sign Device Guard policy**
+- **Sign Device Guard policy**
Signed Device Guard policy helps protect against a user with administrator privileges trying to defeat the current policy. When a policy is signed, the only way to modify Device Guard later is to provide a new version of the policy signed by the same signer or from a signer specify as part of the Device Guard policy.
-- **Use virtualization-based security**
+- **Use virtualization-based security**
When you have Kernel Mode Code Integrity protected by virtualization-based security, the code integrity rules are still enforced even if a vulnerability allows unauthorized kernel mode memory access. Keep in mind that Device Guard devices that run Kernel Code Integrity with virtualization-based security must have compatible drivers.
-- **Start to deploy Device Guard with Audit mode**
+- **Start to deploy Device Guard with Audit mode**
Deploy Device Guard policy to targeted computers and devices in Audit mode. Monitor the Code Integrity event log that indicates a program or a driver would have been blocked if Device Guard was configured in Enforcement mode. Adjust Device Guard rules until a high level of confidence has been reached. After the testing phase has been completed, Device Guard policy can be switched to Enforcement mode.
-- **Build an isolated reference machine when deploying Device Guard**
+- **Build an isolated reference machine when deploying Device Guard**
Because the corporate network can contain malware, you should start to configure a reference environment that is isolated from your main corporate network. After that, you can create a code integrity policy that includes the trusted applications you want to run on your protected devices.
-- **Use AppLocker when it makes sense**
+- **Use AppLocker when it makes sense**
Although AppLocker isn't considered a new Device Guard feature, it complements Device Guard functionality for some scenarios like being able to deny a specific Universal Windows application for a specific user or a group of users.
-- **Lock down firmware and configuration**
+- **Lock down firmware and configuration**
After Windows 10 is installed, lock down firmware boot options access. This lockdown prevents a user with physical access from modifying UEFI settings, disabling Secure Boot, or booting other operating systems. Also, in order to protect against an administrator trying to disable Device Guard, add a rule in the current Device Guard policy that will deny and block execution of the **C:\\Windows\\System32\\SecConfig.efi** tool.
@@ -765,4 +755,4 @@ Health attestation is a key feature of Windows 10 that includes client and cloud
- [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard)
- [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide)
-- [Trusted Platform Module technology overview](../information-protection/tpm/trusted-platform-module-overview.md)
+- [Trusted Platform Module technology overview](../../information-protection/tpm/trusted-platform-module-overview.md)
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
similarity index 83%
rename from windows/security/information-protection/secure-the-windows-10-boot-process.md
rename to windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
index be0c4f800d..1383de920b 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
@@ -1,24 +1,16 @@
---
title: Secure the Windows boot process
description: This article describes how Windows security features help protect your PC from malware, including rootkits and other applications.
-ms.prod: windows-client
-ms.author: paoloma
-author: paolomatarazzo
-manager: aaroncz
+ms.topic: conceptual
+ms.date: 03/09/2023
ms.collection:
- highpri
- tier1
-ms.topic: conceptual
-ms.date: 03/09/2023
-ms.technology: itpro-security
-appliesto:
-- ✅ Windows 10 and later
---
# Secure the Windows boot process
-
-The Windows OS has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 OS includes a series of security features that can mitigate the effect. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
+Windows has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, Windows includes a series of security features that can mitigate the effect. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
Windows has multiple levels of protection for desktop apps and data, too. Windows Defender Antivirus uses cloud-powered real-time detection to identify and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it's recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
@@ -50,9 +42,9 @@ Windows supports four features to help prevent rootkits and bootkits from loadin
Figure 1 shows the Windows startup process.
-.png)
+
-*Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage*
+*Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage*:
Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 and Windows 11 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well.
@@ -82,27 +74,23 @@ These requirements help protect you from rootkits while allowing you to run any
To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software can't change the Secure Boot settings.
-The default state of Secure Boot has a wide circle of trust which can result in customers trusting boot components they may not need. Since the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for all Linux distributions, trusting the Microsoft 3rd Party UEFI CA signature in the UEFI database increase s the attack surface of systems. A customer who intended to only trust and boot a single Linux distribution will trust all distributions – much more than their desired configuration. A vulnerability in any of the bootloaders exposes the system and places the customer at risk of exploit for a bootloader they never intended to use, as seen in recent vulnerabilities, for example [with the GRUB bootloader](https://msrc.microsoft.com/security-guidance/advisory/ADV200011) or [firmware-level rootkit]( https://www.darkreading.com/threat-intelligence/researchers-uncover-dangerous-new-firmware-level-rootkit) affecting boot components. [Secured-core PCs](/windows-hardware/design/device-experiences/OEM-highly-secure-11) require Secure Boot to be enabled and configured to distrust the Microsoft 3rd Party UEFI CA signature, by default, to provide customers with the most secure configuration of their PCs possible.
+The default state of Secure Boot has a wide circle of trust which can result in customers trusting boot components they may not need. Since the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for all Linux distributions, trusting the Microsoft 3rd Party UEFI CA signature in the UEFI database increase s the attack surface of systems. A customer who intended to only trust and boot a single Linux distribution will trust all distributions – much more than their desired configuration. A vulnerability in any of the bootloaders exposes the system and places the customer at risk of exploit for a bootloader they never intended to use, as seen in recent vulnerabilities, for example [with the GRUB bootloader](https://msrc.microsoft.com/security-guidance/advisory/ADV200011) or [firmware-level rootkit]( https://www.darkreading.com/threat-intelligence/researchers-uncover-dangerous-new-firmware-level-rootkit) affecting boot components. [Secured-core PCs](/windows-hardware/design/device-experiences/OEM-highly-secure-11) require Secure Boot to be enabled and configured to distrust the Microsoft 3rd Party UEFI CA signature, by default, to provide customers with the most secure configuration of their PCs possible.
To trust and boot operating systems, like Linux, and components signed by the UEFI signature, Secured-core PCs can be configured in the BIOS menu to add the signature in the UEFI database by following these steps:
-1. Open the firmware menu, either:
-
- - Boot the PC, and press the manufacturer's key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there's often a screen that mentions the key. If there's not one, or if the screen goes by too fast to see it, check your manufacturer's site.
+1. Open the firmware menu, either:
+ - Boot the PC, and press the manufacturer's key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there's often a screen that mentions the key. If there's not one, or if the screen goes by too fast to see it, check your manufacturer's site.
+ - Or, if Windows is already installed, from either the Sign on screen or the Start menu, select Power ( ) > hold Shift while selecting Restart. Select Troubleshoot > Advanced options > UEFI Firmware settings.
+2. From the firmware menu navigate to Security > Secure Boot and select the option to trust the "3rd Party CA".
+3. Save changes and exit.
- - Or, if Windows is already installed, from either the Sign on screen or the Start menu, select Power ( ) > hold Shift while selecting Restart. Select Troubleshoot > Advanced options > UEFI Firmware settings.
-
-2. From the firmware menu navigate to Security > Secure Boot and select the option to trust the "3rd Party CA".
-
-3. Save changes and exit.
-
-Microsoft continues to collaborate with Linux and IHV ecosystem partners to design least privileged features to help you stay secure and opt-in trust for only the publishers and components you trust.
+Microsoft continues to collaborate with Linux and IHV ecosystem partners to design least privileged features to help you stay secure and opt-in trust for only the publishers and components you trust.
Like most mobile devices, Arm-based devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot can't be turned off, and you can't load a different OS. Fortunately, there's a large market of ARM processor devices designed to run other operating systems.
## Trusted Boot
-Trusted Boot takes over where Secure Boot ends. The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
+Trusted Boot takes over where Secure Boot ends. The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
## Early Launch Anti-Malware
@@ -129,13 +117,12 @@ Depending on the implementation and configuration, the server can now determine
Figure 2 illustrates the Measured Boot and remote attestation process.
+
-
-.png)
-
-*Figure 2. Measured Boot proves the PC's health to a remote server*
+*Figure 2. Measured Boot proves the PC's health to a remote server*:
Windows includes the application programming interfaces to support Measured Boot, but you'll need non-Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it. For example, see the following tools from Microsoft Research:
+
- [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487)
- [TSS.MSR](https://github.com/microsoft/TSS.MSR#tssmsr)
diff --git a/windows/security/operating-system-security/system-security/toc.yml b/windows/security/operating-system-security/system-security/toc.yml
index 86abf54e55..2945f5f884 100644
--- a/windows/security/operating-system-security/system-security/toc.yml
+++ b/windows/security/operating-system-security/system-security/toc.yml
@@ -1,28 +1,28 @@
items:
- name: Secure the Windows boot process
- href: ../../information-protection/secure-the-windows-10-boot-process.md
+ href: secure-the-windows-10-boot-process.md
- name: Secure Boot and Trusted Boot
- href: ../../trusted-boot.md
-- name: Measured Boot
+ href: trusted-boot.md
+- name: Measured Boot 🔗
href: /windows/compatibility/measured-boot
- name: Device health attestation service
- href: ../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+ href: protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
- name: Cryptography and certificate management
- href: ../../cryptography-certificate-mgmt.md
-- name: The Windows Security app
- href: ../../threat-protection/windows-defender-security-center/windows-defender-security-center.md
+ href: cryptography-certificate-mgmt.md
+- name: Windows Security app
+ href: windows-defender-security-center/windows-defender-security-center.md
items:
- name: Virus & threat protection
- href: ../../threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md
+ href: windows-defender-security-center\wdsc-virus-threat-protection.md
- name: Account protection
- href: ../../threat-protection\windows-defender-security-center\wdsc-account-protection.md
+ href: windows-defender-security-center\wdsc-account-protection.md
- name: Firewall & network protection
- href: ../../threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md
+ href: windows-defender-security-center\wdsc-firewall-network-protection.md
- name: App & browser control
- href: ../../threat-protection\windows-defender-security-center\wdsc-app-browser-control.md
+ href: windows-defender-security-center\wdsc-app-browser-control.md
- name: Device security
- href: ../../threat-protection\windows-defender-security-center\wdsc-device-security.md
+ href: windows-defender-security-center\wdsc-device-security.md
- name: Device performance & health
- href: ../../threat-protection\windows-defender-security-center\wdsc-device-performance-health.md
+ href: windows-defender-security-center\wdsc-device-performance-health.md
- name: Family options
- href: ../../threat-protection\windows-defender-security-center\wdsc-family-options.md
\ No newline at end of file
+ href: windows-defender-security-center\wdsc-family-options.md
\ No newline at end of file
diff --git a/windows/security/trusted-boot.md b/windows/security/operating-system-security/system-security/trusted-boot.md
similarity index 87%
rename from windows/security/trusted-boot.md
rename to windows/security/operating-system-security/system-security/trusted-boot.md
index 8790964196..a5b511cc48 100644
--- a/windows/security/trusted-boot.md
+++ b/windows/security/operating-system-security/system-security/trusted-boot.md
@@ -1,14 +1,11 @@
---
title: Secure Boot and Trusted Boot
description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11
-author: vinaypamnani-msft
-ms.author: vinpa
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2021
-ms.prod: windows-client
-ms.technology: itpro-security
ms.reviewer: jsuther
+appliesto:
+ - "✅ Windows 11"
---
# Secure Boot and Trusted Boot
@@ -21,7 +18,7 @@ Secure Boot and Trusted Boot help prevent malware and corrupted components from
The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.
-As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader's digital signature to ensure that it's trusted by the Secure Boot policy and hasn't been tampered with.
+As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader's digital signature to ensure that it's trusted by the Secure Boot policy and hasn't been tampered with.
## Trusted Boot
@@ -29,8 +26,8 @@ Trusted Boot picks up the process that started with Secure Boot. The Windows boo
Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally.
-[!INCLUDE [secure-boot-and-trusted-boot](../../includes/licensing/secure-boot-and-trusted-boot.md)]
+[!INCLUDE [secure-boot-and-trusted-boot](../../../../includes/licensing/secure-boot-and-trusted-boot.md)]
## See also
-[Secure the Windows boot process](information-protection/secure-the-windows-10-boot-process.md)
\ No newline at end of file
+[Secure the Windows boot process](secure-the-windows-10-boot-process.md)
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-custom-flyout.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-custom-flyout.png
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-home.png b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-home.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/security-center-home.png
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-home.png
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-start-menu.png b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-start-menu.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/security-center-start-menu.png
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-start-menu.png
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-taskbar.png b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-taskbar.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/security-center-taskbar.png
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-taskbar.png
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/settings-windows-defender-security-center-areas.PNG b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/settings-windows-defender-security-center-areas.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/settings-windows-defender-security-center-areas.PNG
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/settings-windows-defender-security-center-areas.png
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/wdsc-all-hide.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/images/wdsc-all-hide.png
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
new file mode 100644
index 0000000000..86a18cc532
--- /dev/null
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
@@ -0,0 +1,37 @@
+---
+title: Account protection in the Windows Security app
+description: Use the Account protection section to manage security for your account and sign in to Microsoft.
+ms.date: 12/31/2018
+ms.topic: article
+---
+
+
+# Account protection
+
+The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list:
+
+- [Microsoft Account](https://account.microsoft.com/account/faq)
+- [Windows Hello for Business](../../../identity-protection/hello-for-business/hello-identity-verification.md)
+- [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from)
+
+You can also choose to hide the section from users of the device. This is useful if you don't want your employees to access or view user-configured options for these features.
+
+## Hide the Account protection section
+
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
+
+You can only configure these settings by using Group Policy.
+
+> [!IMPORTANT]
+> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**.
+1. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Account protection**.
+1. Open the **Hide the Account protection area** setting and set it to **Enabled**. Select **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+>
+> 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md
index 817ff1949e..a4e6a2916e 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md
@@ -1,21 +1,12 @@
---
title: App & browser control in the Windows Security app
description: Use the App & browser control section to see and configure Windows Defender SmartScreen and Exploit protection settings.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
ms.date: 12/31/2018
-manager: aaroncz
-ms.technology: itpro-security
ms.topic: article
---
# App and browser control
-**Applies to**
-
-- Windows 10 and later
-
The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview).
In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection).
@@ -32,13 +23,9 @@ You can only prevent users from modifying Exploit protection settings by using G
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
2. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies** and then **Administrative templates**.
-
3. Expand the tree to **Windows components > Windows Security > App and browser protection**.
-
4. Open the **Prevent users from modifying settings** setting and set it to **Enabled**. Click **OK**.
-
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
## Hide the App & browser control section
@@ -51,13 +38,9 @@ This section can be hidden only by using Group Policy.
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
2. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies** and then **Administrative templates**.
-
3. Expand the tree to **Windows components > Windows Security > App and browser protection**.
-
4. Open the **Hide the App and browser protection area** setting and set it to **Enabled**. Click **OK**.
-
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
> [!NOTE]
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md
index 1aed92dc61..d792fabd4f 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md
@@ -1,20 +1,12 @@
---
title: Customize Windows Security contact information
description: Provide information to your employees on how to contact your IT department when a security issue occurs
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
ms.date: 12/31/2018
-ms.technology: itpro-security
ms.topic: article
---
# Customize the Windows Security app for your organization
-**Applies to**
-
-- Windows 10 and later
-
You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support.

@@ -36,11 +28,8 @@ You must have Windows 10, version 1709 or later. The ADMX/ADML template files fo
There are two stages to using the contact card and customized notifications. First, you have to enable the contact card or custom notifications (or both), and then you must specify at least a name for your organization and one piece of contact information.
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
3. Expand the tree to **Windows components > Windows Security > Enterprise Customization**.
-
4. Enable the contact card and the customized notifications by configuring two separate Group Policy settings. They will both use the same source of information (explained in Steps 5 and 6). You can enable both, or select one or the other:
1. To enable the contact card, open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**.
@@ -51,8 +40,8 @@ There are two stages to using the contact card and customized notifications. Fir
2. To enable the customized notifications, open the **Configure customized notifications** setting and set it to **Enabled**. Click **OK**.
5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**.
-
6. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings. Open the setting, select **Enabled**, and then add the contact information in the field under **Options**:
+
1. **Specify contact email address or Email ID**
2. **Specify contact phone number or Skype ID**
3. **Specify contact website**
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md
similarity index 58%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md
index bfc66838f7..f3c57f4410 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md
@@ -2,52 +2,34 @@
title: Device & performance health in the Windows Security app
description: Use the Device & performance health section to see the status of the machine and note any storage, update, battery, driver, or hardware configuration issues
ms.date: 12/31/2018
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.technology: itpro-security
ms.topic: article
---
# Device performance and health
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-
The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they're seeing, such as the [configure the Load and unload device drivers security policy setting](/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Configuration Manager](/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager).
The [Windows 10 IT pro troubleshooting topic](/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](/windows/windows-10/) can also be helpful for resolving issues.
-
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
-
## Hide the Device performance & health section
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
This section can be hidden only by using Group Policy.
->[!IMPORTANT]
->### Requirements
+> [!IMPORTANT]
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Device performance and health**.
+1. Open the **Hide the Device performance and health area** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
->You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Device performance and health**.
-
-6. Open the **Hide the Device performance and health area** setting and set it to **Enabled**. Click **OK**.
-
-7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-
->[!NOTE]
->If you hide all sections then the app will show a restricted interface, as in the following screenshot:
->
->
\ No newline at end of file
+> 
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md
new file mode 100644
index 0000000000..35915c9351
--- /dev/null
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md
@@ -0,0 +1,53 @@
+---
+title: Device security in the Windows Security app
+description: Use the Device security section to manage security built into your device, including virtualization-based security.
+ms.date: 12/31/2018
+ms.topic: article
+---
+
+# Device security
+
+The **Device security** section contains information and settings for built-in device security.
+
+You can choose to hide the section from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
+
+## Hide the Device security section
+
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. You can hide the device security section by using Group Policy only.
+
+> [!IMPORTANT]
+> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
+3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
+4. Open the **Hide the Device security area** setting and set it to **Enabled**. Select **OK**.
+5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+>
+> 
+
+## Disable the Clear TPM button
+
+If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it.
+
+> [!IMPORTANT]
+> You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
+3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
+4. Open the **Disable the Clear TPM button** setting and set it to **Enabled**. Select **OK**.
+5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+## Hide the TPM Firmware Update recommendation
+
+If you don't want users to see the recommendation to update TPM firmware, you can disable it.
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
+3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
+4. Open the **Hide the TPM Firmware Update recommendation** setting and set it to **Enabled**. Select **OK**.
+5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md
similarity index 50%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md
index f4a6bb11c6..df1907c2a3 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md
@@ -1,50 +1,35 @@
---
title: Family options in the Windows Security app
description: Learn how to hide the Family options section of Windows Security for enterprise environments. Family options aren't intended for business environments.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
ms.date: 12/31/2018
-ms.technology: itpro-security
ms.topic: article
---
# Family options
-**Applies to**
-
-- Windows 10 and later
-
The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It isn't intended for enterprise or business environments.
Home users can learn more at the [Help protection your family online in Windows Security topic at support.microsoft.com](https://support.microsoft.com/help/4013209/windows-10-protect-your-family-online-in-windows-defender)
In Windows 10, version 1709, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to this section.
-
## Hide the Family options section
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
This section can be hidden only by using Group Policy.
->[!IMPORTANT]
->### Requirements
+> [!IMPORTANT]
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Family options**.
+1. Open the **Hide the Family options area** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
->You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Family options**.
-
-6. Open the **Hide the Family options area** setting and set it to **Enabled**. Click **OK**.
-
-7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-
->[!NOTE]
->If you hide all sections then the app will show a restricted interface, as in the following screenshot:
->
->
\ No newline at end of file
+> 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
similarity index 50%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
index 1d0d162d10..0d538dcab3 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
@@ -1,49 +1,32 @@
---
title: Firewall and network protection in the Windows Security app
description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine.
-author: vinaypamnani-msft
-ms.author: vinpa
ms.date: 12/31/2018
-ms.technology: itpro-security
ms.topic: article
---
-
# Firewall and network protection
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../windows-firewall/windows-firewall-with-advanced-security.md).
+The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
-
## Hide the Firewall & network protection section
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
This section can be hidden only by using Group Policy.
->[!IMPORTANT]
->### Requirements
+> [!IMPORTANT]
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Firewall and network protection**.
+1. Open the **Hide the Firewall and network protection area** setting and set it to **Enabled**. Click **OK**.
+1. Deploy the updated GPO as you normally do.
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
->You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-
-1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Firewall and network protection**.
-
-6. Open the **Hide the Firewall and network protection area** setting and set it to **Enabled**. Click **OK**.
-
-7. Deploy the updated GPO as you normally do.
-
->[!NOTE]
->If you hide all sections then the app will show a restricted interface, as in the following screenshot:
->
->
-
+> 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md
similarity index 82%
rename from windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md
index 8ca7f8d1c1..d21b237aae 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md
@@ -1,20 +1,12 @@
---
title: Hide notifications from the Windows Security app
description: Prevent Windows Security app notifications from appearing on user endpoints
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
ms.date: 12/31/2018
-ms.technology: itpro-security
ms.topic: article
---
# Hide Windows Security app notifications
-**Applies to**
-
-- Windows 10 and later
-
The Windows Security app is used by many Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others.
In some cases, it may not be appropriate to show these notifications, for example, if you want to hide regular status updates, or if you want to hide all notifications to the employees in your organization.
@@ -28,30 +20,21 @@ If you set **Hide all notifications** to **Enabled**, changing the **Hide non-cr
You can only use Group Policy to change these settings.
-
-
## Use Group Policy to hide non-critical notifications
You can hide notifications that describe regular events related to the health and security of the machine. These notifications are the ones that don't require an action from the machine's user. It can be useful to hide these notifications if you find they're too numerous or you have other status reporting on a larger scale (such as Windows Update for Business reports or Microsoft Configuration Manager reporting).
These notifications can be hidden only by using Group Policy.
->[!IMPORTANT]
->
-> Requirement: You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> [!IMPORTANT]
+> You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. Download the latest [Administrative Templates (.admx) for Windows 10, v2004](https://www.microsoft.com/download/101445).
-
-2. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**
-
-6. Open the **Hide non-critical notifications** setting and set it to **Enabled**. Click **OK**.
-
-7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**
+1. Open the **Hide non-critical notifications** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
## Use Group Policy to hide all notifications
@@ -59,22 +42,18 @@ You can hide all notifications that are sourced from the Windows Security app. T
These notifications can be hidden only by using Group Policy.
->[!IMPORTANT]
->
-> Requirement: You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> [!IMPORTANT]
+> You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**.
> [!NOTE]
> For Windows 10 version 2004 and above the path would be **Windows components > Windows Security > Notifications**.
-6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.
-
-7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+1. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
> [!NOTE]
> You can use the following registry key and DWORD value to **Hide all notifications**.
@@ -95,7 +74,7 @@ These notifications can be hidden only by using Group Policy.
| HVCI, driver compat check fails (upon trying to enable) | There may be an incompatibility on your device. | HVCI_ENABLE_FAILURE | Yes |Firewall and network protection notification|
| HVCI, reboot needed to enable | The recent change to your protection settings requires a restart of your device. | HVCI_ENABLE_SUCCESS | Yes |Firewall and network protection notification|
| Item skipped in scan, due to exclusion setting, or network scanning disabled by admin | The Microsoft Defender Antivirus scan skipped an item due to exclusion or network scanning settings. | ITEM_SKIPPED | Yes |Virus & threat protection notification|
-| Remediation failure | Microsoft Defender Antivirus couldn’t completely resolve potential threats. | CLEAN_FAILED | Yes |Virus & threat protection notification|
+| Remediation failure | Microsoft Defender Antivirus couldn't completely resolve potential threats. | CLEAN_FAILED | Yes |Virus & threat protection notification|
| Follow-up action (restart & scan) | Microsoft Defender Antivirus found _threat_ in _file name_. Restart and scan your device. Restart and scan | MANUALSTEPS_REQUIRED | Yes |Virus & threat protection notification|
| Follow-up action (restart) | Microsoft Defender Antivirus found _threat_ in _file_. Restart your device. | WDAV_REBOOT | Yes |Virus & threat protection notification|
| Follow-up action (Full scan) | Microsoft Defender Antivirus found _threat_ in _file_. Run a full scan of your device. | FULLSCAN_REQUIRED | Yes |Virus & threat protection notification|
@@ -109,7 +88,7 @@ These notifications can be hidden only by using Group Policy.
| Scan finished, manual, threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_, and took action against threats. | RECENT_SCAN_FOUND_THREATS | No |Virus & threat protection notification|
| Scan finished, manual, **no** threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_. No threats were found. | RECENT_SCAN_NO_THREATS | No |Virus & threat protection notification|
| Threat found | Microsoft Defender Antivirus found threats. Get details. | CRITICAL | No |Virus & threat protection notification|
-| LPS on notification | Microsoft Defender Antivirus is periodically scanning your device. You’re also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No |Virus & threat protection notification|
+| LPS on notification | Microsoft Defender Antivirus is periodically scanning your device. You're also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No |Virus & threat protection notification|
| Long running BaFS | Your IT administrator requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS | No |Firewall and network protection notification|
| Long running BaFS customized | _Company_ requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS_DETECTED_CUSTOM (body) | No |Firewall and network protection notification|
| Sense detection | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED | No |Firewall and network protection notification|
@@ -131,4 +110,4 @@ These notifications can be hidden only by using Group Policy.
| Dynamic lock on, bluetooth on, but device unpaired | | | No |Account protection notification|
| Dynamic lock on, bluetooth on, but unable to detect device | | | No |Account protection notification|
| NoPa or federated no hello | | | No |Account protection notification|
-| NoPa or federated hello broken | | | No |Account protection notification|
\ No newline at end of file
+| NoPa or federated hello broken | | | No |Account protection notification|
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md
new file mode 100644
index 0000000000..f17c9907ba
--- /dev/null
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md
@@ -0,0 +1,58 @@
+---
+title: Virus and threat protection in the Windows Security app
+description: Use the Virus & threat protection section to see and configure Microsoft Defender Antivirus, Controlled folder access, and 3rd-party AV products.
+ms.date: 12/31/2017
+ms.topic: article
+---
+
+# Virus and threat protection
+
+The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products.
+
+In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. These settings include Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions if there's a ransomware attack.
+
+IT administrators and IT pros can get more configuration information from these articles:
+
+- [Microsoft Defender Antivirus in the Windows Security app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus)
+- [Microsoft Defender Antivirus documentation library](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10)
+- [Protect important folders with Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)
+- [Defend yourself from cybercrime with new Office 365 capabilities](https://blogs.office.com/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/)
+- [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365)
+- [Ransomware detection and recovering your files](https://support.office.com/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US)
+
+You can hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for these features.
+
+## Hide the Virus & threat protection section
+
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
+
+This section can be hidden only by using Group Policy.
+
+> [!IMPORTANT]
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Virus and threat protection**.
+1. Open the **Hide the Virus and threat protection area** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+>
+> 
+
+## Hide the Ransomware protection area
+
+You can choose to hide the **Ransomware protection** area by using Group Policy. The area won't appear on the **Virus & threat protection** section of the Windows Security app.
+
+This area can be hidden only by using Group Policy.
+
+> [!IMPORTANT]
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Virus and threat protection**.
+1. Open the **Hide the Ransomware data recovery area** setting and set it to **Enabled**. Click **OK**.
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
similarity index 91%
rename from windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
rename to windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
index 41b535c96b..039d7fc3a6 100644
--- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
@@ -1,32 +1,17 @@
---
-title: The Windows Security app
+title: Windows Security app
description: The Windows Security app brings together common Windows security features into one place.
-search.product: eADQiWindows 10XVcnh
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-security
-ms.collection:
- - highpri
- - tier2
ms.date: 12/31/2017
ms.topic: article
+ms.collection:
+ - highpri
+ - tier2
---
-# The Windows Security app
-
-**Applies to**
-
-- Windows 10
-- Windows 11
+# Windows Security app
This library describes the Windows Security app, and provides information on configuring certain features, including:
-
-
- [Showing and customizing contact information on the app and in notifications](wdsc-customize-contact-information.md)
- [Hiding notifications](wdsc-hide-notifications.md)
@@ -52,7 +37,7 @@ For more information about each section, options for configuring the sections, a
- [Firewall & network protection](wdsc-firewall-network-protection.md), which has information and access to firewall settings, including Windows Defender Firewall.
- [App & browser control](wdsc-app-browser-control.md), covering Windows Defender SmartScreen settings and Exploit protection mitigations.
- [Device security](wdsc-device-security.md), which provides access to built-in device security settings.
-- [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues.
+- [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues.
- [Family options](wdsc-family-options.md), which include access to parental controls along with tips and information for keeping kids safe online.
> [!NOTE]
@@ -65,9 +50,11 @@ For more information about each section, options for configuring the sections, a
- Select the icon in the notification area on the taskbar.

+
- Search the Start menu for **Windows Security**.

+
- Open an area from Windows **Settings**.

@@ -78,7 +65,7 @@ For more information about each section, options for configuring the sections, a
## How the Windows Security app works with Windows security features
> [!IMPORTANT]
-> Microsoft Defender Antivirus and the Windows Security app use similarly named services for specific purposes.
+> Microsoft Defender Antivirus and the Windows Security app use similarly named services for specific purposes.
>
> The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Service*), which in turn utilizes the Windows Security Center Service (*wscsvc*). This service makes sure that the app provides the most up-to-date information about the protection status on the endpoint. This information includes protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection.
>
@@ -86,7 +73,7 @@ For more information about each section, options for configuring the sections, a
>
> Microsoft Defender Antivirus will be [disabled automatically when a third-party antivirus product is installed and kept up to date](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility).
>
-> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md).
+> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).
> [!WARNING]
> If you disable the Windows Security Center Service, or configure its associated group policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
diff --git a/windows/security/operating-system-security/toc.yml b/windows/security/operating-system-security/toc.yml
index a0ee50c4bb..8df8195bdd 100644
--- a/windows/security/operating-system-security/toc.yml
+++ b/windows/security/operating-system-security/toc.yml
@@ -1,6 +1,6 @@
items:
- name: Overview
- href: ../operating-system.md
+ href: index.md
- name: System security
href: system-security/toc.yml
- name: Virus and threat protection
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md
index 18f1795945..1b896b0738 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md
@@ -1,18 +1,8 @@
---
title: Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings
description: A list of all available settings for Microsoft Defender SmartScreen using Group Policy and mobile device management (MDM) settings.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.localizationpriority: medium
ms.date: 05/31/2023
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.technology: itpro-security
ms.topic: reference
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
---
# Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
index 74a3cd15d9..f474a45688 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
@@ -1,18 +1,10 @@
---
title: Enhanced Phishing Protection in Microsoft Defender SmartScreen
description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
-ms.prod: windows-client
-ms.technology: itpro-security
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.reviewer: paoloma
-manager: aaroncz
-ms.localizationpriority: medium
ms.date: 05/31/2023
-adobe-target: true
+ms.topic: conceptual
appliesto:
- ✅ Windows 11, version 22H2
-ms.topic: conceptual
---
# Enhanced Phishing Protection in Microsoft Defender SmartScreen
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
index 8b326614fd..3940c5070c 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
@@ -1,19 +1,12 @@
---
title: Microsoft Defender SmartScreen overview
description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
+ms.date: 05/31/2023
+ms.topic: article
ms.localizationpriority: high
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-security
-adobe-target: true
ms.collection:
- tier2
- highpri
-ms.date: 05/31/2023
-ms.topic: article
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml
index 9f7c2d6f2f..8e86c254c7 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml
+++ b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml
@@ -2,7 +2,8 @@ items:
- name: Microsoft Defender Antivirus 🔗
href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows
- name: Configuring LSA Protection
- href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json
+ href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
+ preserveContext: true
- name: Attack surface reduction (ASR) 🔗
href: /microsoft-365/security/defender-endpoint/attack-surface-reduction
- name: Tamper protection for MDE 🔗
diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md
deleted file mode 100644
index d5a1753a2a..0000000000
--- a/windows/security/operating-system.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: Windows operating system security
-description: Securing the operating system includes system security, encryption, network security, and threat protection.
-ms.reviewer:
-ms.topic: article
-manager: aaroncz
-ms.author: paoloma
-author: paolomatarazzo
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.date: 09/21/2021
----
-
-# Windows operating system security
-
-Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats.
-
-Watch the latest [Microsoft Mechanics Windows 11 security](https://youtu.be/tg9QUrnVFho) video that shows off some of the latest Windows 11 security technology.
-
-Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11.
✅ User | ❌ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/Experience/AllowScreenRecorder
+```
+
+
+
+
+This policy setting allows you to control whether screen recording functionality is available in the Windows Snipping Tool app.
+
+- If you disable this policy setting, screen recording functionality won't be accessible in the Windows Snipping Tool app.
+
+- If you enable or don't configure this policy setting, users will be able to access screen recording functionality.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Disabled |
+| 1 (Default) | Enabled |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AllowScreenRecorder |
+| Path | Programs > AT > WindowsComponents > SnippingTool |
+
+
+
+
+
+
+
+
## AllowSharingOfOfficeFiles
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
index 65ea9ad54a..3e87f1d1ca 100644
--- a/windows/client-management/mdm/policy-csp-notifications.md
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -4,7 +4,7 @@ description: Learn more about the Notifications Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/11/2023
+ms.date: 06/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -16,10 +16,70 @@ ms.topic: reference
# Policy CSP - Notifications
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
+
+## DisableAccountNotifications
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/Notifications/DisableAccountNotifications
+```
+
+
+
+
+This policy allows you to prevent Windows from displaying notifications to Microsoft account (MSA) and local users in Start (user tile). Notifications include getting users to: reauthenticate; backup their device; manage cloud storage quotas as well as manage their Microsoft 365 or XBOX subscription. If you enable this policy setting, Windows won't send account related notifications for local and MSA users to the user tile in Start.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled |
+| 1 | Enabled |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DisableAccountNotifications |
+| Path | AccountNotifications > AT > WindowsComponents > AccountNotifications |
+
+
+
+
+
+
+
+
## DisallowCloudNotification
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index 8ed5d9c722..df6fe58dd7 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -4,7 +4,7 @@ description: Learn more about the Settings Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/11/2023
+ms.date: 06/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -735,15 +735,15 @@ showonly:about;bluetooth.
Example: to specify that only the Bluetooth page (which has URI ms-settings:bluetooth) should be hidden:
hide:bluetooth.
-
-The availability of per-user support is documented here:
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview |
diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md
index 7771d079d3..c7de504eb0 100644
--- a/windows/client-management/mdm/reboot-ddf-file.md
+++ b/windows/client-management/mdm/reboot-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/01/2023
+ms.date: 06/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the R
* 'TotalBytesDownloaded' is equal to the file size.
* Status is set to 'Caching' the content so future peers can use it.
* Download was happening in the foreground.
* DownloadMode is set to 'Group' and no peers were found.
* No distinct observations seen between Window 10 and Windows 11 devices. |
+| *No peers were found on the first machine downloading the content.
* 'TotalBytesDownloaded' is equal to the file size.
*Status is set to 'Caching' the content so future peers can use it.
* Download was happening in the foreground.
*DownloadMode is set to 'Group' and no peers were found.
* No distinct observations seen between Window 10 and Windows 11 devices. |
*Wait 5 minutes*.
@@ -102,7 +102,7 @@ The following set of instructions will be used for each machine:
|--------|--------------------------------|
| :::image type="content" source="images/test-scenarios/win10/m2-basic-complete.png" alt-text="Windows 10 21H2 - Machine 2 - Basic Test." lightbox="images/test-scenarios/win10/m2-basic-complete.png"::: | :::image type="content" source="images/test-scenarios/win11/m2-basic-complete.png" alt-text="Windows 11 21H2 - Machine 2 - Basic Test." lightbox="images/test-scenarios/win11/m2-basic-complete.png":::|
| **Observations** | **Observations**|
-| * A peer was found for the content and 87% of total bytes came from the peer.
* One peer was found for the piece of content, which is expected as there are only two devices in the peering group.
* Download mode was set to 'Group', but since group mode includes both LAN and Group devices, Delivery Optimization prioritizes LAN peers, if found. Therefore, 'BytesFromLanPeers' shows bytes where 'BytesFromGroupPeers' doesn't.
* 'DownloadDuration' is roughly the same between machines.|* A peer was found for the content and 90% of total bytes came from the peer.
* All other points are the same as Windows 10 results. |
+| *A peer was found for the content and 87% of total bytes came from the peer.
* One peer was found for the piece of content, which is expected as there are only two devices in the peering group.
*Download mode was set to 'Group', but since group mode includes both LAN and Group devices, Delivery Optimization prioritizes LAN peers, if found. Therefore, 'BytesFromLanPeers' shows bytes where 'BytesFromGroupPeers' doesn't.
* 'DownloadDuration' is roughly the same between machines.|*A peer was found for the content and 90% of total bytes came from the peer.
* All other points are the same as Windows 10 results. |
### Scenario 2: Advance Setup
diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml
index 4cccd98fa6..867466f2de 100644
--- a/windows/deployment/do/waas-delivery-optimization-faq.yml
+++ b/windows/deployment/do/waas-delivery-optimization-faq.yml
@@ -23,13 +23,13 @@ sections:
- name: Ignored
questions:
- question: Does Delivery Optimization work with WSUS?
- answer: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
+ answer: Yes. Devices obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
- question: Which ports does Delivery Optimization use?
answer: |
- Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data).
+ Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service registers and opens this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data).
- Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). To enable this scenario, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up.
+ Delivery Optimization uses Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). To enable this scenario, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up.
Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80.
@@ -40,12 +40,11 @@ sections:
answer: |
**For communication between clients and the Delivery Optimization cloud service**:
- - `*.do.dsp.mp.microsoft.com`
+ - `*.prod.do.dsp.mp.microsoft.com`
**For Delivery Optimization metadata**:
- `*.dl.delivery.mp.microsoft.com`
- - `*.emdl.ws.microsoft.com`
**For the payloads (optional)**:
@@ -66,11 +65,11 @@ sections:
- question: How does Delivery Optimization handle VPNs?
answer: |
- Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
+ Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection is treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
- If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
+ If the connection is identified as a VPN, Delivery Optimization suspends uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
- If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device isn't connected using a VPN, it can still use peer-to-peer with the default of LAN.
+ If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there's no peer-to-peer activity over the VPN. When the device isn't connected using a VPN, it can still use peer-to-peer with the default of LAN.
With split tunneling, make sure to allow direct access to these endpoints:
@@ -80,7 +79,6 @@ sections:
Delivery Optimization metadata:
- - `http://emdl.ws.microsoft.com`
- `http://download.windowsupdate.com`
- `http://*.dl.delivery.mp.microsoft.com`
@@ -107,4 +105,28 @@ sections:
- question: How does Delivery Optimization determine which content is available for peering?
answer: |
Delivery Optimization uses the cache content on the device to determine what's available for peering. For the upload source device, there's a limited number (4) of slots for cached content that's available for peering at a given time. Delivery Optimization contains logic that rotates the cached content in those slots.
+
+ - question: What is the recommended configuration for Delivery Optimization used with cloud proxies (for example, Zscaler)?
+ answer: |
+ The recommended configuration for Delivery Optimization Peer-to-Peer to work most efficiently along with cloud proxy solutions (for example, Zscaler) is to allow traffic to the Delivery Optimization services to go directly to the internet and not through the cloud proxy.
+ At a minimum, the following FQDN that is used for communication between clients and the Delivery Optimization service should be allowed with direct Internet access and bypass the cloud proxy service:
+
+ - *.prod.do.dsp.mp.microsoft.com
+
+ If allowing direct Internet access isn't an option, try using Group Download Mode '2' to define the peering group. [Learn more](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) about using Group Download mode.
+ - question: How do I turn off Delivery Optimization?
+ answer: |
+ Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a device is configured to use Delivery Optimization peering (on by default), it does so with the HTTP downloader capabilities to optimize bandwidth usage.
+ If you'd like to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. [Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and doesn't have internet access.
+
+ > [!NOTE]
+ > Disabling Delivery Optimization won't prevent content from downloading to your devices. If you're looking to pause updates, you need to set policies for the relevant components such as Windows Update, Windows Store or Edge browser. If you're looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization.
+
+ - question: Delivery Optimization is using device resources and I can't tell why?
+ answer: |
+ Delivery Optimization is used by most content providers from Microsoft. A complete list can be found [here](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). Oftentimes customers may not realize the vast application of Delivery Optimization and how it's used across different apps. Content providers have the option to run downloads in the foreground or background. It's good to check any apps running in the background to see what is running. Also note that depending on the app, closing the app may not necessarily stop the download.
+
+ - question: What Delivery Optimization settings are available?
+ answer: |
+ There are many different Delivery Optimization [settings](waas-delivery-optimization-reference.md) available. These settings allow you to effectively manage how Delivery Optimization is used within your environment with control s on bandwidth, time of day, etc.
\ No newline at end of file
diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md
index 04c0b9e893..550dbf7563 100644
--- a/windows/deployment/do/waas-delivery-optimization-setup.md
+++ b/windows/deployment/do/waas-delivery-optimization-setup.md
@@ -26,15 +26,15 @@ ms.collection: tier3
You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
-You'll find the Delivery Optimization settings in Group Policy under **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization**.
+You find the Delivery Optimization settings in Group Policy under **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization**.
Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](/mem/intune/configuration/delivery-optimization-windows).
-**Starting with Windows 10, version 1903**, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this set the value for [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) to its new maximum value of 5.
+**Starting with Windows 10, version 1903**, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To set the value for [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) to its new maximum value of 5.
## Allow service endpoints
-When using a firewall, it's important that the Delivery Optimization Service endpoints are allowed and associated ports are open. For more information, see [Delivery Optimization FAQ](waas-delivery-optimization-faq.yml#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization) for more information.
+When using a firewall, it's important that the Delivery Optimization Service endpoints are allowed and associated ports are open. For more information, see [Delivery Optimization FAQ](waas-delivery-optimization-faq.yml#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).
## Allow content endpoints
@@ -42,9 +42,9 @@ When using a firewall, it's important that the content endpoints are allowed and
## Recommended Delivery Optimization settings
-Delivery Optimization offers a great many settings to fine-tune its behavior (see [Delivery Optimization reference](waas-delivery-optimization-reference.md) for a comprehensive list), but for the most efficient performance, there are just a few key parameters that will have the greatest impact if particular situations exist in your deployment. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md).
+Delivery Optimization offers a great many settings to fine-tune its behavior see [Delivery Optimization reference](waas-delivery-optimization-reference.md) for a comprehensive list, but for the most efficient performance, there are just a few key parameters that have the greatest impact if particular situations exist in your deployment. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md).
-- Does your topology include multiple breakouts to the internet (i.e., a "hybrid WAN") or are there only a few connections to the internet, so that all requests appear to come from a single external IP address (a "hub and spoke" topology)?
+- Does your topology include multiple breakouts to the internet that is, a "hybrid WAN" or are there only a few connections to the internet, so that all requests appear to come from a single external IP address a "hub and spoke" topology?
- If you use boundary groups in your topology, how many devices are present in a given group?
- What percentage of your devices are mobile?
- Do your devices have a lot of free space on their drives?
@@ -69,17 +69,17 @@ Quick-reference table:
For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group, when the GroupID or GroupIDSource policies aren't set, is the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider other options for dynamically creating groups, for example by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) policy.
-To do this in Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**.
+In Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**.
-To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) to 1 or 2.
+Using with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) to 1 or 2.
### Hub and spoke topology with boundary groups
-The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across your WAN, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else since those will be used by default as the source for creation of Group IDs. If you're not using Active Directory sites, you should set a different source for Groups by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) options or the [DORestrictPeerSelectionBy](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection) policy to restrict the activity to the subnet.
+The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP is considered as a single peer group. To prevent peer-to-peer activity across your WAN, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else since the Active Directory sites are used by default as the source for creation of Group IDs. If you're not using Active Directory sites, you should set a different source for Groups by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) options or the [DORestrictPeerSelectionBy](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection) policy to restrict the activity to the subnet.
-To do this in Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**.
+With Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**.
-To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) to **2**.
+Using MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) to **2**.
> [!NOTE]
> For more information about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optimization for Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization).
@@ -88,25 +88,25 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza
If you have a mobile workforce with a great many mobile devices, set Delivery Optimization to allow uploads on battery power, while limiting the use to prevent battery drain. A setting for **DOMinBatteryPercentageAllowedToUpload** of 60% is a good starting point, though you might want to adjust it later.
-To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Allow uploads while the device is on battery while under set Battery level** to 60.
+With Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Allow uploads while the device is on battery while under set Battery level** to 60.
-To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinBatteryPercentageAllowedToUpload](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominbatterypercentageallowedtoupload) to 60.
+Using MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinBatteryPercentageAllowedToUpload](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominbatterypercentageallowedtoupload) to 60.
### Plentiful free space and large numbers of devices
-Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you've more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you've more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB.
+Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you have more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you have more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB.
-To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 10 (if you've more than 30 devices) or 1 (if you've more than 100 devices).
+With Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 10 (if you have more than 30 devices) or 1 (if you have more than 100 devices).
-To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinFileSizeToCache](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominfilesizetocache) to 100 (if you've more than 30 devices) or 1 (if you've more than 100 devices).
+Using MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinFileSizeToCache](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominfilesizetocache) to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices).
### Lab scenario
-In a lab situation, you typically have a large number of devices that are plugged in and have a lot of free disk space. By increasing the content expiration interval, you can take advantage of these devices, using them as excellent upload sources in order to upload much more content over a longer period.
+In a lab situation, you typically have a large number of devices that are plugged in and have a lot of free disk space. By increasing the content expiration interval, you can take advantage of these devices, using them as excellent upload sources in order to upload more content over a longer period.
-To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Max Cache Age** to **604800** (7 days) or more (up to 30 days).
+With Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Max Cache Age** to **604800** (7 days) or more (up to 30 days).
-To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMaxCacheAge](/windows/client-management/mdm/policy-csp-deliveryoptimization#domaxcacheage) to 7 or more (up to 30 days).
+Using MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMaxCacheAge](/windows/client-management/mdm/policy-csp-deliveryoptimization#domaxcacheage) to 7 or more (up to 30 days).
[Learn more](delivery-optimization-test.md) about Delivery Optimization testing scenarios.
@@ -140,7 +140,7 @@ Try these steps:
1. Start a download of an app that is larger than 50 MB from the Store (for example "Candy Crush Saga").
2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and observe the [DODownloadMode](waas-delivery-optimization-reference.md#download-mode) setting. For peering to work, download mode should be 1, 2, or 3.
-3. If the download mode is 99, it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization host names are allowed access: most importantly **\*.do.dsp.mp.microsoft.com**.
+3. If the download mode is 99, it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization host names are allowed access: most importantly **\*.prod.do.dsp.mp.microsoft.com**.
### The cloud service doesn't see other peers on the network
@@ -148,8 +148,8 @@ Try these steps:
1. Download the same app on two different devices on the same network, waiting 10 – 15 minutes between downloads.
2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and ensure that **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1 or 2 on both devices.
-3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated PowerShell window on the second device. The **NumberOfPeers** field should be non-zero.
-4. If the number of peers is zero and **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices aren't reporting the same public IP address, configure **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[DOGroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**, to fix this.
+3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated PowerShell window on the second device. The **NumberOfPeers** field should be nonzero.
+4. If the number of peers is zero and **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices aren't reporting the same public IP address, configure **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[DOGroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**.
> [!NOTE]
> Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of potential peers per file, including which peers are successfully connected and the total bytes sent or received from each peer.
diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md
index 94d89f77a1..ba8be8bce6 100644
--- a/windows/deployment/do/waas-delivery-optimization.md
+++ b/windows/deployment/do/waas-delivery-optimization.md
@@ -23,9 +23,9 @@ ms.date: 12/31/2017
> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678).
-Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. Delivery Optimization is a reliable HTTP downloader with a cloud-managed solution that allows Windows devices to download those packages from alternate sources if desired (such as other devices on the network and/or a dedicated cache server) in addition to the traditional internet-based servers (referred to as 'HTTP sources' throughout Delivery Optimization documents). You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment however, the use of peer-to-peer is completely optional.
+Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. Delivery Optimization is a reliable HTTP downloader with a cloud-managed solution that allows Windows devices to download those packages from alternate sources if desired (such as other devices on the network and/or a dedicated cache server) in addition to the traditional internet-based servers (referred to as 'HTTP sources' throughout Delivery Optimization documents). You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment however, the use of peer-to-peer is optional.
-To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization will seamlessly fall back to the HTTP source to get the requested content.
+To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client connects to MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization seamlessly falls back to the HTTP source to get the requested content.
You can use Delivery Optimization with Windows Update, Windows Server Update Services (WSUS), Microsoft Intune/Windows Update for Business, or Microsoft Configuration Manager (when installation of Express Updates is enabled).
@@ -50,9 +50,9 @@ The following table lists the minimum Windows 10 version that supports Delivery
| Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC)
|------------------|---------------|----------------|----------|----------------|
-| Windows Update (feature updates quality updates, language packs, drivers) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| Windows 10 Store files | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| Windows 10 Store for Business files | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Windows Update ([feature updates quality updates, language packs, drivers](../update/get-started-updates-channels-tools.md#types-of-updates)) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Windows 10 Store apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Windows 10 Store for Business apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Windows Defender definition updates | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Intune Win32 apps| Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Microsoft 365 Apps and updates | Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
diff --git a/windows/deployment/do/waas-microsoft-connected-cache.md b/windows/deployment/do/waas-microsoft-connected-cache.md
index 7b4290c2a6..4be489751a 100644
--- a/windows/deployment/do/waas-microsoft-connected-cache.md
+++ b/windows/deployment/do/waas-microsoft-connected-cache.md
@@ -23,8 +23,9 @@ ms.collection: tier3
> Microsoft Connected Cache is currently a preview feature. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. Microsoft Connected Cache has two main offerings:
-- Microsoft Connected Cache for Internet Service Providers
-- Microsoft Connected Cache for Enterprise and Education (early preview).
+
+- Microsoft Connected Cache for Internet Service Providers
+- Microsoft Connected Cache for Enterprise and Education (early preview)
Both products are created and managed in the cloud portal.
@@ -33,7 +34,7 @@ Both products are created and managed in the cloud portal.
> [!NOTE]
> Microsoft Connected Cache for Internet Service Providers is now in public preview. To onboard, follow the instructions in the [Operator sign up and service onboarding](mcc-isp-signup.md) article.
-Microsoft Connected Cache (MCC) for Internet Service Providers is currently in preview. MCC can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing. Learn more at [Microsoft Connected Cache for ISPs Overview](mcc-isp-overview.md).
+Microsoft Connected Cache (MCC) for Internet Service Providers is currently in preview. MCC can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing. Learn more at [Microsoft Connected Cache for ISPs Overview](mcc-isp-overview.md).
## Microsoft Connected Cache for Enterprise and Education (early preview)
diff --git a/windows/deployment/do/whats-new-do.md b/windows/deployment/do/whats-new-do.md
index 87d135c896..d63bb5d612 100644
--- a/windows/deployment/do/whats-new-do.md
+++ b/windows/deployment/do/whats-new-do.md
@@ -12,7 +12,7 @@ ms.date: 12/31/2017
ms.collection: tier3
---
-# What's new in Delivery Optimization
+# What's new in Delivery Optimization
**Applies to**
@@ -25,14 +25,19 @@ Microsoft Connected Cache (MCC) is a software-only caching solution that deliver
For more information about MCC, see [Microsoft Connected Cache overview](waas-microsoft-connected-cache.md).
-## New in Delivery Optimization for Windows 10, version 20H2 and Windows 11
+There are two different versions:
-- New peer selection options: Currently the available options include: 0 = None, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID)."
-- Local Peer Discovery: a new option for **[Restrict Peer Selection By](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection)** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). If Group mode is enabled, Delivery Optimization will connect to locally discovered peers that are also part of the same group, for those devices with the same Group ID).
+- [Microsoft Connected Cache for Enterprise and Education](mcc-ent-edu-overview.md)
+- [Microsoft Connected Cache for ISPs](mcc-isp-overview.md).
+
+## New in Delivery Optimization for Windows
+
+- Delivery Optimization introduced support for receiver side ledbat (rLedbat) in Windows 11 22H2.
+
+- New peer selection options: Currently the available options include: 0 = None, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization connects to locally discovered peers that are also part of the same Group (have the same Group ID)."
+- Local Peer Discovery: a new option for **[Restrict Peer Selection By](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection)** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization restricts peer selection to peers that are locally discovered (using DNS-SD). If Group mode is enabled, Delivery Optimization connects to locally discovered peers that are also part of the same group, for those devices with the same Group ID).
> [!NOTE]
> The Local Peer Discovery (DNS-SD, [RFC 6763](https://datatracker.ietf.org/doc/html/rfc6763)) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**. For more information, see [Delivery Optimization reference](waas-delivery-optimization-reference.md).
- Starting with Windows 11, the Bypass option of [Download Mode](waas-delivery-optimization-reference.md#download-mode) is no longer used.
-
-
diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md
index 29746b5180..4332f5785a 100644
--- a/windows/deployment/planning/windows-to-go-overview.md
+++ b/windows/deployment/planning/windows-to-go-overview.md
@@ -94,22 +94,6 @@ As of the date of publication, the following are the USB drives currently certif
- IronKey Workspace W500 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w500.html](https://www.kingston.com/support/technical/products?model=dtws))
- IronKey Workspace W300 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w300.html](https://www.kingston.com/support/technical/products?model=dtws))
- Kingston DataTraveler Workspace for Windows To Go ([http://www.kingston.com/wtg/](https://go.microsoft.com/fwlink/p/?LinkId=618719))
-- Spyrus Portable Workplace ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720))
-
- We recommend that you run the Spyrus Deployment Suite for Windows To Go to provision the Spyrus Portable Workplace.
-
-- Spyrus Secure Portable Workplace ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720))
-
- > [!IMPORTANT]
- > You must use the Spyrus Deployment Suite for Windows To Go to provision the Spyrus Secure Portable Workplace. For more information about the Spyrus Deployment Suite for Windows To Go, see [http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720).
-
-
-- Spyrus Worksafe ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720))
-
- > [!TIP]
- > This device contains an embedded smart card.
-
-
- Super Talent Express RC4 for Windows To Go
@@ -168,4 +152,4 @@ In addition to the USB boot support in the BIOS, the Windows 10 image on your Wi
[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-[Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md)
\ No newline at end of file
+[Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md)
diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md
index 5504be6122..c77bd7cf97 100644
--- a/windows/deployment/update/check-release-health.md
+++ b/windows/deployment/update/check-release-health.md
@@ -1,7 +1,7 @@
---
title: How to check Windows release health
description: Check the release health status of Microsoft 365 services before you call support to see if there's an active service interruption.
-ms.date: 05/03/2023
+ms.date: 06/07/2023
ms.author: mstewart
author: mestew
manager: aaroncz
@@ -19,28 +19,39 @@ If you're unable to sign in to the Microsoft 365 admin portal, check the [Micros
To be informed about the latest updates and releases, follow [@WindowsUpdate](https://twitter.com/windowsupdate) on Twitter.
+## Prerequisites
+
+Ensure the following prerequisites are met to display the Windows release health page in the Microsoft 365 admin center:
+
+- One of the following licenses:
+ - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
+ - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
+
+- Sign into the Microsoft 365 admin center using an [admin role](/microsoft-365/admin/add-users/about-admin-roles).
+ - Most roles containing the word `administrator` give you access to the Windows release health page such as [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator), [Helpdesk Administrator](/azure/active-directory/roles/permissions-reference#helpdesk-administrator), and [Service Support Administrator](/azure/active-directory/roles/permissions-reference#service-support-administrator). For more information, see [Assign admin roles in the Microsoft 365 admin center](/microsoft-365/admin/add-users/assign-admin-roles).
+
+> [!NOTE]
+> Currently, Windows release health isn't available for Government Community Cloud (GCC) tenants.
+
## How to review Windows release health information
-1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com) and sign in with an administrator account.
-
- > [!NOTE]
- > By default, the Windows release health page is available to individuals who have been assigned the global admin or service administrator role for their tenant. To allow Exchange, SharePoint, and Skype for Business admins to view the Windows release health page, you must first assign them to a Service admin role. For more information about roles that can view service health, see [About admin roles](/microsoft-365/admin/add-users/about-admin-roles#commonly-used-microsoft-365-admin-center-roles).
+1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com) and sign in with an admin account.
-2. To view Windows release health in the Microsoft 365 Admin Center, go to **Health > Windows release health**.
+1. To view Windows release health in the Microsoft 365 Admin Center, go to **Health > Windows release health**.
-3. On the **Windows release health** page, you'll have access to known issue information for all supported versions of the Windows operating system.
+1. On the **Windows release health** page, you have access to known issue information for all supported versions of the Windows operating system.
The **All versions** tab (the default view) shows all Windows products with access to their posted known issues.
- 
+ 
- A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The **Active and recently resolved** column provides a link to the **Known issues** tab filtered to the version selected. Selecting the **Known issues** tab will show known issues that are active or resolved within the last 30 days.
+ A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The **Active and recently resolved** column provides a link to the **Known issues** tab filtered to the version selected. Selecting the **Known issues** tab shows known issues that are active or resolved within the last 30 days.
- 
+ 
The **History** tab shows the history of known issues that have been resolved for up to 6 months.
- 
+ 
The known issue summary provides the following information:
@@ -56,7 +67,7 @@ To be informed about the latest updates and releases, follow [@WindowsUpdate](ht
## Sign up for email notifications
-You have the option to sign up for email notifications about Windows known issues and informational updates. Notifications include changes in issue status, new workarounds, and issue resolutions. To subscribe to notifications:
+You can sign up for email notifications about Windows known issues and informational updates. Notifications include changes in issue status, new workarounds, and issue resolutions. To subscribe to notifications:
1. Go to the [Windows release health page](https://admin.microsoft.com/Adminportal/Home?#/windowsreleasehealth).
1. Select **Preferences** > **Email**, then select **Send me email notifications about Windows release health**.
@@ -78,20 +89,20 @@ In the **Windows release health** experience, every known issue is assigned as s
|**Reported** | An issue has been brought to the attention of the Windows teams. At this stage, there's no confirmation that users are affected. |
|**Investigating** | The issue is believed to affect users and efforts are underway to gather more information about the issue's scope, mitigation steps, and root cause. |
|**Confirmed** | After close review, Microsoft has determined the issue is affecting Windows users, and progress is being made on mitigation steps and root cause. |
-|**Mitigated** | A workaround is available and communicated to Windows customers for a known issue. A known issue will stay in this state until a KB article is released by Microsoft to resolve the known issue. |
-|**Mitigated: External** | A workaround is available and communicated to Windows customers for a known issue that was caused by a software or driver from a third-party software or device manufacturer. A known issue will stay in this state until the issue is resolved by Microsoft or the third-party. |
-|**Resolved** | A solution has been released by Microsoft and has been documented in a KB article that will resolve the known issue once it's deployed in the customer's environment. |
-|**Resolved: External** | A solution has been released by a Microsoft or a third-party that will resolve the known issue once it's deployed in the customer's environment. |
+|**Mitigated** | A workaround is available and communicated to Windows customers for a known issue. A known issue stays in this state until a KB article is released by Microsoft to resolve the known issue. |
+|**Mitigated: External** | A workaround is available and communicated to Windows customers for a known issue caused by a software or driver from a third-party software or device manufacturer. A known issue stays in this state until the issue is resolved by Microsoft or the third-party. |
+|**Resolved** | A solution was released by Microsoft and was documented in a KB article that resolves the known issue once it's deployed in the customer's environment. |
+|**Resolved: External** | A solution was released by Microsoft or a third-party that resolves the known issue once it's deployed in the customer's environment. |
## Known issue history
The Windows release health page lets you view the history of all status updates posted for a specific known issue. To view all past updates posted for a given issue, select **View history** on the issue detail page.
-
+
-A list of all status updates posted in the selected timeframe will be displayed, as shown below. You can expand any row to view the specific information provided in that status update.
+A list of all status updates posted in the selected time frame is displayed. You can expand any row to view the specific information provided in that status update.
-
+
## Frequently asked questions
@@ -104,14 +115,14 @@ A list of all status updates posted in the selected timeframe will be displayed,
Windows release health doesn't monitor user environments or collect customer environment information. In Windows release health, all known issue content across all supported Windows versions is published to all subscribed customers. Future iterations of the solution may target content based on customer location, industry, or Windows version.
- **Where do I find Windows release health?**
- After logging into Microsoft 365 admin center, expand the left-hand menu using **…Show All**, select **Health** and you'll see **Windows release health**.
+ After logging into Microsoft 365 admin center, expand the left-hand menu using **…Show All**, select **Health** to display the **Windows release health** menu option.
- **Is the Windows release health content published to Microsoft 365 admin center the same as the content on Windows release health on Microsoft Learn?**
- No. While the content is similar, you may see more issues and more technical details published to Windows release health on Microsoft 365 admin center to better support the IT admin. For example, you’ll find details to help you diagnose issues in your environment, steps to mitigate issues, and root cause analysis.
+ No. While the content is similar, you may see more issues and more technical details published to Windows release health on Microsoft 365 admin center to better support the IT admin. For example, you'll find details to help you diagnose issues in your environment, steps to mitigate issues, and root cause analysis.
- **How often will content be updated?**
- In an effort to ensure Windows customers have important information as soon as possible, all major known issues will be shared with Windows customers on both Microsoft Learn and the Microsoft 365 admin center. We may also update the details available for Windows release health in the Microsoft 365 admin center when we have additional details on workarounds, root cause, or other information to help you plan for updates and handle issues in your environment.
+ To ensure Windows customers have important information as soon as possible, all major known issues are shared with Windows customers on both Microsoft Learn and the Microsoft 365 admin center. We may also update the details available for Windows release health in the Microsoft 365 admin center when we have additional details on workarounds, root cause, or other information to help you plan for updates and handle issues in your environment.
- **Can I share this content publicly or with other Windows customers?**
Windows release health is provided to you as a licensed Windows customer and isn't to be shared publicly.
@@ -131,7 +142,7 @@ A list of all status updates posted in the selected timeframe will be displayed,
Using the left-hand menu, go to Users, then select the Active Users tab and follow the prompts to add a new user, or assign an existing user, to the role of **Service Support admin**.
- **Why can't I click to the KB article from the Known issues or History tabs?**
- Within the issue description, you'll find links to the KB articles. In the Known issue and History tabs, the entire row is a clickable entry to the issue's Details pane.
+ Within the issue description, you'll find links to the KB articles. In the known issue and history tabs, the entire row is a clickable entry to the issue's Details pane.
- **Microsoft 365 admin center has a mobile app but I don't see Windows release health under the Health menu. Is this an open issue?**
We're working to build the Windows release health experience on mobile devices in a future release.
@@ -142,7 +153,7 @@ A list of all status updates posted in the selected timeframe will be displayed,
Seek assistance through Premier support, the [Microsoft Support website](https://support.microsoft.com), or connect with your normal channels for Windows support.
- **When reaching out to Support, they asked me for an advisory ID. What is this and where can it?**
- The advisory ID can be found in the upper left-hand corner of the known issue Details pane. To find it, select the known issue you're seeking help on, select the **Details** pane, and you'll find the ID under the issue title. It will be the letters `WI` followed by a number, similar to `WI123456`.
+ The advisory ID can be found in the upper left-hand corner of the known issue Details pane. To find it, select the known issue you're seeking help on, select the **Details** pane, and you'll find the ID under the issue title. The ID is the letters `WI` followed by a number, similar to `WI123456`.
- **How can I learn more about expanding my use of Microsoft 365 admin center?**
For more information, see the [Microsoft 365 admin center documentation](/microsoft-365/admin/admin-overview/about-the-admin-center).
diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md
index 1eb791b4fd..d4302cecac 100644
--- a/windows/deployment/update/update-policies.md
+++ b/windows/deployment/update/update-policies.md
@@ -37,8 +37,8 @@ to opt out of automatic restarts until the deadline is reached (although we reco
restarts for maximum update velocity).
We recommend you set deadlines as follows:
-- Quality update deadline, in days: 3
-- Feature update deadline, in days: 7
+- Quality update deadline, in days: 2
+- Feature update deadline, in days: 2
Notifications are automatically presented to the user at appropriate times, and users can choose to be reminded
later, to reschedule, or to restart immediately, depending on how close the deadline is. We recommend that you
@@ -62,7 +62,7 @@ be forced to update immediately when the user returns.
We recommend you set the following:
-- Grace period, in days: 2
+- Grace period, in days: 5
Once the deadline and grace period have passed, updates are applied automatically, and a restart occurs
regardless of [active hours](#active-hours).
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index 54da439aad..0b7e01ecae 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -22,11 +22,12 @@ ms.date: 12/31/2017
- Windows 10
- Windows 11
-
-Windows Update for Business is a free service that is available for all premium editions including Windows 10 and Windows 11 Pro, Enterprise, Pro for Workstation, and Education editions.
-
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+Windows Update for Business is a free service that is available for the following editions of Windows 10 and Windows 11:
+- Pro, including Pro for Workstations
+- Education
+- Enterprise, including Enterprise LTSC, IoT Enterprise, and IoT Enterprise LTSC
Windows Update for Business enables IT administrators to keep the Windows client devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when devices are updated.
@@ -49,7 +50,7 @@ Windows Update for Business enables an IT administrator to receive and manage a
Windows Update for Business provides management policies for several types of updates to Windows 10 devices:
-- **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released as soon as they become available.
+- **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released as soon as they become available. Feature updates aren't available for LTSC devices.
- **Quality updates:** Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates.
- **Driver updates:** Updates for non-Microsoft drivers that are relevant to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer.
- **Microsoft product updates**: Updates for other Microsoft products, such as versions of Office that are installed by using Windows Installer (MSI). Versions of Office that are installed by using Click-to-Run can't be updated by using Windows Update for Business. Product updates are off by default. You can turn them on by using Windows Update for Business policies.
@@ -73,7 +74,7 @@ The branch readiness level enables administrators to specify which channel of fe
#### Defer an update
-A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device. That is, if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days. To defer feature updates, use the **Select when Preview Builds and feature updates are Received** policy.
+A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they're pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it's offered to a device. That is, if you set a feature update deferral period of 365 days, the device won't install a feature update that has been released for less than 365 days. To defer feature updates, use the **Select when Preview Builds and feature updates are Received** policy.
|Category |Maximum deferral period |
diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md
index 3549b7bdb6..96a06feeab 100644
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@@ -36,7 +36,7 @@ With a current version, it's best to use the new policy introduced in June 2019
|Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days|
|-|-|-|-|-|
-|(Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 3 | 7 | 2 |
+|(Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 2 | 2 | 5 |
When **Specify deadlines for automatic updates and restarts** is set (Windows 10, version 1709 and later):
diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md
index 9c2455ffd2..da09d3e2d2 100644
--- a/windows/deployment/update/wufb-reports-do.md
+++ b/windows/deployment/update/wufb-reports-do.md
@@ -11,17 +11,19 @@ ms.technology: itpro-updates
---
# Delivery Optimization data in Windows Update for Business reports
+
***(Applies to: Windows 11 & Windows 10)***
-[Delivery Optimization](../do/waas-delivery-optimization.md) (DO) is a Windows feature that can be used to reduce bandwidth consumption by sharing the work of downloading updates among multiple devices in your environment. You can use DO with many other deployment methods, but it's a cloud-managed solution, and access to the DO cloud services is a requirement.
+[Delivery Optimization](../do/waas-delivery-optimization.md) (DO) is a Windows feature that can be used to reduce bandwidth consumption by sharing the work of downloading updates among multiple devices in your environment. You can use DO with many other deployment methods, but it's a cloud-managed solution, and access to the DO cloud services is a requirement.
Windows Update for Business reports provides Delivery Optimization information in the following places:
+
- The Windows Update for Business reports [workbook](wufb-reports-workbook.md)
- [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md)
- [UCDOStatus](wufb-reports-schema-ucdostatus.md)
-Windows Update for Business reports doesn't include Delivery Optimization data for Windows Insider devices.
+Windows Update for Business reports doesn't include Delivery Optimization data for Windows Insider devices.
## Delivery Optimization terms
@@ -29,23 +31,24 @@ Windows Update for Business reports uses the following Delivery Optimization ter
- **Peer**: A device in the solution
- **Peering 'ON'** - Devices where DO peer-to-peer is enabled in one of the following modes:
- - LAN (1)
- - Group (2)
- - Internet (3)
+ - LAN (1)
+ - Group (2)
+ - Internet (3)
+
- **Peering 'OFF'**: Devices where DO peer-to-peer is disabled, set to one of the following modes:
- - HTTP Only (0)
- - Simple Mode (99)
- - Bypass (100), deprecated in Windows 11
+ - HTTP Only (0)
+ - Simple Mode (99)
+ - Bypass (100), deprecated in Windows 11
- **Bandwidth savings**: The percentage of bandwidth that was downloaded from alternate sources (Peers or Microsoft Connected Cache (MCC) out of the total amount of data downloaded.
- - If bandwidth savings are <= 60%, a *Warning* icon is displayed
- - When bandwidth savings are <10%, an *Error* icon is displayed.
+- If bandwidth savings are <= 60%, a *Warning* icon is displayed
+- When bandwidth savings are <10%, an *Error* icon is displayed.
- **Configurations**: Based on the DownloadMode configuration set via MDM, Group Policy, or end-user via the user interface.
- **P2P Device Count**: The device count is the number of devices configured to use peering.
- **Microsoft Connected Cache (MCC)**: Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. For more information, see [Microsoft Connected Cache overview](../do/waas-microsoft-connected-cache.md).
- **MCC Device Count**: The device count is the number of devices that have received bytes from the cache server, for supported content types.
- **Total # of Devices**: The total number of devices with activity in last 28 days.
- **LAN Bytes**: Bytes delivered from LAN peers.
-- **Group Bytes**: Bytes from Group peers. If a device is using Group DownloadMode, Delivery Optimization will first look for peers on the LAN and then in the Group. Therefore, if bytes are delivered from LAN peers, they'll be calculated in 'LAN Bytes'.
+- **Group Bytes**: Bytes from Group peers. If a device is using Group DownloadMode, Delivery Optimization first looks for peers on the LAN and then in the Group. Therefore, if bytes are delivered from LAN peers, they are calculated in 'LAN Bytes'.
- **CDN Bytes**: Bytes delivered from Content Delivery Network (CDN).
- **City**: City is determined based on the location of the device where the maximum amount of data is downloaded.
- **Country**: Country is determined based on the location of the device where the maximum amount of data is downloaded.
@@ -53,16 +56,16 @@ Windows Update for Business reports uses the following Delivery Optimization ter
## Calculations for Delivery Optimization
-There are several calculated values that appear on the Delivery Optimization report. Listed below each calculation is the table that's used for it:
+Each calculated values used in the Delivery Optimization report are listed below.
**Efficiency (%) Calculations**:
-
+
- Bandwidth Savings (BW SAV%) = 100 * (BytesFromPeers + BytesFromGroupPeers + BytesFromCache) /
(BytesFromPeers + BytesFromGroupPeers+BytesFromCDN + BytesFromCache)
- [UCDOAggregatedStatus](wufb-reports-schema-ucdostatus.md) table
- % P2P Efficiency = 100 * (BytesFromPeers + BytesFromGroupPeers) / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache)
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
-- % MCC Efficiency = 100 * BytesFromCache / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache)
+- % MCC Efficiency = 100 * BytesFromCache / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache)
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
**Bytes Calculations**:
@@ -92,7 +95,7 @@ There are several calculated values that appear on the Delivery Optimization rep
In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash. You can create a mapping of original to encoded GroupIDs using the following PowerShell example:
```powershell
-$text = "
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. |
-| First | **1%** | The First ring is the first group of production users to receive a change.
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. |
+| First | Ring 1 | **1%** | The First ring is the first group of production users to receive a change.
|
| Inactive | All the Autopatch groups within the release have been assigned to a new release. As a result, the Windows feature update policies were unassigned from all phases from within the release. |
|
| Paused | All phases in the release are paused. The release will remain paused until you resume it. |
|
+| Canceled | All phases in the release are canceled. |
|
##### Phase statuses
@@ -105,6 +106,7 @@ A phase is made of one or more Autopatch group deployment rings. Each phase repo
| Active | The first deployment date has been reached. The Windows feature update policy has been created for the respective phase. |
| Inactive | All Autopatch groups within the phase were re-assigned to a new release. All Windows feature update policies were unassigned from the Autopatch groups. |
| Paused | Phase is paused. You must resume the phase. |
+| Canceled | Phase is canceled. All Autopatch groups within the phase can be used with a new release. A phase that's canceled can't be deleted. |
#### Details about Windows feature update policies
@@ -146,6 +148,9 @@ The following table is an example of the Windows feature update policies that we
2. Additionally, the formula for the goal completion date is `
Windows Defender System Guard helps protect and maintain the integrity of the system as it starts up and validate that system integrity has truly been maintained through local and remote attestation.
Learn more about [How a hardware-based root of trust helps protect Windows](threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) and [System Guard Secure Launch and SMM protection](threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md). |
| Enable virtualization-based protection of code integrity | Hypervisor-protected Code Integrity (HVCI) is a virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity.
HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS uses the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system.
Learn more: [Enable virtualization-based protection of code integrity](threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md).
| Kernel Direct Memory Access (DMA) Protection | PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks. Memory access protection (also known as Kernel DMA Protection) protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC.
Learn more about [Kernel DMA Protection](information-protection/kernel-dma-protection-for-thunderbolt.md). |
-| Secured-core PCs | Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that feature deeply integrated hardware, firmware, and software to ensure enhanced security for devices, identities, and data.
Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data.
Learn more about [Secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).|
+| Secured-core PCs | Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that feature deeply integrated hardware, firmware, and software to ensure enhanced security for devices, identities, and data.
Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data.
Learn more about [Secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).|
+
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
index 655c8961da..b7b8a64228 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@@ -1,30 +1,30 @@
---
-title: Windows Hello for Business Deployment Known Issues
-description: A Troubleshooting Guide for Known Windows Hello for Business Deployment Issues
-ms.date: 05/03/2021
-ms.topic: article
+title: Windows Hello for Business known deployment issues
+description: This article is a troubleshooting guide for known Windows Hello for Business deployment issues.
+ms.date: 06/02/2023
+ms.topic: troubleshooting
---
-# Windows Hello for Business Known Deployment Issues
+# Windows Hello for Business known deployment issues
-The content of this article is to help troubleshoot and workaround known deployment issues for Windows Hello for Business. Each issue below will describe the applicable deployment type Windows versions.
+The content of this article is to help troubleshoot known deployment issues for Windows Hello for Business.
-## PIN Reset on Azure AD Join Devices Fails with "We can't open that page right now" error
+## PIN reset on Azure AD join devices fails with *We can't open that page right now* error
-PIN reset on Azure AD-joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will show a page with the error message "We can't open that page right now".
+PIN reset on Azure AD-joined devices uses a flow called *web sign-in* to authenticate the user above lock. Web sign in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message *We can't open that page right now*.
-### Identifying Azure AD joined PIN Reset Allowed Domains Issue
+### Identify PIN Reset allowed domains issue
-The user can launch the PIN reset flow from above lock using the "I forgot my PIN" link in the PIN credential provider. Selecting this link will launch a full screen UI for the PIN experience on Azure AD Join devices. Typically, this UI will display an Azure authentication server page where the user will authenticate using Azure AD credentials and complete multifactor authentication.
+The user can launch the PIN reset flow from the lock screen using the *I forgot my PIN* link in the PIN credential provider. Selecting the link launches a full screen UI for the PIN experience on Azure AD Join devices. Typically, the UI displays an Azure authentication page, where the user authenticates using Azure AD credentials and completes MFA.
-In federated environments authentication may be configured to route to AD FS or a third-party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it will fail and display the "We can't open that page right now" error if the domain for the server page is not included in an allow list.
+In federated environments, authentication may be configured to route to AD FS or a third-party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it fails and displays the *We can't open that page right now* error, if the domain for the server page isn't included in an allowlist.
-If you are a customer of Azure US Government cloud, PIN reset will also attempt to navigate to a domain that is not included in the default allowlist. This results in "We can't open that page right now".
+If you're a customer of *Azure US Government* cloud, PIN reset also attempts to navigate to a domain that isn't included in the default allowlist. The result is the message *We can't open that page right now*.
-### Resolving Azure AD joined PIN Reset Allowed Domains Issue
+### Resolve PIN Reset allowed domains issue
-To resolve this error, a list of allowed domains for PIN reset can be configured using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. For information on how to configure this policy, see [PIN Reset - Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices](hello-feature-pin-reset.md#configure-web-sign-in-allowed-urls-for-third-party-identity-providers-on-azure-ad-joined-devices).
+To resolve the error, you can configure a list of allowed domains for PIN reset using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. For information on how to configure the policy, see [PIN Reset - Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices](hello-feature-pin-reset.md#configure-web-sign-in-allowed-urls-for-third-party-identity-providers-on-azure-ad-joined-devices).
-## Hybrid Key Trust Logon Broken Due to User Public Key Deletion
+## Hybrid key trust sign in broken due to user public key deletion
Applies to:
@@ -34,37 +34,36 @@ Applies to:
In Hybrid key trust deployments with domain controllers running certain builds of Windows Server 2016 and Windows Server 2019, the user's Windows Hello for Business key is deleted after they sign-in. Subsequent sign-ins will fail until the user's key is synced during the next Azure AD Connect delta sync cycle.
-### Identifying User Public Key Deletion Issue
+### Identify user public key deletion issue
-After the user provisions a Windows Hello for Business credential in a hybrid key trust environment, the key must sync from Azure AD to AD during an Azure AD Connect sync cycle. The user's public key will be written to the msDS-KeyCredentialLink attribute of the user object.
+After the user provisions a Windows Hello for Business credential in a hybrid key trust environment, the key must sync from Azure AD to AD during an Azure AD Connect sync cycle. The user's public key is written to the `msDS-KeyCredentialLink` attribute of the user object.
-Before the user's Windows Hello for Business key is synced, sign-in's with Windows Hello for Business will fail with the error message, *"That option is temporarily unavailable. For now, please use a different method to sign in."* After the sync is successful, the user should be able to log in and unlock with their PIN or enrolled biometrics.
+Before the user's Windows Hello for Business key syncs, sign-ins with Windows Hello for Business fail with the error message *That option is temporarily unavailable. For now, please use a different method to sign in.* After the key syncs successfully, the user can sign in and unlock with their PIN or enrolled biometrics.
-In environments impacted with this issue, after the first sign-in with Windows Hello for Business after provisioning is completed, the next sign-in attempt will fail. In environments where domain controllers are running a mix of builds, only some may be impacted by this issue and subsequent logon attempts may be sent different domain controllers. This may result in the sign-in failures appearing to be intermittent.
+In environments with the issue, after the first sign-in with Windows Hello for Business and provisioning is complete, the next sign-in attempt fails. In environments where domain controllers are running a mix of builds, some users may be impacted by the issue, and subsequent sign in attempts may be sent to different domain controllers. The result is intermittent sign-in failures.
-After the initial logon attempt, the user's Windows Hello for Business public key is being deleted from the msDS-KeyCredentialLink attribute. This can be verified by querying a user's msDS-KeyCredentialLink attribute before and after sign-in. The msDS-KeyCredentialLink can be queried in AD using [Get-ADUser](/powershell/module/activedirectory/get-aduser) and specifying *msds-keycredentiallink* for the *-Properties* parameter.
+After the initial sign-in attempt, the user's Windows Hello for Business public key is deleted from the `msDS-KeyCredentialLink attribute`. You can verify the deletion by querying a user's `msDS-KeyCredentialLink` attribute before and after sign-in. You can query the `msDS-KeyCredentialLink` in AD using [Get-ADUser](/powershell/module/activedirectory/get-aduser) and specifying `msds-keycredentiallink` for the `-Properties` parameter.
-### Resolving User Public Key Deletion Issue
+### Resolve user public key deletion issue
-To resolve this behavior, upgrade Windows Server 2016 and 2019 domain controllers to with the latest patches. For Windows Server 2016, this behavior is fixed in build 14393.4104 ([KB4593226](https://support.microsoft.com/help/4593226)) and later. For Windows Server 2019, this behavior is fixed in build 17763.1637 ([KB4592440](https://support.microsoft.com/help/4592440)).
+To resolve the issue, update Windows Server 2016 and 2019 domain controllers with the latest patches. For Windows Server 2016, the behavior is fixed in build *14393.4104* ([KB4593226](https://support.microsoft.com/help/4593226)) and later. For Windows Server 2019, the behavior is fixed in build *17763.1637* ([KB4592440](https://support.microsoft.com/help/4592440)).
-## Azure AD Joined Device Access to On-Premises Resources Using Key Trust and Third-Party Certificate Authority (CA)
+## Azure AD joined device access to on-premises resources using key trust and third-party Certificate Authority (CA)
Applies to:
- Azure AD joined key trust deployments
- Third-party certificate authority (CA) issuing domain controller certificates
-Windows Hello for Business uses smart card based authentication for many operations. Smart card has special guidelines when using a third-party CA for certificate issuance, some of which apply to the domain controllers. Not all Windows Hello for Business deployment types require these configurations. Accessing on-premises resources from an Azure AD Joined device does require special configuration when using a third-party CA to issue domain controller certificates.
+Windows Hello for Business uses smart-card based authentication for many operations. This type of authentication has special guidelines when using a third-party CA for certificate issuance, some of which apply to the domain controllers. Not all Windows Hello for Business deployment types require these configurations. Accessing on-premises resources from an Azure AD Joined device does require special configuration when using a third-party CA to issue domain controller certificates.
-For more information, read [Guidelines for enabling smart card logon with third-party certification authorities](
-/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities).
+For more information, read [Guidelines for enabling smart card sign in with third-party certification authorities](/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities).
-### Identifying On-premises Resource Access Issues with Third-Party CAs
+### Identify on-premises resource access issues with third party CAs
-This issue can be identified using network traces or Kerberos logging from the client. In the network trace, the client will fail to place a TGS_REQ request when a user attempts to access a resource. On the client, this can be observed in the Kerberos operation event log under **Application and Services/Microsoft/Windows/Security-Kerberos/Operational**. These logs are default disabled. The failure event for this case will include the following information:
+The issue can be identified using network traces or Kerberos logging from the client. In the network trace, the client fails to place a `TGS_REQ` request when a user attempts to access a resource. On the client, it can be observed in the Kerberos operation event log under `Application and Services/Microsoft/Windows/Security-Kerberos/Operational`. The logs are disabled by default. The failure event for this case includes the following information:
-```console
+```Console
Log Name: Microsoft-Windows-Kerberos/Operational
Source: Microsoft-Windows-Security-Kerberos
Event ID: 107
@@ -80,18 +79,18 @@ Expected Domain Name: ad.contoso.com
Error Code: 0xC000006D
```
-### Resolving On-premises Resource Access Issue with Third-Party CAs
+### Resolve on-premises resource access issue with third party CAs
-To resolve this issue, domain controller certificates need to be updated so the certificate subject contains directory path of the server object (distinguished name).
-Example Subject: CN=DC1 OU=Domain Controller, DC=ad, DC=contoso, DC=com
+To resolve the issue, domain controller certificates must be updated so that the certificate subject contains the directory path of the server object (distinguished name).
+Example Subject: `CN=DC1,OU=Domain Controllers,DC=ad,DC=contoso,DC=com`
Alternatively, you can set the subject alternative name (SAN) of the domain controller certificate to contain the server object's fully qualified domain name and the NETBIOS name of the domain.
Example Subject Alternative Name:
-dns=dc1.ad.contoso.com
-dns=ad.contoso.com
-dns=ad
+ > `dns=dc1.ad.contoso.com`\
+ > `dns=ad.contoso.com`\
+ > `dns=ad`
-## Key Trust Authentication Broken for Windows Server 2019
+## Key trust authentication broken for Windows Server 2019
Applies to:
@@ -99,21 +98,21 @@ Applies to:
- Hybrid key trust deployments
- On-premises key trust deployments
-Domain controllers running early versions of Windows Server 2019 have an issue that prevents key trust authentication from working properly. Networks traces report KDC_ERR_CLIENT_NAME_MISMATCH.
+Domain controllers running early versions of Windows Server 2019 have an issue that prevents key trust authentication from working properly. Networks traces report *KDC_ERR_CLIENT_NAME_MISMATCH*.
-### Identifying Server 2019 Key Trust Authentication Issue
+### Identify Windows Server 2019 key trust authentication issue
-On the client, authentication with Windows Hello for Business will fail with the error message, *"That option is temporarily unavailable. For now, please use a different method to sign in."*
+On the client, authentication with Windows Hello for Business fails with the error message, *That option is temporarily unavailable. For now, please use a different method to sign in.*
-This error is usually presented on hybrid Azure AD-joined devices in key trust deployments after Windows Hello for Business has been provisioned but before a user's key has synced from Azure AD to AD. If a user's key has been synced from Azure AD and the msDS-keycredentiallink attribute on the user object in AD has been populated for NGC, then it is possible that this error case is occurring.
+The error is presented on hybrid Azure AD-joined devices in key trust deployments after Windows Hello for Business is provisioned, but before a user's key is synced from Azure AD to AD. If a user's key isn't synced from Azure AD and the `msDS-keycredentiallink` attribute on the user object in AD is populated for NGC, then it's possible that the error occurs.
-The other indicator of this failure case can be identified using network traces. If network traces are captured for a key trust sign-in event, the traces will show kerberos failing with the error KDC_ERR_CLIENT_NAME_MISMATCH.
+Another indicator of the failure can be identified using network traces. If you capture network traces for a key trust sign-in event, the traces show Kerberos failing with the error *KDC_ERR_CLIENT_NAME_MISMATCH*.
-### Resolving Server 2019 Key Trust Authentication Issue
+### Resolve Server 2019 key trust authentication issue
-This issue was fixed in Windows Server 2019, build 17763.316 ([KB4487044](https://support.microsoft.com/help/4487044/windows-10-update-kb4487044)). Upgrade all Windows Server 2019 domain controllers to Windows Server 2019, build 17763.316 or newer to resolve this behavior.
+The issue is resolved in Windows Server 2019, build *17763.316* ([KB4487044](https://support.microsoft.com/help/4487044/windows-10-update-kb4487044)). Upgrade all Windows Server 2019 domain controllers to the build *17763.316* or newer to resolve the issue.
-## Certificate Trust Provisioning with AD FS Broken on Windows Server 2019
+## Certificate trust provisioning with AD FS broken on windows server 2019
Applies to:
@@ -121,13 +120,13 @@ Applies to:
- Hybrid certificate trust deployments
- On-premises certificate trust deployments
-AD FS running on Windows Server 2019 fails to complete device authentication properly due to an invalid check of incoming scopes in the request. Device authentication to AD FS is a requirement for Windows Hello for Business to enroll a certificate using AD FS. The client will block Windows Hello for Business provisioning until this authentication is successful.
+AD FS running on Windows Server 2019 fails to complete device authentication due to an invalid check of incoming scopes in the request. Device authentication to AD FS is a requirement for Windows Hello for Business to enroll a certificate using AD FS. The client blocks Windows Hello for Business provisioning until the authentication is successful.
-### Identifying Certificate Trust with AD FS 2019 Enrollment Issue
+### Identify certificate trust with AD FS 2019 enrollment issue
-The provisioning experience for Windows Hello for Business will launch if a set of prerequisite checks done by the client are successful. The result of the provisioningAdmin checks is available in event logs under Microsoft-Windows-User Device Registration. If provisioning is blocked because device authentication has not successfully occurred, there will be an event ID 362 in the logs that states that *User has successfully authenticated to the enterprise STS: No*.
+The provisioning experience for Windows Hello for Business launches if the prerequisite checks are successful. The result of the provisioningAdmin checks is available in event logs under **Microsoft-Windows-User Device Registration**. If provisioning is blocked because device authentication doesn't succeed, event ID *362* is logged stating *User has successfully authenticated to the enterprise STS: No*.
-```console
+```Console
Log Name: Microsoft-Windows-User Device Registration/Admin
Source: Microsoft-Windows-User Device Registration
Date:
%1 = Windows error code
%2 = Smart card reader name
%3 = IOCTL being canceled
%4 = First 4 bytes of the command that was sent to the smart card |
+| 620 | Smart Card Resource Manager was unable to cancel IOCTL %3 for reader '%2': %1. The reader may no longer be responding. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs if the Resource Manager attempts to cancel a command to the smart card reader when the smart card service is shutting down or after a smart card is removed from the smart card reader and the command couldn't be canceled. This can leave the smart card reader in an unusable state until it's removed from the computer or the computer is restarted.
%1 = Windows error code
%2 = Smart card reader name
%3 = IOCTL being canceled
%4 = First 4 bytes of the command that was sent to the smart card |
| 619 | Smart Card Reader '%2' hasn't responded to IOCTL %3 in %1 seconds. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs when a reader hasn't responded to an IOCTL after an unusually long period of time. Currently, this error is sent after a reader doesn't respond for 150 seconds. This can leave the smart card reader in an unusable state until it's removed from the computer or the computer is restarted.
%1 = Number of seconds the IOCTL has been waiting
%2 = Smart card reader name
%3 = IOCTL sent
%4 = First 4 bytes of the command that was sent to the smart card |
## Smart card error events
| **Event ID** | **Error Message** | **Description** |
|--------------|--------------------------------------------|-------------------------------------------------------------------------------|
-| 202 | Failed to initialize Server Application | An error occurred, and the service cannot initialize properly. Restarting the computer may resolve the issue. |
-| 203 | Server Control has no memory for reader reference object. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
-| 204 | Server Control failed to create shutdown event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 202 | Failed to initialize Server Application | An error occurred, and the service can't initialize properly. Restarting the computer may resolve the issue. |
+| 203 | Server Control has no memory for reader reference object. | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
+| 204 | Server Control failed to create shutdown event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
| 205 | Reader object has duplicate name: %1 | There are two smart card readers that have the same name. Remove the smart card reader that is causing this error message.
%1 = Name of the smart card reader that is duplicated |
-| 206 | Failed to create global reader change event. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
-| 401 | Reader shutdown exception from eject smart card command | A smart card reader could not eject a smart card while the smart card reader was shutting down. |
-| 406 | Reader object cannot Identify Device | A smart card reader did not properly respond to a request for information about the device, which is required for constructing the smart card reader name. The smart card reader will not be recognized by the service until it's removed from the computer and reinserted or until the computer is restarted. |
-| 502 | Initialization of Service Status Critical Section failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
-| 504 | Resource Manager cannot create shutdown event flag: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
-| 506 | Smart Card Resource Manager failed to register service: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 206 | Failed to create global reader change event. | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
+| 401 | Reader shutdown exception from eject smart card command | A smart card reader couldn't eject a smart card while the smart card reader was shutting down. |
+| 406 | Reader object can't Identify Device | A smart card reader didn't properly respond to a request for information about the device, which is required for constructing the smart card reader name. The smart card reader won't be recognized by the service until it's removed from the computer and reinserted or until the computer is restarted. |
+| 502 | Initialization of Service Status Critical Section failed | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
+| 504 | Resource Manager can't create shutdown event flag: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 506 | Smart Card Resource Manager failed to register service: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
| 506 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
-| 507 | No memory available for Service Status Critical Section | There is not enough system memory available. This prevents the service from managing the status. Restarting the computer may resolve the issue. |
+| 507 | No memory available for Service Status Critical Section | There isn't enough system memory available. This prevents the service from managing the status. Restarting the computer may resolve the issue. |
| 508 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
| 509 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
| 510 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
| 511 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
| 512 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
| 513 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
-| 514 | Smart Card Resource Manager failed to add reader %2: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code
%2 = Smart card reader name |
-| 515 | Smart Card Resource Manager failed to declare state: %1 | This is an internal unrecoverable error that indicates a failure in the smart card service. The smart card service may not operate properly. Restarting the service or computer may resolve this issue.
%1 = Windows error code |
-| 516 | Smart Card Resource Manager Failed to declare shutdown: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The smart card service may not be able to stop. Restarting the computer may resolve this issue.
%1 = Windows error code |
-| 517 | Smart Card Resource Manager received unexpected exception attempting to add reader %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Smart card reader name |
+| 514 | Smart Card Resource Manager failed to add reader %2: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code
%2 = Smart card reader name |
+| 515 | Smart Card Resource Manager failed to declare state: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The smart card service may not operate properly. Restarting the service or computer may resolve this issue.
%1 = Windows error code |
+| 516 | Smart Card Resource Manager Failed to declare shutdown: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The smart card service may not be able to stop. Restarting the computer may resolve this issue.
%1 = Windows error code |
+| 517 | Smart Card Resource Manager received unexpected exception attempting to add reader %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Smart card reader name |
| 521 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
| 523 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name |
-| 602 | WDM Reader driver initialization cannot open reader device: %1 | The service cannot open a communication channel with the smart card reader. You cannot use the smart card reader until the issue is resolved.
%1 = Windows error code |
-| 603 | WDM Reader driver initialization has no memory available to control device %1 | There is not enough system memory available. This prevents the service from managing the smart card reader that was added. Restarting the computer may resolve the issue.
%1 = Name of affected reader |
-| 604 | Server control cannot set reader removal event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
-| 605 | Reader object failed to create overlapped event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
-| 606 | Reader object failed to create removal event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
-| 607 | Reader object failed to start monitor thread: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
-| 608 | Reader monitor failed to create power down timer: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
-| 609 | Reader monitor failed to create overlapped event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
-| 610 | Smart Card Reader '%2' rejected IOCTL %3: %1 If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader cannot successfully transmit the indicated IOCTL to the smart card. This can indicate hardware failure, but this error can also occur if a smart card or smart card reader is removed from the system while an operation is in progress.
%1 = Windows error code
%2 = Name of the smart card reader
%3 = IOCTL that was sent
%4 = First 4 bytes of the command sent to the smart card
These events are caused by legacy functionality in the smart card stack. It can be ignored if there is no noticeable failure in the smart card usage scenarios. You might also see this error if your eSIM is recognized as a smartcard controller.|
-| 611 | Smart Card Reader initialization failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve this issue. |
-| 612 | Reader insertion monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code |
-| 615 | Reader removal monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code |
-| 616 | Reader monitor '%2' received uncaught error code: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code
%2 = Reader name |
-| 617 | Reader monitor '%1' exception -- exiting thread | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Smart card reader name |
-| 618 | Smart Card Resource Manager encountered an unrecoverable internal error. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
-| 621 | Server Control failed to access start event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code
These events are caused by legacy functionality in the smart card stack. It can be ignored if there is no noticeable failure in the smart card usage scenarios. |
-| 622 | Server Control failed to access stop event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 602 | WDM Reader driver initialization can't open reader device: %1 | The service can't open a communication channel with the smart card reader. You can't use the smart card reader until the issue is resolved.
%1 = Windows error code |
+| 603 | WDM Reader driver initialization has no memory available to control device %1 | There isn't enough system memory available. This prevents the service from managing the smart card reader that was added. Restarting the computer may resolve the issue.
%1 = Name of affected reader |
+| 604 | Server control can't set reader removal event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 605 | Reader object failed to create overlapped event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 606 | Reader object failed to create removal event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 607 | Reader object failed to start monitor thread: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 608 | Reader monitor failed to create power down timer: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 609 | Reader monitor failed to create overlapped event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
+| 610 | Smart Card Reader '%2' rejected IOCTL %3: %1 If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader can't successfully transmit the indicated IOCTL to the smart card. This can indicate hardware failure, but this error can also occur if a smart card or smart card reader is removed from the system while an operation is in progress.
%1 = Windows error code
%2 = Name of the smart card reader
%3 = IOCTL that was sent
%4 = First 4 bytes of the command sent to the smart card
These events are caused by legacy functionality in the smart card stack. It can be ignored if there's no noticeable failure in the smart card usage scenarios. You might also see this error if your eSIM is recognized as a smartcard controller.|
+| 611 | Smart Card Reader initialization failed | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve this issue. |
+| 612 | Reader insertion monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it isn't recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code |
+| 615 | Reader removal monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it isn't recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code |
+| 616 | Reader monitor '%2' received uncaught error code: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it isn't recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code
%2 = Reader name |
+| 617 | Reader monitor '%1' exception -- exiting thread | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it isn't recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Smart card reader name |
+| 618 | Smart Card Resource Manager encountered an unrecoverable internal error. | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
+| 621 | Server Control failed to access start event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code
These events are caused by legacy functionality in the smart card stack. It can be ignored if there's no noticeable failure in the smart card usage scenarios. |
+| 622 | Server Control failed to access stop event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
## Smart card Plug and Play events
| **Event ID** | **Event type** | **Event Message** | **Description** |
|--------------|----------------|-----------------------------------------------------------------------------------------|----------------|
-| 1000 | Error | Could not get device ID for smart card in reader %1. The return code is %2. | Smart card Plug and Play could not obtain the device ID for the smart card. This information is required to determine the correct driver. The smart card may be defective.
%1 = Smart card reader name
%2 = Windows error code |
+| 1000 | Error | Couldn't get device ID for smart card in reader %1. The return code is %2. | Smart card Plug and Play couldn't obtain the device ID for the smart card. This information is required to determine the correct driver. The smart card may be defective.
%1 = Smart card reader name
%2 = Windows error code |
| 1001 | Information | Software successfully installed for smart card in reader %1. The smart card name is %2. | Smart card Plug and Play successfully installed a minidriver for the inserted card.
%1 = Smart card reader name
%2 = Name of new smart card device |
## See also
diff --git a/windows/security/includes/sections/application-application-control-overview.md b/windows/security/includes/sections/application-application-control-overview.md
new file mode 100644
index 0000000000..00b89b3535
--- /dev/null
+++ b/windows/security/includes/sections/application-application-control-overview.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Application Control features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)|Yes|Yes|Yes|Yes|
+|[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|
+|[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Application Control features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)|Yes|Yes|Yes|Yes|Yes|
+|[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|Yes|
+|[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/application-application-isolation-overview.md b/windows/security/includes/sections/application-application-isolation-overview.md
new file mode 100644
index 0000000000..ff7f030ea9
--- /dev/null
+++ b/windows/security/includes/sections/application-application-isolation-overview.md
@@ -0,0 +1,30 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Application Isolation features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)|Yes|Yes|Yes|Yes|
+|[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)|❌|Yes|❌|Yes|
+|Microsoft Defender Application Guard (MDAG) public APIs|❌|Yes|❌|Yes|
+|[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)|❌|Yes|❌|Yes|
+|[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)|❌|Yes|❌|Yes|
+|[Windows containers](/virtualization/windowscontainers/about/)|Yes|Yes|Yes|Yes|
+|[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Application Isolation features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)|❌|Yes|Yes|Yes|Yes|
+|Microsoft Defender Application Guard (MDAG) public APIs|❌|Yes|Yes|Yes|Yes|
+|[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)|❌|❌|❌|❌|❌|
+|[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)|❌|Yes|Yes|Yes|Yes|
+|[Windows containers](/virtualization/windowscontainers/about/)|Yes|Yes|Yes|Yes|Yes|
+|[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/application.md b/windows/security/includes/sections/application.md
new file mode 100644
index 0000000000..3f730cfd2e
--- /dev/null
+++ b/windows/security/includes/sections/application.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/06/2023
+ms.topic: include
+---
+
+## Application Control
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)** | User Account Control (UAC) helps prevent malware from damaging a device. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevents inadvertent changes to system settings. Enabling UAC helps to prevent malware from altering device settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. |
+| **[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means for addressing the threat of executable file-based malware.
Windows 10 and above include Windows Defender Application Control (WDAC) and AppLocker. WDAC is the next generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to WDAC for the stronger protection. |
+| **[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections, by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run that are predicted to be safe based on existing and new intelligence processed daily. Smart App Control builds on top of the same cloud-based AI used in Windows Defender Application Control (WDAC) to predict the safety of an application, so people can be confident they're using safe and reliable applications on their new Windows 11 devices, or Windows 11 devices that have been reset. |
+
+## Application Isolation
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites. |
+| **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)** | Microsoft Defender Application Guard protects users' desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigation in an anonymous and isolated Hyper-V based container, which is separate from the host operating system. With Enterprise mode, you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. |
+| **Microsoft Defender Application Guard (MDAG) public APIs** | Enable applications using them to be isolated Hyper-V based container, which is separate from the host operating system. |
+| **[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)** | Application Guard protects Office files including Word, PowerPoint, and Excel. Application icons have a small shield if Application Guard has been enabled and they are under protection. |
+| **[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)** | The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. |
+| **[Windows containers](/virtualization/windowscontainers/about/)** | Universal Windows Platform (UWP) applications run in Windows containers known as app containers. Processes that run in app containers operate with low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the filesystem, registry, and other resources. The app container also enforces restrictions on network connectivity; for example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape. |
+| **[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)** | Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based Hyper-V virtualization technology to isolate apps without fear of lasting impact to your PC. |
diff --git a/windows/security/includes/sections/cloud-services-protecting-your-work-information-overview.md b/windows/security/includes/sections/cloud-services-protecting-your-work-information-overview.md
new file mode 100644
index 0000000000..ecd8d4c9c6
--- /dev/null
+++ b/windows/security/includes/sections/cloud-services-protecting-your-work-information-overview.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Protecting Your Work Information features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)|Yes|Yes|Yes|Yes|
+|[Security baselines](/mem/intune/protect/security-baselines)|Yes|Yes|Yes|Yes|
+|[Remote wipe](/windows/client-management/mdm/remotewipe-csp)|Yes|Yes|Yes|Yes|
+|[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)|Yes|Yes|Yes|Yes|
+|[Universal Print](/universal-print/)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Protecting Your Work Information features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)|Yes|Yes|Yes|Yes|Yes|
+|[Security baselines](/mem/intune/protect/security-baselines)|Yes|Yes|Yes|Yes|Yes|
+|[Remote wipe](/windows/client-management/mdm/remotewipe-csp)|Yes|Yes|Yes|Yes|Yes|
+|[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)|Yes|Yes|Yes|Yes|Yes|
+|[Universal Print](/universal-print/)|❌|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/cloud-services-update-overview.md b/windows/security/includes/sections/cloud-services-update-overview.md
new file mode 100644
index 0000000000..b20a97756d
--- /dev/null
+++ b/windows/security/includes/sections/cloud-services-update-overview.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Update features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Windows Autopatch](/windows/deployment/windows-autopatch/)|❌|Yes|❌|Yes|
+|[Windows Autopilot](/windows/deployment/windows-autopilot)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Update features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Windows Autopatch](/windows/deployment/windows-autopatch/)|❌|Yes|Yes|❌|❌|
+|[Windows Autopilot](/windows/deployment/windows-autopilot)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/cloud-services.md b/windows/security/includes/sections/cloud-services.md
new file mode 100644
index 0000000000..defd2bea71
--- /dev/null
+++ b/windows/security/includes/sections/cloud-services.md
@@ -0,0 +1,23 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/06/2023
+ms.topic: include
+---
+
+## Protecting Your Work Information
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)** | Microsoft Azure Active Directory is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. |
+| **[Security baselines](/mem/intune/protect/security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.
Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. |
+| **[Remote wipe](/windows/client-management/mdm/remotewipe-csp)** | When a device is lost or stolen, IT administrators may want to remotely wipe data stored on the device. A helpdesk agent may also want to reset devices to fix issues encountered by remote workers.
With the Remote Wipe configuration service provider (CSP), an MDM solution can remotely initiate any of the following operations on a Windows device: reset the device and remove user accounts and data, reset the device and clean the drive, reset the device but persist user accounts and data. |
+| **[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. |
+| **[Universal Print](/universal-print/)** | Unlike traditional print solutions that rely on Windows print servers, Universal Print is a
Microsoft hosted cloud subscription service that supports a zero-trust security model by
enabling network isolation of printers, including the Universal Print connector software, from
the rest of the organization's resources. |
+
+## Update
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Windows Autopatch](/windows/deployment/windows-autopatch/)** | With the Autopatch service, IT teams can delegate management of updates to Windows 10/11, Microsoft Edge, and Microsoft 365 apps to Microsoft. Under the hood, Autopatch takes over configuration of the policies and deployment service of Windows Update for Business. What the customer gets are endpoints that are up to date, thanks to dynamically generated rings for progressive deployment that will pause and/or roll back updates (where possible) when issues arise.
The goal is to provide peace of mind to IT pros, encourage rapid adoption of updates, and to reduce bandwidth required to deploy them successfully, thereby closing gaps in protection that may have been open to exploitation by malicious actors. |
+| **[Windows Autopilot](/windows/deployment/windows-autopilot)** | Windows Autopilot simplifies the way devices get deployed, reset, and repurposed, with an experience that is zero touch for IT. |
diff --git a/windows/security/includes/sections/hardware-hardware-root-of-trust-overview.md b/windows/security/includes/sections/hardware-hardware-root-of-trust-overview.md
new file mode 100644
index 0000000000..f1f16ade3e
--- /dev/null
+++ b/windows/security/includes/sections/hardware-hardware-root-of-trust-overview.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Hardware Root-Of-Trust features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)|Yes|Yes|Yes|Yes|
+|[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)|Yes|Yes|Yes|Yes|
+|[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Hardware Root-Of-Trust features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)|Yes|Yes|Yes|Yes|Yes|
+|[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/hardware-silicon-assisted-security-secured-kernel-overview.md b/windows/security/includes/sections/hardware-silicon-assisted-security-secured-kernel-overview.md
new file mode 100644
index 0000000000..b6c18f1b62
--- /dev/null
+++ b/windows/security/includes/sections/hardware-silicon-assisted-security-secured-kernel-overview.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Silicon Assisted Security (Secured Kernel) features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)|Yes|Yes|Yes|Yes|
+|[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)|Yes|Yes|Yes|Yes|
+|[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)|Yes|Yes|Yes|Yes|
+|[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)|Yes|Yes|Yes|Yes|
+|[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Silicon Assisted Security (Secured Kernel) features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)|Yes|Yes|Yes|Yes|Yes|
+|[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)|Yes|Yes|Yes|Yes|Yes|
+|[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)|Yes|Yes|Yes|Yes|Yes|
+|[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)|Yes|Yes|Yes|Yes|Yes|
+|[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/hardware.md b/windows/security/includes/sections/hardware.md
new file mode 100644
index 0000000000..7488c5606c
--- /dev/null
+++ b/windows/security/includes/sections/hardware.md
@@ -0,0 +1,24 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/06/2023
+ms.topic: include
+---
+
+## Hardware Root-Of-Trust
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)** | In Secured-core PCs, Windows Defender System Guard Secure Launch protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit/bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. Firmware Attack Surface Reduction technology can be used instead of DRTM on supporting devices such as Microsoft Surface. |
+| **[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)** | TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, Windows Defender System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. The 2.0 version of the specification includes support for newer algorithms, which can improve driver signing and key generation performance.
Starting with Windows 10, Microsoft's hardware certification requires all new Windows PCs to include TPM 2.0 built in and enabled by default. With Windows 11, both new and upgraded devices must have TPM 2.0. |
+| **[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)** | Microsoft Pluton security processors are designed by Microsoft in partnership with silicon partners. Pluton enhances the protection of Windows devices with a hardware root-of-trust that provides additional protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface as it integrates the security chip directly into the processor. It can be used with a discreet TPM 2.0, or as a standalone security processor. When root of trust is located on a separate, discrete chip on the motherboard, the communication path between the root-of-trust and the CPU can be vulnerable to physical attack. Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPMs including BitLocker, Windows Hello, and Windows Defender System Guard.
In addition to providing root-of trust, Pluton also supports other security functionality beyond what is possible with the TPM 2.0 specification, and this extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. Pluton-enabled Windows 11 devices are available and the selection of options with Pluton is growing. |
+
+## Silicon Assisted Security (Secured Kernel)
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)** | In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest chips that harden the operating system against threats, such as by protecting the boot process, safeguarding the integrity of memory, isolating security sensitive compute logic, and more. Two examples include Virtualization-based security (VBS) and Hypervisor-protected code integrity (HVCI). Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel remains protected.
Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.
With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
+| **[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)** | Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps to prevent attacks that attempt to modify kernel mode code, such as drivers. The KMCI role is to check that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI helps to ensure that only validated code can be executed in kernel-mode.
Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.
With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
+| **[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)** | Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats such as memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack. |
+| **[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)** | Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs. The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows. Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root of trust. Virtualization-based security comes enabled by default. And with built-in hypervisor protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all executables are signed by known and approved authorities only. Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks. |
+| **[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. |
diff --git a/windows/security/includes/sections/identity-advanced-credential-protection-overview.md b/windows/security/includes/sections/identity-advanced-credential-protection-overview.md
new file mode 100644
index 0000000000..c8f646fb31
--- /dev/null
+++ b/windows/security/includes/sections/identity-advanced-credential-protection-overview.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Advanced Credential Protection features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Windows LAPS](/windows-server/identity/laps/laps-overview)|Yes|Yes|Yes|Yes|
+|[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)|Yes|Yes|Yes|Yes|
+|[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)|Yes|Yes|Yes|Yes|
+|[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)|Yes|Yes|Yes|Yes|
+|[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)|❌|Yes|❌|Yes|
+|[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Advanced Credential Protection features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Windows LAPS](/windows-server/identity/laps/laps-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)|Yes|Yes|Yes|Yes|Yes|
+|[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)|Yes|Yes|Yes|Yes|Yes|
+|[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)|Yes|Yes|Yes|Yes|Yes|
+|[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)|❌|Yes|Yes|Yes|Yes|
+|[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/identity-passwordless-sign-in-overview.md b/windows/security/includes/sections/identity-passwordless-sign-in-overview.md
new file mode 100644
index 0000000000..c2666f968d
--- /dev/null
+++ b/windows/security/includes/sections/identity-passwordless-sign-in-overview.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Passwordless Sign In features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)|Yes|Yes|Yes|Yes|
+|[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)|Yes|Yes|Yes|Yes|
+|[Windows Hello for Business Enhanced Security Sign-in (ESS) ](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)|Yes|Yes|Yes|Yes|
+|[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)|Yes|Yes|Yes|Yes|
+|[Federated sign-in](/education/windows/federated-sign-in)|❌|❌|Yes|Yes|
+|[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Passwordless Sign In features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)|Yes|Yes|Yes|Yes|Yes|
+|[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)|Yes|Yes|Yes|Yes|Yes|
+|[Windows Hello for Business Enhanced Security Sign-in (ESS) ](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)|Yes|Yes|Yes|Yes|Yes|
+|[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)|Yes|Yes|Yes|Yes|Yes|
+|[Federated sign-in](/education/windows/federated-sign-in)|❌|❌|❌|Yes|Yes|
+|[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/identity.md b/windows/security/includes/sections/identity.md
new file mode 100644
index 0000000000..b31aaf1ca9
--- /dev/null
+++ b/windows/security/includes/sections/identity.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/06/2023
+ms.topic: include
+---
+
+## Passwordless Sign In
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)** | Windows 11 devices can protect user identities by removing the need to use passwords from day one. It's easy to get started with the method that's right for your organization. A password may only need to be used once during the provisioning process, after which people use a PIN, face, or fingerprint to unlock credentials and sign into the device.
Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometrics data, and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business, depending on your organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers. |
+| **[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)** | Windows presence sensing provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to your presence to help you stay secure and productive, whether you're working at home, the office, or a public environment. Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to automatically lock your device when you leave, and then unlock your device and sign you in using Windows Hello facial recognition when you return. Requires OEM supporting hardware. |
+| **[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)** | Windows Hello biometrics also supports enhanced sign-in security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign in.
Enhanced sign-in security biometrics uses VBS and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated. These specialized components protect against a class of attacks that include biometric sample injection, replay, tampering, and more.
For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional class of attacks. |
+| **[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)** | Fast Identity Online (FIDO) defined CTAP and WebAuthN specifications are becoming the open standard for providing strong authentication that is non-phishable, user-friendly, and privacy-respecting with implementations from major platform providers and relying parties. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.
Windows 11 can use external FIDO2 security keys for authentication alongside or in addition to Windows Hello which is also a FIDO2 certified passwordless solution. Windows 11 can be used as a FIDO authenticator for many popular identity management services. |
+| **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with third-party identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. |
+| **[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)** | Organizations also have the option of using smart cards, an authentication method that pre-dates biometric sign in. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Smart cards can only be used to sign into domain accounts, not local accounts. When a password is used to sign into a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. |
+
+## Advanced Credential Protection
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Windows LAPS](/windows-server/identity/laps/laps-overview)** | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it. |
+| **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** | |
+| **[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. |
+| **[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)** | Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.
Access Control Lists (ACL) describe the permissions for a specific object and can also contain System Access Control Lists (SACL). SACLs provide a way to audit specific system level events, such as when a user attempt to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. |
+| **[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)** | Enabled by default in Windows 11 Enterprise, Windows Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Windows Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
By protecting the LSA process with Virtualization-based security, Windows Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. |
+| **[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Window Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
Administrator credentials are highly privileged and must be protected. When you use Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. |
diff --git a/windows/security/includes/sections/operating-system-data-protection-overview.md b/windows/security/includes/sections/operating-system-data-protection-overview.md
new file mode 100644
index 0000000000..68b64731f3
--- /dev/null
+++ b/windows/security/includes/sections/operating-system-data-protection-overview.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Data Protection features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)|Yes|Yes|Yes|Yes|
+|[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)|Yes|Yes|Yes|Yes|
+|[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)|Yes|Yes|Yes|Yes|
+|[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)|❌|Yes|❌|Yes|
+|[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Data Protection features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)|❌|Yes|Yes|Yes|Yes|
+|[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)|Yes|Yes|Yes|Yes|Yes|
+|[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)|❌|Yes|Yes|Yes|Yes|
+|[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/operating-system-modern-device-management-overview.md b/windows/security/includes/sections/operating-system-modern-device-management-overview.md
new file mode 100644
index 0000000000..b43f14f6ef
--- /dev/null
+++ b/windows/security/includes/sections/operating-system-modern-device-management-overview.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Modern Device Management features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)|Yes|Yes|Yes|Yes|
+|[Secured-core configuration lock](/windows/client-management/config-lock)|Yes|Yes|Yes|Yes|
+|[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Modern Device Management features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)|Yes|Yes|Yes|Yes|Yes|
+|[Secured-core configuration lock](/windows/client-management/config-lock)|Yes|Yes|Yes|Yes|Yes|
+|[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/operating-system-network-security-overview.md b/windows/security/includes/sections/operating-system-network-security-overview.md
new file mode 100644
index 0000000000..95b71a85f8
--- /dev/null
+++ b/windows/security/includes/sections/operating-system-network-security-overview.md
@@ -0,0 +1,36 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Network Security features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)|Yes|Yes|Yes|Yes|
+|Bluetooth pairing and connection protection|Yes|Yes|Yes|Yes|
+|[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)|Yes|Yes|Yes|Yes|
+|Opportunistic Wireless Encryption (OWE)|Yes|Yes|Yes|Yes|
+|[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)|Yes|Yes|Yes|Yes|
+|[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)|Yes|Yes|Yes|Yes|
+|[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)|❌|Yes|❌|Yes|
+|[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)|❌|Yes|❌|Yes|
+|[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)|Yes|Yes|Yes|Yes|
+|[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Network Security features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)|Yes|Yes|Yes|Yes|Yes|
+|Bluetooth pairing and connection protection|Yes|Yes|Yes|Yes|Yes|
+|[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)|Yes|Yes|Yes|Yes|Yes|
+|Opportunistic Wireless Encryption (OWE)|Yes|Yes|Yes|Yes|Yes|
+|[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)|Yes|Yes|Yes|Yes|Yes|
+|[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)|Yes|Yes|Yes|Yes|Yes|
+|[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)|❌|Yes|Yes|Yes|Yes|
+|[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)|❌|Yes|Yes|Yes|Yes|
+|[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/operating-system-system-security-overview.md b/windows/security/includes/sections/operating-system-system-security-overview.md
new file mode 100644
index 0000000000..426c265aca
--- /dev/null
+++ b/windows/security/includes/sections/operating-system-system-security-overview.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all System Security features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Secure Boot and Trusted Boot](/windows/security/trusted-boot)|Yes|Yes|Yes|Yes|
+|[Measured boot](/windows/compatibility/measured-boot)|Yes|Yes|Yes|Yes|
+|[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all System Security features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Secure Boot and Trusted Boot](/windows/security/trusted-boot)|Yes|Yes|Yes|Yes|Yes|
+|[Measured boot](/windows/compatibility/measured-boot)|Yes|Yes|Yes|Yes|Yes|
+|[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/operating-system-virus-and-threat-protection-overview.md b/windows/security/includes/sections/operating-system-virus-and-threat-protection-overview.md
new file mode 100644
index 0000000000..4853fdc620
--- /dev/null
+++ b/windows/security/includes/sections/operating-system-virus-and-threat-protection-overview.md
@@ -0,0 +1,34 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Virus And Threat Protection features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)|Yes|Yes|Yes|Yes|
+|Local Security Authority (LSA) Protection|Yes|Yes|Yes|Yes|
+|[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)|Yes|Yes|Yes|Yes|
+|[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)|Yes|Yes|Yes|Yes|
+|[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)|Yes|Yes|Yes|Yes|
+|[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)|Yes|Yes|Yes|Yes|
+|[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)|Yes|Yes|Yes|Yes|
+|[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)|Yes|Yes|Yes|Yes|
+|[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Virus And Threat Protection features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)|Yes|Yes|Yes|Yes|Yes|
+|Local Security Authority (LSA) Protection|Yes|Yes|Yes|Yes|Yes|
+|[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)|Yes|Yes|Yes|Yes|Yes|
+|[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)|Yes|Yes|Yes|Yes|Yes|
+|[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)|Yes|Yes|Yes|Yes|Yes|
+|[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)|Yes|Yes|Yes|Yes|Yes|
+|[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)|Yes|Yes|Yes|Yes|Yes|
+|[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)|❌|❌|Yes|❌|Yes|
diff --git a/windows/security/includes/sections/operating-system.md b/windows/security/includes/sections/operating-system.md
new file mode 100644
index 0000000000..9cc73a7b96
--- /dev/null
+++ b/windows/security/includes/sections/operating-system.md
@@ -0,0 +1,61 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/06/2023
+ms.topic: include
+---
+
+## System Security
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Secure Boot and Trusted Boot](/windows/security/trusted-boot)** | Secure Boot and Trusted Boot help to prevent malware and corrupted components from loading when a device starts.
Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure the system boots up safely and securely. |
+| **[Measured boot](/windows/compatibility/measured-boot)** | Measured Boot measures all important code and configuration settings during the boot of Windows. This includes: the firmware, boot manager, hypervisor, kernel, secure kernel and operating system. Measured Boot stores the measurements in the TPM on the machine, and makes them available in a log that can be tested remotely to verify the boot state of the client.
The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components that started before it. The antimalware software can use the log to determine whether components that ran before it are trustworthy, or if they are infected with malware. The antimalware software on the local machine can send the log to a remote server for evaluation. The remote server may initiate remediation actions, either by interacting with software on the client, or through out-of-band mechanisms, as appropriate. |
+| **[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and have not been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Azure Active Directory for conditional access. |
+
+## Virus And Threat Protection
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)** | Microsoft Defender Antivirus is a protection solution included in all versions of Windows. From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help keep your device safe and protect it from threats. Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection.
The combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA) which are applications that are deemed to negatively impact your device but are not considered malware. |
+| **Local Security Authority (LSA) Protection** | Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows logins. LSA handles tokens and credentials such as passwords that are used for single sign-on to a Microsoft account and Azure services. To help protect these credentials, additional LSA protection only allows loading of trusted, signed code and provides significant protection against Credential theft.
LSA protection is enabled by default on new, enterprise joined Windows 11 devices with added support for non-UEFI lock and policy management controls via MDM and group policy. |
+| **[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)** | Attack surface reduction (ASR) rules help to prevent software behaviors that are often abused to compromise your device or network. By reducing the number of attack surfaces, you can reduce the overall vulnerability of your organization.
Administrators can configure specific ASR rules to help block certain behaviors, such as launching executable files and scripts that attempt to download or run files, running obfuscated or otherwise suspicious scripts, performing behaviors that apps don't usually initiate during normal day-to-day work. |
+| **[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities. |
+| **[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.
Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt-in to enforce the policy from the Windows Security app. |
+| **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders.
Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware. |
+| **[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use MDM or group policy to distribute the configuration file to multiple devices. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. |
+| **[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |
+| **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)** | Microsoft Defender for Endpoint is an enterprise endpoint detection and response solution that helps security teams to detect, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents: endpoint behavioral sensors, cloud security analytics, threat intelligence and rich response capabilities. |
+
+## Network Security
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a network. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average, and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. |
+| **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. |
+| **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | Wi-Fi Protected Access (WPA) is a security certification programs designed to secure wireless networks. WPA3 is the latest version of the certification and provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes: WPA3 personal with the Hash-to-Element (H2E) protocol, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.
Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication. |
+| **Opportunistic Wireless Encryption (OWE)** | Opportunistic Wireless Encryption (OWE) is a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots. |
+| **[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Securityprovides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
+| **[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.
In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls. |
+| **[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)** | |
+| **[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)** | DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections.
With DirectAccess connections, remote devices are always connected to the organization and there's no need for remote users to start and stop connections. |
+| **[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)** | SMB Encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. In Windows 11, the SMB protocol has significant security updates, including AES-256 bits encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of more advanced security or continue to use the more compatible, and still-safe, AES-128 encryption. |
+| **[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)** | SMB Direct (SMB over remote direct memory access) is a storage protocol that enables direct memory-to-memory data transfers between device and storage, with minimal CPU usage, while using standard RDMA-capable network adapters.
SMB Direct supports encryption, and now you can operate with the same safety as traditional TCP and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Now data is encrypted before placement, leading to relatively minor performance degradation while adding AES-128 and AES-256 protected packet privacy. |
+
+## Data Protection
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)** | The BitLocker CSP allows an MDM solution, like Microsoft Intune, to manage the BitLocker encryption features on Windows devices. This includes OS volumes, fixed drives and removeable storage, and recovery key management into Azure AD. |
+| **[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune, using a configuration service provider (CSP).
BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. |
+| **[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.
By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. |
+| **[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow.
Windows Hello for Business is used to protect the container which houses the encryption keys used by PDE. When the user signs in, the container gets authenticated to release the keys in the container to decrypt user content. |
+| **[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital ID (certificate) can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message has not been tampered with. The encrypted messages can be sent by a user to other users within their organization or external contacts if they have proper encryption certificates. |
+
+## Modern Device Management
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Microsoft provides a robust set of security settings policies that IT administrators can use to protect Windows devices and other resources in their organization. |
+| **[Secured-core configuration lock](/windows/client-management/config-lock)** | In an enterprise organization, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Secured-core configuration lock (config lock) is a Secured-core PC feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds. |
+| **[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)** | Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: A single-app kiosk that runs a single Universal Windows Platform (UWP) app in full screen above the lock screen, or A multi-app kiosk that runs one or more apps from the desktop.
Kiosk configurations are based on Assigned Access, a feature in Windows that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. |
diff --git a/windows/security/includes/sections/privacy.md b/windows/security/includes/sections/privacy.md
new file mode 100644
index 0000000000..cb5118754a
--- /dev/null
+++ b/windows/security/includes/sections/privacy.md
@@ -0,0 +1,6 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
diff --git a/windows/security/includes/sections/security-foundations-certification-overview.md b/windows/security/includes/sections/security-foundations-certification-overview.md
new file mode 100644
index 0000000000..78601c07dd
--- /dev/null
+++ b/windows/security/includes/sections/security-foundations-certification-overview.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Certification features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)|Yes|Yes|Yes|Yes|
+|[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Certification features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)|Yes|Yes|Yes|Yes|Yes|
+|[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/security-foundations.md b/windows/security/includes/sections/security-foundations.md
new file mode 100644
index 0000000000..8c3cd14c92
--- /dev/null
+++ b/windows/security/includes/sections/security-foundations.md
@@ -0,0 +1,13 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/06/2023
+ms.topic: include
+---
+
+## Certification
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)** | Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. CC defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements. Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products. |
+| **[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)** | The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140 standard, having validated cryptographic modules against FIPS 140-2 since it was first established in 2001. Multiple Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules. |
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 8cf4624659..b2bf33a31a 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -57,13 +57,13 @@ landingContent:
- linkListType: overview
links:
- text: Overview
- url: operating-system.md
+ url: operating-system-security/index.md
- linkListType: concept
links:
- - text: System security
- url: trusted-boot.md
+ - text: Trusted boot
+ url: operating-system-security\system-security\trusted-boot.md
- text: Encryption and data protection
- url: encryption-data-protection.md
+ url: operating-system-security/data-protection/index.md
- text: Windows security baselines
url: threat-protection/windows-security-configuration-framework/windows-security-baselines.md
- text: Virtual private network guide
@@ -136,7 +136,7 @@ landingContent:
- text: OneDrive
url: /onedrive/onedrive
- text: Family safety
- url: threat-protection/windows-defender-security-center/wdsc-family-options.md
+ url: operating-system-security\system-security\windows-defender-security-center\wdsc-family-options.md
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
diff --git a/windows/security/introduction/index.md b/windows/security/introduction/index.md
index f051acac9f..2389e3b4da 100644
--- a/windows/security/introduction/index.md
+++ b/windows/security/introduction/index.md
@@ -34,7 +34,7 @@ Windows 11 is a natural evolution of its predecessor, Windows 10. We have collab
With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind other barriers separated from the operating system. As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering.
-In Windows 11, hardware and software work together to protect the operating system. For example, new devices come with [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) and [Secure Boot](../trusted-boot.md) built-in and enabled by default to contain and limit malware exploits.
+In Windows 11, hardware and software work together to protect the operating system. For example, new devices come with [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) and [Secure Boot](../operating-system-security/system-security/trusted-boot.md) built-in and enabled by default to contain and limit malware exploits.
### Robust application security and privacy controls
@@ -54,4 +54,4 @@ Microsoft offers comprehensive cloud services for identity, storage, and access
To learn more about the security features included in Windows 11, download the [Windows 11 Security Book: Powerful security from chip to cloud](https://aka.ms/Windows11SecurityBook).
-[!INCLUDE [ai-disclaimer-generic](../../../includes/ai-disclaimer-generic.md)]
\ No newline at end of file
+[!INCLUDE [ai-disclaimer-generic](../../../includes/ai-disclaimer-generic.md)]
diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
similarity index 98%
rename from windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
index 9ed2b2769e..423a4e624a 100644
--- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
@@ -1,16 +1,8 @@
---
title: BCD settings and BitLocker
description: This article for IT professionals describes the BCD settings that are used by BitLocker.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# Boot Configuration Data settings and BitLocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-and-adds-faq.yml
similarity index 96%
rename from windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-and-adds-faq.yml
index daa9cba013..cbaff88935 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-and-adds-faq.yml
@@ -1,26 +1,14 @@
### YamlMime:FAQ
metadata:
- title: BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10)
+ title: BitLocker and Active Directory Domain Services (AD DS) FAQ
description: Learn more about how BitLocker and Active Directory Domain Services (AD DS) can work together to keep devices secure.
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- audience: ITPro
ms.collection:
- highpri
- tier1
ms.topic: faq
ms.date: 11/08/2022
- ms.custom: bitlocker
title: BitLocker and Active Directory Domain Services (AD DS) FAQ
summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
-
sections:
- name: Ignored
@@ -53,7 +41,7 @@ sections:
> [!IMPORTANT]
> Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).
-
+
- question: |
Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup?
answer: |
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md
similarity index 99%
rename from windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md
index 3518062515..52cc2816b8 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md
@@ -1,26 +1,12 @@
---
title: BitLocker basic deployment
description: This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# BitLocker basic deployment
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
This article for the IT professional explains how BitLocker features can be used to protect data through drive encryption.
## Using BitLocker to encrypt volumes
@@ -466,4 +452,4 @@ Disable-BitLocker -MountPoint E:,F:,G:
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker recovery guide](bitlocker-recovery-guide-plan.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
-- [BitLocker overview](bitlocker-overview.md)
+- [BitLocker overview](index.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md
similarity index 95%
rename from windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md
index df0af1d002..98b5a376c9 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md
@@ -1,26 +1,12 @@
---
-title: BitLocker Countermeasures
+title: BitLocker Countermeasures
description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Anti-malware (ELAM) to protect against attacks on the BitLocker encryption key.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# BitLocker Countermeasures
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
Windows uses technologies including trusted platform module (TPM), secure boot, and measured boot to help protect BitLocker encryption keys against attacks. BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology. Data on a lost or stolen computer is vulnerable. For example, there could be unauthorized access, either by running a software attack tool against the computer or by transferring the computer's hard disk to a different computer.
BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started. This mitigation is done by:
@@ -45,7 +31,7 @@ A trusted platform module (TPM) is a microchip designed to provide basic securit
Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system's bootloader.
-The UEFI specification defines a firmware execution authentication process called [Secure Boot](../secure-the-windows-10-boot-process.md). Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
+The UEFI specification defines a firmware execution authentication process called [Secure Boot](../../system-security/secure-the-windows-10-boot-process.md). Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key.
@@ -62,7 +48,7 @@ The next sections cover pre-boot authentication and DMA policies that can provid
### Pre-boot authentication
-Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. The Group Policy setting is [Require additional authentication at startup](./bitlocker-group-policy-settings.md) and the corresponding setting in the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication.
+Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. The Group Policy setting is [Require additional authentication at startup](bitlocker-group-policy-settings.md) and the corresponding setting in the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication.
BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed. If Windows can't access the encryption keys, the device can't read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key.
@@ -70,11 +56,11 @@ Pre-boot authentication is designed to prevent the encryption keys from being lo
On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways:
-- **TPM-only.** Using TPM-only validation doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor.
+- **TPM-only.** Using TPM-only validation doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor.
- **TPM with startup key.** In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume can't be accessed without the startup key.
-- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN.
+- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN.
- **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the correct PIN is also required.
@@ -86,11 +72,11 @@ Pre-boot authentication with a PIN can mitigate an attack vector for devices tha
On the other hand, Pre-boot authentication-prompts can be inconvenient to users. In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization's support team to obtain a recovery key. Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation.
-To address these issues, [BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md) can be deployed. Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server.
+To address these issues, [BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md) can be deployed. Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server.
### Protecting Thunderbolt and other DMA ports
-There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.
+There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.
You can use the System Information desktop app `MSINFO32.exe` to check if a device has kernel DMA protection enabled:
@@ -112,7 +98,7 @@ For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the **Thunderbolt Mi
## Attack countermeasures
-This section covers countermeasures for specific types of attacks.
+This section covers countermeasures for specific types of attacks.
### Bootkits and rootkits
@@ -142,7 +128,7 @@ Enable secure boot and mandatorily prompt a password to change BIOS settings. Fo
### Tricking BitLocker to pass the key to a rogue operating system
An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don't recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5.
-
+
An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This will not succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0, and to successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key.
## Attacker countermeasures
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
similarity index 96%
rename from windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
index dbea4c718a..ccabad03a1 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
@@ -1,22 +1,11 @@
### YamlMime:FAQ
metadata:
- title: BitLocker deployment and administration FAQ (Windows 10)
+ title: BitLocker deployment and administration FAQ
description: Browse frequently asked questions about BitLocker deployment and administration, such as, "Can BitLocker deployment be automated in an enterprise environment?"
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
ms.topic: faq
ms.date: 11/08/2022
- ms.custom: bitlocker
title: BitLocker frequently asked questions (FAQ)
summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
-
sections:
- name: Ignored
questions:
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md
similarity index 97%
rename from windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md
index 99d7101e23..3521e9e447 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md
@@ -1,25 +1,12 @@
---
title: BitLocker deployment comparison
description: This article shows the BitLocker deployment comparison chart.
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# BitLocker deployment comparison
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
This article depicts the BitLocker deployment comparison chart.
## BitLocker deployment comparison chart
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
similarity index 97%
rename from windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index c0f495b8a6..4b8a48c1a0 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -1,29 +1,16 @@
---
title: Overview of BitLocker Device Encryption in Windows
description: This article provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows.
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
-# Overview of BitLocker Device Encryption in Windows
+# Overview of BitLocker device encryption
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
-This article explains how BitLocker Device Encryption can help protect data on devices running Windows. See [BitLocker](bitlocker-overview.md) for a general overview and list of articles.
+This article explains how BitLocker Device Encryption can help protect data on devices running Windows. See [BitLocker](index.md) for a general overview and list of articles.
When users travel, their organization's confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies.
@@ -31,7 +18,6 @@ When users travel, their organization's confidential data goes with them. Wherev
The below table lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7.
-
| Windows 7 | Windows 11 and Windows 10 |
|---|---|
| When BitLocker is used with a PIN to protect startup, PCs such as kiosks can't be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.
Network Unlock allows PCs to start automatically when connected to the internal network. |
diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-questions.yml
similarity index 75%
rename from windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-questions.yml
index 4f7256eadb..04759a9566 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-questions.yml
@@ -2,25 +2,13 @@
metadata:
title: BitLocker FAQ (Windows 10)
description: Find the answers you need by exploring this brief hub page listing FAQ pages for various aspects of BitLocker.
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- audience: ITPro
ms.collection:
- highpri
- tier1
ms.topic: faq
ms.date: 11/08/2022
- ms.custom: bitlocker
title: BitLocker frequently asked questions (FAQ) resources
-summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
- This article links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on computers to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they're decommissioned because it's much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
+summary: This article links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on computers to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they're decommissioned because it's much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
- [Overview and requirements](bitlocker-overview-and-requirements-faq.yml)
- [Upgrading](bitlocker-upgrading-faq.yml)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md
similarity index 99%
rename from windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md
index b14f859b9a..6045481279 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -1,35 +1,21 @@
---
title: BitLocker Group Policy settings
description: This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# BitLocker group policy settings
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
Group Policy administrative templates or local computer policy settings can be used to control what BitLocker drive encryption tasks and configurations can be performed by users, for example through the **BitLocker Drive Encryption** control panel. Which of these policies are configured and how they're configured depends on how BitLocker is implemented and what level of interaction is desired for end users.
> [!NOTE]
-> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md).
+> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [TPM Group Policy settings](../../../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md).
BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**.
@@ -233,7 +219,7 @@ This policy setting is applied when BitLocker is turned on. The startup PIN must
Originally, BitLocker allowed a length from 4 to 20 characters for a PIN. Windows Hello has its own PIN for sign-in, length of which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
-The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../tpm/trusted-platform-module-services-group-policy-settings.md)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
+The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../../../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This number of attempts totals to a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years.
@@ -452,7 +438,7 @@ When set to **Do not allow complexity**, no password complexity validation is do
> [!NOTE]
> Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** specifies whether FIPS compliance is enabled.
-For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
+For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](../../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
### Validate smart card certificate usage rule compliance
@@ -1306,7 +1292,7 @@ The optional recovery key can be saved to a USB drive. Because recovery password
The FIPS setting can be edited by using the Security Policy Editor (`Secpol.msc`) or by editing the Windows registry. Only administrators can perform these procedures.
-For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
+For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](../../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
## Power management group policy settings: Sleep and Hibernate
@@ -1338,5 +1324,5 @@ PCR 7 measurements are a mandatory logo requirement for systems that support Mod
- [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
- [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
-- [BitLocker overview](bitlocker-overview.md)
+- [BitLocker overview](index.md)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
similarity index 65%
rename from windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
index 9d743637c9..fd3c652f3a 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
@@ -1,57 +1,32 @@
---
-title: BitLocker How to deploy on Windows Server 2012 and later
-description: This article for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
+title: BitLocker How to deploy on Windows Server
+description: This article for the IT professional explains how to deploy BitLocker and Windows Server
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
-# BitLocker: How to deploy on Windows Server 2012 and later
+# BitLocker: How to deploy on Windows Server
-**Applies to:**
-
-- Windows Server 2012
-- Windows Server 2012 R2
-- Windows Server 2016 and above
-
-This article explains how to deploy BitLocker on Windows Server 2012 and later versions. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server on which it's to be installed.
+This article explains how to deploy BitLocker on Windows Server. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server on which it's to be installed.
## Installing BitLocker
### To install BitLocker using server manager
-1. Open server manager by selecting the server manager icon or running servermanager.exe.
-
-2. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.**
-
-3. With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown).
-
-4. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue.
-
-5. Select the **Select a server from the server pool** option in the **Server Selection** pane and confirm the server on which the BitLocker feature is to be installed.
-
-6. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane.
-
+1. Open server manager by selecting the server manager icon or running `servermanager.exe`.
+1. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.**
+1. With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown).
+1. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue.
+1. Select the **Select a server from the server pool** option in the **Server Selection** pane and confirm the server on which the BitLocker feature is to be installed.
+1. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane.
> [!NOTE]
> Server roles and features are installed by using the same wizard in Server Manager.
-
-7. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If the extra management features are not needed and/or don't need to be installed, deselect the **Include management tools**.
-
+1. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If the extra management features aren't needed and/or don't need to be installed, deselect the **Include management tools**.
> [!NOTE]
> The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for encrypted hard drives on capable systems.
-
-8. Select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard.
-
-9. Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete.
-
-10. If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.
+1. Select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard.
+1. Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete.
+1. If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.
### To install BitLocker using Windows PowerShell
@@ -64,7 +39,7 @@ Windows PowerShell offers administrators another option for BitLocker feature in
The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`.
-By default, installation of features in Windows PowerShell doesn't include optional sub-features or management tools as part of the installation process. What is installed as part of the installation process can be seen using the `-WhatIf` option in Windows PowerShell.
+By default, installation of features in Windows PowerShell doesn't include optional subfeatures or management tools as part of the installation process. What is installed as part of the installation process can be seen using the `-WhatIf` option in Windows PowerShell.
```powershell
Install-WindowsFeature BitLocker -WhatIf
@@ -72,7 +47,7 @@ Install-WindowsFeature BitLocker -WhatIf
The results of this command show that only the BitLocker Drive Encryption feature is installed using this command.
-To see what would be installed with the BitLocker feature, including all available management tools and sub-features, use the following command:
+To see what would be installed with the BitLocker feature, including all available management tools and subfeatures, use the following command:
```powershell
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl
@@ -88,7 +63,7 @@ The result of this command displays the following list of all the administration
- AD DS Tools
- AD DS and AD LDS Tools
-The command to complete a full installation of the BitLocker feature with all available sub-features and then to reboot the server at completion is:
+The command to complete a full installation of the BitLocker feature with all available subfeatures and then to reboot the server at completion is:
```powershell
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
@@ -99,13 +74,13 @@ Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -
### Using the dism module to install BitLocker
-The `dism.exe` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism.exe` module doesn't support wildcards when searching for feature names. To list feature names for the `dism.exe` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system.
+The `dism.exe` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism.exe` module doesn't support wildcards when searching for feature names. To list feature names for the `dism.exe` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command lists all of the optional features in an online (running) operating system.
```powershell
Get-WindowsOptionalFeature -Online | ft
```
-From this output, it can be seen that there are three BitLocker-related optional feature names: **BitLocker**, **BitLocker-Utilities** and **BitLocker-NetworkUnlock**. To install the BitLocker feature, the **BitLocker** and **BitLocker-Utilities** features are the only required items.
+From this output, there are three BitLocker-related optional feature names: **BitLocker**, **BitLocker-Utilities** and **BitLocker-NetworkUnlock**. To install the BitLocker feature, the **BitLocker** and **BitLocker-Utilities** features are the only required items.
To install BitLocker using the `dism.exe` module, use the following command:
@@ -121,7 +96,7 @@ Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilitie
## Related articles
-- [BitLocker overview](bitlocker-overview.md)
+- [BitLocker overview](index.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
similarity index 99%
rename from windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index 442be0541b..921c5ebcfa 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -1,26 +1,12 @@
---
title: BitLocker - How to enable Network Unlock
description: This article for the IT professional describes how BitLocker Network Unlock works and how to configure it.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# BitLocker: How to enable Network Unlock
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
This article describes how BitLocker Network Unlock works and how to configure it.
Network Unlock is a BitLocker protector option for operating system volumes. Network Unlock enables easier management for BitLocker-enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). Requiring a PIN after a reboot can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers.
@@ -462,6 +448,6 @@ Follow these steps to configure Network Unlock on these older systems.
## Related articles
-- [BitLocker overview](bitlocker-overview.md)
+- [BitLocker overview](index.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-key-management-faq.yml
similarity index 97%
rename from windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-key-management-faq.yml
index ad23cc6714..848e842daf 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-key-management-faq.yml
@@ -2,21 +2,10 @@
metadata:
title: BitLocker Key Management FAQ (Windows 10)
description: Browse frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- audience: ITPro
ms.topic: faq
ms.date: 11/08/2022
- ms.custom: bitlocker
title: BitLocker Key Management FAQ
-summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
+summary: |
sections:
- name: Ignored
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md
similarity index 93%
rename from windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md
index 8f46db3e99..491df0d342 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -1,24 +1,17 @@
---
title: BitLocker management
description: Refer to relevant documentation, products, and services to learn about managing BitLocker and see recommendations for different computers.
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# BitLocker management
The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on help desks and a decrease in support-call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1.
-Though much Windows [BitLocker documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers.
+Though much Windows [BitLocker documentation](index.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers.
-[!INCLUDE [bitlocker](../../../../includes/licensing/bitlocker-management.md)]
+[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-management.md)]
## Managing domain-joined computers and moving to cloud
diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-network-unlock-faq.yml
similarity index 87%
rename from windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-network-unlock-faq.yml
index 9683743787..5a67c2a310 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-network-unlock-faq.yml
@@ -2,22 +2,10 @@
metadata:
title: BitLocker Network Unlock FAQ (Windows 10)
description: Familiarize yourself with BitLocker Network Unlock. Learn how it can make desktop and server management easier within domain environments.
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- audience: ITPro
ms.topic: faq
ms.date: 11/08/2022
- ms.reviewer:
- ms.custom: bitlocker
title: BitLocker Network Unlock FAQ
summary: |
- **Applies to:**
- - Windows 10
- - Windows 11
- - Windows Server 2016 and above
sections:
- name: Ignored
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
similarity index 94%
rename from windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
index 3243fdb178..732e5e9c03 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
@@ -2,24 +2,13 @@
metadata:
title: BitLocker overview and requirements FAQ (Windows 10)
description: This article for IT professionals answers frequently asked questions concerning the requirements to use BitLocker.
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- audience: ITPro
ms.collection:
- highpri
- tier1
ms.topic: faq
ms.date: 11/08/2022
- ms.custom: bitlocker
title: BitLocker Overview and Requirements FAQ
-summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
+summary: |
sections:
- name: Ignored
@@ -39,7 +28,7 @@ sections:
- question: What are the BitLocker hardware and software requirements?
answer: |
- For requirements, see [System requirements](bitlocker-overview.md#system-requirements).
+ For requirements, see [System requirements](index.md#system-requirements).
> [!NOTE]
> Dynamic disks aren't supported by BitLocker. Dynamic data volumes won't be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it's a Dynamic disk, if it's a dynamic disk it can't be protected by BitLocker.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md
similarity index 99%
rename from windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md
index 39eb80e0aa..d5eb6c6c36 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -1,29 +1,15 @@
---
title: BitLocker recovery guide
description: This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS).
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-ms.reviewer: rafals
-manager: aaroncz
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
---
# BitLocker recovery guide
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
This article describes how to recover BitLocker keys from AD DS.
Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while planning for BitLocker deployment.
@@ -990,4 +976,4 @@ End Function
## Related articles
-- [BitLocker overview](bitlocker-overview.md)
+- [BitLocker overview](index.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-security-faq.yml
similarity index 92%
rename from windows/security/information-protection/bitlocker/bitlocker-security-faq.yml
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-security-faq.yml
index 8b53e2e639..90f7723f1e 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-security-faq.yml
@@ -2,23 +2,10 @@
metadata:
title: BitLocker Security FAQ
description: Learn more about how BitLocker security works. Browse frequently asked questions, such as, "What form of encryption does BitLocker use?"
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- audience: ITPro
ms.topic: faq
ms.date: 11/08/2022
- ms.custom: bitlocker
title: BitLocker Security FAQ
summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
-
-
sections:
- name: Ignored
questions:
diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-to-go-faq.yml
similarity index 82%
rename from windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-to-go-faq.yml
index c780b6ee5a..2b386d9937 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-to-go-faq.yml
@@ -2,20 +2,10 @@
metadata:
title: BitLocker To Go FAQ
description: "Learn more about BitLocker To Go"
- ms.prod: windows-client
- ms.technology: itpro-security
- ms.author: frankroj
- author: frankroj
- manager: aaroncz
- audience: ITPro
ms.topic: faq
ms.date: 11/08/2022
- ms.custom: bitlocker
title: BitLocker To Go FAQ
-summary: |
- **Applies to:**
- - Windows 10
-
+summary: |
sections:
- name: Ignored
@@ -28,7 +18,7 @@ sections:
- SD cards
- External hard disk drives
- Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.
-
+
Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements).
As with BitLocker, drives that are encrypted by BitLocker To Go can be opened by using a password or smart card on another computer. In Control Panel, use **BitLocker Drive Encryption**.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-upgrading-faq.yml
similarity index 93%
rename from windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-upgrading-faq.yml
index 13441d1f58..fba3beff7f 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-upgrading-faq.yml
@@ -2,21 +2,10 @@
metadata:
title: BitLocker Upgrading FAQ
description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?"
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
ms.topic: faq
ms.date: 11/08/2022
- ms.reviewer:
- ms.custom: bitlocker
title: BitLocker Upgrading FAQ
-summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
+summary: |
sections:
- name: Ignored
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
similarity index 98%
rename from windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index 9e538c4fef..393549ec10 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -1,29 +1,15 @@
---
title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker
description: This article for the IT professional describes how to use tools to manage BitLocker.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
This article for the IT professional describes how to use tools to manage BitLocker.
BitLocker Drive Encryption Tools include the command-line tools manage-bde and repair-bde and the BitLocker cmdlets for Windows PowerShell.
@@ -246,7 +232,7 @@ Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-
## Related articles
-- [BitLocker overview](bitlocker-overview.md)
+- [BitLocker overview](index.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
similarity index 94%
rename from windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
index e96cf15557..9698ad0735 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
@@ -1,19 +1,11 @@
---
title: BitLocker Use BitLocker Recovery Password Viewer
description: This article for the IT professional describes how to use the BitLocker Recovery Password Viewer.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# BitLocker: Use BitLocker Recovery Password Viewer
@@ -66,7 +58,7 @@ By completing the procedures in this scenario, the recovery passwords for a comp
## Related articles
-- [BitLocker Overview](bitlocker-overview.md)
+- [BitLocker Overview](index.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
similarity index 97%
rename from windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
index 4d0267a25a..92834f11e6 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
@@ -2,19 +2,10 @@
metadata:
title: Using BitLocker with other programs FAQ
description: Learn how to integrate BitLocker with other software on a device.
- ms.prod: windows-client
- ms.technology: itpro-security
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
ms.topic: faq
ms.date: 11/08/2022
title: Using BitLocker with other programs FAQ
summary: |
- **Applies to:**
- - Windows 10 and later
- - Windows Server 2016 and later
-
sections:
- name: Ignored
diff --git a/windows/security/information-protection/bitlocker/images/bitlockernetworkunlocksequence.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bitlockernetworkunlocksequence.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/bitlockernetworkunlocksequence.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/bitlockernetworkunlocksequence.png
diff --git a/windows/security/information-protection/bitlocker/images/bl-intune-custom-url.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bl-intune-custom-url.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/bl-intune-custom-url.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/bl-intune-custom-url.png
diff --git a/windows/security/information-protection/bitlocker/images/bl-narrator.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bl-narrator.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/bl-narrator.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/bl-narrator.png
diff --git a/windows/security/information-protection/bitlocker/images/bl-password-hint1.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bl-password-hint1.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/bl-password-hint1.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/bl-password-hint1.png
diff --git a/windows/security/information-protection/bitlocker/images/bl-password-hint2.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bl-password-hint2.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/bl-password-hint2.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/bl-password-hint2.png
diff --git a/windows/security/information-protection/bitlocker/images/kernel-dma-protection.png b/windows/security/operating-system-security/data-protection/bitlocker/images/kernel-dma-protection.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/kernel-dma-protection.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/kernel-dma-protection.png
diff --git a/windows/security/information-protection/bitlocker/images/manage-bde-status.png b/windows/security/operating-system-security/data-protection/bitlocker/images/manage-bde-status.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/manage-bde-status.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/manage-bde-status.png
diff --git a/windows/security/information-protection/bitlocker/images/pre-boot-authentication-group-policy.png b/windows/security/operating-system-security/data-protection/bitlocker/images/pre-boot-authentication-group-policy.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/pre-boot-authentication-group-policy.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/pre-boot-authentication-group-policy.png
diff --git a/windows/security/information-protection/bitlocker/images/rp-example1.png b/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example1.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/rp-example1.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/rp-example1.png
diff --git a/windows/security/information-protection/bitlocker/images/rp-example2.png b/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example2.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/rp-example2.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/rp-example2.png
diff --git a/windows/security/information-protection/bitlocker/images/rp-example3.png b/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example3.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/rp-example3.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/rp-example3.png
diff --git a/windows/security/information-protection/bitlocker/images/rp-example4.png b/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example4.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/rp-example4.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/rp-example4.png
diff --git a/windows/security/information-protection/bitlocker/images/rp-example5.png b/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example5.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/rp-example5.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/rp-example5.png
diff --git a/windows/security/information-protection/bitlocker/images/yes-icon.png b/windows/security/operating-system-security/data-protection/bitlocker/images/yes-icon.png
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/yes-icon.png
rename to windows/security/operating-system-security/data-protection/bitlocker/images/yes-icon.png
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/operating-system-security/data-protection/bitlocker/index.md
similarity index 96%
rename from windows/security/information-protection/bitlocker/bitlocker-overview.md
rename to windows/security/operating-system-security/data-protection/bitlocker/index.md
index 9f04e173a3..31b4e00f59 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/index.md
@@ -1,32 +1,17 @@
---
-title: BitLocker
+title: BitLocker overview
description: This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
-ms.author: frankroj
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-manager: aaroncz
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
-# BitLocker
-
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+# BitLocker overview
This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
-## BitLocker overview
-
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system was offline.
@@ -48,7 +33,7 @@ There are two additional tools in the Remote Server Administration Tools that ca
- **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the
BitLocker control panel, and they're appropriate to be used for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive can't be unlocked normally or by using the recovery console.
-[!INCLUDE [bitlocker](../../../../includes/licensing/bitlocker-enablement.md)]
+[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-enablement.md)]
## System requirements
diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
similarity index 97%
rename from windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
rename to windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
index 415ebdab44..49e91e44d0 100644
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -1,26 +1,12 @@
---
title: Prepare the organization for BitLocker Planning and policies
description: This article for the IT professional explains how can to plan for a BitLocker deployment.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# Prepare an organization for BitLocker: Planning and policies
-**Applies to:**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
This article for the IT professional explains how to plan BitLocker deployment.
When BitLocker deployment strategy is defined, define the appropriate policies and configuration requirements based on the business requirements of the organization. The following sections will help with collecting information. Use this information to help with the decision-making process about deploying and managing BitLocker systems.
@@ -199,9 +185,7 @@ On Windows Server 2012 R2 and Windows 8.1 and older, recovery passwords generate
## Related articles
-- [Trusted Platform Module](../tpm/trusted-platform-module-top-node.md)
-- [TPM Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
-- [BitLocker](bitlocker-overview.md)
+- [BitLocker](index.md)
- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
- [BitLocker basic deployment](bitlocker-basic-deployment.md)
diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
similarity index 98%
rename from windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
rename to windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
index 14934b6ab3..fd2168f6bb 100644
--- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
@@ -1,16 +1,8 @@
---
title: Protecting cluster shared volumes and storage area networks with BitLocker
description: This article for IT pros describes how to protect CSVs and SANs with BitLocker.
-ms.reviewer:
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
---
# Protecting cluster shared volumes and storage area networks with BitLocker
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/toc.yml b/windows/security/operating-system-security/data-protection/bitlocker/toc.yml
new file mode 100644
index 0000000000..1e5a30d744
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/toc.yml
@@ -0,0 +1,74 @@
+items:
+- name: Overview
+ href: index.md
+- name: BitLocker device encryption
+ href: bitlocker-device-encryption-overview-windows-10.md
+- name: BitLocker frequently asked questions (FAQ)
+ href: bitlocker-frequently-asked-questions.yml
+ items:
+ - name: Overview and requirements
+ href: bitlocker-overview-and-requirements-faq.yml
+ - name: Upgrading
+ href: bitlocker-upgrading-faq.yml
+ - name: Deployment and administration
+ href: bitlocker-deployment-and-administration-faq.yml
+ - name: Key management
+ href: bitlocker-key-management-faq.yml
+ - name: BitLocker To Go
+ href: bitlocker-to-go-faq.yml
+ - name: Active Directory Domain Services
+ href: bitlocker-and-adds-faq.yml
+ - name: Security
+ href: bitlocker-security-faq.yml
+ - name: BitLocker Network Unlock
+ href: bitlocker-network-unlock-faq.yml
+ - name: General
+ href: bitlocker-using-with-other-programs-faq.yml
+- name: "Prepare your organization for BitLocker: Planning and policies"
+ href: prepare-your-organization-for-bitlocker-planning-and-policies.md
+- name: BitLocker deployment comparison
+ href: bitlocker-deployment-comparison.md
+- name: BitLocker basic deployment
+ href: bitlocker-basic-deployment.md
+- name: Deploy BitLocker on Windows Server 2012 and later
+ href: bitlocker-how-to-deploy-on-windows-server.md
+- name: BitLocker management
+ href: bitlocker-management-for-enterprises.md
+- name: Enable Network Unlock with BitLocker
+ href: bitlocker-how-to-enable-network-unlock.md
+- name: Use BitLocker Drive Encryption Tools to manage BitLocker
+ href: bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+- name: Use BitLocker Recovery Password Viewer
+ href: bitlocker-use-bitlocker-recovery-password-viewer.md
+- name: BitLocker Group Policy settings
+ href: bitlocker-group-policy-settings.md
+- name: BCD settings and BitLocker
+ href: bcd-settings-and-bitlocker.md
+- name: BitLocker Recovery Guide
+ href: bitlocker-recovery-guide-plan.md
+- name: BitLocker Countermeasures
+ href: bitlocker-countermeasures.md
+- name: Protecting cluster shared volumes and storage area networks with BitLocker
+ href: protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+- name: Troubleshoot BitLocker
+ items:
+ - name: Troubleshoot BitLocker 🔗
+ href: /troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting
+ - name: "BitLocker cannot encrypt a drive: known issues 🔗"
+ href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues
+ - name: "Enforcing BitLocker policies by using Intune: known issues 🔗"
+ href: /troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues
+ - name: "BitLocker Network Unlock: known issues 🔗"
+ href: /troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues
+ - name: "BitLocker recovery: known issues 🔗"
+ href: /troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues
+ - name: "BitLocker configuration: known issues 🔗"
+ href: /troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues
+ - name: Troubleshoot BitLocker and TPM issues
+ items:
+ - name: "BitLocker cannot encrypt a drive: known TPM issues 🔗"
+ href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues
+ - name: "BitLocker and TPM: other known issues 🔗"
+ href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues
+ - name: Decode Measured Boot logs to track PCR changes 🔗
+ href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes
\ No newline at end of file
diff --git a/windows/security/operating-system-security/data-protection/configure-s-mime.md b/windows/security/operating-system-security/data-protection/configure-s-mime.md
index 578fd09c36..4d5e976fde 100644
--- a/windows/security/operating-system-security/data-protection/configure-s-mime.md
+++ b/windows/security/operating-system-security/data-protection/configure-s-mime.md
@@ -3,8 +3,6 @@ title: Configure S/MIME for Windows
description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them. Learn how to configure S/MIME for Windows.
ms.topic: how-to
ms.date: 05/31/2023
-author: paolomatarazzo
-ms.author: paoloma
---
diff --git a/windows/security/information-protection/encrypted-hard-drive.md b/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md
similarity index 96%
rename from windows/security/information-protection/encrypted-hard-drive.md
rename to windows/security/operating-system-security/data-protection/encrypted-hard-drive.md
index bb2fc98a8e..42e381d999 100644
--- a/windows/security/information-protection/encrypted-hard-drive.md
+++ b/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md
@@ -1,27 +1,12 @@
---
title: Encrypted Hard Drive
description: Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
-ms.reviewer:
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-author: frankroj
ms.date: 11/08/2022
-ms.technology: itpro-security
ms.topic: conceptual
---
# Encrypted Hard Drive
-*Applies to:*
-
-- Windows 10
-- Windows 11
-- Windows Server 2022
-- Windows Server 2019
-- Windows Server 2016
-- Azure Stack HCI
-
Encrypted hard drive uses the rapid encryption that is provided by BitLocker drive encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
@@ -48,7 +33,7 @@ Encrypted hard drives are supported natively in the operating system through the
If you're a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](/previous-versions/windows/hardware/design/dn653989(v=vs.85)).
-[!INCLUDE [encrypted-hard-drive](../../../includes/licensing/encrypted-hard-drive.md)]
+[!INCLUDE [encrypted-hard-drive](../../../../includes/licensing/encrypted-hard-drive.md)]
## System Requirements
diff --git a/windows/security/encryption-data-protection.md b/windows/security/operating-system-security/data-protection/index.md
similarity index 85%
rename from windows/security/encryption-data-protection.md
rename to windows/security/operating-system-security/data-protection/index.md
index 781c1f164d..b180e2ff7a 100644
--- a/windows/security/encryption-data-protection.md
+++ b/windows/security/operating-system-security/data-protection/index.md
@@ -1,13 +1,8 @@
---
title: Encryption and data protection in Windows
description: Get an overview encryption and data protection in Windows 11 and Windows 10
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
ms.topic: overview
ms.date: 09/22/2022
-ms.prod: windows-client
-ms.technology: itpro-security
ms.reviewer: rafals
---
@@ -45,10 +40,10 @@ Windows consistently improves data protection by improving existing options and
(*Applies to: Windows 11, version 22H2 and later*)
-[!INCLUDE [Personal Data Encryption (PDE) description](information-protection/personal-data-encryption/includes/pde-description.md)]
+[!INCLUDE [Personal Data Encryption (PDE) description](personal-data-encryption/includes/pde-description.md)]
## See also
-- [Encrypted Hard Drive](information-protection/encrypted-hard-drive.md)
-- [BitLocker](information-protection/bitlocker/bitlocker-overview.md)
-- [Personal Data Encryption (PDE)](information-protection/personal-data-encryption/overview-pde.md)
+- [Encrypted Hard Drive](encrypted-hard-drive.md)
+- [BitLocker](bitlocker/index.md)
+- [Personal Data Encryption (PDE)](personal-data-encryption/index.md)
diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md
similarity index 55%
rename from windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md
index 3aa684f0c2..fe2fb5b3e9 100644
--- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md
@@ -1,14 +1,7 @@
---
title: Configure Personal Data Encryption (PDE) in Intune
description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune
-author: frankroj
-ms.author: frankroj
-ms.reviewer: rhonnegowda
-manager: aaroncz
ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
ms.date: 03/13/2023
---
@@ -21,21 +14,17 @@ The various required and recommended policies needed for Personal Data Encryptio
## Required prerequisites
-1. [Enable Personal Data Encryption (PDE)](pde-in-intune/intune-enable-pde.md)
-
-1. [Disable Winlogon automatic restart sign-on (ARSO)](pde-in-intune/intune-disable-arso.md)
+1. [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
+1. [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
## Security hardening recommendations
-1. [Disable kernel-mode crash dumps and live dumps](pde-in-intune/intune-disable-memory-dumps.md)
-
-1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](pde-in-intune/intune-disable-wer.md)
-
-1. [Disable hibernation](pde-in-intune/intune-disable-hibernation.md)
-
-1. [Disable allowing users to select when a password is required when resuming from connected standby](pde-in-intune/intune-disable-password-connected-standby.md)
+1. [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
+1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
+1. [Disable hibernation](intune-disable-hibernation.md)
+1. [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## See also
-- [Personal Data Encryption (PDE)](overview-pde.md)
+- [Personal Data Encryption (PDE)](index.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml
similarity index 91%
rename from windows/security/information-protection/personal-data-encryption/faq-pde.yml
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml
index 01ba4b7b8e..0429e74204 100644
--- a/windows/security/information-protection/personal-data-encryption/faq-pde.yml
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml
@@ -3,19 +3,9 @@
metadata:
title: Frequently asked questions for Personal Data Encryption (PDE)
description: Answers to common questions regarding Personal Data Encryption (PDE).
- author: frankroj
- ms.author: frankroj
- ms.reviewer: rhonnegowda
- manager: aaroncz
ms.topic: faq
- ms.prod: windows-client
- ms.technology: itpro-security
- ms.localizationpriority: medium
ms.date: 03/13/2023
-# Max 5963468 OS 32516487
-# Max 6946251
-
title: Frequently asked questions for Personal Data Encryption (PDE)
summary: |
Here are some answers to common questions regarding Personal Data Encryption (PDE)
@@ -65,7 +55,7 @@ sections:
- question: Can users manually encrypt and decrypt files with PDE?
answer: |
- Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](overview-pde.md).
+ Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](index.md).
- question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected content?
answer: |
@@ -77,6 +67,6 @@ sections:
additionalContent: |
## See also
- - [Personal Data Encryption (PDE)](overview-pde.md)
+ - [Personal Data Encryption (PDE)](index.md)
- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
diff --git a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md
similarity index 70%
rename from windows/security/information-protection/personal-data-encryption/includes/pde-description.md
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md
index 1d6d83ff6c..b34908147d 100644
--- a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md
@@ -1,22 +1,14 @@
---
-title: Personal Data Encryption (PDE) description
-description: Personal Data Encryption (PDE) description include file
-
-author: frankroj
-ms.author: frankroj
-ms.reviewer: rhonnegowda
-manager: aaroncz
ms.topic: include
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
ms.date: 03/13/2023
---
-Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
+Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides more encryption capabilities to Windows.
+
+PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to content. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
similarity index 90%
rename from windows/security/information-protection/personal-data-encryption/overview-pde.md
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
index c7efa3d342..6538f524ec 100644
--- a/windows/security/information-protection/personal-data-encryption/overview-pde.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
@@ -1,44 +1,30 @@
---
title: Personal Data Encryption (PDE)
description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
-author: frankroj
-ms.author: frankroj
-ms.reviewer: rhonnegowda
-manager: aaroncz
ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
ms.date: 03/13/2023
---
-
-
-
# Personal Data Encryption (PDE)
-**Applies to:**
-
-- Windows 11, version 22H2 and later Enterprise and Education editions
-
[!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)]
-[!INCLUDE [personal-data-encryption-pde](../../../../includes/licensing/personal-data-encryption-pde.md)]
+[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)]
## Prerequisites
### Required
- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join)
-- [Windows Hello for Business](../../identity-protection/hello-for-business/hello-overview.md)
+- [Windows Hello for Business Overview](../../../identity-protection/hello-for-business/hello-overview.md)
- Windows 11, version 22H2 and later Enterprise and Education editions
### Not supported with PDE
- [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
- - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](pde-in-intune/intune-disable-arso.md).
-- [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md)
+ - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md).
+- [Protect your enterprise data using Windows Information Protection (WIP)](../../../information-protection/windows-information-protection/protect-enterprise-data-using-wip.md)
- [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
- Remote Desktop connections
@@ -46,15 +32,15 @@ ms.date: 03/13/2023
- [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies)
- Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](pde-in-intune/intune-disable-memory-dumps.md).
+ Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md).
- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting)
- Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](pde-in-intune/intune-disable-wer.md).
+ Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md).
- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
- Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](pde-in-intune/intune-disable-hibernation.md).
+ Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](intune-disable-hibernation.md).
- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock)
@@ -76,11 +62,11 @@ ms.date: 03/13/2023
Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
- For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](pde-in-intune/intune-disable-password-connected-standby.md).
+ For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md).
### Highly recommended
-- [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled
+- [BitLocker Drive Encryption](../bitlocker/index.md) enabled
Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker.
@@ -88,7 +74,7 @@ ms.date: 03/13/2023
In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost. In such scenarios, any content protected with PDE will no longer be accessible. The only way to recover such content would be from backup.
-- [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
+- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
Destructive PIN resets will cause keys used by PDE to protect content to be lost. A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
@@ -137,7 +123,7 @@ There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-c
> [!NOTE]
> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
-For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](pde-in-intune/intune-enable-pde.md).
+For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](intune-enable-pde.md).
## Differences between PDE and BitLocker
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md
similarity index 65%
rename from windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md
index 9781fb82d7..9fda445c43 100644
--- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md
@@ -1,15 +1,8 @@
---
title: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune
description: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune
-author: frankroj
-ms.author: frankroj
-ms.reviewer: rhonnegowda
-manager: aaroncz
ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
-ms.date: 03/13/2023
+ms.date: 06/01/2023
---
# Disable Winlogon automatic restart sign-on (ARSO) for PDE
@@ -20,81 +13,51 @@ Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal
To disable ARSO using Intune, follow the below steps:
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-1. In the **Home** screen, select **Devices** in the left pane.
-
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
-
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
-
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
+1. In the **Home** screen, select **Devices** in the left pane
+1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
+1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
-
- 1. Under **Platform**, select **Windows 10 and later**.
-
- 1. Under **Profile type**, select **Templates**.
-
- 1. When the templates appear, under **Template name**, select **Administrative templates**.
-
+ 1. Under **Platform**, select **Windows 10 and later**
+ 1. Under **Profile type**, select **Templates**
+ 1. When the templates appear, under **Template name**, select **Administrative templates**
1. Select **Create** to close the **Create profile** window.
-
1. The **Create profile** screen will open. In the **Basics** page:
-
- 1. Next to **Name**, enter **Disable ARSO**.
-
- 1. Next to **Description**, enter a description.
-
- 1. Select **Next**.
-
+ 1. Next to **Name**, enter **Disable ARSO**
+ 1. Next to **Description**, enter a description
+ 1. Select **Next**
1. In the **Configuration settings** page:
-
- 1. On the left pane of the page, make sure **Computer Configuration** is selected.
-
- 1. Under **Setting name**, scroll down and select **Windows Components**.
-
- 1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option.
-
- 1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart**.
-
- 1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**.
-
- 1. Select **Next**.
-
-1. In the **Scope tags** page, configure if necessary and then select **Next**.
-
+ 1. On the left pane of the page, make sure **Computer Configuration** is selected
+ 1. Under **Setting name**, scroll down and select **Windows Components**
+ 1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option
+ 1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart**
+ 1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**
+ 1. Select **Next**
+1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
-
- 1. Under **Included groups**, select **Add groups**.
-
+ 1. Under **Included groups**, select **Add groups**
> [!NOTE]
- >
> Make sure to select **Add groups** under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
-
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
-
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
-
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
+ 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
+ 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
+1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
-### Required prerequisites
+### Prerequisites
-- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
+- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
### Security hardening recommendations
-- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
-
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
-
-- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
-
-- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
+- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
+- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
+- [Disable hibernation](intune-disable-hibernation.md)
+- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
-- [Personal Data Encryption (PDE)](../overview-pde.md)
-- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
+- [Personal Data Encryption (PDE)](index.md)
+- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md
similarity index 60%
rename from windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md
index 19a5b9498e..ef18936b1b 100644
--- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md
@@ -1,14 +1,7 @@
---
title: Disable hibernation for PDE in Intune
description: Disable hibernation for PDE in Intune
-author: frankroj
-ms.author: frankroj
-ms.reviewer: rhonnegowda
-manager: aaroncz
ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
ms.date: 03/13/2023
---
@@ -20,79 +13,50 @@ Hibernation files can potentially cause the keys used by Personal Data Encryptio
To disable hibernation using Intune, follow the below steps:
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-1. In the **Home** screen, select **Devices** in the left pane.
-
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
-
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
-
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
+1. In the **Home** screen, select **Devices** in the left pane
+1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
+1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
-
- 1. Under **Platform**, select **Windows 10 and later**.
-
- 1. Under **Profile type**, select **Settings catalog**.
-
- 1. Select **Create** to close the **Create profile** window.
-
+ 1. Under **Platform**, select **Windows 10 and later**
+ 1. Under **Profile type**, select **Settings catalog**
+ 1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
-
- 1. Next to **Name**, enter **Disable Hibernation**.
-
- 1. Next to **Description**, enter a description.
-
- 1. Select **Next**.
-
+ 1. Next to **Name**, enter **Disable Hibernation**
+ 1. Next to **Description**, enter a description
+ 1. Select **Next**
1. In the **Configuration settings** page:
-
- 1. select **Add settings**.
-
+ 1. select **Add settings**
1. In the **Settings picker** window that opens:
-
- 1. Under **Browse by category**, scroll down and select **Power**.
-
- 1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window.
-
- 1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option.
-
- 1. Select **Next**.
-
-1. In the **Scope tags** page, configure if necessary and then select **Next**.
-
+ 1. Under **Browse by category**, scroll down and select **Power**
+ 1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
+ 1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option
+ 1. Select **Next**
+1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
-
- 1. Under **Included groups**, select **Add groups**.
-
+ 1. Under **Included groups**, select **Add groups**
> [!NOTE]
- >
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
-
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
-
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
-
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
+ 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
+ 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
+1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
-### Required prerequisites
+### Prerequisites
-- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
-
-- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
+- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
+- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
-- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
-
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
-
-- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
+- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
+- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
+- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
-- [Personal Data Encryption (PDE)](../overview-pde.md)
-- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
+- [Personal Data Encryption (PDE)](index.md)
+- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md
similarity index 67%
rename from windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md
index b9ab18802e..66a238e3c9 100644
--- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md
@@ -1,14 +1,7 @@
---
title: Disable kernel-mode crash dumps and live dumps for PDE in Intune
description: Disable kernel-mode crash dumps and live dumps for PDE in Intune
-author: frankroj
-ms.author: frankroj
-ms.reviewer: rhonnegowda
-manager: aaroncz
ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
ms.date: 03/13/2023
---
@@ -20,77 +13,49 @@ Kernel-mode crash dumps and live dumps can potentially cause the keys used by Pe
To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps:
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-1. In the **Home** screen, select **Devices** in the left pane.
-
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
-
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
-
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
+1. In the **Home** screen, select **Devices** in the left pane
+1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
+1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
-
- 1. Under **Platform**, select **Windows 10 and later**.
-
- 1. Under **Profile type**, select **Settings catalog**.
-
- 1. Select **Create** to close the **Create profile** window.
-
+ 1. Under **Platform**, select **Windows 10 and later**
+ 1. Under **Profile type**, select **Settings catalog**
+ 1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
-
- 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**.
-
+ 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**
1. Next to **Description**, enter a description.
-
- 1. Select **Next**.
-
+ 1. Select **Next**
1. In the **Configuration settings** page:
-
- 1. Select **Add settings**.
-
+ 1. Select **Add settings**
1. In the **Settings picker** window that opens:
-
- 1. Under **Browse by category**, scroll down and select **Memory Dump**.
-
- 1. When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window.
-
- 1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next**.
-
-1. In the **Scope tags** page, configure if necessary and then select **Next**.
-
+ 1. Under **Browse by category**, scroll down and select **Memory Dump**
+ 1. When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
+ 1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next**
+1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
-
- 1. Under **Included groups**, select **Add groups**.
-
+ 1. Under **Included groups**, select **Add groups**
> [!NOTE]
- >
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
-
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
-
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
-
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
+ 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
+ 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
+1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
-### Required prerequisites
+### Prerequisites
-- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
-
-- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
+- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
+- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
-
-- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
-
-- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
+- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
+- [Disable hibernation](intune-disable-hibernation.md)
+- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
-- [Personal Data Encryption (PDE)](../overview-pde.md)
-- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
+- [Personal Data Encryption (PDE)](index.md)
+- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md
similarity index 68%
rename from windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md
index d61d11a19c..4cf442e308 100644
--- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md
@@ -1,14 +1,7 @@
---
title: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune
description: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune
-author: frankroj
-ms.author: frankroj
-ms.reviewer: rhonnegowda
-manager: aaroncz
ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
ms.date: 03/13/2023
---
@@ -17,18 +10,12 @@ ms.date: 03/13/2023
When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different:
- On-premises Active Directory joined devices:
-
- - A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device.
-
- - A password is required immediately after the screen turns off.
-
- The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices.
-
+ - A user can't change the amount of time after the device's screen turns off before a password is required when waking the device
+ - A password is required immediately after the screen turns off
+ The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices
- Workgroup devices, including Azure AD joined devices:
-
- - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device.
-
- - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome.
+ - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device
+ - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome
Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
@@ -36,83 +23,54 @@ Because of this undesired outcome, it's recommended to explicitly disable this p
To disable the policy **Disable allowing users to select when a password is required when resuming from connected standby** using Intune, follow the below steps:
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-1. In the **Home** screen, select **Devices** in the left pane.
-
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
-
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
-
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
+1. In the **Home** screen, select **Devices** in the left pane
+1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
+1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
-
- 1. Under **Platform**, select **Windows 10 and later**.
-
- 1. Under **Profile type**, select **Settings catalog**.
-
- 1. Select **Create** to close the **Create profile** window.
-
+ 1. Under **Platform**, select **Windows 10 and later**
+ 1. Under **Profile type**, select **Settings catalog**
+ 1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
-
- 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**.
-
- 1. Next to **Description**, enter a description.
-
+ 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**
+ 1. Next to **Description**, enter a description
1. Select **Next**.
1. In the **Configuration settings** page:
-
- 1. Select **Add settings**.
-
+ 1. Select **Add settings**
1. In the **Settings picker** window that opens:
+ 1. Under **Browse by category**, expand **Administrative Templates**
+ 1. Under **Administrative Templates**, scroll down and expand **System**
+ 1. Under **System**, scroll down and select **Logon**
+ 1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
+ 1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**
+ 1. select **Next**
- 1. Under **Browse by category**, expand **Administrative Templates**.
-
- 1. Under **Administrative Templates**, scroll down and expand **System**.
-
- 1. Under **System**, scroll down and select **Logon**.
-
- 1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window.
-
- 1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**.
-
- 1. select **Next**.
-
-1. In the **Scope tags** page, configure if necessary and then select **Next**.
-
+1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
-
- 1. Under **Included groups**, select **Add groups**.
-
+ 1. Under **Included groups**, select **Add groups**
> [!NOTE]
- >
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
-
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
-
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
-
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
+ 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
+ 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
+1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
-### Required prerequisites
+### Prerequisites
-- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
-
-- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
+- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
+- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
-- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
-
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
-
-- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
+- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
+- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
+- [Disable hibernation](intune-disable-hibernation.md)
## More information
-- [Personal Data Encryption (PDE)](../overview-pde.md)
-- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
+- [Personal Data Encryption (PDE)](index.md)
+- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md
similarity index 64%
rename from windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md
index f4a795887a..39fe957317 100644
--- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md
@@ -1,14 +1,7 @@
---
title: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune
description: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune
-author: frankroj
-ms.author: frankroj
-ms.reviewer: rhonnegowda
-manager: aaroncz
ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
ms.date: 03/13/2023
---
@@ -20,83 +13,52 @@ Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode cras
To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps:
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-1. In the **Home** screen, select **Devices** in the left pane.
-
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
-
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
-
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
+1. In the **Home** screen, select **Devices** in the left pane
+1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
+1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
-
- 1. Under **Platform**, select **Windows 10 and later**.
-
- 1. Under **Profile type**, select **Settings catalog**.
-
- 1. Select **Create** to close the **Create profile** window.
-
+ 1. Under **Platform**, select **Windows 10 and later**
+ 1. Under **Profile type**, select **Settings catalog**
+ 1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
-
- 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**.
-
- 1. Next to **Description**, enter a description.
-
- 1. Select **Next**.
-
+ 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**
+ 1. Next to **Description**, enter a description
+ 1. Select **Next**
1. In the **Configuration settings** page:
-
- 1. Select **Add settings**.
-
+ 1. Select **Add settings**
1. In the **Settings picker** window that opens:
-
- 1. Under **Browse by category**, expand **Administrative Templates**.
-
- 1. Under **Administrative Templates**, scroll down and expand **Windows Components**.
-
- 1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it.
-
- 1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window.
-
- 1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option.
-
- 1. Select **Next**.
-
-1. In the **Scope tags** page, configure if necessary and then select **Next**.
-
+ 1. Under **Browse by category**, expand **Administrative Templates**
+ 1. Under **Administrative Templates**, scroll down and expand **Windows Components**
+ 1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it
+ 1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
+ 1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option
+ 1. Select **Next**
+1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
-
- 1. Under **Included groups**, select **Add groups**.
-
+ 1. Under **Included groups**, select **Add groups**
> [!NOTE]
- >
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
-
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
-
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
-
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
+ 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
+ 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
+1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
-### Required prerequisites
+### Prerequisites
-- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
-
-- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
+- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
+- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
-- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
-
-- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
-
-- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
+- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
+- [Disable hibernation](intune-disable-hibernation.md)
+- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
-- [Personal Data Encryption (PDE)](../overview-pde.md)
-- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
+- [Personal Data Encryption (PDE)](index.md)
+- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md
similarity index 62%
rename from windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md
index ac064684ca..795504237c 100644
--- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md
@@ -1,14 +1,7 @@
---
title: Enable Personal Data Encryption (PDE) in Intune
description: Enable Personal Data Encryption (PDE) in Intune
-author: frankroj
-ms.author: frankroj
-ms.reviewer: rhonnegowda
-manager: aaroncz
ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
ms.date: 03/13/2023
---
@@ -24,89 +17,54 @@ By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE
To enable Personal Data Encryption (PDE) using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-1. In the **Home** screen, select **Devices** in the left pane.
-
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
-
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
-
+1. In the **Home** screen, select **Devices** in the left pane
+1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
+1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
-
- 1. Under **Platform**, select **Windows 10 and later**.
-
- 1. Under **Profile type**, select **Templates**.
-
- 1. When the templates appears, under **Template name**, select **Custom**.
-
- 1. Select **Create** to close the **Create profile** window.
-
+ 1. Under **Platform**, select **Windows 10 and later**
+ 1. Under **Profile type**, select **Templates**
+ 1. When the templates appears, under **Template name**, select **Custom**
+ 1. Select **Create** to close the **Create profile** window
1. The **Custom** screen will open. In the **Basics** page:
-
- 1. Next to **Name**, enter **Personal Data Encryption**.
-
- 1. Next to **Description**, enter a description.
-
- 1. Select **Next**.
-
+ 1. Next to **Name**, enter **Personal Data Encryption**
+ 1. Next to **Description**, enter a description
+ 1. Select **Next**
1. In **Configuration settings** page:
-
- 1. Next to **OMA-URI Settings**, select **Add**.
-
+ 1. Next to **OMA-URI Settings**, select **Add**
1. In the **Add Row** window that opens:
-
- 1. Next to **Name**, enter **Personal Data Encryption**.
-
- 1. Next to **Description**, enter a description.
-
+ 1. Next to **Name**, enter **Personal Data Encryption**
+ 1. Next to **Description**, enter a description
1. Next to **OMA-URI**, enter in:
-
**`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`**
-
- 1. Next to **Data type**, select **Integer**.
-
- 1. Next to **Value**, enter in **1**.
-
- 1. Select **Save** to close the **Add Row** window.
-
- 1. Select **Next**.
-
+ 1. Next to **Data type**, select **Integer**
+ 1. Next to **Value**, enter in **1**
+ 1. Select **Save** to close the **Add Row** window
+ 1. Select **Next**
1. In the **Assignments** page:
-
- 1. Under **Included groups**, select **Add groups**.
-
+ 1. Under **Included groups**, select **Add groups**
> [!NOTE]
- >
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
-
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
-
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
-
-1. In **Applicability Rules**, configure if necessary and then select **Next**.
-
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
+ 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
+ 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
+1. In **Applicability Rules**, configure if necessary and then select **Next**
+1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
-### Required prerequisites
+### Prerequisites
-- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
+- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
-- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
-
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
-
-- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
-
-- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
+- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
+- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
+- [Disable hibernation](intune-disable-hibernation.md)
+- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
-- [Personal Data Encryption (PDE)](../overview-pde.md)
-- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
-
+- [Personal Data Encryption (PDE)](index.md)
+- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
new file mode 100644
index 0000000000..0bb7c66820
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
@@ -0,0 +1,19 @@
+items:
+- name: Overview
+ href: index.md
+- name: Configure PDE with Intune
+ href: configure-pde-in-intune.md
+- name: Enable Personal Data Encryption (PDE)
+ href: intune-enable-pde.md
+- name: Disable Winlogon automatic restart sign-on (ARSO) for PDE
+ href: intune-disable-arso.md
+- name: Disable kernel-mode crash dumps and live dumps for PDE
+ href: intune-disable-memory-dumps.md
+- name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
+ href: intune-disable-wer.md
+- name: Disable hibernation for PDE
+ href: intune-disable-hibernation.md
+- name: Disable allowing users to select when a password is required when resuming from connected standby for PDE
+ href: intune-disable-password-connected-standby.md
+- name: PDE frequently asked questions (FAQ)
+ href: faq-pde.yml
\ No newline at end of file
diff --git a/windows/security/operating-system-security/data-protection/toc.yml b/windows/security/operating-system-security/data-protection/toc.yml
index c85fb02887..18c78e5665 100644
--- a/windows/security/operating-system-security/data-protection/toc.yml
+++ b/windows/security/operating-system-security/data-protection/toc.yml
@@ -1,104 +1,12 @@
items:
- name: Overview
- href: ../../encryption-data-protection.md
+ href: index.md
- name: BitLocker
- href: ../../information-protection/bitlocker/bitlocker-overview.md
- items:
- - name: Overview of BitLocker Device Encryption in Windows
- href: ../../information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
- - name: BitLocker frequently asked questions (FAQ)
- href: ../../information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
- items:
- - name: Overview and requirements
- href: ../../information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
- - name: Upgrading
- href: ../../information-protection/bitlocker/bitlocker-upgrading-faq.yml
- - name: Deployment and administration
- href: ../../information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
- - name: Key management
- href: ../../information-protection/bitlocker/bitlocker-key-management-faq.yml
- - name: BitLocker To Go
- href: ../../information-protection/bitlocker/bitlocker-to-go-faq.yml
- - name: Active Directory Domain Services
- href: ../../information-protection/bitlocker/bitlocker-and-adds-faq.yml
- - name: Security
- href: ../../information-protection/bitlocker/bitlocker-security-faq.yml
- - name: BitLocker Network Unlock
- href: ../../information-protection/bitlocker/bitlocker-network-unlock-faq.yml
- - name: General
- href: ../../information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
- - name: "Prepare your organization for BitLocker: Planning and policies"
- href: ../../information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
- - name: BitLocker deployment comparison
- href: ../../information-protection/bitlocker/bitlocker-deployment-comparison.md
- - name: BitLocker basic deployment
- href: ../../information-protection/bitlocker/bitlocker-basic-deployment.md
- - name: Deploy BitLocker on Windows Server 2012 and later
- href: ../../information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
- - name: BitLocker management
- href: ../../information-protection/bitlocker/bitlocker-management-for-enterprises.md
- - name: Enable Network Unlock with BitLocker
- href: ../../information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
- - name: Use BitLocker Drive Encryption Tools to manage BitLocker
- href: ../../information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
- - name: Use BitLocker Recovery Password Viewer
- href: ../../information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
- - name: BitLocker Group Policy settings
- href: ../../information-protection/bitlocker/bitlocker-group-policy-settings.md
- - name: BCD settings and BitLocker
- href: ../../information-protection/bitlocker/bcd-settings-and-bitlocker.md
- - name: BitLocker Recovery Guide
- href: ../../information-protection/bitlocker/bitlocker-recovery-guide-plan.md
- - name: BitLocker Countermeasures
- href: ../../information-protection/bitlocker/bitlocker-countermeasures.md
- - name: Protecting cluster shared volumes and storage area networks with BitLocker
- href: ../../information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
- - name: Troubleshoot BitLocker
- items:
- - name: Troubleshoot BitLocker
- href: /troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting
- - name: "BitLocker cannot encrypt a drive: known issues"
- href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues
- - name: "Enforcing BitLocker policies by using Intune: known issues"
- href: /troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues
- - name: "BitLocker Network Unlock: known issues"
- href: /troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues
- - name: "BitLocker recovery: known issues"
- href: /troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues
- - name: "BitLocker configuration: known issues"
- href: /troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues
- - name: Troubleshoot BitLocker and TPM issues
- items:
- - name: "BitLocker cannot encrypt a drive: known TPM issues"
- href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues
- - name: "BitLocker and TPM: other known issues"
- href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues
- - name: Decode Measured Boot logs to track PCR changes
- href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes
+ href: bitlocker/toc.yml
- name: Encrypted Hard Drive
- href: ../../information-protection/encrypted-hard-drive.md
+ href: encrypted-hard-drive.md
- name: Personal Data Encryption (PDE)
- items:
- - name: Personal Data Encryption (PDE) overview
- href: ../../information-protection/personal-data-encryption/overview-pde.md
- - name: Personal Data Encryption (PDE) frequently asked questions (FAQ)
- href: ../../information-protection/personal-data-encryption/faq-pde.yml
- - name: Configure Personal Data Encryption (PDE) in Intune
- items:
- - name: Configure Personal Data Encryption (PDE) in Intune
- href: ../../information-protection/personal-data-encryption/configure-pde-in-intune.md
- - name: Enable Personal Data Encryption (PDE)
- href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md
- - name: Disable Winlogon automatic restart sign-on (ARSO) for PDE
- href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md
- - name: Disable kernel-mode crash dumps and live dumps for PDE
- href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md
- - name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
- href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md
- - name: Disable hibernation for PDE
- href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md
- - name: Disable allowing users to select when a password is required when resuming from connected standby for PDE
- href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md
+ href: personal-data-encryption/toc.yml
- name: Configure S/MIME for Windows
href: configure-s-mime.md
- name: Windows Information Protection (WIP)
diff --git a/windows/security/operating-system-security/index.md b/windows/security/operating-system-security/index.md
new file mode 100644
index 0000000000..7787d87aa3
--- /dev/null
+++ b/windows/security/operating-system-security/index.md
@@ -0,0 +1,16 @@
+---
+title: Windows operating system security
+description: Securing the operating system includes system security, encryption, network security, and threat protection.
+ms.date: 09/21/2021
+ms.topic: article
+---
+
+# Windows operating system security
+
+Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats.
+
+Watch the latest [Microsoft Mechanics Windows 11 security](https://youtu.be/tg9QUrnVFho) video that shows off some of the latest Windows 11 security technology.
+
+Use the links in the following sections to learn more about the operating system security features and capabilities in Windows.
+
+[!INCLUDE [operating-system-security](../includes/sections/operating-system.md)]
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
index 3dca76e27e..85ac1b4e02 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
@@ -7,7 +7,7 @@ ms.topic: conceptual
# VPN and conditional access
-The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.
+The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.
>[!NOTE]
>Conditional Access is an Azure AD Premium feature.
@@ -16,8 +16,8 @@ Conditional Access Platform components used for Device Compliance include the fo
- [Conditional Access Framework](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
- [Azure AD Connect Health](/azure/active-directory/connect-health/active-directory-aadconnect-health)
-- [Windows Health Attestation Service](../../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md#device-health-attestation) (optional)
-- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA.
+- [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional)
+- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA.
See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Azure AD for health validation before a new certificate is issued.
- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
@@ -79,19 +79,20 @@ When a VPNv2 Profile is configured with \
-
-| Security Measures | Features & Capabilities |
-|:---|:---|
-| Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows system boots up safely and securely.
Learn more [Secure Boot and Trusted Boot](trusted-boot.md). |
-Cryptography and certificate management|Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure.
Learn more about [Cryptography and certificate management](cryptography-certificate-mgmt.md).
|
-Windows Security app | The Windows built-in security application found in settings provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.
Learn more about the [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md).|
-| Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers.
Learn more about [Encryption](encryption-data-protection.md).
-| BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later.
Learn more about [BitLocker](information-protection/bitlocker/bitlocker-overview.md). |
-| Encrypted Hard Drive | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).|
-| S/MIME | S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with.
Learn more about [S/MIME for Windows](operating-system-security/data-protection/configure-s-mime.md).|
-| Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
Security baselines are included in the [Security Compliance Toolkit](threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.
Learn more about [security baselines](threat-protection/windows-security-configuration-framework/windows-security-baselines.md). |
-| Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.
Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md).
|
-| Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.
Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).
-| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.
From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (applications that can negatively impact your device even though they are not considered malware).
Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus), which helps ensure near-instant detection and blocking of new and emerging threats.
Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).|
-| Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server to prevent and block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure your attack surface reduction rules to protect against these risky behaviors.
Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) |
-| Anti-tampering protection | During cyber attacks (like ransomware attempts), bad actors attempt to disable security features, such as antivirus protection on targeted devices. Bad actors like to disable security features to get easier access to user's data, to install malware, or to otherwise exploit user's data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.
With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates
Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). |
-| Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an extra layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.
In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/), which provides detailed reporting into protection events as part of larger investigation scenarios.
Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). |
-| Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps' access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware.
Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). |
-| Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.
You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.
Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). |
-| Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.
Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) and [Microsoft 365 Defender](/microsoft-365/security/defender/). |
-
diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md
index eb76f1d581..14cccd81d4 100644
--- a/windows/security/threat-protection/auditing/audit-security-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-security-group-management.md
@@ -83,7 +83,7 @@ This subcategory allows you to audit events generated by changes to security gro
> [!IMPORTANT]
> Event 4754(S) generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
-- 4755(S): A security-enabled universal group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4737 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
+- 4755(S): A security-enabled universal group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4755 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
> [!IMPORTANT]
> Event 4755(S) generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
diff --git a/windows/security/threat-protection/images/community.png b/windows/security/threat-protection/images/community.png
deleted file mode 100644
index 8d99720c6e..0000000000
Binary files a/windows/security/threat-protection/images/community.png and /dev/null differ
diff --git a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
index 8d0ace0072..6dcfe5687d 100644
--- a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
@@ -1,93 +1,81 @@
---
-title: Configure security policy settings
+title: Configure security policy settings
description: Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.
-ms.assetid: 63b0967b-a9fe-4d92-90af-67469ee20320
-ms.reviewer:
ms.author: vinpa
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
-ms.collection:
- - highpri
- - tier3
+ms.collection:
+- highpri
+- tier3
ms.topic: conceptual
-ms.date: 04/19/2017
-ms.technology: itpro-security
+ms.date: 06/07/2023
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
+
# Configure security policy settings
-**Applies to**
-- Windows 11
-- Windows 10
-
-Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.
-
-You must have Administrators rights on the local device, or you must have the appropriate permissions to update a Group Policy Object (GPO) on the domain controller to perform these procedures.
+This article describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller. You must have Administrators rights on the local device, or you must have the appropriate permissions to update a Group Policy Object (GPO) on the domain controller to perform these procedures.
When a local setting is inaccessible, it indicates that a GPO currently controls that setting.
-## To configure a setting using the Local Security Policy console
+## To configure a setting using the Local Security Policy console
-1. To open Local Security Policy, on the **Start** screen, type **secpol.msc**, and then press ENTER.
-2. Under **Security Settings** of the console tree, do one of the following:
+1. To open Local Security Policy, on the **Start** screen, type **secpol.msc**, and then press ENTER.
+1. Under **Security Settings** of the console tree, do one of the following:
+ - Select **Account Policies** to edit the **Password Policy** or **Account Lockout Policy**.
+ - Select **Local Policies** to edit an **Audit Policy**, a **User Rights Assignment**, or **Security Options**.
+1. When you find the policy setting in the details pane, double-click the security policy that you want to modify.
+1. Modify the security policy setting, and then select **OK**.
- - Click **Account Policies** to edit the **Password Policy** or **Account Lockout Policy**.
- - Click **Local Policies** to edit an **Audit Policy**, a **User Rights Assignment**, or **Security Options**.
+> [!NOTE]
+>
+> - Some security policy settings require that the device be restarted before the setting takes effect.
+> - Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
-3. When you find the policy setting in the details pane, double-click the security policy that you want to modify.
-4. Modify the security policy setting, and then click **OK**.
-
- > [!NOTE]
- > - Some security policy settings require that the device be restarted before the setting takes effect.
- > - Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
-
-## To configure a security policy setting using the Local Group Policy Editor console
+## To configure a security policy setting using the Local Group Policy Editor console
You must have the appropriate permissions to install and use the Microsoft Management Console (MMC), and to update a Group Policy Object (GPO) on the domain controller to perform these procedures.
-1. Open the Local Group Policy Editor (gpedit.msc).
-2. In the console tree, click **Computer Configuration**, click **Windows Settings**, and then click **Security Settings**.
-3. Do one of the following:
+1. Open the Local Group Policy Editor (gpedit.msc).
+1. In the console tree, click **Computer Configuration**, select **Windows Settings**, and then select **Security Settings**.
+1. Do one of the following:
+ - Select **Account Policies** to edit the **Password Policy** or **Account Lockout Policy**.
+ - Select **Local Policies** to edit an **Audit Policy**, a **User Rights Assignment**, or **Security Options**.
+1. In the details pane, double-click the security policy setting that you want to modify.
- - Click **Account Policies** to edit the **Password Policy** or **Account Lockout Policy**.
- - Click **Local Policies** to edit an **Audit Policy**, a **User Rights Assignment**, or **Security Options**.
+ > [!NOTE]
+ > If this security policy has not yet been defined, select the **Define these policy settings** check box.
-4. In the details pane, double-click the security policy setting that you want to modify.
-
- > [!NOTE]
- > If this security policy has not yet been defined, select the **Define these policy settings** check box.
-
-5. Modify the security policy setting, and then click **OK**.
+1. Modify the security policy setting, and then select **OK**.
> [!NOTE]
> If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console.
-
-## To configure a setting for a domain controller
+
+## To configure a setting for a domain controller
The following procedure describes how to configure a security policy setting for only a domain controller (from the domain controller).
-1. To open the domain controller security policy, in the console tree, locate *GroupPolicyObject \[ComputerName\]* Policy, click **Computer Configuration**, click **Windows Settings**, and then click **Security Settings**.
-2. Do one of the following:
+1. To open the domain controller security policy, in the console tree, locate *GroupPolicyObject \[ComputerName\]* Policy, click **Computer Configuration**, click **Windows Settings**, and then click **Security Settings**.
+1. Do one of the following:
- - Double-click **Account Policies** to edit the **Password Policy**, **Account Lockout Policy**, or **Kerberos Policy**.
- - Click **Local Policies** to edit the **Audit Policy**, a **User Rights Assignment**, or **Security Options**.
+ - Double-click **Account Policies** to edit the **Password Policy**, **Account Lockout Policy**, or **Kerberos Policy**.
+ - Select **Local Policies** to edit the **Audit Policy**, a **User Rights Assignment**, or **Security Options**.
-3. In the details pane, double-click the security policy that you want to modify.
+1. In the details pane, double-click the security policy that you want to modify.
- > [!NOTE]
- > If this security policy has not yet been defined, select the **Define these policy settings** check box.
-
-4. Modify the security policy setting, and then click **OK**.
+ > [!NOTE]
+ > If this security policy has not yet been defined, select the **Define these policy settings** check box.
+
+1. Modify the security policy setting, and then select **OK**.
> [!IMPORTANT]
-> - Always test a newly created policy in a test organizational unit before you apply it to your network.
-> - When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings.
-
-## Related topics
+>
+> - Always test a newly created policy in a test organizational unit before you apply it to your network.
+> - When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings.
+
+## Related articles
- [Security policy settings reference](security-policy-settings-reference.md)
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
index f0c1ef0a6c..dbc99216c2 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
@@ -90,7 +90,7 @@ There are no security audit event policies that can be configured to view output
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
-NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the
+NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB relay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the
Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards.
### Vulnerability
diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
index a8b2882f5b..5829e660c8 100644
--- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
@@ -1,30 +1,22 @@
---
-title: Password must meet complexity requirements
+title: Password must meet complexity requirements
description: Describes the best practices, location, values, and security considerations for the Password must meet complexity requirements security policy setting.
-ms.assetid: 94482ae3-9dda-42df-9782-2f66196e6afe
-ms.reviewer:
ms.author: vinpa
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
-ms.collection:
- - highpri
- - tier3
+ms.collection:
+ - highpri
+ - tier3
ms.topic: conceptual
-ms.technology: itpro-security
-ms.date: 12/31/2017
+ms.date: 06/07/2023
---
# Password must meet complexity requirements
**Applies to**
-- Windows 11
-- Windows 10
+- Windows 11
+- Windows 10
Describes the best practices, location, values, and security considerations for the **Password must meet complexity requirements** security policy setting.
@@ -32,41 +24,39 @@ Describes the best practices, location, values, and security considerations for
The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of strong-password guidelines. When enabled, this setting requires passwords to meet the following requirements:
-1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither of these checks is case-sensitive.
+1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither of these checks is case-sensitive.
- The samAccountName is checked in its entirety only to determine whether it's part of the password. If the samAccountName is fewer than three characters long, this check is skipped.
- The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens aren't checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it's ignored. So, this user couldn't have a password that included either "erin" or "hagens" as a substring anywhere in the password.
+ The samAccountName is checked in its entirety only to determine whether it's part of the password. If the samAccountName is fewer than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens aren't checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it's ignored. So, this user couldn't have a password that included either "erin" or "hagens" as a substring anywhere in the password.
-2. The password contains characters from three of the following categories:
+2. The password contains characters from three of the following categories:
- - Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- - Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- - Base 10 digits (0 through 9)
- - Non-alphanumeric characters (special characters):
- (~!@#$%^&*_-+=`|\\(){}\[\]:;"'<>,.?/)
- Currency symbols such as the Euro or British Pound aren't counted as special characters for this policy setting.
- - Any Unicode character that's categorized as an alphabetic character but isn't uppercase or lowercase. This group includes Unicode characters from Asian languages.
+ - Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
+ - Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
+ - Base 10 digits (0 through 9)
+ - Non-alphanumeric characters (special characters): ``(~!@#$%^&*_-+=`|\\(){}\[\]:;"'<>,.?/)``
+ Currency symbols such as the Euro or British Pound aren't counted as special characters for this policy setting.
+ - Any Unicode character that's categorized as an alphabetic character but isn't uppercase or lowercase. This group includes Unicode characters from Asian languages.
Complexity requirements are enforced when passwords are changed or created.
-The rules that are included in the Windows Server password complexity requirements are part of Passfilt.dll, and they can't be directly modified.
+The rules that are included in the Windows Server password complexity requirements are part of `Passfilt.dll`, and they can't be directly modified.
When enabled, the default Passfilt.dll may cause some more Help Desk calls for locked-out accounts, because users are used to passwords that contain only characters that are in the alphabet. But this policy setting is liberal enough that all users should get used to it.
-Other settings that can be included in a custom Passfilt.dll are the use of non–upper-row characters. To type upper-row characters, you hold the SHIFT key and press one of any of the keys on the number row of the keyboard (from 1 through 9 and 0).
+Other settings that can be included in a custom `Passfilt.dll` are the use of non-upper-row characters. To type upper-row characters, you hold the SHIFT key and press one of any of the keys on the number row of the keyboard (from 1 through 9 and 0).
### Possible values
-- Enabled
-- Disabled
-- Not defined
+- Enabled
+- Disabled
+- Not defined
### Best practices
> [!TIP]
> For the latest best practices, see [Password Guidance](https://www.microsoft.com/research/publication/password-guidance).
-Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 159,238,157,238,528 different possibilities for a single password. This setting makes a brute force attack difficult, but still not impossible.
+Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 159,238,157,238,528 different possibilities for a single password. This setting makes a brute force attack difficult, but still not impossible.
The use of ALT key character combinations may greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements might result in unhappy users and an over-worked Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of that range can represent standard alphanumeric characters that don't add more complexity to the password.)
@@ -74,21 +64,21 @@ Short passwords that contain only alphanumeric characters are easy to compromise
### Location
-**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy**
+`Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy`
### Default values
The following table lists the actual and effective default policy values. Default values are also listed on the policy's property page.
-| Server type or Group Policy Object (GPO) | Default value |
-|---|---|
-| Default domain policy | Enabled |
-| Default domain controller policy | Enabled |
-| Stand-alone server default settings | Disabled |
-| Domain controller effective default settings | Enabled |
-| Member server effective default settings | Enabled|
-| Effective GPO default settings on client computers | Disabled |
-
+| Server type or Group Policy Object (GPO) | Default value |
+|----------------------------------------------------|---------------|
+| Default domain policy | Enabled |
+| Default domain controller policy | Enabled |
+| Stand-alone server default settings | Disabled |
+| Domain controller effective default settings | Enabled |
+| Member server effective default settings | Enabled |
+| Effective GPO default settings on client computers | Disabled |
+
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
@@ -107,9 +97,9 @@ When combined with a [Minimum password length](minimum-password-length.md) of 8,
If the default configuration for password complexity is kept, more Help Desk calls for locked-out accounts could occur because users might not be used to passwords that contain non-alphabetical characters, or they might have problems entering passwords that contain accented characters or symbols on keyboards with different layouts. However, all users should be able to follow the complexity requirement with minimal difficulty.
-If your organization has more stringent security requirements, you can create a custom version of the Passfilt.dll file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper-row symbols. (Upper-row symbols are those symbols that require you to press and hold the SHIFT key and then press any of the keys on the number row of the keyboard, from 1 through 9 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password doesn't contain common dictionary words or fragments.
+If your organization has more stringent security requirements, you can create a custom version of the `Passfilt.dll` file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper-row symbols. (Upper-row symbols are those symbols that require you to press and hold the SHIFT key and then press any of the keys on the number row of the keyboard, from 1 through 9 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password doesn't contain common dictionary words or fragments.
-The use of ALT key character combinations may greatly enhance the complexity of a password. However, such stringent password requirements might result in more Help Desk requests. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 0128–0159 range. (ALT characters outside of this range can represent standard alphanumeric characters that wouldn't add more complexity to the password.)
+The use of ALT key character combinations may greatly enhance the complexity of a password. However, such stringent password requirements might result in more Help Desk requests. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 0128-0159 range. (ALT characters outside of this range can represent standard alphanumeric characters that wouldn't add more complexity to the password.)
## Related articles
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
index 0400b53abf..0af1870a2a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
@@ -1,17 +1,12 @@
---
-title: Add rules for packaged apps to existing AppLocker rule-set
+title: Add rules for packaged apps to existing AppLocker rule-set
description: This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
-ms.assetid: 758c2a9f-c2a3-418c-83bc-fd335a94097f
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Add rules for packaged apps to existing AppLocker rule-set
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -32,6 +21,4 @@ This topic for IT professionals describes how to update your existing AppLocker
You can create packaged app rules for the computers running Windows Server 2012 or Windows 8 and later in your domain by updating your existing AppLocker rule set. All you need is a computer running at least Windows 8. Download and install the Remote Server Administration Toolkit (RSAT) from the Microsoft Download Center.
-RSAT comes with the Group Policy Management Console that allows you to edit the GPO or GPOs where your existing AppLocker policy is authored. RSAT has the necessary files required to author packaged app rules. Packaged app rules will be ignored on computers running Windows 7 and earlier but will be enforced on those computers in your domain running at least Windows Server 2012 and Windows 8.
-
-
+RSAT comes with the Group Policy Management Console that allows you to edit the GPO or GPOs where your existing AppLocker policy is authored. RSAT has the necessary files required to author packaged app rules. Packaged app rules will be ignored on computers running Windows 7 and earlier but will be enforced on those computers in your domain running at least Windows Server 2012 and Windows 8.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
index 3746acc1c8..6e41e6c5e2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
@@ -1,17 +1,12 @@
---
-title: Administer AppLocker
+title: Administer AppLocker
description: This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.
-ms.assetid: 511a3b6a-175f-4d6d-a6e0-c1780c02e818
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 02/28/2019
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Administer AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -62,7 +51,7 @@ You can administer AppLocker policies by using the Group Policy Management Conso
### Administer AppLocker using Group Policy
-You must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. Also, the Group Policy Management feature must be installed on the computer.
+You must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. Also, the Group Policy Management feature must be installed on the computer.
1. Open the Group Policy Management Console (GPMC).
2. Locate the GPO that contains the AppLocker policy to modify, right-click the GPO, and then click **Edit**.
@@ -76,4 +65,4 @@ You must have Edit Setting permission to edit a GPO. By default, members of the
## Using Windows PowerShell to administer AppLocker
-For how-to info about administering AppLocker with Windows PowerShell, see [Use the AppLocker Windows PowerShell Cmdlets](use-the-applocker-windows-powershell-cmdlets.md). For reference info and examples how to administer AppLocker with Windows PowerShell, see the [AppLocker cmdlets](/powershell/module/applocker/).
\ No newline at end of file
+For how-to info about administering AppLocker with Windows PowerShell, see [Use the AppLocker Windows PowerShell Cmdlets](use-the-applocker-windows-powershell-cmdlets.md). For reference info and examples how to administer AppLocker with Windows PowerShell, see the [AppLocker cmdlets](/powershell/module/applocker/).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md
index fee5823096..37127bd09f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md
@@ -1,17 +1,12 @@
---
-title: AppLocker architecture and components
+title: AppLocker architecture and components
description: This topic for IT professional describes AppLocker’s basic architecture and its major components.
-ms.assetid: efdd8494-553c-443f-bd5f-c8976535135a
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,16 +14,10 @@ ms.technology: itpro-security
# AppLocker architecture and components
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-This topic for IT professional describes AppLocker’s basic architecture and its major components.
+This topic for IT professional describes AppLocker's basic architecture and its major components.
AppLocker relies on the Application Identity service to provide attributes for a file and to evaluate the AppLocker policy for the file. AppLocker policies are conditional access control entries (ACEs), and policies are evaluated by using the attribute-based access control **SeAccessCheckWithSecurityAttributes** or **AuthzAccessCheck** functions.
@@ -49,5 +38,3 @@ Before a script file is run, the script host (for example, for .ps1 files, the s
## Related topics
- [AppLocker technical reference](applocker-technical-reference.md)
-
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md
index dccdeafe16..52acbce003 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md
@@ -1,17 +1,12 @@
---
-title: AppLocker functions
+title: AppLocker functions
description: This article for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.
-ms.assetid: bf704198-9e74-4731-8c5a-ee0512df34d2
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# AppLocker functions
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -32,7 +21,7 @@ This article for the IT professional lists the functions and security levels for
## Functions
-Here are the SRP functions beginning with Windows Server 2003 and AppLocker functions beginning with Windows Server 2008 R2:
+Here are the SRP functions beginning with Windows Server 2003 and AppLocker functions beginning with Windows Server 2008 R2:
- [SaferGetPolicyInformation Function](/windows/win32/api/winsafer/nf-winsafer-safergetpolicyinformation)
- [SaferCreateLevel Function](/windows/win32/api/winsafer/nf-winsafer-safercreatelevel)
@@ -61,4 +50,3 @@ AppLocker and SRP use the security level IDs to specify the access requirements
## Related articles
- [AppLocker technical reference](applocker-technical-reference.md)
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
index 238a5d1884..c13e82db76 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
@@ -1,93 +1,63 @@
---
-title: AppLocker
-description: This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies.
-ms.assetid: 94b57864-2112-43b6-96fb-2863c985dc9a
-ms.reviewer:
+title: AppLocker
+description: This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies.
ms.author: vinpa
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
-ms.collection:
- - highpri
- - tier3
+ms.collection:
+- highpri
+- tier3
ms.topic: conceptual
-ms.date: 10/16/2017
-ms.technology: itpro-security
+ms.localizationpriority: medium
+ms.date: 06/07/2023
---
# AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
+This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
> [!NOTE]
> AppLocker is unable to control processes running under the system account on any operating system.
AppLocker can help you:
-- Define rules based on file attributes that persist across app updates, such as the publisher name (derived from the digital signature), product name, file name, and file version. You can also create rules based on the file path and hash.
-- Assign a rule to a security group or an individual user.
-- Create exceptions to rules. For example, you can create a rule that allows all users to run all Windows binaries, except the Registry Editor (regedit.exe).
-- Use audit-only mode to deploy the policy and understand its impact before enforcing it.
-- Create rules on a staging server, test them, then export them to your production environment and import them into a Group Policy Object.
-- Simplify creating and managing AppLocker rules by using Windows PowerShell.
+- Define rules based on file attributes that persist across app updates, such as the publisher name (derived from the digital signature), product name, file name, and file version. You can also create rules based on the file path and hash.
+- Assign a rule to a security group or an individual user.
+- Create exceptions to rules. For example, you can create a rule that allows all users to run all Windows binaries, except the Registry Editor (regedit.exe).
+- Use audit-only mode to deploy the policy and understand its impact before enforcing it.
+- Create rules on a staging server, test them, then export them to your production environment and import them into a Group Policy Object.
+- Simplify creating and managing AppLocker rules by using Windows PowerShell.
AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of Help Desk calls that result from users running unapproved apps. AppLocker addresses the following app security scenarios:
-- **Application inventory**
-
- AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is registered in event logs. These events can be collected for further analysis. Windows PowerShell cmdlets also help you analyze this data programmatically.
-
-- **Protection against unwanted software**
-
- AppLocker has the ability to deny apps from running when you exclude them from the list of allowed apps. When AppLocker rules are enforced in the production environment, any apps that aren't included in the allowed rules are blocked from running.
-
-- **Licensing conformance**
-
- AppLocker can help you create rules that preclude unlicensed software from running and restrict licensed software to authorized users.
-
-- **Software standardization**
-
- AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This configuration permits a more uniform app deployment.
-
-- **Manageability improvement**
-
- AppLocker includes many improvements in manageability as compared to its predecessor Software Restriction Policies. Importing and exporting policies, automatic generation of rules from multiple files, audit-only mode deployment, and Windows PowerShell cmdlets are a few of the improvements over Software Restriction Policies.
-
+- **Application inventory**: AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is registered in event logs. These events can be collected for further analysis. Windows PowerShell cmdlets also help you analyze this data programmatically.
+- **Protection against unwanted software**: AppLocker has the ability to deny apps from running when you exclude them from the list of allowed apps. When AppLocker rules are enforced in the production environment, any apps that aren't included in the allowed rules are blocked from running.
+- **Licensing conformance**: AppLocker can help you create rules that preclude unlicensed software from running and restrict licensed software to authorized users.
+- **Software standardization**: AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This configuration permits a more uniform app deployment.
+- **Manageability improvement**: AppLocker includes many improvements in manageability as compared to its predecessor Software Restriction Policies. Importing and exporting policies, automatic generation of rules from multiple files, audit-only mode deployment, and Windows PowerShell cmdlets are a few of the improvements over Software Restriction Policies.
## When to use AppLocker
-In many organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. Access control technologies, such as Active Directory Rights Management Services (AD RMS) and access control lists (ACLs), help control what users are allowed to access.
+In many organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. Access control technologies, such as Active Directory Rights Management Services (AD RMS) and access control lists (ACLs), help control what users are allowed to access.
-However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software. AppLocker can help mitigate these types of security breaches by restricting the files that users or groups are allowed to run.
-Software publishers are beginning to create more apps that can be installed by non-administrative users. This privilege could jeopardize an organization's written security policy and circumvent traditional app control solutions that rely on the inability of users to install apps. AppLocker creates an allowed list of approved files and apps to help prevent such per-user apps from running. Because AppLocker can control DLLs, it's also useful to control who can install and run ActiveX controls.
+However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software. AppLocker can help mitigate these types of security breaches by restricting the files that users or groups are allowed to run. Software publishers are beginning to create more apps that can be installed by non-administrative users. This privilege could jeopardize an organization's written security policy and circumvent traditional app control solutions that rely on the inability of users to install apps. AppLocker creates an allowed list of approved files and apps to help prevent such per-user apps from running. Because AppLocker can control DLLs, it's also useful to control who can install and run ActiveX controls.
AppLocker is ideal for organizations that currently use Group Policy to manage their PCs.
The following are examples of scenarios in which AppLocker can be used:
-- Your organization's security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users.
-- An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
-- The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
-- The license to an app has been revoked or it's expired in your organization, so you need to prevent it from being used by everyone.
-- A new app or a new version of an app is deployed, and you need to prevent users from running the old version.
-- Specific software tools aren't allowed within the organization, or only specific users should have access to those tools.
-- A single user or small group of users needs to use a specific app that is denied for all others.
-- Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
-- In addition to other measures, you need to control the access to sensitive data through app usage.
+- Your organization's security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users.
+- An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
+- The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
+- The license to an app has been revoked or it's expired in your organization, so you need to prevent it from being used by everyone.
+- A new app or a new version of an app is deployed, and you need to prevent users from running the old version.
+- Specific software tools aren't allowed within the organization, or only specific users should have access to those tools.
+- A single user or small group of users needs to use a specific app that is denied for all others.
+- Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
+- In addition to other measures, you need to control the access to sensitive data through app usage.
> [!NOTE]
> AppLocker is a defense-in-depth security feature and not a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
@@ -99,8 +69,8 @@ AppLocker can help you protect the digital assets within your organization, redu
AppLocker is included with enterprise-level editions of Windows. You can author AppLocker rules for a single computer or for a group of computers. For a single computer, you can author the rules by using the Local Security Policy editor (secpol.msc). For a group of computers, you can author the rules within a Group Policy Object by using the Group Policy Management Console (GPMC).
> [!NOTE]
-> The GPMC is available in client computers running Windows only by installing the Remote Server Administration Tools. On computer running Windows Server, you must install the Group Policy Management feature.
-
+> GPMC is available in client computers running Windows only by installing the Remote Server Administration Tools. On computer running Windows Server, you must install the Group Policy Management feature.
+
### Using AppLocker on Server Core
AppLocker on Server Core installations isn't supported.
@@ -111,42 +81,38 @@ You can administer AppLocker policies by using a virtualized instance of Windows
### Security considerations
-Application control policies specify which apps are allowed to run on the local computer.
-
-The variety of forms that malicious software can take make it difficult for users to know what is safe to run. When activated, malicious software can damage content on a hard disk drive, flood a network with requests to cause a denial-of-service (DoS) attack, send confidential information to the Internet, or compromise the security of a computer.
+Application control policies specify which apps are allowed to run on the local computer. The variety of forms that malicious software can take make it difficult for users to know what is safe to run. When activated, malicious software can damage content on a hard disk drive, flood a network with requests to cause a denial-of-service (DoS) attack, send confidential information to the Internet, or compromise the security of a computer.
The countermeasure is to create a sound design for your application control policies on PCs in your organization, and then thoroughly test the policies in a lab environment before you deploy them in a production environment. AppLocker can be part of your app control strategy because you can control what software is allowed to run on your computers.
A flawed application control policy implementation can disable necessary applications or allow malicious or unintended software to run. Therefore, it's important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies.
-For more information about specific security issues, see [Security considerations for AppLocker](security-considerations-for-applocker.md).
+For more information about specific security issues, see [Security considerations for AppLocker](security-considerations-for-applocker.md). When you use AppLocker to create application control policies, you should be aware of the following security considerations:
-When you use AppLocker to create application control policies, you should be aware of the following security considerations:
-
-- Who has the rights to set AppLocker policies?
-- How do you validate that the policies are enforced?
-- What events should you audit?
+- Who has the rights to set AppLocker policies?
+- How do you validate that the policies are enforced?
+- What events should you audit?
For reference in your security planning, the following table identifies the baseline settings for a PC with AppLocker installed:
-| Setting | Default value |
-| - | - |
-| Accounts created | None |
-| Authentication method | Not applicable |
-| Management interfaces | AppLocker can be managed by using a Microsoft Management Console snap-in, Group Policy Management, and Windows PowerShell |
-| Ports opened | None |
+| Setting | Default value |
+|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
+| Accounts created | None |
+| Authentication method | Not applicable |
+| Management interfaces | AppLocker can be managed by using a Microsoft Management Console snap-in, Group Policy Management, and Windows PowerShell |
+| Ports opened | None |
| Minimum privileges required | Administrator on the local computer; Domain Admin, or any set of rights that allow you to create, edit and distribute Group Policy Objects. |
-| Protocols used | Not applicable |
-| Scheduled Tasks | Appidpolicyconverter.exe is put in a scheduled task to be run on demand. |
-| Security Policies | None required. AppLocker creates security policies. |
-| System Services required |Application Identity service (appidsvc) runs under LocalServiceAndNoImpersonation. |
-| Storage of credentials | None |
-
+| Protocols used | Not applicable |
+| Scheduled Tasks | Appidpolicyconverter.exe is put in a scheduled task to be run on demand. |
+| Security Policies | None required. AppLocker creates security policies. |
+| System Services required | Application Identity service (appidsvc) runs under LocalServiceAndNoImpersonation. |
+| Storage of credentials | None |
+
## In this section
-| Topic | Description |
-| - | - |
-| [Administer AppLocker](administer-applocker.md) | This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. |
-| [AppLocker design guide](applocker-policies-design-guide.md) | This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. |
-| [AppLocker deployment guide](applocker-policies-deployment-guide.md) | This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. |
-| [AppLocker technical reference](applocker-technical-reference.md) | This overview topic for IT professionals provides links to the topics in the technical reference. |
+| Article | Description |
+|----------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------|
+| [Administer AppLocker](administer-applocker.md) | This article for IT professionals provides links to specific procedures to use when administering AppLocker policies. |
+| [AppLocker design guide](applocker-policies-design-guide.md) | This article for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. |
+| [AppLocker deployment guide](applocker-policies-deployment-guide.md) | This article for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. |
+| [AppLocker technical reference](applocker-technical-reference.md) | This overview article for IT professionals provides links to the articles in the technical reference. |
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
index a651d67814..2c37794578 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
@@ -1,31 +1,19 @@
---
-title: AppLocker deployment guide
+title: AppLocker deployment guide
description: This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
-ms.assetid: 38632795-be13-46b0-a7af-487a4340bea1
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
---
-
# AppLocker deployment guide
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -63,4 +51,3 @@ This guide provides steps based on your design and planning investigation for de
| [Use Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md) | This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. |
| [Create Your AppLocker policies](create-your-applocker-policies.md) | This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. |
| [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) | This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. |
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
index 6aff5add05..0953e691f1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
@@ -1,17 +1,12 @@
---
-title: AppLocker design guide
+title: AppLocker design guide
description: This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
-ms.assetid: 1c8e4a7b-3164-4eb4-9277-11b1d5a09c7b
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# AppLocker design guide
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -46,6 +35,5 @@ To understand if AppLocker is the correct application control solution for your
| [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) | This overview topic describes the process to follow when you're planning to deploy AppLocker rules. |
| [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) | This topic describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. |
-
+
After careful design and detailed planning, the next step is to deploy AppLocker policies. [AppLocker Deployment Guide](applocker-policies-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies.
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
index 46d2994927..e4b467ac07 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
@@ -1,17 +1,12 @@
---
-title: AppLocker policy use scenarios
+title: AppLocker policy use scenarios
description: This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
-ms.assetid: 33f71578-89f0-4063-ac04-cf4f4ca5c31f
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# AppLocker policy use scenarios
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -71,5 +60,3 @@ The following are examples of scenarios in which AppLocker can be used:
## Related topics
- [AppLocker technical reference](applocker-technical-reference.md)
-
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
index 82be229c35..f9b3d75543 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
@@ -1,17 +1,12 @@
---
-title: AppLocker processes and interactions
+title: AppLocker processes and interactions
description: This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
-ms.assetid: 0beec616-6040-4be7-8703-b6c919755d8e
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# AppLocker processes and interactions
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md
index 4d62e1248b..2371faff67 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md
@@ -1,17 +1,12 @@
---
-title: AppLocker settings
+title: AppLocker settings
description: This topic for the IT professional lists the settings used by AppLocker.
-ms.assetid: 9cb4aa19-77c0-4415-9968-bd07dab86839
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# AppLocker settings
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md
index 24739dbfcd..a4e2b5c421 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md
@@ -1,17 +1,12 @@
---
-title: AppLocker technical reference
+title: AppLocker technical reference
description: This overview topic for IT professionals provides links to the topics in the technical reference.
-ms.assetid: 2b2678f8-c46b-4e1d-b8c5-037c0be255ab
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# AppLocker technical reference
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -39,9 +28,9 @@ AppLocker advances the application control features and functionality of Softwar
| [Requirements to use AppLocker](requirements-to-use-applocker.md) | This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. |
| [AppLocker policy use scenarios](applocker-policy-use-scenarios.md) | This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. |
| [How AppLocker works](how-applocker-works-techref.md) | This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. |
-| [AppLocker architecture and components](applocker-architecture-and-components.md) | This topic for IT professional describes AppLocker’s basic architecture and its major components. |
+| [AppLocker architecture and components](applocker-architecture-and-components.md) | This topic for IT professional describes AppLocker's basic architecture and its major components. |
| [AppLocker processes and interactions](applocker-processes-and-interactions.md) | This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. |
| [AppLocker functions](applocker-functions.md) | This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. |
| [Security considerations for AppLocker](security-considerations-for-applocker.md) | This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. |
| [Tools to Use with AppLocker](tools-to-use-with-applocker.md) | This topic for the IT professional describes the tools available to create and administer AppLocker policies. |
-| [AppLocker Settings](applocker-settings.md) | This topic for the IT professional lists the settings used by AppLocker. |
+| [AppLocker Settings](applocker-settings.md) | This topic for the IT professional lists the settings used by AppLocker. |
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
index db47a41ae0..762f500737 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
@@ -1,17 +1,12 @@
---
-title: Configure an AppLocker policy for audit only
+title: Configure an AppLocker policy for audit only
description: This topic for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker.
-ms.assetid: 10bc87d5-cc7f-4500-b7b3-9006e50afa50
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 06/08/2018
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Configure an AppLocker policy for audit only
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -33,7 +22,7 @@ This topic for IT professionals describes how to set AppLocker policies to **Aud
After AppLocker rules are created within the rule collection, you can configure the enforcement setting to **Enforce rules** or **Audit only**.
When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log.
-
+
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
**To audit rule collections**
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
index 0eaf785afa..5677e08745 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
@@ -1,17 +1,12 @@
---
-title: Configure an AppLocker policy for enforce rules
+title: Configure an AppLocker policy for enforce rules
description: This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.
-ms.assetid: 5dbbb290-a5ae-4f88-82b3-21e95972e66c
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,18 +14,12 @@ ms.technology: itpro-security
# Configure an AppLocker policy for enforce rules
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.
->**Note:** When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited.
+>**Note:** When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited.
For info about how AppLocker policies are applied within a GPO structure, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
index 2f81ecf9ea..d7fb5a0851 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
@@ -1,17 +1,12 @@
---
-title: Add exceptions for an AppLocker rule
+title: Add exceptions for an AppLocker rule
description: This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule.
-ms.assetid: d15c9d84-c14b-488d-9f48-bf31ff7ff0c5
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Add exceptions for an AppLocker rule
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -45,5 +34,3 @@ You can perform this task by using the Group Policy Management Console for an Ap
- For a path exception, choose the file or folder path to exclude, and then click **OK**.
- For a file hash exception, edit the file hash rule, and click **Remove**.
- For a packaged apps exception, click **Add** to create the exceptions based on reference app and rule scope.
-
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
index a9229d7b60..ad878e7040 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
@@ -1,17 +1,12 @@
---
-title: Configure the AppLocker reference device
+title: Configure the AppLocker reference device
description: This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer.
-ms.assetid: 034bd367-146d-4956-873c-e1e09e6fefee
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Configure the AppLocker reference device
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -39,13 +28,13 @@ An AppLocker reference device that is used for the development and deployment of
The reference device doesn't need to be joined to a domain, but it must be able to import and export AppLocker policies in XML format. The reference computer must be running one of the supported editions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md).
->**Warning:** Do not use operating system snapshots when creating AppLocker rules. If you take a snapshot of the operating system, install an app, create AppLocker rules, and then revert to a clean snapshot and repeat the process for another app, there is a chance that duplicate rule GUIDs can be created. If duplicate GUIDs are present, AppLocker policies will not work as expected.
+>**Warning:** Do not use operating system snapshots when creating AppLocker rules. If you take a snapshot of the operating system, install an app, create AppLocker rules, and then revert to a clean snapshot and repeat the process for another app, there is a chance that duplicate rule GUIDs can be created. If duplicate GUIDs are present, AppLocker policies will not work as expected.
**To configure a reference device**
1. If the operating system isn't already installed, install one of the supported editions of Windows on the device.
- >**Note:** If you have the Group Policy Management Console (GPMC) installed on another device to test your implementation of AppLocker policies, you can export the policies to that device
+ >**Note:** If you have the Group Policy Management Console (GPMC) installed on another device to test your implementation of AppLocker policies, you can export the policies to that device
2. Configure the administrator account.
@@ -59,5 +48,3 @@ The reference device doesn't need to be joined to a domain, but it must be able
- After you configure the reference computer, you can create the AppLocker rule collections. You can build, import, or automatically generate the rules. For procedures to do this task, see [Working with AppLocker rules](working-with-applocker-rules.md).
- [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
-
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
index 7b55776a9f..b9261a395b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
@@ -1,17 +1,12 @@
---
-title: Configure the Application Identity service
+title: Configure the Application Identity service
description: This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.
-ms.assetid: dc469599-37fd-448b-b23e-5b8e4f17e561
ms.reviewer:
ms.author: vinpa
-ms.pagetype: security
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 07/01/2021
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Configure the Application Identity service
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -32,7 +21,7 @@ This topic for IT professionals shows how to configure the Application Identity
The Application Identity service determines and verifies the identity of an app. Stopping this service will prevent AppLocker policies from being enforced.
->**Important:** When using Group Policy, you must configure it to start automatically in at least one Group Policy Object (GPO) that applies AppLocker rules. This is because AppLocker uses this service to verify the attributes of a file.
+>**Important:** When using Group Policy, you must configure it to start automatically in at least one Group Policy Object (GPO) that applies AppLocker rules. This is because AppLocker uses this service to verify the attributes of a file.
**To start the Application Identity service automatically using Group Policy**
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
index bda3579c22..357689283c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
@@ -1,17 +1,12 @@
---
-title: Create a rule for packaged apps
+title: Create a rule for packaged apps
description: This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.
-ms.assetid: e4ffd400-7860-47b3-9118-0e6853c3dfa0
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Create a rule for packaged apps
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -63,7 +52,7 @@ You can perform this task by using the Group Policy Management Console for an Ap
|Applies to a specific **Publisher** | This setting scopes the rule to all apps published by a particular publisher. | You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope. |
|Applies to a **Package name** | This setting scopes the rule to all packages that share the publisher name and package name as the reference file. | You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope. |
|Applies to a **Package version** | This setting scopes the rule to a particular version of the package. | You want to be selective in what you allow. You don't want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer. |
- |Applying custom values to the rule | Selecting the **Use custom values** check box allows you to adjust the scope fields for your particular circumstance. | You want to allow users to install all *Microsoft.Bing* applications, which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the **Use custom values** check box and edit the package name field by adding “Microsoft.Bing*” as the Package name. |
+ |Applying custom values to the rule | Selecting the **Use custom values** check box allows you to adjust the scope fields for your particular circumstance. | You want to allow users to install all *Microsoft.Bing* applications, which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the **Use custom values** check box and edit the package name field by adding "Microsoft.Bing*" as the Package name. |
6. Select **Next**.
7. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. These conditions allow you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
index f03d446082..592e0d0250 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
@@ -1,17 +1,12 @@
---
-title: Create a rule that uses a file hash condition
+title: Create a rule that uses a file hash condition
description: This topic for IT professionals shows how to create an AppLocker rule with a file hash condition.
-ms.assetid: eb3b3524-1b3b-4979-ba5a-0a0b1280c5c7
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Create a rule that uses a file hash condition
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -46,7 +35,7 @@ AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins
5. On the **Conditions** page, select the **File hash** rule condition, and then click **Next**.
6. **Browse Files** to locate the targeted application file.
- >**Note:** You can also click **Browse Folders** which calculates the hash for all the appropriate files relative to the rule collection. To remove hashes individually, click the **Remove** button.
-
+ >**Note:** You can also click **Browse Folders** which calculates the hash for all the appropriate files relative to the rule collection. To remove hashes individually, click the **Remove** button.
+
7. Click **Next**.
8. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
index c79af9cb24..019d399434 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
@@ -1,17 +1,12 @@
---
-title: Create a rule that uses a path condition
+title: Create a rule that uses a path condition
description: This topic for IT professionals shows how to create an AppLocker rule with a path condition.
-ms.assetid: 9b2093f5-5976-45fa-90c3-da1e0e845d95
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Create a rule that uses a path condition
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -32,7 +21,7 @@ This topic for IT professionals shows how to create an AppLocker rule with a pat
The path condition identifies an app by its location in the file system of the computer or on the network.
->**Important:** When creating a rule that uses a deny action, path conditions are less secure for preventing access to a file because a user could easily copy the file to a different location than what is specified in the rule. Because path rules correspond to locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file within C:\\ will be allowed to run, including users' profiles.
+>**Important:** When creating a rule that uses a deny action, path conditions are less secure for preventing access to a file because a user could easily copy the file to a different location than what is specified in the rule. Because path rules correspond to locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file within C:\\ will be allowed to run, including users' profiles.
For info about the path condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md).
@@ -47,7 +36,7 @@ You can perform this task by using the Group Policy Management Console for an Ap
5. On the **Conditions** page, select the **Path** rule condition, and then click **Next**.
6. Click **Browse Files** to locate the targeted folder for the app.
- >**Note:** When you browse to a file or folder location, the wizard automatically converts absolute file paths to use AppLocker path variables. You may edit the path after browsing to specify an absolute path, or you may type the path directly into the **Path** box. To learn more about AppLocker path variables, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md).
+ >**Note:** When you browse to a file or folder location, the wizard automatically converts absolute file paths to use AppLocker path variables. You may edit the path after browsing to specify an absolute path, or you may type the path directly into the **Path** box. To learn more about AppLocker path variables, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md).
7. Click **Next**.
8. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. Click **Next**.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
index 66440056c3..b7973d180c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
@@ -1,17 +1,12 @@
---
-title: Create a rule that uses a publisher condition
+title: Create a rule that uses a publisher condition
description: This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.
-ms.assetid: 345ad45f-2bc1-4c4c-946f-17804e29f55b
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Create a rule that uses a publisher condition
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md
index d9ad04fc74..a9b4962478 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md
@@ -1,17 +1,12 @@
---
-title: Create AppLocker default rules
+title: Create AppLocker default rules
description: This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.
-ms.assetid: 21e9dc68-a6f4-4ebe-ac28-4c66a7ab6e18
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Create AppLocker default rules
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
index 014f1edcd3..1811f0ba24 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
@@ -1,17 +1,12 @@
---
-title: Create a list of apps deployed to each business group
+title: Create a list of apps deployed to each business group
description: This topic describes the process of gathering app usage requirements from each business group to implement application control policies by using AppLocker.
-ms.assetid: d713aa07-d732-4bdc-8656-ba616d779321
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Create a list of apps deployed to each business group
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -81,5 +70,3 @@ For guidance, see the following topics:
- [Select the types of rules to create](select-types-of-rules-to-create.md)
- [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
-
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md
index d632badeea..5de5930086 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md
@@ -1,17 +1,12 @@
---
-title: Create Your AppLocker policies
+title: Create Your AppLocker policies
description: This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.
-ms.assetid: d339dee2-4da2-4d4a-b46e-f1dfb7cb4bf0
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Create Your AppLocker policies
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -44,7 +33,6 @@ You can develop an application control policy plan to guide you in making succes
6. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
7. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
-
## Step 2: Create your rules and rule collections
Each rule applies to one or more apps, and it imposes a specific rule condition on them. Rules can be created individually or they can be generated by the Automatically Generate Rules Wizard. For the steps to create the rules, see [Create Your AppLocker rules](create-your-applocker-rules.md).
@@ -64,7 +52,7 @@ In a test environment or with the enforcement setting set at **Audit only**, ver
## Step 6: Implement the policy
-Depending on your deployment method, import the AppLocker policy to the GPO in your production environment, or if the policy is already deployed, change the enforcement setting to your production environment value—**Enforce rules** or **Audit only**.
+Depending on your deployment method, import the AppLocker policy to the GPO in your production environment, or if the policy is already deployed, change the enforcement setting to your production environment value-**Enforce rules** or **Audit only**.
## Step 7: Test the effect of the policy and adjust
Validate the effect of the policy by analyzing the AppLocker logs for application usage, and then modify the policy as necessary. For information on how to do these tasks, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
@@ -80,4 +68,3 @@ Follow the steps described in the following topics to continue the deployment pr
## See also
- [AppLocker deployment guide](applocker-policies-deployment-guide.md)
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md
index 7f416d3255..5e05fb2c6e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md
@@ -1,17 +1,12 @@
---
-title: Create Your AppLocker rules
+title: Create Your AppLocker rules
description: This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules.
-ms.assetid: b684a3a5-929c-4f70-8742-04088022f232
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Create Your AppLocker rules
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -48,7 +37,7 @@ You can use a reference device to automatically create a set of default rules fo
You can create rules and set the mode to **Audit only** for each installed app, test and update each rule as necessary, and then deploy the policies. Creating rules individually might be best when you're targeting a few applications within a business group.
->**Note:** AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You can also edit the default rules. For information about creating the default rules for the Windows operating system, see [Create AppLocker default rules](create-applocker-default-rules.md).
+>**Note:** AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You can also edit the default rules. For information about creating the default rules for the Windows operating system, see [Create AppLocker default rules](create-applocker-default-rules.md).
For information about performing this task, see:
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
index 88f67e4728..e639e46f0b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
@@ -1,17 +1,12 @@
---
-title: Delete an AppLocker rule
+title: Delete an AppLocker rule
description: This article for IT professionals describes the steps to delete an AppLocker rule.
-ms.assetid: 382b4be3-0df9-4308-89b2-dcf9df351eb5
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 03/10/2023
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Delete an AppLocker rule
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
index 21b28d7b69..b01a4cb864 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
@@ -1,17 +1,12 @@
---
-title: Deploy AppLocker policies by using the enforce rules setting
+title: Deploy AppLocker policies by using the enforce rules setting
description: This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
-ms.assetid: fd3a3d25-ff3b-4060-8390-6262a90749ba
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Deploy AppLocker policies by using the enforce rules setting
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -51,7 +40,7 @@ Rule enforcement is applied only to a collection of rules, not to individual rul
You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the AppLocker policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the [Advanced Group Policy Management](https://go.microsoft.com/fwlink/p/?LinkId=145013) feature from the
Microsoft Desktop Optimization Pack.
->**Caution:** You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
+>**Caution:** You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
For the procedure to update the GPO, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md).
@@ -64,5 +53,3 @@ When a policy is deployed, it's important to monitor the actual implementation o
## Other resources
- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
-
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
index ae2ca63f83..bd454cbc25 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
@@ -1,17 +1,12 @@
---
-title: Deploy the AppLocker policy into production
+title: Deploy the AppLocker policy into production
description: This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.
-ms.assetid: ebbb1907-92dc-499e-8cee-8e637483c9ae
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Deploy the AppLocker policy into production
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
index 21bcfc2b31..75cb76fbb6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
@@ -1,17 +1,12 @@
---
-title: Determine the Group Policy structure and rule enforcement
+title: Determine the Group Policy structure and rule enforcement
description: This overview topic describes the process to follow when you're planning to deploy AppLocker rules.
-ms.assetid: f435fcbe-c7ac-4ef0-9702-729aab64163f
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Determine the Group Policy structure and rule enforcement
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -45,4 +34,4 @@ When you're determining how many Group Policy Objects (GPOs) to create when you
- GPO naming conventions
- GPO size limits
->**Note:** There is no default limit on the number of AppLocker rules that you can create. However, in Windows Server 2008 R2, GPOs have a 2 MB size limit for performance. In subsequent versions, that limit is raised to 100 MB.
+>**Note:** There is no default limit on the number of AppLocker rules that you can create. However, in Windows Server 2008 R2, GPOs have a 2 MB size limit for performance. In subsequent versions, that limit is raised to 100 MB.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
index 8308562822..aae68e89c5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
@@ -1,17 +1,12 @@
---
-title: Find digitally signed apps on a reference device
+title: Find digitally signed apps on a reference device
description: This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
-ms.assetid: 24609a6b-fdcb-4083-b234-73e23ff8bcb8
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Determine which apps are digitally signed on a reference device
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -46,5 +35,3 @@ For command parameters, syntax, and examples, see [Get-AppLockerFileInformation]
## Related topics
- [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
-
-
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
index 84e059c69f..bd8cd14419 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
@@ -1,17 +1,12 @@
---
-title: Determine your application control objectives
+title: Determine your application control objectives
description: Determine which applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.
-ms.assetid: 0e84003e-6095-46fb-8c4e-2065869bb53b
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Determine your application control objectives
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -42,7 +31,7 @@ Use the following table to develop your own objectives and determine which appli
|Policy creation|SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.|AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.
AppLocker permits customization of error messages to direct users to a Web page for help.|
|Policy maintenance|SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).|AppLocker policies can be updated by using the Local Security Policy snap-in, if the policies are created locally, or the GPMC, or the Windows PowerShell AppLocker cmdlets.|
|Policy application|SRP policies are distributed through Group Policy.|AppLocker policies are distributed through Group Policy.|
-|Enforcement mode|SRP works in the “blocklist mode” where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default.
SRP can also be configured in the “allowlist mode” such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|By default, AppLocker works in allowlist mode. Only those files are allowed to run for which there's a matching allow rule.|
+|Enforcement mode|SRP works in the "blocklist mode" where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default.
SRP can also be configured in the "allowlist mode" such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|By default, AppLocker works in allowlist mode. Only those files are allowed to run for which there's a matching allow rule.|
|File types that can be controlled|SRP can control the following file types:
SRP can't control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:
AppLocker maintains a separate rule collection for each of the five file types.|
|Designated file types|SRP supports an extensible list of file types that are considered executable. You can add extensions for files that should be considered executable.|AppLocker doesn't support this addition of extension. AppLocker currently supports the following file extensions:
Internet zone|AppLocker supports three types of rules:
SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker doesn't support security levels.|
|Manage Packaged apps and Packaged app installers.|Unable|.appx is a valid file type which AppLocker can manage.|
|Targeting a rule to a user or a group of users|SRP rules apply to all users on a particular computer.|AppLocker rules can be targeted to a specific user or a group of users.|
-|Support for rule exceptions|SRP doesn't support rule exceptions|AppLocker rules can have exceptions that allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.|
+|Support for rule exceptions|SRP doesn't support rule exceptions|AppLocker rules can have exceptions that allow administrators to create rules such as "Allow everything from Windows except for Regedit.exe".|
|Support for audit mode|SRP doesn't support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.|AppLocker supports audit mode that allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you're satisfied with the results, you can start enforcing the policy.|
|Support for exporting and importing policies|SRP doesn't support policy import/export.|AppLocker supports the importing and exporting of policies. This support by AppLocker allows you to create AppLocker policy on a sample computer, test it out and then export that policy and import it back into the desired GPO.|
|Rule enforcement|Internally, SRP rules enforcement happens in user-mode, which is less secure.|Internally, AppLocker rules for exes and dlls are enforced in kernel-mode, which is more secure than enforcing them in the user-mode.|
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
index a06323374d..050d675248 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
@@ -1,17 +1,12 @@
---
-title: Display a custom URL message when users try to run a blocked app
+title: Display a custom URL message when users try to run a blocked app
description: This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.
-ms.assetid: 9a2534a5-d1fa-48a9-93c6-989d4857cf85
ms.reviewer:
ms.author: vinpa
-ms.pagetype: security
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Display a custom URL message when users try to run a blocked app
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -32,7 +21,7 @@ This topic for IT professionals describes the steps for displaying a customized
With the help of Group Policy, AppLocker can be configured to display a message with a custom URL. You can use this URL to redirect users to a support site that contains info about why the user received the error and which apps are allowed. If you don't display a custom message when an app is blocked, the default access denied message is displayed.
-To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
+To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
**To display a custom URL message when users try to run a blocked app**
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
index 46473d9aea..641ee98a64 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
@@ -1,17 +1,12 @@
---
-title: DLL rules in AppLocker
+title: DLL rules in AppLocker
description: This topic describes the file formats and available default rules for the DLL rule collection.
-ms.assetid: a083fd08-c07e-4534-b0e7-1e15d932ce8f
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# DLL rules in AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
index 23268ed540..a99df09d89 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
@@ -1,30 +1,19 @@
---
-title: Document Group Policy structure & AppLocker rule enforcement
+title: Document Group Policy structure & AppLocker rule enforcement
description: This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.
-ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
-ms.pagetype: security
ms.date: 09/21/2017
ms.technology: itpro-security
---
# Document the Group Policy structure and AppLocker rule enforcement
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -49,13 +38,10 @@ The following table includes the sample data that was collected when you determi
||||Windows files|C:\Windows|Create a path exception to the default rule to exclude \Windows\Temp|Allow||
|Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|File is signed; create a publisher condition|Allow|HR-AppLockerHRRules|
||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File isn't signed; create a file hash condition|Allow||
-||||Internet Explorer 7|C:\Program Files\Internet Explorer
Emergency: Request through help desk|Through business office triage
30-day notice required|General policy: Keep past versions for 12 months
List policies for each application|Coordinated through business office
30-day notice required| |Human Resources|Planned: Monthly through HR triage
Emergency: Request through help desk|Through HR triage
30-day notice required|General policy: Keep past versions for 60 months
List policies for each application|Coordinated through HR
30-day notice required|
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
index 5aa365b37a..06168d1e9a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
@@ -1,17 +1,12 @@
---
-title: Refresh an AppLocker policy
+title: Refresh an AppLocker policy
description: This topic for IT professionals describes the steps to force an update for an AppLocker policy.
-ms.assetid: 3f24fcbc-3926-46b9-a1a2-dd036edab8a9
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Refresh an AppLocker policy
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -36,7 +25,7 @@ To use Group Policy to distribute the AppLocker policy change, you need to retri
[Edit an AppLocker policy](edit-an-applocker-policy.md) and [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md).
-To complete this procedure, you must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
+To complete this procedure, you must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
**To manually refresh the AppLocker policy by using Group Policy**
@@ -65,6 +54,6 @@ To make the same change on another device, you can use any of the following meth
- From the device that you made the change on, export the AppLocker policy, and then import the policy onto the other device. To do these tasks, use the AppLocker **Export Policy** and **Import Policy** features to copy the rules from the changed computer.
- >**Caution:** When importing rules from another computer, all the rules will be applied, not just the one that was updated. Merging policies allows both existing and updated (or new) rules to be applied.
-
+ >**Caution:** When importing rules from another computer, all the rules will be applied, not just the one that was updated. Merging policies allows both existing and updated (or new) rules to be applied.
+
- Merge AppLocker policies. For information on the procedures to do this merging, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) and [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
index 5df2060dbd..40579e3963 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
@@ -1,17 +1,12 @@
---
-title: Requirements for deploying AppLocker policies
+title: Requirements for deploying AppLocker policies
description: This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.
-ms.assetid: 3e55bda2-3cd7-42c7-bad3-c7dfbe193d48
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Requirements for deploying AppLocker policies
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
index 23c6363413..47b2d12aba 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
@@ -1,17 +1,12 @@
---
-title: Requirements to use AppLocker
+title: Requirements to use AppLocker
description: This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
-ms.assetid: dc380535-071e-4794-8f9d-e5d1858156f0
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2017
ms.technology: itpro-security
@@ -19,12 +14,6 @@ ms.technology: itpro-security
# Requirements to use AppLocker
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
@@ -47,21 +36,21 @@ The following table shows the Windows versions on which AppLocker features are s
| Version | Can be configured | Can be enforced | Available rules | Notes |
| - | - | - | - | - |
-| Windows 10 and Windows 11| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| Policies are supported on all editions Windows 10 version 2004 and newer with [KB 5024351](https://support.microsoft.com/help/5024351).
Windows versions older than version 2004, including Windows Server 2019: