From bea0ba71425301f85f6e1eda5c146ae29109c016 Mon Sep 17 00:00:00 2001
From: jsuther1974 <jsuther@microsoft.com>
Date: Wed, 14 Jun 2023 09:46:21 -0700
Subject: [PATCH 1/3] Add ARM deny rules for vulnerable HVCIScan

---
 .../microsoft-recommended-block-rules.md      | 24 +++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index 26b82ac4e8..3b7f22c1df 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -8,7 +8,7 @@ author: jsuther1974
 ms.reviewer: jgeurten
 ms.author: vinpa
 manager: aaroncz
-ms.date: 06/13/2023
+ms.date: 06/14/2023
 ms.topic: reference
 ---
 
@@ -118,7 +118,7 @@ The blocklist policy that follows includes "Allow all" rules for both kernel and
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
 <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
-  <VersionEx>10.1.0.1</VersionEx>
+  <VersionEx>10.1.0.2</VersionEx>
   <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
   <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
   <Rules>
@@ -163,6 +163,10 @@ The blocklist policy that follows includes "Allow all" rules for both kernel and
     <Deny ID="ID_DENY_HVCISCAN_AMD_2" FriendlyName="HVCIScan.exe with missing resources AMD Hash Sha256" Hash="4968BA3E491CF6471C5D1C6CBECE84294012298D8EB6D32C03E476892F34279C" />
     <Deny ID="ID_DENY_HVCISCAN_AMD_3" FriendlyName="HVCIScan.exe with missing resources AMD Hash Page Sha1" Hash="FCFA167F5F1FC88E0886132AB0B2E0C32B4B1BF5" />
     <Deny ID="ID_DENY_HVCISCAN_AMD_4" FriendlyName="HVCIScan.exe with missing resources AMD Hash Page Sha256" Hash="283F6E8998E7A20C68FFD8715E6F130EC7648055285883686336F5711DB1C978" />
+    <Deny ID="ID_DENY_HVCISCAN_ARM_1" FriendlyName="HVCIScan.exe with missing resources ARM Hash Sha1" Hash="A72B1B9554B682F9180E5051C1DA1F2601DCD773" />
+    <Deny ID="ID_DENY_HVCISCAN_ARM_2" FriendlyName="HVCIScan.exe with missing resources ARM Hash Sha256" Hash="AC399FA29FAB56F01F63B499766D489198021C54C000463342E0382AD3AF29BE" />
+    <Deny ID="ID_DENY_HVCISCAN_ARM_3" FriendlyName="HVCIScan.exe with missing resources ARM Hash Page Sha1" Hash="9FD720F1D4913073054D93CF446C9ADC7F0BA445" />
+    <Deny ID="ID_DENY_HVCISCAN_ARM_4" FriendlyName="HVCIScan.exe with missing resources ARM Hash Page Sha256" Hash="8CBB25C135FBB43C67F70E933C482A8F6DA9F37FF4761FA061BBD91B30CEFE17" />
     <Deny ID="ID_DENY_INFINSTALL" FriendlyName="infdefaultinstall.exe" FileName="infdefaultinstall.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
     <Deny ID="ID_DENY_INSTALLUTIL" FriendlyName="Microsoft InstallUtil" FileName="InstallUtil.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
     <Deny ID="ID_DENY_KD" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
@@ -1508,6 +1512,10 @@ The blocklist policy that follows includes "Allow all" rules for both kernel and
           <FileRuleRef RuleID="ID_DENY_HVCISCAN_AMD_2" />
           <FileRuleRef RuleID="ID_DENY_HVCISCAN_AMD_3" />
           <FileRuleRef RuleID="ID_DENY_HVCISCAN_AMD_4" />
+          <FileRuleRef RuleID="ID_DENY_HVCISCAN_ARM_1" />
+          <FileRuleRef RuleID="ID_DENY_HVCISCAN_ARM_2" />
+          <FileRuleRef RuleID="ID_DENY_HVCISCAN_ARM_3" />
+          <FileRuleRef RuleID="ID_DENY_HVCISCAN_ARM_4" />
         </FileRulesRef>
       </ProductSigners>
     </SigningScenario>
@@ -1515,6 +1523,18 @@ The blocklist policy that follows includes "Allow all" rules for both kernel and
   <UpdatePolicySigners />
   <CiSigners />
   <HvciOptions>0</HvciOptions>
+  <Settings>
+    <Setting Provider="PolicyInfo" Key="Information" ValueName="Name">
+      <Value>
+        <String>Microsoft Windows Recommended User Mode BlockList</String>
+      </Value>
+    </Setting>
+    <Setting Provider="PolicyInfo" Key="Information" ValueName="Id">
+      <Value>
+        <String>10.1.0.2</String>
+      </Value>
+    </Setting>
+  </Settings>
 </SiPolicy>
 ```
 

From 3291573c742c46887caebb690688aaadb228865f Mon Sep 17 00:00:00 2001
From: Andrew Nielsen <annielsen@microsoft.com>
Date: Wed, 14 Jun 2023 14:55:19 -0600
Subject: [PATCH 2/3] Clarified content around WDS as it relates to MDT.

---
 windows/deployment/wds-boot-support.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md
index 6849160ab4..9219e1e311 100644
--- a/windows/deployment/wds-boot-support.md
+++ b/windows/deployment/wds-boot-support.md
@@ -38,7 +38,7 @@ The table below provides support details for specific deployment scenarios. Boot
 
 ## Reason for the change
 
-Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provide a better, more flexible, and feature-rich experience for deploying Windows images.
+Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provides a better, more flexible, and feature-rich experience for deploying Windows images in certain scenarios. [Utilizing MDT with Windows 11 is not supported.](/mem/configmgr/mdt/known-issues.md).
 
 ## Not affected
 

From ef68d6c759dfdf293e3ef265e20fa1fdc7de8ca8 Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Wed, 14 Jun 2023 17:20:17 -0400
Subject: [PATCH 3/3] Reformat support statement

Reformat support statement
---
 windows/deployment/wds-boot-support.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md
index 9219e1e311..5c34ff5222 100644
--- a/windows/deployment/wds-boot-support.md
+++ b/windows/deployment/wds-boot-support.md
@@ -38,7 +38,11 @@ The table below provides support details for specific deployment scenarios. Boot
 
 ## Reason for the change
 
-Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provides a better, more flexible, and feature-rich experience for deploying Windows images in certain scenarios. [Utilizing MDT with Windows 11 is not supported.](/mem/configmgr/mdt/known-issues.md).
+Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provide a better, more flexible, and feature-rich experience for deploying Windows images.
+
+> [!NOTE]
+>
+> [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) only supports deployment of Windows 10. It doesn't support deployment of Windows 11. For more information, see [Supported platforms](/mem/configmgr/mdt/release-notes#supported-platforms).
 
 ## Not affected