diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
new file mode 100644
index 0000000000..4f8075ffce
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+ - name: New feedback experience
+ url: https://learn.microsoft.com/office/new-feedback
+ about: We’re transitioning our feedback experience away from GitHub Issues. For more information, select Open.
\ No newline at end of file
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 075a516838..0015a87b88 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -12,7 +12,8 @@
 "type_mapping": {
 "Conceptual": "Content",
 "ManagedReference": "Content",
- "RestApi": "Content"
+ "RestApi": "Content",
+ "ZonePivotGroups": "Toc"
 },
 "build_entry_point": "docs",
 "template_folder": "_themes"
@@ -90,6 +91,7 @@
 "moniker_ranges": [],
 "open_to_public_contributors": true,
 "type_mapping": {
+ "ZonePivotGroups": "Toc",
 "Conceptual": "Content",
 "ManagedReference": "Content",
 "RestApi": "Content"
@@ -106,6 +108,7 @@
 "moniker_ranges": [],
 "open_to_public_contributors": false,
 "type_mapping": {
+ "ZonePivotGroups": "Toc",
 "Conceptual": "Content",
 "ManagedReference": "Content",
 "RestApi": "Content"
@@ -122,6 +125,7 @@
 "moniker_ranges": [],
 "open_to_public_contributors": true,
 "type_mapping": {
+ "ZonePivotGroups": "Toc",
 "Conceptual": "Content",
 "ManagedReference": "Content",
 "RestApi": "Content"
@@ -138,6 +142,7 @@
 "moniker_ranges": [],
 "open_to_public_contributors": true,
 "type_mapping": {
+ "ZonePivotGroups": "Toc",
 "Conceptual": "Content",
 "ManagedReference": "Content",
 "RestApi": "Content"
@@ -170,6 +175,7 @@
 "moniker_ranges": [],
 "open_to_public_contributors": true,
 "type_mapping": {
+ "ZonePivotGroups": "Toc",
 "Conceptual": "Content",
 "ManagedReference": "Content",
 "RestApi": "Content"
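Review bot: The new config.yml is committed without a terminating newline (`\ No newline at end of file` after the `about:` line), which will show up as a spurious diff the next time anyone touches the file and trips some YAML linters. Adding the trailing newline is the only change needed; the five lines themselves are well-formed for a GitHub issue-template config.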
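Review bot: The `"ZonePivotGroups": "Toc"` mapping is placed inconsistently across the docsets in .openpublishing.publish.config.json: the first `type_mapping` hunk appends it after `"RestApi": "Content",`, while every later hunk (including the one that continues on the next line) inserts it before `"Conceptual"`. Key order carries no meaning in JSON, so this is a readability point only, but the existing entries are alphabetical and the prepended placement breaks that. I would use the first hunk's form everywhere: `"RestApi": "Content",` followed by `"ZonePivotGroups": "Toc"` as the last entry of each `type_mapping` object.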
@@ -186,6 +192,7 @@
 "moniker_ranges": [],
 "open_to_public_contributors": true,
 "type_mapping": {
+ "ZonePivotGroups": "Toc",
 "Conceptual": "Content",
 "ManagedReference": "Content",
 "RestApi": "Content"
diff --git a/.openpublishing.redirection.education.json b/.openpublishing.redirection.education.json
index 9b57ae9f30..f717d3e0a8 100644
--- a/.openpublishing.redirection.education.json
+++ b/.openpublishing.redirection.education.json
@@ -174,6 +174,31 @@
 "source_path": "education/windows/set-up-school-pcs-whats-new.md",
 "redirect_url": "/education/windows",
 "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/deploy-windows-10-in-a-school-district.md",
+ "redirect_url": "/education/windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/deploy-windows-10-in-a-school.md",
+ "redirect_url": "/education/windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/deploy-windows-10-overview.md",
+ "redirect_url": "/education/windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/chromebook-migration-guide.md",
+ "redirect_url": "/education/windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/autopilot-reset.md",
+ "redirect_url": "/autopilot/windows-autopilot-reset",
+ "redirect_document_id": false
 }
 ]
 }
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index df4ae61d44..ab61b600f3 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -2052,7 +2052,7 @@
 },
 {
 "source_path": "windows/deploy/sideload-apps-in-windows-10.md",
- "redirect_url": "/windows/application-management/sideload-apps-in-windows-10",
+ "redirect_url": "/windows/application-management/sideload-apps-in-windows",
 "redirect_document_id": false
 },
 {
diff --git a/.openpublishing.redirection.windows-application-management.json b/.openpublishing.redirection.windows-application-management.json
index 4b1866c772..b602d2f3f0 100644
--- a/.openpublishing.redirection.windows-application-management.json
+++ b/.openpublishing.redirection.windows-application-management.json
@@ -24,6 +24,11 @@
 "source_path": "windows/application-management/apps-in-windows-10.md",
 "redirect_url": "/windows/application-management/overview-windows-apps",
 "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/application-management/sideload-apps-in-windows-10.md",
+ "redirect_url": "/windows/application-management/sideload-apps-in-windows",
+ "redirect_document_id": false
 }
 ]
 }
diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json
index e573ac4d0a..d0bee7874b 100644
--- a/.openpublishing.redirection.windows-security.json
+++ b/.openpublishing.redirection.windows-security.json
@@ -15,6 +15,21 @@
 "redirect_url": "/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md",
+ "redirect_url": "/windows/security/operating-system-security/device-management/override-mitigation-options-for-app-related-security-policies",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md",
+ "redirect_url": "/windows/security/operating-system-security/device-management/block-untrusted-fonts-in-enterprise",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md",
+ "redirect_url": "/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/security//threat-protection/mbsa-removal-and-guidance.md",
 "redirect_url": "/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance",
@@ -177,7 +192,12 @@
 },
 {
 "source_path": "windows/security/hardware-protection/tpm/trusted-platform-module-top-node.md",
- "redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-top-node",
+ "redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-overview",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/hardware-security/tpm/trusted-platform-module-top-node.md",
+ "redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-overview",
 "redirect_document_id": false
 },
 {
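Review bot: The context entry directly below the three added redirects carries a doubled slash, `"source_path": "windows/security//threat-protection/mbsa-removal-and-guidance.md"`, and the commit leaves it untouched. If the publishing pipeline matches source paths literally (I cannot confirm that from the diff), that redirect never fires and the old MBSA URL falls through, so it is worth normalizing to `windows/security/threat-protection/mbsa-removal-and-guidance.md` while this block is being edited. The three new entries themselves match the shape of their neighbours, and the TPM hunk further down correctly repoints the older `trusted-platform-module-top-node.md` entry to the new overview target rather than leaving it to chain through the added one.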
@@ -4555,6 +4575,11 @@
 "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-settings",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-settings.md",
+ "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md",
 "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-technical-reference",
@@ -4655,6 +4680,11 @@
 "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-your-application-control-objectives",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-your-application-control-objectives.md",
+ "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md",
 "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application",
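Review bot: Each new entry in this hunk creates a two-hop redirect chain: the existing entry just above still sends the legacy `threat-protection/.../applocker/applocker-settings.md` path to `.../applocker/applocker-settings`, and the added entry then sends that path on to `.../applocker/applocker-overview`; the same holds for `determine-your-application-control-objectives` in the second hunk and for the `understand-applocker-enforcement-settings`, `use-applocker-and-software-restriction-policies-in-the-same-domain` and `using-software-restriction-policies-and-applocker-policies` hunks on the next two lines. The TPM hunk earlier in this file shows the better pattern, updating the older entry's target alongside adding the new one, so here the preceding entry's `"redirect_url"` should be repointed to the final destination (for this hunk, `/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview`) and likewise for the other four. Whether the publishing system collapses chains automatically I cannot tell from the diff; a direct target is correct either way and avoids a retired intermediate URL being kept alive only as a hop.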
@@ -4825,6 +4855,11 @@
 "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-enforcement-settings",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md",
+ "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules#enforcement-modes",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md",
 "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions",
@@ -4895,6 +4930,11 @@
 "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/application-security/application-control/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md",
+ "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/wdac",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md",
 "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets",
@@ -4910,6 +4950,11 @@
 "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/application-security/application-control/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md",
+ "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/wdac",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md",
 "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker",
@@ -6842,7 +6887,7 @@
 },
 {
 "source_path": "windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md",
- "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log",
+ "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-logging",
 "redirect_document_id": false
 },
 {
@@ -6925,11 +6970,6 @@
 "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo",
 "redirect_document_id": false
 },
- {
- "source_path": "windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md",
- "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy",
- "redirect_document_id": false
- },
 {
 "source_path": "windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md",
 "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/determining-the-trusted-state-of-your-devices",
@@ -7077,7 +7117,7 @@
 },
 {
 "source_path": "windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md",
- "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/isolating-apps-on-your-network",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831418(v=ws.11)",
 "redirect_document_id": false
 },
 {
@@ -7479,6 +7519,711 @@ "source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md", "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker#device-encryption", "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/basic-firewall-policy-design.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj721530(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/boundary-zone.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc725978(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/boundary-zone-gpos.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770729(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731463(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design-example.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771822(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/documenting-the-zones.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753825(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/operating-system-security/network-security/windows-firewall/domain-isolation-policy-design.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc725818(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/domain-isolation-policy-design-example.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732933(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/encryption-zone.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753367(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/encryption-zone-gpos.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770426(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/exemption-list.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732202(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/firewall-gpos.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771233(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/firewall-policy-design-example.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731164(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-boundary.md", + 
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770565(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-encryption.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754085(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-firewall.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731123(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-isolateddomain-clients.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770836(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-isolateddomain-servers.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731908(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/isolated-domain.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731788(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/isolated-domain-gpos.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731447(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj721532(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-certificate-based-authentication.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc730835(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-domain-isolation-zones.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771044(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-gpo-deployment.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771733(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732752(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-isolation-groups-for-the-zones.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc725693(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-network-access-groups.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771664(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-server-isolation-zones.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732615(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-settings-for-a-basic-firewall-policy.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754986(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-the-gpos.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771716(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947826(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc730841(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/server-isolation-gpos.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732486(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj721528(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design-example.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732413(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770289(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-basic-firewall-settings.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947845(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947794(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947848(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947836(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947800(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947783(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947791(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947799(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947827(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947819(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717261(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717238(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717284(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717277(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732023(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717256(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/protect-devices-from-unwanted-network-traffic.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc772556(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770865(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-specified-users-or-devices.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753064(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-trusted-devices.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc725659(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731951(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717241(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-design-guide.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732024(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717262(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717263(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717260(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/change-rules-from-request-to-require-mode.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717237(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-authentication-methods.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717279(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-data-protection-quick-mode-settings.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717293(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717253(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-key-exchange-main-mode-settings.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717249(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/operating-system-security/network-security/windows-firewall/configure-the-rules-to-require-encryption.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717270(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-the-workstation-authentication-certificate-template.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717275(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717278(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/confirm-that-certificates-are-deployed-correctly.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717245(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717246(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-a-group-account-in-active-directory.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717247(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717274(v=ws.11)", 
+ "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-exemption-list-rule.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717243(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-request-rule.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717283(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717288(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/enable-predefined-inbound-rules.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717281(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/enable-predefined-outbound-rules.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717259(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/exempt-icmp-from-authentication.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717292(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/link-the-gpo-to-the-domain.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717264(v=ws.11)", + "redirect_document_id": false + }, + 
{ + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717265(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717290(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717269(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717266(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/open-windows-firewall-with-advanced-security.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717254(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/restrict-server-access-to-members-of-a-group-only.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717267(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/operating-system-security/network-security/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717251(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/verify-that-network-traffic-is-authenticated.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717273(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-the-information-you-need.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731454(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-current-network-infrastructure.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770899(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-active-directory-deployment.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771366(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-devices.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc726039(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-other-relevant-information.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771791(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/determining-the-trusted-state-of-your-devices.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753540(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md", + "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-inbound-rules-to-support-rpc.md", + "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-outbound-program-or-service-rule.md", + "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-outbound-port-rule.md", + "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-program-or-service-rule.md", + "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule.md", + "redirect_url": 
"/windows/security/operating-system-security/network-security/windows-firewall/configure", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-icmp-rule.md", + "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall-with-advanced-security-administration-with-windows-powershell.md", + "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md", + "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md", + "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md", + "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831807(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md", + "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/isolating-apps-on-your-network.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831418(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md", + "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-logging", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-windows-firewall-rules-in-intune.md", + "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/firewall-settings-lost-on-upgrade.md", + "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/rdp-sign-in", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/rdp-sign-in", + "redirect_document_id": false + }, + { + "source_path": "windows/security/security-foundations/msft-security-dev-lifecycle.md", + "redirect_url": 
"/compliance/assurance/assurance-microsoft-security-development-lifecycle", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/pin-reset", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md", + "redirect_url": "/windows-server/administration/performance-tuning/role/active-directory-server/capacity-planning-for-active-directory-domain-services", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-mfa", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md", + "redirect_url": 
"/windows/security/identity-protection/hello-for-business/deploy/cloud", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-deployment-guide.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-mfa", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-identity-verification.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/requirements", + "redirect_document_id": false } ] } \ No newline at end of file diff --git a/browsers/edge/microsoft-edge.yml b/browsers/edge/microsoft-edge.yml index e95c203c60..addd4468b1 100644 --- a/browsers/edge/microsoft-edge.yml +++ b/browsers/edge/microsoft-edge.yml @@ -40,14 +40,6 @@ landingContent: - text: Evaluate the impact url: ./microsoft-edge-forrester.md - # Card (optional) - - title: Test your site on Microsoft Edge - linkLists: - - linkListType: overview - links: - - text: Test your site on Microsoft Edge for free on BrowserStack - url: https://developer.microsoft.com/microsoft-edge/tools/remote/ - # Card (optional) - title: Improve compatibility with Enterprise Mode linkLists: diff --git a/education/breadcrumb/toc.yml b/education/breadcrumb/toc.yml index 211570e4b0..3ccb28392f 100644 --- a/education/breadcrumb/toc.yml +++ b/education/breadcrumb/toc.yml @@ -1,3 +1,4 @@ +items: - name: Windows tocHref: /windows/ topicHref: /windows/index 
diff --git a/education/docfx.json b/education/docfx.json
index 894dbe7e86..60af34def4 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -42,9 +42,8 @@
"ms.localizationpriority": "medium",
"breadcrumb_path": "/education/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-Windows",
- "feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
+ "feedback_system": "Standard",
+ "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.education",
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
index dc91fc136e..9a93fa8064 100644
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@@ -2,13 +2,13 @@
-## Week of November 06, 2023
+## Week of December 11, 2023
| Published On |Topic title | Change |
|------|------------|--------|
-| 11/7/2023 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified |
-| 11/9/2023 | [Configure Stickers for Windows 11 SE](/education/windows/edu-stickers) | modified |
-| 11/9/2023 | What's new in the Windows Set up School PCs app | removed |
-| 11/9/2023 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | modified |
-| 11/9/2023 | [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) | modified |
+| 12/12/2023 | Chromebook migration guide | removed |
+| 12/12/2023 | Deploy Windows 10 in a school district | removed |
+| 12/12/2023 | Deploy Windows 10 in a school | removed |
+| 12/12/2023 | Windows 10 for Education | removed |
+| 12/12/2023 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified |
diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md
deleted file mode 100644
index 7b14deeb86..0000000000
--- a/education/windows/autopilot-reset.md
+++ /dev/null
@@ -1,105 +0,0 @@ ---- -title: Reset devices with Autopilot Reset -description: Learn about Autopilot Reset and how to enable and use it. -ms.date: 08/10/2022 -ms.topic: how-to -appliesto: - - ✅ Windows 10 -ms.collection: - - highpri - - tier2 - - education ---- - -# Reset devices with Autopilot Reset - -IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen anytime and apply original settings and management enrollment (Microsoft Entra ID and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state. - -To enable Autopilot Reset, you must: - -1. [Enable the policy for the feature](#enable-autopilot-reset) -2. [Trigger a reset for each device](#trigger-autopilot-reset) - -## Enable Autopilot Reset - -To use Autopilot Reset, Windows Recovery Environment (WinRE) must be enabled on the device. - -**DisableAutomaticReDeploymentCredentials** is a policy that enables or disables the visibility of the credentials for Autopilot Reset. It's a policy node in the [Policy CSP](/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, this policy is set to 1 (Disable). This setting ensures that Autopilot Reset isn't triggered by accident. - -You can set the policy using one of these methods: - -- MDM provider - - Check your MDM provider documentation on how to set this policy. If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set. - - For example, in Intune, create a new configuration policy and add an OMA-URI. 
- - OMA-URI: ./Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials - - Data type: Integer - - Value: 0 - -- Windows Configuration Designer - - You can [use Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting and create a provisioning package. - -- Set up School PCs app - - Autopilot Reset in the Set up School PCs app is available in the latest release of the app. Make sure you're running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. You can check the version several ways: - - - Reach out to your device manufacturer. - - - If you manage your PCs using Intune or Intune for Education, you can check the OS version by checking the **OS version** info for the device. If you're using another MDM provider, check the documentation for the MDM provider to confirm the OS version. - - - Log into the PCs, go to the **Settings > System > About** page, look in the **Windows specifications** section and confirm **Version** is set to 1709. - - To use the Autopilot Reset setting in the Set up School PCs app: - - - When using [Set up School PCs](use-set-up-school-pcs-app.md), in the **Configure student PC settings** screen, select **Enable Windows 10 Autopilot Reset** among the list of settings for the student PC as shown in the following example: - -  - -## Trigger Autopilot Reset - -Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it's done, the device is again ready for use. -] -To trigger Autopilot Reset: - -1. From the Windows device lock screen, enter the keystroke: CTRL + WIN + R. - -  - - This keystroke opens up a custom sign-in screen for Autopilot Reset. The screen serves two purposes: - - 1. 
Confirm/verify that the end user has the right to trigger Autopilot Reset - 1. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process. - -  - -1. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Autopilot Reset. - - > [!IMPORTANT] - > To reestablish Wi-Fi connectivity after reset, make sure the **Connect automatically** box is checked for the device's wireless network connection. - - Once Autopilot Reset is triggered, the reset process starts. - - After reset, the device: - - - Sets the region, language, and keyboard - - Connects to Wi-Fi - - If you provided a provisioning package when Autopilot Reset is triggered, the system applies this new provisioning package. Otherwise, the system reapplies the original provisioning package on the device - - Is returned to a known good managed state, connected to Microsoft Entra ID and MDM. - -  - - Once provisioning is complete, the device is again ready for use. - -## Troubleshoot Autopilot Reset - -Autopilot Reset fails when the [Windows Recovery Environment (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) isn't enabled on the device. The error code is: `ERROR_NOT_SUPPORTED (0x80070032)`. - -To make sure WinRE is enabled, use the [REAgentC.exe tool](/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command: - -```cmd -reagentc.exe /enable -``` - -If Autopilot Reset fails after enabling WinRE, or if you're unable to enable WinRE, kindly contact [Microsoft Support](https://support.microsoft.com) for assistance. diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md deleted file mode 100644 index 1453e64ad3..0000000000 --- a/education/windows/chromebook-migration-guide.md +++ /dev/null 
@@ -1,595 +0,0 @@ ---- -title: Chromebook migration guide -description: Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. -ms.topic: how-to -ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 ---- - -# Chromebook migration guide - -In this guide, you'll learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You'll learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You'll then learn the best method to perform the migration by using automated deployment and migration tools. - -## Plan Chromebook migration - - -Before you begin to migrate Chromebook devices, plan your migration. As with most projects, there can be an urge to immediately start doing before planning. When you plan your Chromebook migration before you perform the migration, you can save countless hours of frustration and mistakes during the migration process. - -In the planning portion of this guide, you'll identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you'll have a list of information you need to collect and what you need to do with the information. You'll be ready to perform your Chromebook migration. - -## Plan for app migration or replacement - - -App migration or replacement is an essential part of your Chromebook migration. In this section, you'll plan how you'll migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. At the end of this section, you'll have a list of the active Chrome OS apps and the Windows app counterparts. 
- -**Identify the apps currently in use on Chromebook devices** - -Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You'll create a list of apps that are currently in use (also called an app portfolio). - -> [!NOTE] -> The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section. - - - -You can divide the apps into the following categories: - -- **Apps installed and managed by the institution.** These apps are typically managed in the Apps section in the Google Admin Console. You can record the list of these apps in your app portfolio. - -- **Apps installed by faculty or students.** Faculty or students might have installed these apps as a part of a classroom curriculum. Obtain the list of these apps from faculty or students. Ensure you only record apps that are legitimately used as a part of classroom curriculum (and not for personal entertainment or use). - -Record the following information about each app in your app portfolio: - -- App name - -- App type (such as offline app, online app, web app, and so on) - -- App publisher or developer - -- App version currently in use - -- App priority (how necessary is the app to the day-to-day process of the institution or a classroom? Rank as high, medium, or low) - -Throughout the entire app migration or replacement process, focus on the higher priority apps. Focus on lower priority apps only after you've determined what you'll do with the higher priority apps. - -### - -**Select Google Apps replacements** - -Table 1 lists the Windows device app replacements for the common Google Apps on Chromebook devices. 
If your users rely on any of these Google Apps, use the corresponding app on the Windows device. Use the information in Table 1 to select the Google App replacement on a Windows device. - -Table 1. Google App replacements - -| If you use this Google app on a Chromebook | Use this app on a Windows device | -|--------------------------------------------|--------------------------------------| -| Google Docs | Word 2016 or Word for the web | -| Google Sheets | Excel 2016 or Excel for the web | -| Google Slides | PowerPoint 2016 or PowerPoint for the web | -| Google Apps Gmail | Outlook 2016 or Outlook Web App | -| Google Hangouts | Microsoft Skype for Business | -| Chrome | Microsoft Edge | -| Google Drive | Microsoft OneDrive for Business | - - - -It may be that you'll decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide. - -**Find the same or similar apps in the Microsoft Store** - -In many instances, software vendors will create a version of their app for multiple platforms. You can search the Microsoft Store to find the same or similar apps to any apps not identified in the [Select Google Apps replacements](#select-googleapps) section. - -In other instances, the offline app doesn't have a version written for the Microsoft Store or isn't a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher doesn't have a version for Windows devices. Search the Microsoft Store for a graphing calculator app that provides similar features and functionality. Use that Microsoft Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS. - -Record the Windows app that replaces the Chromebook app in your app portfolio. 
- -### - -**Perform app compatibility testing for web apps** - -Most of the Chromebook apps are web apps. Because you can't run native offline Chromebook apps on a Windows device, there's no reason to perform app compatibility testing for offline Chromebook apps. However, you may have many web apps that will run on both platforms. - -Ensure that you test these web apps in Microsoft Edge. Record the level of compatibility for each web app in Microsoft Edge in your app portfolio. - -## Plan for migration of user and device settings - - -Some institutions have configured the Chromebook devices to make the devices easier to use by using the Google Chrome Admin Console. You've also probably configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure by using the Google Chrome Admin Console. - -However, in addition to your centralized configuration in the Google Admin Console, Chromebook users have probably customized their device. In some instances, users may have changed the web content that is displayed when the Chrome browser starts. Or they may have bookmarked websites for future reference. Or users may have installed apps for use in the classroom. - -In this section, you'll identify the user and device configuration settings for your Chromebook users and devices. Then you'll prioritize these settings to focus on the configuration settings that are essential to your educational institution. - -At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, and a level of priority for each setting. You may discover at the end of this section that you've few or no higher priority settings to be migrated. If so, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide. 
- -**Identify Google Admin Console settings to migrate** - -You use the Google Admin Console (as shown in Figure 1) to manage user and device settings. These settings are applied to all the Chromebook devices in your institution that are enrolled in the Google Admin Console. Review the user and device settings in the Google Admin Console and determine which settings are appropriate for your Windows devices. - - - -Figure 1. Google Admin Console - -Table 2 lists the settings in the Device Management node in the Google Admin Console. Review the settings and determine which settings you'll migrate to Windows. - -Table 2. Settings in the Device Management node in the Google Admin Console - -|Section |Settings | -|---------|---------| -|Network |
These settings configure the network connections for Chromebook devices and include the following settings categories:
Windows 8.1 deployment planning
Explore key considerations and questions that should be answered when planning for Windows 8.1 deployment.
Windows 8.1 deployment to PCs
Get an overview of Windows 8.1 deployment to PCs in an educational environment.
BYOD
Explore Bring Your Own Device (BYOD) considerations, including device types, infrastructure, and deployment models.
Deploying Windows RT 8.1
Get step-by-step instructions on how to configure and deploy Windows RT devices (like Surface and other tablets) in educational environments.
Virtual Desktop Infrastructure
Learn how to address challenges related to BYOD scenarios using Virtual Desktop Infrastructure (VDI).
Microsoft Store apps
Explore Microsoft Store app deployment strategies and considerations for educational institutions running Windows 8.1.
Windows To Go
Learn about the benefits, limitations, and processes involved in deploying Windows To Go.
The root node. +The root node. -
Supported operation is Get. +Supported operation is Get. **ApprovedUpdates** -
Node for update approvals and EULA acceptance on behalf of the end-user. +Node for update approvals and EULA acceptance on behalf of the end-user. > [!NOTE] > When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list. -
The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. +The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. -
The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. +The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. > [!NOTE] > For the Windows 10 build, the client may need to reboot after additional updates are added. -
Supported operations are Get and Add. +Supported operations are Get and Add. **ApprovedUpdates/_Approved Update Guid_** -
Specifies the update GUID. +Specifies the update GUID. -
To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These GUIDs are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. +To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These GUIDs are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. -
Supported operations are Get and Add. +Supported operations are Get and Add. -
Sample syncml:
+Sample syncml:
```
Specifies the time the update gets approved. +Specifies the time the update gets approved. -
Supported operations are Get and Add. +Supported operations are Get and Add. **FailedUpdates** -
Specifies the approved updates that failed to install on a device. +Specifies the approved updates that failed to install on a device. -
Supported operation is Get. +Supported operation is Get. **FailedUpdates/_Failed Update Guid_** -
Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install. +Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install. -
Supported operation is Get. +Supported operation is Get. **FailedUpdates/*Failed Update Guid*/HResult** -
The update failure error code. +The update failure error code. -
Supported operation is Get. +Supported operation is Get. -**FailedUpdates/*Failed Update Guid*/Status** -
Specifies the failed update status (for example, download, install). +**FailedUpdates/*Failed Update Guid*/State** +Specifies the failed update state. -
Supported operation is Get. +| Update Status | Integer Value | +| -------------------------- | ------------- | +| UpdateStatusNewUpdate | 1 | +| UpdateStatusReadyToDownload| 2 | +| UpdateStatusDownloading | 4 | +| UpdateStatusDownloadBlocked| 8 | +| UpdateStatusDownloadFailed | 16 | +| UpdateStatusReadyToInstall | 32 | +| UpdateStatusInstalling | 64 | +| UpdateStatusInstallBlocked | 128 | +| UpdateStatusInstallFailed | 256 | +| UpdateStatusRebootRequired | 512 | +| UpdateStatusUpdateCompleted| 1024 | +| UpdateStatusCommitFailed | 2048 | +| UpdateStatusPostReboot | 4096 | + +Supported operation is Get. **FailedUpdates/*Failed Update Guid*/RevisionNumber** -
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -
Supported operation is Get. +Supported operation is Get. **InstalledUpdates** -
The updates that are installed on the device. +The updates that are installed on the device. -
Supported operation is Get. +Supported operation is Get. **InstalledUpdates/_Installed Update Guid_** -
UpdateIDs that represent the updates installed on a device. +UpdateIDs that represent the updates installed on a device. -
Supported operation is Get. +Supported operation is Get. **InstalledUpdates/*Installed Update Guid*/RevisionNumber** -
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -
Supported operation is Get. +Supported operation is Get. **InstallableUpdates** -
The updates that are applicable and not yet installed on the device. These updates include updates that aren't yet approved. +The updates that are applicable and not yet installed on the device. These updates include updates that aren't yet approved. -
Supported operation is Get. +Supported operation is Get. **InstallableUpdates/_Installable Update Guid_** -
Update identifiers that represent the updates applicable and not installed on a device. +Update identifiers that represent the updates applicable and not installed on a device. -
Supported operation is Get. +Supported operation is Get. **InstallableUpdates/*Installable Update Guid*/Type** -
The UpdateClassification value of the update. Valid values are: +The UpdateClassification value of the update. Valid values are: - 0 - None - 1 - Security - 2 - Critical -
Supported operation is Get. +Supported operation is Get. **InstallableUpdates/*Installable Update Guid*/RevisionNumber** -
The revision number for the update that must be passed in server to server sync to get the metadata for the update. +The revision number for the update that must be passed in server to server sync to get the metadata for the update. -
Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates** -
The updates that require a reboot to complete the update session. +The updates that require a reboot to complete the update session. -
Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates/_Pending Reboot Update Guid_** -
Update identifiers for the pending reboot state. +Update identifiers for the pending reboot state. -
Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime** -
The time the update is installed. +The time the update is installed. -
Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates/*Pending Reboot Update Guid*/RevisionNumber** -
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -
Supported operation is Get. +Supported operation is Get. **LastSuccessfulScanTime** -
The last successful scan time. +The last successful scan time. -
Supported operation is Get. +Supported operation is Get. **DeferUpgrade** -
Upgrades deferred until the next period. +Upgrades deferred until the next period. -
Supported operation is Get.
+Supported operation is Get.
**Rollback**
Added in Windows 10, version 1803. Node for the rollback operations.
diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md
index 2bb3347699..20a3da3401 100644
--- a/windows/client-management/mdm/vpnv2-ddf-file.md
+++ b/windows/client-management/mdm/vpnv2-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 12/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -46,7 +46,7 @@ The following XML file contains the device description framework (DDF) for the V
For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans). For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). |
+| Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher), or F3 to be assigned to your users. Additionally, Microsoft Entra ID P1 or P2 and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses). For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans). For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). |
| Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network. For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). |
| Microsoft Entra ID | Microsoft Entra ID must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Microsoft Entra Connect to enable Microsoft Entra hybrid join. At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see [co-management requirements for Windows Autopatch](#configuration-manager-co-management-requirements). Other device management prerequisites include: See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works with Windows Autopatch. For more information on co-management, see [co-management for Windows devices](/mem/configmgr/comanage/overview).
+- [Overview of Windows 11](/windows/whats-new/windows-11).
+- [Plan for Windows 11](/windows/whats-new/windows-11-plan).
+- [Prepare for Windows 11](/windows/whats-new/windows-11-prepare).
+- [Windows ADK for Windows 11](/windows-hardware/get-started/adk-install) is available.
## Deployment tools
-[SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later, and Windows 11.
-New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
-VPN support is added to [Windows Autopilot](#windows-autopilot)
-An in-place upgrade wizard is available in [Configuration Manager](#microsoft-configuration-manager).
-The Windows 10 deployment and update [landing page](index.yml) has been redesigned, with more content added and more content coming soon.
+- [SetupDiag](#setupdiag) is included with all currently supported versions of Windows.
+- New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
+- VPN support is added to [Windows Autopilot](#windows-autopilot).
+- An in-place upgrade wizard is available in [Configuration Manager](#microsoft-configuration-manager).
## The Modern Desktop Deployment Center
-The [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Microsoft 365 Apps for enterprise.
+The [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home) has content to help you with large-scale deployment of supported version of Windows and Microsoft 365 Apps for enterprise.
## Microsoft 365
-Microsoft 365 is a new offering from Microsoft that combines
+Microsoft 365 is a new offering from Microsoft that combines:
-- Windows 10
-- Office 365
+- A currently supported version of Windows.
+- Office 365.
- Enterprise Mobility and Security (EMS).
-See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a nifty [Microsoft 365 Enterprise poster](deploy-m365.md#microsoft-365-enterprise-poster).
+See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a [Microsoft 365 Enterprise poster](deploy-m365.md#microsoft-365-enterprise-poster).
-## Windows 10 servicing and support
+## Windows servicing and support
### Delivery Optimization
-Windows PowerShell cmdlets for Delivery Optimization have been improved:
+Windows PowerShell cmdlets for Delivery Optimization is improved:
-- **Get-DeliveryOptimizationStatus** has added the **-PeerInfo** option for a real-time peek behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
+- **Get-DeliveryOptimizationStatus** has the **-PeerInfo** option for a real-time peek behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
- **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections.
- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to help in troubleshooting.
@@ -79,29 +75,36 @@ Other improvements in [Delivery Optimization](./do/waas-delivery-optimization.md
The following Delivery Optimization policies are removed in the Windows 10, version 2004 release:
-- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
- - Reason: Replaced with separate policies for foreground and background
-- Max Upload Bandwidth (DOMaxUploadBandwidth)
+- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth).
+ - Reason: Replaced with separate policies for foreground and background.
+- Max Upload Bandwidth (DOMaxUploadBandwidth).
- Reason: impacts uploads to internet peers only, which isn't used in enterprises.
-- Absolute max throttle (DOMaxDownloadBandwidth)
- - Reason: separated to foreground and background
+- Absolute max throttle (DOMaxDownloadBandwidth).
+ - Reason: separated to foreground and background.
### Windows Update for Business
[Windows Update for Business](./update/waas-manage-updates-wufb.md) enhancements in this release include:
-- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
-- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we've created a new policy that enables admins to opt devices out of the built-in safeguard holds.
+- **Intune console updates**: target version is now available allowing you to specify which supported version of Windows you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
+
+- **Validation improvements**: To ensure devices and end users stay productive and protected, Microsoft blocks devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, a new policy is available that enables admins to opt devices out of the built-in safeguard holds.
+
+- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows automatically signs in as the user and locks their device in order to complete the update. This automatic sign-on ensures that when the user returns and unlocks the device, the update is completed.
+
+- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There's now a single, common start date for phased deployments (no more SAC-T designation). In addition, there's a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
-- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically sign in as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
-- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
-- **Pause updates**: We've extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you'll need to update your device before pausing again.
-- **Improved update notifications**: When there's an update requiring you to restart your device, you'll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
-- **Intelligent active hours**: To further enhance active hours, users now can let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
-- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
-Microsoft previously announced that we're [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. These editions include all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Microsoft 365 Apps for enterprise will continue to be supported for 18 months (there's no change for these editions). These support policies are summarized in the table below.
+- **Pause updates**: The ability to pause updates for both feature and monthly updates is extended. This extension ability is for all currently supported editions of Windows, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, the device needs to update before pausing again.
+
+- **Improved update notifications**: When there's an update requiring you to restart your device, a colored dot appears on the Power button in the Start menu and on the Windows icon in the taskbar.
+
+- **Intelligent active hours**: To further enhance active hours, users now can let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
+
+- **Improved update orchestration to improve system responsiveness**: This feature improves system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
+
+Microsoft previously announced that we're [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. These editions include all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Microsoft 365 Apps for enterprise will continue to be supported for 18 months (there's no change for these editions). These support policies are summarized in the following table:

@@ -111,7 +114,7 @@ Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Mi
Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. With Windows 10 Enterprise E3 in CSP, small and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features.
-For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md)
+For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
## Deployment solutions and tools
@@ -119,17 +122,17 @@ For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterpris
[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose, and recover devices.
-With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
+With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Microsoft Entra hybrid join with VPN support.
-If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, these language settings were only supported with self-deploying profiles.
+If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios now skip the language, locale, and keyboard pages. In previous versions, these language settings were only supported with self-deploying profiles.
The following Windows Autopilot features are available in Windows 10, version 1903 and later:
-- [Windows Autopilot for white glove deployment](/windows/deployment/windows-autopilot/white-glove) is new in Windows 10, version 1903. "White glove" deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users.
+- [Windows Autopilot for pre-provisioned deployment](/autopilot/pre-provision) is new in Windows 10, version 1903. Pre-provisioned deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users.
- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
- [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
-- Windows Autopilot is self-updating during OOBE. From Windows 10 onward, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
-- Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
+- Windows Autopilot is self-updating during OOBE. From Windows 10 onward, version 1903 Autopilot functional and critical updates begin downloading automatically during OOBE.
+- Windows Autopilot sets the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
### Microsoft Configuration Manager
@@ -137,25 +140,21 @@ An in-place upgrade wizard is available in Configuration Manager. For more infor
### Windows 10 Subscription Activation
-Windows 10 Education support has been added to Windows 10 Subscription Activation.
+Windows 10 Education support is added to Windows 10 Subscription Activation.
With Windows 10, version 1903, you can step up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions - Windows 10 Education. For more information, see [Windows 10 Subscription Activation](./windows-10-subscription-activation.md).
### SetupDiag
-[SetupDiag](upgrade/setupdiag.md) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues.
+[SetupDiag](upgrade/setupdiag.md) is a command-line tool that can help diagnose why an update of Windows failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues.
-In Windows 10, version 2004, SetupDiag is now automatically installed.
-
-During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there's an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup.
+During the upgrade process, Windows Setup extracts all its sources files to the `%SystemDrive%\$Windows.~bt\Sources` directory. **SetupDiag.exe** is also installed to this directory. If there's an issue with the upgrade, SetupDiag automatically runs to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under `%SystemDrive%\Windows.Old` for cleanup.
### Upgrade Readiness
-The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
+Upgrade Readiness helps you ensure that applications and drivers are ready for an upgrade of Windows. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.
-Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.
-
-The development of Upgrade Readiness has been heavily influenced by input from the community; the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
+Input from the community heavily influenced the development of Upgrade Readiness and the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
For more information about Upgrade Readiness, see the following articles:
@@ -164,7 +163,7 @@ For more information about Upgrade Readiness, see the following articles:
### Update Compliance
-Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.
+Update Compliance helps you to keep supported Windows devices in your organization secure and up-to-date.
Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
@@ -172,31 +171,35 @@ For more information about Update Compliance, see [Monitor Windows Updates with
### Device Health
-Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by helping to identify devices crashes and the cause. Device drivers that are causing crashes are identified along with alternative drivers that might reduce the number of crashes. Windows Information Protection misconfigurations are also identified. For more information, see [Monitor the health of devices with Device Health](/mem/configmgr/desktop-analytics/overview)
+Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by helping to identify devices crashes and the cause. Device drivers that are causing crashes are identified along with alternative drivers that might reduce the number of crashes. Windows Information Protection misconfigurations are also identified. For more information, see [Monitor the health of devices with Device Health](/mem/configmgr/desktop-analytics/overview).
### MBR2GPT
MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT.
-There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of Windows 10 that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
+There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of supported versions of Windows that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
For more information, see [MBR2GPT.EXE](mbr-to-gpt.md).
### Microsoft Deployment Toolkit (MDT)
-MDT version 8456 supports Windows 10, version 2004 and earlier operating systems, including Windows Server 2019. There's currently an issue that causes MDT to incorrectly detect that UEFI is present in Windows 10, version 2004. This issue is currently under investigation.
+MDT version 8456 supports Windows 10, version 2004 and earlier operating systems, including Windows Server 2019.
For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes).
+> [!IMPORTANT]
+>
+> MDT doesn't support versions of Windows after Windows 10 and Windows Server 2019.
+
### Windows Assessment and Deployment Kit (ADK)
-The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows.
+IT Pros can use the tools in the Windows Assessment and Deployment Kit (Windows ADK) to deploy Windows.
Download the Windows ADK and Windows PE add-on for Windows 11 [here](/windows-hardware/get-started/adk-install).
For information about what's new in the ADK, see [What's new in the Windows ADK](/windows-hardware/get-started/what-s-new-in-kits-and-tools).
-Also see [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
+Also see [Windows ADK for Windows scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
## Testing and validation guidance
@@ -206,19 +209,19 @@ The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual
For more information, see the following guides:
-- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
-- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
-- [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
+- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md).
+- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md).
+- [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md).
## Troubleshooting guidance
-[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) was published in October of 2016 and will continue to be updated with new fixes. The article provides a detailed explanation of the Windows 10 upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process.
+[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) was published in October of 2016 and continues to be updated with new fixes. The article provides a detailed explanation of the Windows upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process.
## Related articles
-[Overview of Windows as a service](update/waas-overview.md)
-[Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md)
-[Windows 10 release information](/windows/windows-10/release-information)
-[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications)
-[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
-[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
+- [Overview of Windows as a service](update/waas-overview.md).
+- [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md).
+- [Windows 10 release information](/windows/windows-10/release-information).
+- [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications).
+- [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md).
+- [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md).
diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml
index c886372c0f..e34d7b6de7 100644
--- a/windows/deployment/do/index.yml
+++ b/windows/deployment/do/index.yml
@@ -15,7 +15,7 @@ metadata:
author: aczechowski
ms.author: aaroncz
manager: aaroncz
- ms.date: 03/07/2022 #Required; mm/dd/yyyy format.
+ ms.date: 12/22/2023 #Required; mm/dd/yyyy format.
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
diff --git a/windows/deployment/do/mcc-enterprise-appendix.md b/windows/deployment/do/mcc-enterprise-appendix.md
index 1192eaf675..ec13e41993 100644
--- a/windows/deployment/do/mcc-enterprise-appendix.md
+++ b/windows/deployment/do/mcc-enterprise-appendix.md
@@ -15,7 +15,7 @@ appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Microsoft Connected Cache for Enterprise and Education
-ms.date: 02/06/2023
+ms.date: 11/07/2023
---
# Appendix
@@ -37,10 +37,10 @@ Most customers choose to install their cache node on a Windows Server with a nes
### Installing on VMware
-We've seen that Microsoft Connected Cache for Enterprise and Education can be successfully installed on VMware. To do so, there are a couple of additional configurations to be made:
+Microsoft Connected Cache for Enterprise and Education can be successfully installed on VMware. To do so, there are a couple of additional configurations to be made. Ensure the VM is turned off before making the following configuration changes:
1. Ensure that you're using ESX. In the VM settings, turn on the option **Expose hardware assisted virtualization to the guest OS**.
-1. Using the Hyper-V Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"**, **"Allow forged transmits"**, and **"Allow MAC changes"** are all switched to **Yes**.
+1. Using the Hyper-V Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"** is switched to **Yes**.
### Installing on Hyper-V
@@ -136,4 +136,4 @@ To verify that the Delivery Optimization client can download content using MCC,
- [Install Azure IoT Edge for Linux on Windows](/azure/iot-edge/how-to-provision-single-device-linux-on-windows-symmetric#install-iot-edge)
- [PowerShell functions for Azure IoT Edge for Linux on Windows](/azure/iot-edge/reference-iot-edge-for-linux-on-windows-functions)
- EFLOW FAQ and Support: [Support · Azure/iotedge-eflow Wiki (github.com)](https://github.com/Azure/iotedge-eflow/wiki/Support#how-can-i-apply-updates-to-eflow)
-- [Now ready for Production: Linux IoT Edge Modules on Windows - YouTube](https://www.youtube.com/watch?v=pgqVCg6cxVU&ab_channel=MicrosoftIoTDevelopers)
\ No newline at end of file
+- [Now ready for Production: Linux IoT Edge Modules on Windows - YouTube](https://www.youtube.com/watch?v=pgqVCg6cxVU&ab_channel=MicrosoftIoTDevelopers)
diff --git a/windows/deployment/do/mcc-enterprise-prerequisites.md b/windows/deployment/do/mcc-enterprise-prerequisites.md
index 2fa49f91cc..ba0aaef324 100644
--- a/windows/deployment/do/mcc-enterprise-prerequisites.md
+++ b/windows/deployment/do/mcc-enterprise-prerequisites.md
@@ -13,7 +13,7 @@ appliesto:
- ✅ Windows 11
- ✅ Windows 10
- - ✅ Microsoft Connected Cache for Enterprise and Education
-ms.date: 05/01/2023
+ms.date: 11/07/2023
---
# Requirements of Microsoft Connected Cache for Enterprise and Education (early preview)
@@ -34,8 +34,9 @@ ms.date: 05/01/2023
> Azure VMs are not currently supported. If you'd like to install your cache node on VMWare, see the [Appendix](mcc-enterprise-appendix.md) for a few additional configurations.
**EFLOW requires Hyper-V support**
- - On Windows client, enable the Hyper-V feature
- - On Windows Server, install the Hyper-V role and create a default network switch
+ - On Windows client, enable the Hyper-V feature.
+ - On Windows Server, install the Hyper-V role and create a default network switch.
+ - For additional requirements, see [EFLOW requirements](/azure/iot-edge/iot-edge-for-linux-on-windows#prerequisites).
Disk recommendations:
- Using an SSD is recommended as cache read speed of SSD is superior to HDD
diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md
index 2c3a28d13e..856311df11 100644
--- a/windows/deployment/do/waas-delivery-optimization-reference.md
+++ b/windows/deployment/do/waas-delivery-optimization-reference.md
@@ -161,7 +161,7 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection
- 4 = DNS Suffix
- 5 = Starting with Windows 10, version 1903, you can use the Microsoft Entra tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
-When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy is ignored. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
+When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
### Minimum RAM (inclusive) allowed to use Peer Caching
@@ -335,7 +335,7 @@ The device can download from peers while on battery regardless of this policy.
MDM Setting: **DOCacheHost**
-Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.** Delivery Optimization client will connect to the listed Microsoft Connected Cache servers in the order as they are listed. When multiple FQDNs or IP Addresses are listed, the Microsoft Connected Cache server priority order is determined based on the order as they are listed. If the first server fails, it will move the the next one. When the last server fails, it will fallback to the CDN.
+Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.** Delivery Optimization client will connect to the listed Microsoft Connected Cache servers in the order as they are listed. When multiple FQDNs or IP Addresses are listed, the Microsoft Connected Cache server priority order is determined based on the order as they are listed. If the first server fails, it will move the next one. When the last server fails, it will fallback to the CDN.
>[!IMPORTANT]
> Any value will signify that the policy is set. For example, an empty string ("") isn't considered empty.
diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md
index 010894a61d..3f0f9432e6 100644
--- a/windows/deployment/do/waas-delivery-optimization.md
+++ b/windows/deployment/do/waas-delivery-optimization.md
@@ -50,7 +50,8 @@ The following table lists the minimum Windows 10 version that supports Delivery
| Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC)
|------------------|---------------|----------------|----------|----------------|
| Windows Update ([feature updates quality updates, language packs, drivers](../update/get-started-updates-channels-tools.md#types-of-updates)) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| Windows 10 Store apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Windows 10/11 UWP Store apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Windows 11 Win32 Store apps | Windows 11 | :heavy_check_mark: | | |
| Windows 10 Store for Business apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Windows Defender definition updates | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Intune Win32 apps| Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
@@ -58,7 +59,7 @@ The following table lists the minimum Windows 10 version that supports Delivery
| Edge Browser Updates | Windows 10 1809, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Configuration Manager Express updates| Windows 10 1709 + Configuration Manager version 1711, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Dynamic updates| Windows 10 1903, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| MDM Agent | Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| MDM Agent | Windows 11 | :heavy_check_mark: | | |
| Xbox Game Pass (PC) | Windows 10 1809, Windows 11 | :heavy_check_mark: | | :heavy_check_mark: |
| Windows Package Manager| Windows 10 1809, Windows 11 | :heavy_check_mark: | | |
| MSIX Installer| Windows 10 2004, Windows 11 | :heavy_check_mark: | | |
diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json
index c9f6a5f653..fa8fea1e46 100644
--- a/windows/deployment/docfx.json
+++ b/windows/deployment/docfx.json
@@ -40,9 +40,8 @@
],
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-Windows",
- "feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
+ "feedback_system": "Standard",
+ "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-development",
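Review bot: The `feedback_product_url` line is removed and re-added with identical text, which reads as a whitespace-only change and adds noise around the actual `feedback_system` switch; if its indentation was touched, keeping it aligned with the neighbouring `uhfHeaderId` key would let the hunk shrink to the two lines that matter. Dropping `feedback_github_repo` alongside `"feedback_system": "Standard"` is coherent, assuming no other key in this file still points at the GitHub repo. The enclosing JSON object continues outside the hunk.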
diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml
index b72aa8d9ad..bd107d8546 100644
--- a/windows/deployment/index.yml
+++ b/windows/deployment/index.yml
@@ -1,104 +1,180 @@
-### YamlMime:Landing
+### YamlMime:Hub
-title: Windows client deployment resources and documentation # < 60 chars
-summary: Learn about deploying and keeping Windows client devices up to date. # < 160 chars
+title: Deploy and update Windows # < 60 chars; shows at top of hub page
+summary: Learn about deploying and updating Windows client devices in your organization. # < 160 chars
metadata:
- title: Windows client deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
- description: Learn about deploying Windows and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars.
- ms.topic: landing-page
- ms.technology: itpro-deploy
+ title: Windows client deployment documentation # Required; browser tab title displayed in search results. Include the brand. < 60 chars.
+ description: Learn about deploying and updating Windows client devices in your organization. # Required; article description that is displayed in search results. < 160 chars.
+ ms.topic: hub-page
ms.prod: windows-client
+ ms.technology: itpro-deploy
ms.collection:
- highpri
- tier1
- author: frankroj
- ms.author: frankroj
+ author: aczechowski
+ ms.author: aaroncz
manager: aaroncz
- ms.date: 10/31/2022
+ ms.date: 12/20/2023
localization_priority: medium
-
-# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
-landingContent:
-# Cards and links should be based on top customer tasks or top subjects
-# Start card title with a verb
- # Card (optional)
- - title: Plan
- linkLists:
- - linkListType: overview
- links:
- - text: Create a deployment plan
- url: update/create-deployment-plan.md
- - text: Define readiness criteria
- url: update/plan-define-readiness.md
- - text: Evaluate infrastructure and tools
- url: update/eval-infra-tools.md
- - text: Define your servicing strategy
- url: update/plan-define-strategy.md
+# common graphics: https://review.learn.microsoft.com/content-production-service/internal/image-gallery?branch=main
- # Card (optional)
- - title: Prepare
- linkLists:
- - linkListType: how-to-guide
+productDirectory:
+ title: Get started
+ items:
+ - title: Plan
+ imageSrc: /media/common/i_overview.svg
+ links:
+ - text: Plan for Windows 11
+ url: /windows/whats-new/windows-11-plan?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
+ - text: Create a deployment plan
+ url: update/create-deployment-plan.md
+ - text: Define readiness criteria
+ url: update/plan-define-readiness.md
+ - text: Define your servicing strategy
+ url: update/plan-define-strategy.md
+ - text: Determine application readiness
+ url: update/plan-determine-app-readiness.md
+ - text: Plan for volume activation
+ url: volume-activation/plan-for-volume-activation-client.md
+
+ - title: Prepare
+ imageSrc: /media/common/i_tasks.svg
+ links:
+ - text: Prepare for Windows 11
+ url: /windows/whats-new/windows-11-prepare?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
+ - text: Prepare to deploy Windows updates
+ url: update/prepare-deploy-windows.md
+ - text: Prepare updates using Windows Update for Business
+ url: update/waas-manage-updates-wufb.md
+ - text: Evaluate and update infrastructure
+ url: update/update-policies.md
+ - text: Set up Delivery Optimization for Windows client updates
+ url: do/waas-delivery-optimization-setup.md?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
+ - text: Prepare for imaging with Configuration Manager
+ url: deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+
+ - title: Deploy
+ imageSrc: /media/common/i_deploy.svg
+ links:
+ - text: Deploy Windows with Autopilot
+ url: /mem/autopilot/tutorial/autopilot-scenarios
+ - text: Assign devices to servicing channels
+ url: update/waas-servicing-channels-windows-10-updates.md
+ - text: Deploy updates with Intune
+ url: update/deploy-updates-intune.md
+ - text: Deploy Windows updates with Configuration Manager
+ url: update/deploy-updates-configmgr.md
+ - text: Upgrade Windows using Configuration Manager
+ url: deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
+ - text: Check release health
+ url: update/check-release-health.md
+
+additionalContent:
+ sections:
+ - title: Solutions
+ items:
+
+ - title: Windows Autopilot
links:
- - text: Prepare to deploy Windows updates
- url: update/prepare-deploy-windows.md
- - text: Prepare updates using Windows Update for Business
+ - text: Overview
+ url: /mem/autopilot/windows-autopilot
+ - text: Scenarios
+ url: /mem/autopilot/tutorial/autopilot-scenarios
+ - text: Device registration
+ url: /mem/autopilot/registration-overview
+ - text: Learn more about Windows Autopilot >
+ url: /mem/autopilot
+
+ - title: Windows Autopatch
+ links:
+ - text: What is Windows Autopatch?
+ url: windows-autopatch/overview/windows-autopatch-overview.md
+ - text: Frequently asked questions (FAQ)
+ url: windows-autopatch/overview/windows-autopatch-faq.yml
+ - text: Prerequisites
+ url: windows-autopatch/prepare/windows-autopatch-prerequisites.md
+ - text: Learn more about Windows Autopatch >
+ url: windows-autopatch/index.yml
+
+ - title: Windows Update for Business
+ links:
+ - text: What is Windows Update for Business?
url: update/waas-manage-updates-wufb.md
- - text: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager
- url: deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
- - text: Set up Delivery Optimization for Windows client updates
+ - text: Windows Update for Business deployment service
+ url: update/deployment-service-overview.md
+ - text: Manage Windows Update settings
+ url: update/waas-wu-settings.md
+ - text: Windows Update for Business reports overview
+ url: update/wufb-reports-overview.md
+
+ - title: Optimize and cache content
+ links:
+ - text: What is Delivery Optimization?
+ url: do/waas-delivery-optimization.md
+ - text: What is Microsoft Connected Cache?
+ url: do/waas-microsoft-connected-cache.md
+ - text: Frequently asked questions
+ url: do/waas-delivery-optimization-faq.yml
+ - text: Learn more about Delivery Optimization >
url: do/index.yml
- # Card (optional)
- - title: Deploy
- linkLists:
- - linkListType: deploy
+ - title: In-place upgrade and imaging
links:
- - text: Deploy Windows 10 with Autopilot
- url: /mem/autopilot
- - text: Assign devices to servicing channels
- url: update/waas-servicing-channels-windows-10-updates.md
-
- # Card
- - title: Overview
- linkLists:
- - linkListType: overview
- links:
- - text: What's new in Windows deployment
- url: deploy-whats-new.md
- - text: Windows 11 overview
- url: /windows/whats-new/windows-11
- - text: Windows client deployment scenarios
- url: windows-10-deployment-scenarios.md
- - text: Basics of Windows updates, channels, and tools
- url: update/get-started-updates-channels-tools.md
- - text: Overview of Windows Autopilot
- url: /mem/autopilot/windows-autopilot
+ - text: Upgrade Windows using Configuration Manager
+ url: deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
+ - text: Deploy a Windows image using Configuration Manager
+ url: deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+ - text: Convert a disk from MBR to GPT
+ url: mbr-to-gpt.md
+ - text: Resolve Windows upgrade errors
+ url: upgrade/resolve-windows-10-upgrade-errors.md
- # Card
- - title: Support remote work
- linkLists:
- - linkListType: concept
+ - title: Licensing and activation
links:
- - text: Deploy Windows 10 for a remote world
- url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/deploying-a-new-version-of-windows-10-in-a-remote-world/ba-p/1419846
- - text: Empower remote workers with Microsoft 365
- url: /microsoft-365/solutions/empower-people-to-work-remotely
- - text: Top 12 tasks for security teams to support working from home
- url: /microsoft-365/security/top-security-tasks-for-remote-work
- - text: Support your remote workforce
- url: /microsoftteams/faq-support-remote-workforce
+ - text: Plan for volume activation
+ url: volume-activation/plan-for-volume-activation-client.md
+ - text: Subscription activation
+ url: windows-10-subscription-activation.md
+ - text: Volume activation management tool (VAMT)
+ url: volume-activation/introduction-vamt.md
+ - text: Activate using key management service (KMS)
+ url: volume-activation/activate-using-key-management-service-vamt.md
+ - text: Windows commercial licensing overview
+ url: /windows/whats-new/windows-licensing
- # Card (optional)
- - title: Microsoft Learn training
- linkLists:
- - linkListType: learn
+ - title: More resources
+ items:
+
+ - title: Release and lifecycle
links:
- - text: Plan to deploy updates for Windows 10 and Microsoft 365 Apps
- url: /training/modules/windows-plan
- - text: Prepare to deploy updates for Windows 10 and Microsoft 365 Apps
- url: /training/modules/windows-prepare/
- - text: Deploy updates for Windows 10 and Microsoft 365 Apps
- url: /training/modules/windows-deploy
+ - text: Windows release health dashboard
+ url: /windows/release-health
+ - text: Windows client features lifecycle
+ url: /windows/whats-new/feature-lifecycle
+ - text: Lifecycle FAQ - Windows
+ url: /lifecycle/faq/windows
+
+ - title: Windows hardware
+ links:
+ - text: Download and install the Windows ADK
+ url: /windows-hardware/get-started/adk-install
+ - text: Deployment tools
+ url: /windows-hardware/manufacture/desktop/boot-and-install-windows
+# - text:
+# url:
+# - text:
+# url:
+
+ - title: Community
+ links:
+ - text: Windows IT pro blog
+ url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog
+ - text: Windows office hours
+ url: https://aka.ms/windows/officehours
+# - text:
+# url:
+# - text:
+# url:
+
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 2ab8313425..a0eb436b76 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -4,7 +4,7 @@ description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR)
ms.prod: windows-client
author: frankroj
ms.author: frankroj
-ms.date: 11/23/2022
+ms.date: 11/16/2023
manager: aaroncz
ms.localizationpriority: high
ms.topic: how-to
@@ -12,19 +12,18 @@ ms.collection:
- highpri
- tier2
ms.technology: itpro-deploy
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
---
# MBR2GPT.EXE
-*Applies to:*
+**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows operating system (OS) by using the **`/allowFullOS`** option.
-- Windows 10
+**MBR2GPT.EXE** is located in the **`Windows\System32`** directory on a computer running Windows.
-**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **`/allowFullOS`** option.
-
-MBR2GPT.EXE is located in the **`Windows\System32`** directory on a computer running Windows 10 version 1703 or later.
-
-The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version.
+The tool is available in both the full OS environment and Windows PE.
See the following video for a detailed description and demonstration of MBR2GPT.
@@ -33,13 +32,13 @@ See the following video for a detailed description and demonstration of MBR2GPT.
You can use MBR2GPT to:
- Convert any attached MBR-formatted system disk to the GPT partition format. You can't use the tool to convert non-system disks from MBR to GPT.
-- Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you'll need to delete the existing protectors and recreate them.
-- Convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion.
-- Convert an operating system disk from MBR to GPT using Configuration Manager or MDT if your task sequence uses Windows PE version 1703 or later.
+- Convert an MBR disk with BitLocker-encrypted volumes as long as protection is suspended. To resume BitLocker after conversion, you'll need to delete the existing protectors and recreate them.
+- Convert an operating system disk from MBR to GPT using Microsoft Configuration Manager or Microsoft Deployment Toolkit (MDT).
-Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion.
+Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported. The recommended method to convert these disks is to upgrade the operating system to a currently supported version of Windows, then perform the MBR to GPT conversion.
> [!IMPORTANT]
+>
> After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode.
>
> Make sure that your device supports UEFI before attempting to convert the disk.
@@ -57,9 +56,9 @@ Before any change to the disk is made, MBR2GPT validates the layout and geometry
- The disk doesn't have any extended/logical partition
- The BCD store on the system partition contains a default OS entry pointing to an OS partition
- The volume IDs can be retrieved for each volume that has a drive letter assigned
-- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option
+- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the `/map` command-line option
-If any of these checks fails, the conversion won't proceed, and an error will be returned.
+If any of these checks fails, the conversion doesn't proceed, and an error is returned.
## Syntax
@@ -72,9 +71,9 @@ If any of these checks fails, the conversion won't proceed, and an error will be
|**/validate**| Instructs `MBR2GPT.exe` to perform only the disk validation steps and report whether the disk is eligible for conversion. |
|**/convert**| Instructs `MBR2GPT.exe` to perform the disk validation and to proceed with the conversion if all validation tests pass. |
|**/disk:*\
**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new ESP is created by shrinking the OS partition.|
+|**/allowFullOS**| By default, `MBR2GPT.exe` can only run from Windows PE and is blocked from running in full Windows. This option overrides this block and enables disk conversion while running in the full Windows environment.
**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new EFI system partition is created by shrinking the OS partition.|
## Examples
@@ -83,7 +82,7 @@ If any of these checks fails, the conversion won't proceed, and an error will be
In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location of **`%windir%`**.
```cmd
-X:\>mbr2gpt.exe /validate /disk:0
+X:\> mbr2gpt.exe /validate /disk:0
MBR2GPT: Attempting to validate disk 0
MBR2GPT: Retrieving layout of disk
MBR2GPT: Validating layout, disk sector size is: 512
@@ -94,19 +93,24 @@ MBR2GPT: Validation completed successfully
In the following example:
-1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0.
+1. The current disk partition layout is displayed prior to conversion using DiskPart - three partitions are present on the MBR disk (disk 0):
-2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type.
+ - A system reserved partition.
+ - A Windows partition.
+ - A recovery partition.
+ - A DVD-ROM is also present as volume 0.
-3. The MBR2GPT tool is used to convert disk 0.
+1. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type.
-4. The DiskPart tool displays that disk 0 is now using the GPT format.
+1. The MBR2GPT tool is used to convert disk 0.
-5. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
+1. The DiskPart tool displays that disk 0 is now using the GPT format.
-6. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
+1. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
-As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly.
+1. The OS volume is selected again. The detail displays that the OS volume is converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
+
+As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition boots properly.
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
-
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
diff --git a/windows/deployment/update/includes/wufb-reports-endpoints.md b/windows/deployment/update/includes/wufb-reports-endpoints.md
index 388592c36c..88fd5d146e 100644
--- a/windows/deployment/update/includes/wufb-reports-endpoints.md
+++ b/windows/deployment/update/includes/wufb-reports-endpoints.md
@@ -5,10 +5,11 @@ manager: aaroncz
ms.technology: itpro-updates
ms.prod: windows-client
ms.topic: include
-ms.date: 08/21/2023
+ms.date: 12/15/2023
ms.localizationpriority: medium
---
-
+
+
Devices must be able to contact the following endpoints in order to authenticate and send diagnostic data:
@@ -20,5 +21,5 @@ Devices must be able to contact the following endpoints in order to authenticate
| `settings-win.data.microsoft.com` | Used by Windows components and applications to dynamically update their configuration. Required for Windows Update functionality. |
| `adl.windows.com` | Required for Windows Update functionality. |
| `oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors if there are certain crashes. |
-| `login.live.com` | This endpoint facilitates your Microsoft account access and is required to create the primary identifier we use for devices. Without this service, devices won't be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). |
-| `*.blob.core.windows.net` | Azure blob data storage.|
\ No newline at end of file
+| `login.live.com` | This endpoint facilitates your Microsoft account access and is required to create the primary identifier we use for devices. Without this service, devices aren't visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). |
+| `ceuswatcab01.blob.core.windows.net`
`ceuswatcab02.blob.core.windows.net`
`eaus2watcab01.blob.core.windows.net`
`eaus2watcab02.blob.core.windows.net`
`weus2watcab01.blob.core.windows.net`
`weus2watcab02.blob.core.windows.net` | Azure blob data storage. |
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index e2f3ab0e3c..baae39d605 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -12,7 +12,8 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 07/17/2023
+- ✅ Windows Server
+ms.date: 12/05/2023
---
# Update Windows installation media with Dynamic Update
@@ -83,24 +84,24 @@ Properly updating the installation media involves a large number of actions oper
This table shows the correct sequence for applying the various tasks to the files. For example, the full sequence starts with adding the servicing stack update to WinRE (1) and concludes with adding boot manager from WinPE to the new media (28).
-|Task |WinRE (winre.wim) |WinPE (boot.wim) |Operating system (install.wim) | New media |
-|-----------------------------------|-------------------|------------------|--------------------------------|-----------|
-|Add servicing stack Dynamic Update | 1 | 9 | 18 | |
-|Add language pack | 2 | 10 | 19 | |
-|Add localized optional packages | 3 | 11 | | |
-|Add font support | 4 | 12 | | |
-|Add text-to-speech | 5 | 13 | | |
-|Update Lang.ini | | 14 | | |
-|Add Features on Demand | | | 20 | |
-|Add Safe OS Dynamic Update | 6 | | | |
-|Add Setup Dynamic Update | | | | 26 |
-|Add setup.exe from WinPE | | | | 27 |
-|Add boot manager from WinPE | | | | 28 |
-|Add latest cumulative update | | 15 | 21 | |
-|Clean up the image | 7 | 16 | 22 | |
-|Add Optional Components | | | 23 | |
-|Add .NET and .NET cumulative updates | | | 24 | |
-|Export image | 8 | 17 | 25 | |
+|Task |WinRE (winre.wim) |Operating system (install.wim) | WinPE (boot.wim) | New media |
+|-----------------------------------|-------------------|--------------------------------|------------------|-----------|
+|Add servicing stack Dynamic Update | 1 | 9 | 17 | |
+|Add language pack | 2 | 10 | 18 | |
+|Add localized optional packages | 3 | | 19 | |
+|Add font support | 4 | | 20 | |
+|Add text-to-speech | 5 | | 21 | |
+|Update Lang.ini | | | 22 | |
+|Add Features on Demand | | 11 | | |
+|Add Safe OS Dynamic Update | 6 | | | |
+|Add Setup Dynamic Update | | | | 26 |
+|Add setup.exe from WinPE | | | | 27 |
+|Add boot manager from WinPE | | | | 28 |
+|Add latest cumulative update | | 12 | 23 | |
+|Clean up the image | 7 | 13 | 24 | |
+|Add Optional Components | | 14 | | |
+|Add .NET and .NET cumulative updates | | 15 | | |
+|Export image | 8 | 16 | 25 | |
> [!NOTE]
> Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
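Review bot: The note under the table still says "For Steps 1, 9, and 18 that require the servicing stack update", but after the column reorder the servicing stack Dynamic Update row is numbered 1, 9 and 17 (WinRE, install.wim, boot.wim), so the unchanged sentence now points at the wrong step; it should read `For Steps 1, 9, and 17 that require the servicing stack update for updating the installation media, you should use the combined cumulative update.` The introductory sentence above the table (starts with 1, ends with 28) still matches the new numbering. Any other prose on this page that cites the old boot.wim numbers is outside the hunk and would need the same check.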
@@ -110,13 +111,13 @@ This table shows the correct sequence for applying the various tasks to the file
### Multiple Windows editions
-The main operating system file (install.wim) contains multiple editions of Windows. It's possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
+The main operating system file (install.wim) might contain multiple editions of Windows. It's possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
### Additional languages and features
-You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what is in your starting image. To do this, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
+You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what's in your starting image. When you add more languages and features, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
-Optional Components, along with the .NET feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that results in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you'll have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
+Optional Components, along with the .NET feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid the cleanup failure. One option is to skip the image cleanup step, though that results in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you'll have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
## Windows PowerShell scripts to apply Dynamic Updates to an existing image
@@ -130,7 +131,7 @@ These examples are for illustration only, and therefore lack error handling. The
### Get started
-The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there's a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they aren't read-only.
+The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there's a script error and it's necessary to start over from a known state. Also, it provides a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they aren't read-only.
```powershell
#Requires -RunAsAdministrator
@@ -194,128 +195,231 @@ Copy-Item -Path $MEDIA_OLD_PATH"\*" -Destination $MEDIA_NEW_PATH -Force -Recurse
Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false }
```
-### Update WinRE
+### Update WinRE and each main OS Windows edition
-The script assumes that only a single edition is being updated, indicated by Index = 1 (Windows 10 Education Edition). Then the script mounts the image, saves Winre.wim to the working folder, and mounts it. It then applies servicing stack Dynamic Update, since its components are used for updating other components. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package.
+The script will update each edition of Windows within the main operating system file (install.wim). For each edition, the main OS image is mounted.
-It finishes by cleaning and exporting the image to reduce the image size.
+For the first image, Winre.wim is copied to the working folder, and mounted. It then applies servicing stack Dynamic Update, since its components are used for updating other components. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package. It finishes by cleaning and exporting the image to reduce the image size.
+
+Next, for the mounted OS image, the script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod). Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image. You can install Optional Components, along with the .NET feature, offline, but that requires the device to be restarted. This is why the script installs .NET and Optional Components after cleanup and before export.
+
+This process is repeated for each edition of Windows within the main operating system file. To reduce size, the serviced Winre.wim file from the first image is saved, and used to update each subsequent Windows edition. This reduces the final size of install.wim.
```powershell
-# Mount the main operating system, used throughout the script
-Write-Output "$(Get-TS): Mounting main OS"
-Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
-
#
-# update Windows Recovery Environment (WinRE)
+# Update each main OS Windows image including the Windows Recovery Environment (WinRE)
#
-Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destination $WORKING_PATH"\winre.wim" -Force -ErrorAction stop | Out-Null
-Write-Output "$(Get-TS): Mounting WinRE"
-Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
-# Add servicing stack update (Step 1 from the table)
+# Get the list of images contained within WinPE
+$WINOS_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim"
-# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
-# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
-# cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
-# Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published separately; the combined
-# cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
-# cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
-# combined cumulative update can be installed.
+Foreach ($IMAGE in $WINOS_IMAGES) {
-# This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
-# Write-Output "$(Get-TS): Adding package $SSU_PATH"
-# Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
+ # first mount the main OS image
+ Write-Output "$(Get-TS): Mounting main OS, image index $($IMAGE.ImageIndex)"
+ Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index $IMAGE.ImageIndex -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
-# Now, attempt the combined cumulative update.
-# There is a known issue where the servicing stack update is installed, but the cumulative update will fail. This error should
-# be caught and ignored, as the last step will be to apply the Safe OS update and thus the image will be left with the correct
-# packages installed.
+ if ($IMAGE.ImageIndex -eq "1") {
-try
-{
- Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null
-}
-Catch
-{
- $theError = $_
- Write-Output "$(Get-TS): $theError"
+ #
+ # update Windows Recovery Environment (WinRE) within this OS image
+ #
+ Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destination $WORKING_PATH"\winre.wim" -Force -ErrorAction stop | Out-Null
+ Write-Output "$(Get-TS): Mounting WinRE"
+ Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
+
+ # Add servicing stack update (Step 1 from the table)
+
+ # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
+ # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
+ # cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
+ # Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined
+ # cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
+ # cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
+ # combined cumulative update can be installed.
+
+ # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
+ # Write-Output "$(Get-TS): Adding package $SSU_PATH"
+ # Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
+
+ # Now, attempt the combined cumulative update.
+ # There is a known issue where the servicing stack update is installed, but the cumulative update will fail. This error should
+ # be caught and ignored, as the last step will be to apply the Safe OS update and thus the image will be left with the correct
+ # packages installed.
+
+ try
+ {
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null
+ }
+ Catch
+ {
+ $theError = $_
+ Write-Output "$(Get-TS): $theError"
- if ($theError.Exception -like "*0x8007007e*") {
- Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
- }
- else {
- throw
- }
-}
-
-# The second approach for Step 1 is for Windows releases that have not adopted the combined cumulative update
-# but instead continue to have a separate servicing stack update published. In this case, we'll install the SSU
-# update. This second approach is commented out below.
-
-# Write-Output "$(Get-TS): Adding package $SSU_PATH"
-# Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
-
-#
-# Optional: Add the language to recovery environment
-#
-# Install lp.cab cab
-Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
-Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
-
-# Install language cabs for each optional package installed
-$WINRE_INSTALLED_OC = Get-WindowsPackage -Path $WINRE_MOUNT
-Foreach ($PACKAGE in $WINRE_INSTALLED_OC) {
-
- if ( ($PACKAGE.PackageState -eq "Installed") `
- -and ($PACKAGE.PackageName.startsWith("WinPE-")) `
- -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) {
-
- $INDEX = $PACKAGE.PackageName.IndexOf("-Package")
- if ($INDEX -ge 0) {
- $OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
- if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
- $OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
- Write-Output "$(Get-TS): Adding package $OC_CAB_PATH"
- Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
+ if ($theError.Exception -like "*0x8007007e*") {
+ Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
+ }
+ else {
+ throw
}
}
+
+ # The second approach for Step 1 is for Windows releases that have not adopted the combined cumulative update
+ # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
+ # update. This second approach is commented out below.
+
+ # Write-Output "$(Get-TS): Adding package $SSU_PATH"
+ # Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
+
+ #
+ # Optional: Add the language to recovery environment
+ #
+ # Install lp.cab cab
+ Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
+
+ # Install language cabs for each optional package installed
+ $WINRE_INSTALLED_OC = Get-WindowsPackage -Path $WINRE_MOUNT
+ Foreach ($PACKAGE in $WINRE_INSTALLED_OC) {
+
+ if ( ($PACKAGE.PackageState -eq "Installed") `
+ -and ($PACKAGE.PackageName.startsWith("WinPE-")) `
+ -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) {
+
+ $INDEX = $PACKAGE.PackageName.IndexOf("-Package")
+ if ($INDEX -ge 0) {
+ $OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
+ if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
+ $OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
+ Write-Output "$(Get-TS): Adding package $OC_CAB_PATH"
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
+ }
+ }
+ }
+ }
+
+ # Add font support for the new language
+ if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
+ Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH"
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
+ }
+
+ # Add TTS support for the new language
+ if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
+ if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
+
+ Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
+
+ Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
+ }
+ }
+
+ # Add Safe OS
+ Write-Output "$(Get-TS): Adding package $SAFE_OS_DU_PATH"
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SAFE_OS_DU_PATH -ErrorAction stop | Out-Null
+
+ # Perform image cleanup
+ Write-Output "$(Get-TS): Performing image cleanup on WinRE"
+ DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null
+
+ # Dismount
+ Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null
+
+ # Export
+ Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\winre.wim"
+ Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim" -ErrorAction stop | Out-Null
+
}
+
+ Copy-Item -Path $WORKING_PATH"\winre2.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -ErrorAction stop | Out-Null
+
+ #
+ # update Main OS
+ #
+
+ # Add servicing stack update (Step 18 from the table)
+
+ # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
+ # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that
+ # includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these
+ # cases, the servicing stack update is not published seperately; the combined cumulative update should be used for this step. However, in hopefully
+ # rare cases, there may breaking change in the combined cumulative update format, that requires a standalone servicing stack update to be published,
+ # and installed first before the combined cumulative update can be installed.
+
+ # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
+ # Write-Output "$(Get-TS): Adding package $SSU_PATH"
+ # Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
+
+ # Now, attempt the combined cumulative update. Unlike WinRE and WinPE, we don't need to check for error 0x8007007e
+ Write-Output "$(Get-TS): Adding package $LCU_PATH"
+ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null
+
+ # The second approach for Step 18 is for Windows releases that have not adopted the combined cumulative update
+ # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
+ # update. This second approach is commented out below.
+
+ # Write-Output "$(Get-TS): Adding package $SSU_PATH"
+ # Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
+
+ # Optional: Add language to main OS
+ Write-Output "$(Get-TS): Adding package $OS_LP_PATH"
+ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $OS_LP_PATH -ErrorAction stop | Out-Null
+
+ # Optional: Add a Features on Demand to the image
+ Write-Output "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0"
+ Add-WindowsCapability -Name "Language.Fonts.$LANG_FONT_CAPABILITY~~~und-$LANG_FONT_CAPABILITY~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+ Write-Output "$(Get-TS): Adding language FOD: Language.Basic~~~$LANG~0.0.1.0"
+ Add-WindowsCapability -Name "Language.Basic~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+ Write-Output "$(Get-TS): Adding language FOD: Language.OCR~~~$LANG~0.0.1.0"
+ Add-WindowsCapability -Name "Language.OCR~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+ Write-Output "$(Get-TS): Adding language FOD: Language.Handwriting~~~$LANG~0.0.1.0"
+ Add-WindowsCapability -Name "Language.Handwriting~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+ Write-Output "$(Get-TS): Adding language FOD: Language.TextToSpeech~~~$LANG~0.0.1.0"
+ Add-WindowsCapability -Name "Language.TextToSpeech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+ Write-Output "$(Get-TS): Adding language FOD:Language.Speech~~~$LANG~0.0.1.0"
+ Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+ # Note: If I wanted to enable additional Features on Demand, I'd add these here.
+
+ # Add latest cumulative update
+ Write-Output "$(Get-TS): Adding package $LCU_PATH"
+ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
+
+ # Perform image cleanup
+ Write-Output "$(Get-TS): Performing image cleanup on main OS"
+ DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
+
+ #
+ # Note: If I wanted to enable additional Optional Components, I'd add these here.
+ # In addition, we'll add .NET 3.5 here as well. Both .NET and Optional Components might require
+ # the image to be booted, and thus if we tried to cleanup after installation, it would fail.
+ #
+
+ Write-Output "$(Get-TS): Adding NetFX3~~~~"
+ Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+ # Add .NET Cumulative Update
+ Write-Output "$(Get-TS): Adding package $DOTNET_CU_PATH"
+ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorAction stop | Out-Null
+
+ # Dismount
+ Dismount-WindowsImage -Path $MAIN_OS_MOUNT -Save -ErrorAction stop | Out-Null
+
+ # Export
+ Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim"
+ Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\install.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\install2.wim" -ErrorAction stop | Out-Null
+
}
-# Add font support for the new language
-if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
- Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH"
- Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
-}
-
-# Add TTS support for the new language
-if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
- if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
-
- Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
- Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
-
- Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
- Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
- }
-}
-
-# Add Safe OS
-Write-Output "$(Get-TS): Adding package $SAFE_OS_DU_PATH"
-Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SAFE_OS_DU_PATH -ErrorAction stop | Out-Null
-
-# Perform image cleanup
-Write-Output "$(Get-TS): Performing image cleanup on WinRE"
-DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null
-
-# Dismount
-Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null
-
-# Export
-Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim"
-Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim" -ErrorAction stop | Out-Null
-Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim" -Force -ErrorAction stop | Out-Null
+Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sources\install.wim" -Force -ErrorAction stop | Out-Null
```
### Update WinPE
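Review bot: The two comments `# Add servicing stack update (Step 18 from the table)` and `# The second approach for Step 18 is for Windows releases ...` in the main-OS part of the loop now point at the wrong row: the renumbered table in this same commit puts the install.wim servicing stack step at 9 (18 is now a WinPE step), so both should read `Step 9`. The hunk also regresses text the removed lines had right: `seperately`/`seperate` in the four servicing-stack comments were spelled `separately`/`separate` before, the message `Exporting image to $WORKING_PATH\winre.wim` now names the source while the `-DestinationImagePath` is `winre2.wim`, and `# Get the list of images contained within WinPE` sits above a `Get-WindowsImage` call on `sources\install.wim`, so it should say install.wim. The main-OS `Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null` after the 0x8007007e comment is the only package install in the loop without `-ErrorAction stop`, so a failed combined update on one edition is logged but that edition is still exported; if this is deliberate a one-line comment saying so would help, otherwise add the flag like the sibling calls. The reuse of the serviced winre2.wim for later editions is gated on `if ($IMAGE.ImageIndex -eq "1")`; that is presumably fine for the usual 1..N indexing, but if the first image in install.wim is not index 1 the later `Copy-Item` of winre2.wim fails for every edition, so gating on the first iteration (or a `Test-Path` on winre2.wim) would be more robust.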
@@ -459,103 +563,6 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\boot.wim" -Force -ErrorAction stop | Out-Null
```
-### Update the main operating system
-
-For this next phase, there's no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
-
-Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image.
-
-You can install Optional Components, along with the .NET feature, offline, but that requires the device to be restarted. This is why the script installs .NET and Optional Components after cleanup and before export.
-
-```powershell
-#
-# update Main OS
-#
-
-# Add servicing stack update (Step 18 from the table)
-
-# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
-# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that
-# includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these
-# cases, the servicing stack update is not published separately; the combined cumulative update should be used for this step. However, in hopefully
-# rare cases, there may breaking change in the combined cumulative update format, that requires a standalone servicing stack update to be published,
-# and installed first before the combined cumulative update can be installed.
-
-# This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
-# Write-Output "$(Get-TS): Adding package $SSU_PATH"
-# Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
-
-# Now, attempt the combined cumulative update. Unlike WinRE and WinPE, we don't need to check for error 0x8007007e
-Write-Output "$(Get-TS): Adding package $LCU_PATH"
-Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null
-
-# The second approach for Step 18 is for Windows releases that have not adopted the combined cumulative update
-# but instead continue to have a separate servicing stack update published. In this case, we'll install the SSU
-# update. This second approach is commented out below.
-
-# Write-Output "$(Get-TS): Adding package $SSU_PATH"
-# Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
-
-# Optional: Add language to main OS
-Write-Output "$(Get-TS): Adding package $OS_LP_PATH"
-Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $OS_LP_PATH -ErrorAction stop | Out-Null
-
-# Optional: Add a Features on Demand to the image
-Write-Output "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0"
-Add-WindowsCapability -Name "Language.Fonts.$LANG_FONT_CAPABILITY~~~und-$LANG_FONT_CAPABILITY~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-
-Write-Output "$(Get-TS): Adding language FOD: Language.Basic~~~$LANG~0.0.1.0"
-Add-WindowsCapability -Name "Language.Basic~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-
-Write-Output "$(Get-TS): Adding language FOD: Language.OCR~~~$LANG~0.0.1.0"
-Add-WindowsCapability -Name "Language.OCR~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-
-Write-Output "$(Get-TS): Adding language FOD: Language.Handwriting~~~$LANG~0.0.1.0"
-Add-WindowsCapability -Name "Language.Handwriting~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-
-Write-Output "$(Get-TS): Adding language FOD: Language.TextToSpeech~~~$LANG~0.0.1.0"
-Add-WindowsCapability -Name "Language.TextToSpeech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-
-Write-Output "$(Get-TS): Adding language FOD:Language.Speech~~~$LANG~0.0.1.0"
-Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-
-# Note: If I wanted to enable additional Features on Demand, I'd add these here.
-
-# Add latest cumulative update
-Write-Output "$(Get-TS): Adding package $LCU_PATH"
-Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
-
-# Copy our updated recovery image from earlier into the main OS
-# Note: If I were updating more than 1 edition, I'd want to copy the same recovery image file
-# into each edition to enable single instancing
-Copy-Item -Path $WORKING_PATH"\winre.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -ErrorAction stop | Out-Null
-
-# Perform image cleanup
-Write-Output "$(Get-TS): Performing image cleanup on main OS"
-DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
-
-#
-# Note: If I wanted to enable additional Optional Components, I'd add these here.
-# In addition, we'll add .NET 3.5 here as well. Both .NET and Optional Components might require
-# the image to be booted, and thus if we tried to cleanup after installation, it would fail.
-#
-
-Write-Output "$(Get-TS): Adding NetFX3~~~~"
-Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-
-# Add .NET Cumulative Update
-Write-Output "$(Get-TS): Adding package $DOTNET_CU_PATH"
-Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorAction stop | Out-Null
-
-# Dismount
-Dismount-WindowsImage -Path $MAIN_OS_MOUNT -Save -ErrorAction stop | Out-Null
-
-# Export
-Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim"
-Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\install.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\install2.wim" -ErrorAction stop | Out-Null
-Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sources\install.wim" -Force -ErrorAction stop | Out-Null
-```
-
### Update remaining media files
This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings in updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe and boot manager files using the previously saved versions from WinPE.
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index fd0efc4571..7aa9bf3ff1 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -15,21 +15,22 @@ appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Windows Server
-ms.date: 12/31/2017
+ms.date: 12/08/2023
---
# Servicing stack updates
## What is a servicing stack update?
-Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically doesn't have updates released every month.
+
+Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the component-based servicing stack (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. [CBS](https://techcommunity.microsoft.com/t5/ask-the-performance-team/understanding-component-based-servicing/ba-p/373012) is a small component that typically doesn't have updates released every month.
## Why should servicing stack updates be installed and kept up to date?
-Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
+Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't have the latest servicing stack update installed, there's a risk that your device can't be updated with the latest Microsoft security fixes.
## When are they released?
-Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical."
+Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions, a servicing stack update might need to be released out of band to address an issue impacting systems installing the monthly security update. New servicing stack updates are classified as `Security` with a severity rating of `Critical`.
## What's the difference between a servicing stack update and a cumulative update?
@@ -38,14 +39,14 @@ Both Windows client and Windows Server use the cumulative update mechanism, in w
Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest monthly security update release and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
-Microsoft publishes all cumulative updates and SSUs for Windows 10, version 2004 and later together as one cumulative monthly update to the normal release category in WSUS.
+Microsoft publishes all cumulative updates and servicing stack updates for Windows 10, version 2004 and later together as one cumulative monthly update to the normal release category in Windows Server Update Services (WSUS).
## Is there any special guidance?
-Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update.
-
Typically, the improvements are reliability and performance improvements that don't require any specific special guidance. If there's any significant impact, it will be present in the release notes.
+Most users don't need to install an isolated servicing stack update. In the rare case that you need to install an isolated servicing stack update, Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update.
+
## Installation notes
* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
@@ -56,6 +57,6 @@ Typically, the improvements are reliability and performance improvements that do
## Simplifying on-premises deployment of servicing stack updates
-With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update includes the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you'll only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update is available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382.
+With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update includes the latest servicing stack updates, to provide a single cumulative update payload to both WSUS and the Microsoft Update Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you'll only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update is available on Windows 10, version 2004 and later starting with [KB4601382](https://support.microsoft.com/kb/4601382), released in February of 2021.
diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md
index 840ea3d5a7..05c5f63d80 100644
--- a/windows/deployment/update/waas-branchcache.md
+++ b/windows/deployment/update/waas-branchcache.md
@@ -9,9 +9,8 @@ ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
appliesto:
-- ✅ Windows 11
- ✅ Windows 10
-ms.date: 12/31/2017
+ms.date: 11/16/2023
---
# Configure BranchCache for Windows client updates
@@ -33,7 +32,10 @@ For detailed information about how Distributed Cache mode and Hosted Cache mode
Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](/previous-versions/windows/it-pro/windows-7/dd637820(v=ws.10)) in the [BranchCache Early Adopter's Guide](/previous-versions/windows/it-pro/windows-7/dd637762(v=ws.10)).
-In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
+In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization **Download mode** to '100' (Bypass) to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
+
+> [!Note]
+> Setting [Download mode](../do/waas-delivery-optimization-reference.md#download-mode) to '100' (Bypass) is only available in Windows 10, version 1607 and later, not in Windows 11. BranchCache isn't supported for Windows 11.
## Configure servers for BranchCache
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 6af6c31910..2a1baa5255 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -16,7 +16,7 @@ appliesto:
- ✅ Windows Server 2022
- ✅ Windows Server 2019
- ✅ Windows Server 2016
-ms.date: 08/22/2023
+ms.date: 11/30/2023
---
# Configure Windows Update for Business
@@ -210,7 +210,7 @@ Starting with Windows 10, version 1607, you can selectively opt out of receiving
| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
## Enable optional updates
-
+
In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using the **Enable optional updates** policy.
To keep the timing of updates consistent, the **Enable optional updates** policy respects the [deferral period for quality updates](#configure-when-devices-receive-quality-updates). This policy allows you to choose if devices should receive CFRs in addition to the optional nonsecurity preview releases, or if the end-user can make the decision to install optional updates. This policy can change the behavior of the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**.
@@ -243,8 +243,8 @@ The following options are available for the policy:
| Policy | Sets registry key under HKLM\Software |
| --- | --- |
-| GPO for Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > **Enable optional updates**| \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
-| MDM for Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later: ./Device/Vendor/MSFT/Policy/Config/Update/**[AllowOptionalContent](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalcontent)** | \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
+| **GPO applies to**:
**GPO location**: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > **Enable optional updates**| \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
+| **MDM applies to**:
**MDM location**: ./Device/Vendor/MSFT/Policy/Config/Update/**[AllowOptionalContent](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalcontent)** | \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
## Enable features that are behind temporary enterprise feature control
@@ -269,7 +269,7 @@ The following are quick-reference tables of the supported policy values for Wind
| GPO Key | Key type | Value |
| --- | --- | --- |
-| AllowOptionalContent *Added in Windows 11, version 22H2*| REG_DWORD | 1: Automatically receive optional updates (including CFRs) 2: Automatically receive optional updates 3: Users can select which optional updates to receive Other value or absent: Don't receive optional updates|
+| AllowOptionalContent *Added in*:
| REG_DWORD | 1: Automatically receive optional updates (including CFRs) 2: Automatically receive optional updates 3: Users can select which optional updates to receive Other value or absent: Don't receive optional updates|
| AllowTemporaryEnterpriseFeatureControl *Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled. Other value or absent: Features that are shipped turned off by default will remain off |
| BranchReadinessLevel | REG_DWORD | 2: Systems take feature updates for the Windows Insider build - Fast 4: Systems take feature updates for the Windows Insider build - Slow 8: Systems take feature updates for the Release Windows Insider build Other value or absent: Receive all applicable updates |
| DeferFeatureUpdates | REG_DWORD | 1: Defer feature updatesOther value or absent: Don't defer feature updates |
@@ -285,7 +285,7 @@ The following are quick-reference tables of the supported policy values for Wind
| MDM Key | Key type | Value |
| --- | --- | --- |
-| AllowOptionalContent *Added in Windows 11, version 22H2*| REG_DWORD | 1: Automatically receive optional updates (including CFRs) 2: Automatically receive optional updates 3: Users can select which optional updates to receive Other value or absent: Don't receive optional updates|
+| AllowOptionalContent *Added in*:
| REG_DWORD | 1: Automatically receive optional updates (including CFRs) 2: Automatically receive optional updates 3: Users can select which optional updates to receive Other value or absent: Don't receive optional updates|
| AllowTemporaryEnterpriseFeatureControl *Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled. Other value or absent: Features that are shipped turned off by default will remain off |
| BranchReadinessLevel | REG_DWORD |2: Systems take feature updates for the Windows Insider build - Fast 4: Systems take feature updates for the Windows Insider build - Slow 8: Systems take feature updates for the Release Windows Insider build 32: Systems take feature updates from General Availability Channel Note: Other value or absent: Receive all applicable updates |
| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: Defer feature updates by given days |
diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md
index e65bab8900..cc945db4c2 100644
--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 10/10/2023
+ms.date: 11/30/2023
---
# Walkthrough: Use CSPs and MDMs to configure Windows Update for Business
@@ -47,19 +47,19 @@ Drivers are automatically enabled because they're beneficial to device systems.
### Set when devices receive feature and quality updates
-#### I want to receive pre-release versions of the next feature update
+#### I want to receive prerelease versions of the next feature update
-1. Ensure that you're enrolled in the Windows Insider Program for Business. This is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates.
+1. Ensure that you're enrolled in the Windows Insider Program for Business. Windows Insider is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates.
-1. For any of test devices you want to install pre-release builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set this to **Enable preview builds**.
+1. For any of test devices you want to install prerelease builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set the option to **Enable preview builds**.
-1. Use [Update/BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using pre-release builds for validation.
+1. Use [Update/BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using prerelease builds for validation.
-1. Additionally, you can defer pre-release feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you're testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This ensures that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests.
+1. Additionally, you can defer prerelease feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you're testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This schedule helps ensure that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests.
#### I want to manage which released feature update my devices receive
-A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you won't receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
+A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you don't receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
- To defer a feature update: [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays)
- To pause a feature update: [Update/PauseFeatureUpdatesStartTime](/windows/client-management/mdm/policy-csp-update#update-pausefeatureupdatesstarttime)
@@ -72,7 +72,7 @@ In this example, there are three rings for quality updates. The first ring ("pil

-When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates.
+When the quality update is released, it's offered to devices in the pilot ring the next time they scan for updates.
##### Five days later
The devices in the fast ring are offered the quality update the next time they scan for updates.
@@ -80,11 +80,11 @@ The devices in the fast ring are offered the quality update the next time they s

##### Ten days later
-Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates.
+Ten days after the quality update is released, it's offered to the devices in the slow ring the next time they scan for updates.

-If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves.
+If no problems occur, all of the devices that scan for updates are offered the quality update within ten days of its release, in three waves.
##### What if a problem occurs with the update?
@@ -109,13 +109,13 @@ If you need a device to stay on a version beyond the point when deferrals on the
#### I want to manage when devices download, install, and restart after updates
-We recommended that you allow to update automatically--this is the default behavior. If you don't set an automatic update policy, the device will attempt to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours and smart busy check.
+We recommended that you allow to update automatically, which is the default behavior. If you don't set an automatic update policy, the device attempts to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours and smart busy check.
For more granular control, you can set the maximum period of active hours the user can set with [Update/ActiveHoursMaxRange](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange). You could also set specific start and end times for active ours with [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) and [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart).
-It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates are not disabled and provides a better experience when users can set their own active hours.
+It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates aren't disabled and provides a better experience when users can set their own active hours.
-To update outside of the active hours, use [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) with Option 2 (which is the default setting). For even more granular control, consider using automatic updates to schedule the install time, day, or week. To do this, use Option 3, and then set the following policies as appropriate for your plan:
+To update outside of the active hours, use [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) with Option 2 (which is the default setting). For even more granular control, consider using automatic updates to schedule the install time, day, or week. To use a schedule, use Option 3, and then set the following policies as appropriate for your plan:
- [Update/ScheduledInstallDay](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)
- [Update/ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek)
@@ -132,7 +132,7 @@ If you don't want to allow any automatic updates prior to the deadline, set [Upd
#### I want to keep devices secure and compliant with update deadlines
-We recommend that you use set specific deadlines for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. This works by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart. Use these settings:
+We recommend that you use set specific deadlines for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. Deadlines work by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart. Use these settings:
- [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates ](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforqualityupdates)
@@ -140,7 +140,7 @@ We recommend that you use set specific deadlines for feature and quality updates
- [Update/ConfigureDeadlineGracePeriodForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates)
- [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinenoautoreboot)
-These policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours.
+These policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point, the device automatically schedules a restart regardless of active hours.
These notifications are what the user sees depending on the settings you choose:
@@ -172,7 +172,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
There are additional settings that affect the notifications.
-We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values:
+We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values:
**0** (default) - Use the default Windows Update notifications
**1** - Turn off all notifications, excluding restart warnings
@@ -181,14 +181,14 @@ We recommend that you use the default notifications as they aim to provide the b
> [!NOTE]
> Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled.
-Still more options are available in [Update/ScheduleRestartWarning](/windows/client-management/mdm/policy-csp-update#update-schedulerestartwarning). This setting allows you to specify the period for auto-restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update. You can also specify the period for auto-restart imminent warning notifications with [Update/ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-csp-update#update-scheduleimminentrestartwarning) (15-60 minutes is the default). We recommend using the default notifications.
+Still more options are available in [Update/ScheduleRestartWarning](/windows/client-management/mdm/policy-csp-update#update-schedulerestartwarning). This setting allows you to specify the period for auto restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update. You can also specify the period for auto restart imminent warning notifications with [Update/ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-csp-update#update-scheduleimminentrestartwarning) (15-60 minutes is the default). We recommend using the default notifications.
#### I want to manage the update settings a user can access
-Every Windows device provides users with a variety of controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users.
+Every Windows device provides users with various controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users.
Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using [Update/SetDisablePauseUXAccess](/windows/client-management/mdm/policy-csp-update#update-setdisablepauseuxaccess).
-When you disable this setting, users will see **Some settings are managed by your organization** and the update pause settings are greyed out.
+When you disable this setting, users see **Some settings are managed by your organization** and the update pause settings are greyed out.
If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use [Update/SetDisableUXWUAccess](/windows/client-management/mdm/policy-csp-update#update-setdisableuxwuaccess).
@@ -205,3 +205,11 @@ The features that are turned off by default from servicing updates will be enabl
- **0** (default): Allowed. All features in the latest monthly cumulative update are enabled.
- When the policy is set to **0**, all features that are currently turned off will turn on when the device next reboots
- **1** - Not allowed. Features that are shipped turned off by default will remain off
+
+#### I want to enable optional updates
+
+*Applies to:*
+- Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later
+- Windows 10, version 22H2 with [KB5032278](https://support.microsoft.com/help/5032278), or a later cumulative update installed
+
+In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using [AllowOptionalContent](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalcontent). For more information about optional content, see [Enable optional updates](waas-configure-wufb.md#enable-optional-updates).
\ No newline at end of file
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 372a36d6df..22c937a71a 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -17,7 +17,7 @@ appliesto:
- ✅ Windows Server 2022
- ✅ Windows Server 2019
- ✅ Windows Server 2016
-ms.date: 10/10/2023
+ms.date: 11/30/2023
---
# Walkthrough: Use Group Policy to configure Windows Update for Business
@@ -202,7 +202,9 @@ If you use Windows Server Update Server (WSUS), you can prevent users from scann
#### I want to enable optional updates
-(*Starting in Windows 11, version 22H2 or later*)
+*Applies to:*
+- Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later
+- Windows 10, version 22H2 with [KB5032278](https://support.microsoft.com/help/5032278), or a later cumulative update installed
In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using the **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > Enable optional updates** policy.
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
index 2279f4318c..b75a881dc0 100644
--- a/windows/deployment/update/windows-update-logs.md
+++ b/windows/deployment/update/windows-update-logs.md
@@ -13,7 +13,7 @@ ms.collection:
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 12/31/2017
+ms.date: 12/08/2023
---
# Windows Update log files
@@ -24,18 +24,20 @@ The following table describes the log files created by Windows Update.
|Log file|Location|Description|When to use |
|-|-|-|-|
-|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update, you can use the information that is included in the Windowsupdate.log log file to troubleshoot the issue.|
-|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these .etl files.|When you see that the updates are available but download is not getting triggered.
When Updates are downloaded but installation is not triggered.
When Updates are installed but reboot is not triggered. |
+|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update, you can use the information included in the Windowsupdate.log log file to troubleshoot the issue.|
+|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator Service is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these .etl files.|
|
|NotificationUxBroker.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the notification toast or the banner is triggered by NotificationUxBroker.exe. |When you want to check whether the notification was triggered or not. |
|CBS.log|%systemroot%\Logs\CBS|This log provides insight on the update installation part in the servicing stack.|To troubleshoot the issues related to Windows Update installation.|
-## Generating WindowsUpdate.log
+## Generating WindowsUpdate.log
+
To merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](/powershell/module/windowsupdate/get-windowsupdatelog?preserve-view=tru&view=win10-ps).
>[!NOTE]
>When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpdate.log unless you run **Get-WindowsUpdateLog** again.
-### Windows Update log components
+## Windows Update log components
+
The Windows Update engine has different component names. The following are some of the most common components that appear in the WindowsUpdate.log file:
- AGENT- Windows Update agent
@@ -54,7 +56,7 @@ The Windows Update engine has different component names. The following are some
- PT- Synchronizes updates information to the local datastore
- REPORT- Collects reporting information
- SERVICE- Startup/shutdown of the Automatic Updates service
-- SETUP- Installs new versions of the Windows Update client when it is available
+- SETUP- Installs new versions of the Windows Update client when it's available
- SHUTDWN- Install at shutdown feature
- WUREDIR- The Windows Update redirector files
- WUWEB- The Windows Update ActiveX control
@@ -68,7 +70,7 @@ The Windows Update engine has different component names. The following are some
>[!NOTE]
>Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what's important.
-### Windows Update log structure
+## Windows Update log structure
The Windows update log structure is separated into four main identities:
- Time Stamps
@@ -82,7 +84,7 @@ The Windows update log structure is separated into four main identities:
The WindowsUpdate.log structure is discussed in the following sections.
-#### Time stamps
+### Time stamps
The time stamp indicates the time at which the logging occurs.
- Messages are usually in chronological order, but there may be exceptions.
- A pause during a sync can indicate a network problem, even if the scan succeeds.
@@ -90,15 +92,15 @@ The time stamp indicates the time at which the logging occurs.

-#### Process ID and thread ID
+### Process ID and thread ID
The Process IDs and Thread IDs are random, and they can vary from log to log and even from service session to service session within the same log.
-- The first four hex digits are the process ID.
-- The next four hex digits are the thread ID.
+- The first four digits, in hex, are the process ID.
+- The next four digits, in hex, are the thread ID.
- Each component, such as the USO, Windows Update engine, COM API callers, and Windows Update installer handlers, has its own process ID.

-#### Component name
+### Component name
Search for and identify the components that are associated with the IDs. Different parts of the Windows Update engine have different component names. Some of them are as follows:
- ProtocolTalker - Client-server sync
@@ -111,31 +113,36 @@ Search for and identify the components that are associated with the IDs. Differe

-#### Update identifiers
+### Update identifiers
+
+The following items are update identifiers:
+
+#### Update ID and revision number
-##### Update ID and revision number
There are different identifiers for the same update in different contexts. It's important to know the identifier schemes.
-- Update ID: A GUID (indicated in the previous screenshot) that's assigned to a given update at publication time
+- Update ID: A GUID (indicated in the previous screenshot) assigned to a given update at publication time
- Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service
- Revision numbers are reused from one update to another (not a unique identifier).
- The update ID and revision number are often shown together as "{GUID}.revision."

-##### Revision ID
-- A Revision ID (don't confuse this value with "revision number") is a serial number that's issued when an update is initially published or revised on a given service.
-- An existing update that's revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a new revision ID that is not related to the previous ID.
+#### Revision ID
+
+- A Revision ID (don't confuse this value with "revision number") is a serial number issued when an update is initially published or revised on a given service.
+- An existing update that is revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a new revision ID that isn't related to the previous ID.
- Revision IDs are unique on a given update source, but not across multiple sources.
- The same update revision might have different revision IDs on Windows Update and WSUS.
- The same revision ID might represent different updates on Windows Update and WSUS.
-##### Local ID
-- Local ID is a serial number issued when an update is received from a service by a given Windows Update client
+#### Local ID
+
+- Local ID is a serial number issued by a given Windows Update client when an update is received from a service.
- Typically seen in debug logs, especially involving the local cache for update info (Datastore)
-- Different client PCs will assign different Local IDs to the same update
+- Different client PCs assign different Local IDs to the same update
- You can find the local IDs that a client is using by getting the client's %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file
-##### Inconsistent terminology
+#### Inconsistent terminology
- Sometimes the logs use terms inconsistently. For example, the InstalledNonLeafUpdateIDs list actually contains revision IDs, not update IDs.
- Recognize IDs by form and context:
diff --git a/windows/deployment/update/wufb-reports-configuration-manual.md b/windows/deployment/update/wufb-reports-configuration-manual.md
index 3f3c8c7937..7c76c5ad32 100644
--- a/windows/deployment/update/wufb-reports-configuration-manual.md
+++ b/windows/deployment/update/wufb-reports-configuration-manual.md
@@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business reports
description: How to manually configure devices for Windows Update for Business reports using a PowerShell script.
ms.prod: windows-client
ms.technology: itpro-updates
-ms.topic: conceptual
+ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz
@@ -12,61 +12,60 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 11/15/2022
+ms.date: 12/15/2023
---
-# Manually configuring devices for Windows Update for Business reports
+# Manually configure devices for Windows Update for Business reports
-There are a number of requirements to consider when manually configuring devices for Windows Update for Business reports. These requirements can potentially change with newer versions of Windows client. The [Windows Update for Business reports configuration script](wufb-reports-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.
+There are many requirements to consider when manually configuring devices for Windows Update for Business reports. These requirements can potentially change with later versions of Windows client. When any configuration requirements change, we'll update the [Windows Update for Business reports configuration script](wufb-reports-configuration-script.md). If that happens, you only need to redeploy the script.
The requirements are separated into different categories:
1. Ensuring the [**required policies**](#required-policies) for Windows Update for Business reports are correctly configured.
2. Devices in every network topography must send data to the [**required endpoints**](#required-endpoints) for Windows Update for Business reports. For example, devices in both main and satellite offices, which might have different network configurations, must be able to reach the endpoints.
-3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. It's recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality.
-
+3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. For proper functionality, leave Windows services set to their out-of-box default configurations.
## Required policies
-Windows Update for Business reports has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Windows Update for Business reports. Thee policies are listed below, separated by whether the policies will be configured via [Mobile Device Management](/windows/client-management/mdm/) (MDM) or Group Policy. For both tables:
+The Windows Update for Business reports service has several policies that you need to configure appropriately. These policies allow Microsoft to process your devices and show them in Windows Update for Business reports. The policies are listed in the following subsections, separated by [mobile device management](/windows/client-management/mdm/) (MDM) or group policy.
-- **Policy** corresponds to the location and name of the policy.
-- **Value** Indicates what value the policy must be set to. Windows Update for Business reports requires *at least* Basic (or Required) diagnostic data, but can function off Enhanced or Full (or Optional).
-- **Function** details why the policy is required and what function it serves for Windows Update for Business reports. It will also detail a minimum version the policy is required, if any.
+The following definitions apply for both tables:
-### Mobile Device Management policies
+- **Policy**: The location and name of the policy.
+- **Value**: Set the policy to this value. Windows Update for Business reports requires at least *Required* (previously *Basic*) diagnostic data, but can function with *Enhanced* or *Optional* (previously *Full*).
+- **Function**: Details for why the policy is required and what function it serves for Windows Update for Business reports. It also details a minimum version the policy requires, if any.
-Each MDM Policy links to its documentation in the configuration service provider (CSP) hierarchy, providing its exact location in the hierarchy and more details.
+### MDM policies
-| Policy | Data type | Value | Function | Required or recommended|
+Each MDM policy links to more detailed documentation in the configuration service provider (CSP) hierarchy.
+
+| Policy | Data type | Value | Function | Required or recommended |
|---|---|---|---|---|
-|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. | Required |
-|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | Recommended |
-|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name won't be sent and won't be visible in Windows Update for Business reports, showing `#` instead. | Recommended |
-| **System/**[**ConfigureTelemetryOptInChangeNotification**](/windows/client-management/mdm/policy-csp-system#configuretelemetryoptinchangenotification) | Integer | 1 - Disabled | Disables user notifications that appear for changes to the diagnostic data level. | Recommended |
+| **System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#allowtelemetry) | Integer | `1`: Basic (Required) | Configures the device to send the minimum required diagnostic data. | Required |
+| **System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#configuretelemetryoptinsettingsux) | Integer | `1`: Disable diagnostic data opt-in settings | Determines whether users of the device can adjust diagnostic data to levels lower than you define by the *AllowTelemetry* policy. Set the recommended value to disable opt-in settings, or users can change the effective diagnostic data level that might not be sufficient. | Recommended |
+| **System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#allowdevicenameindiagnosticdata) | Integer | `1`: Allowed | Allows the device to send its name with Windows diagnostic data. If you don't configure this policy or set it to `0`: Disabled, then the data doesn't include the device name. If the data doesn't include the device name, you can't see the device in Windows Update for Business reports. In this instance, the reports show `#` instead. | Recommended |
+| **System/**[**ConfigureTelemetryOptInChangeNotification**](/windows/client-management/mdm/policy-csp-system#configuretelemetryoptinchangenotification) | Integer | `1`: Disabled | Disables user notifications that appear for changes to the diagnostic data level. | Recommended |
### Group policies
-All Group policies that need to be configured for Windows Update for Business reports are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below.
+All group policies that you need to configure for Windows Update for Business reports are under the following path: **Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value*.
| Policy | Value | Function | Required or recommended|
|---|---|---|---|
-|**Allow Diagnostic Data** | Send required diagnostic data (minimum) | Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the **Configure diagnostic data opt-in setting user interface**. | Required |
-|**Configure diagnostic data opt-in setting user interface** | Disable diagnostic data opt in settings | Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy, otherwise the effective diagnostic data level on devices might not be sufficient. | Recommended |
-|**Allow device name to be sent in Windows diagnostic data** | Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name won't be sent and won't be visible in Windows Update for Business reports, showing `#` instead. | Recommended |
-|**Configure diagnostic data opt-in change notifications** | Disable diagnostic data change notifications | Disables user notifications that appear for changes to the diagnostic data level. | Recommended |
+| **Allow Diagnostic Data** | Send required diagnostic data | Configures the device to send the minimum required diagnostic data. | Required |
+| **Configure diagnostic data opt-in setting user interface** | Disable diagnostic data opt-in settings | Determines whether users of the device can adjust diagnostic data to levels lower than you define by the *Allow Diagnostic Data* policy. Set the recommended value to disable opt-in settings, or users can change the effective diagnostic data level that might not be sufficient. | Recommended |
+| **Allow device name to be sent in Windows diagnostic data** | Enabled | Allows the device to send its name with Windows diagnostic data. If you don't configure this policy or set it to *Disabled*, then the data doesn't include the device name. If the data doesn't include the device name, you can't see the device in Windows Update for Business reports. In this instance, the reports show `#` instead. | Recommended |
+| **Configure diagnostic data opt-in change notifications** | Disable diagnostic data change notifications | Disables user notifications that appear for changes to the diagnostic data level. | Recommended |
## Required endpoints
-To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to allow devices to contact the below endpoints.
-
[!INCLUDE [Endpoints for Windows Update for Business reports](./includes/wufb-reports-endpoints.md)]
## Required services
-Many Windows and Microsoft services are required to ensure that not only the device can function, but Windows Update for Business reports can see device data. It's recommended that you allow all default services from the out-of-box experience to remain running. The [Windows Update for Business reports Configuration Script](wufb-reports-configuration-script.md) checks whether the majority of these services are running or are allowed to run automatically.
+Many Windows services are required for Windows Update for Business reports to see device data. Allow all default services from the out-of-box experience to remain running. Use the [Windows Update for Business reports configuration script](wufb-reports-configuration-script.md) to check whether required services are running or are allowed to run automatically.
## Next steps
diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md
index 3b3527ba45..c81cd3c96b 100644
--- a/windows/deployment/update/wufb-reports-prerequisites.md
+++ b/windows/deployment/update/wufb-reports-prerequisites.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 08/30/2023
+ms.date: 12/15/2023
---
# Windows Update for Business reports prerequisites
@@ -22,12 +22,12 @@ Before you begin the process of adding Windows Update for Business reports to yo
## Azure and Microsoft Entra ID
-- An Azure subscription with [Microsoft Entra ID](/azure/active-directory/)
+- An Azure subscription with [Microsoft Entra ID](/azure/active-directory/).
- Devices must be Microsoft Entra joined and meet the below OS, diagnostic, and endpoint access requirements.
- Devices can be [Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join) or [Microsoft Entra hybrid joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
-- Devices that are [Microsoft Entra registered](/azure/active-directory/devices/concept-azure-ad-register) only (Workplace joined) aren't supported with Windows Update for Business reports.
-- The Log Analytics workspace must be in a [supported region](#log-analytics-regions)
-- Data in the **Driver update** tab of the [workbook](wufb-reports-workbook.md) is only available for devices that receive driver and firmware updates from the [Windows Update for Business deployment service](deployment-service-overview.md)
+- Devices that are [Microsoft Entra registered](/azure/active-directory/devices/concept-azure-ad-register) only (workplace joined) aren't supported with Windows Update for Business reports.
+- The Log Analytics workspace must be in a [supported region](#log-analytics-regions).
+- Data in the **Driver update** tab of the [workbook](wufb-reports-workbook.md) is only available for devices that receive driver and firmware updates from the [Windows Update for Business deployment service](deployment-service-overview.md).
## Permissions
@@ -38,7 +38,7 @@ Before you begin the process of adding Windows Update for Business reports to yo
- Windows 11 Professional, Education, Enterprise, and [Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq) editions
- Windows 10 Professional, Education, Enterprise, and [Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq) editions
-Windows Update for Business reports only provides data for the standard Desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions.
+Windows Update for Business reports only provides data for the standard desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions.
## Windows client servicing channels
@@ -49,27 +49,25 @@ Windows Update for Business reports supports Windows client devices on the follo
### Windows operating system updates
-- For [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data), installing the January 2023 release preview cumulative update, or a later equivalent update, is recommended
+For [changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data), installing the January 2023 release preview cumulative update, or a later equivalent update, is recommended.
## Diagnostic data requirements
-At minimum, Windows Update for Business reports requires devices to send diagnostic data at the *Required* level (previously *Basic*). For more information about what's included in different diagnostic levels, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization).
+At minimum, Windows Update for Business reports requires devices to send diagnostic data at the *Required* level (previously *Basic*). For more information about what data each diagnostic level includes, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization).
The following levels are recommended, but not required:
-- The *Enhanced* level for Windows 10 devices
-- The *Optional* level for Windows 11 devices (previously *Full*)
-Device names don't appear in Windows Update for Business reports unless you individually opt-in devices by using a policy. The configuration script does this for you, but when using other client configuration methods, set one of the following to display device names:
+- The *Enhanced* level for Windows 10 devices.
+- The *Optional* level for Windows 11 devices (previously *Full*).
-
- - CSP: System/[AllowDeviceNameInDiagnosticData](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata)
- - Group Policy: **Allow device name to be sent in Windows diagnostic data** under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds**
+Device names don't appear in Windows Update for Business reports unless you individually opt in devices by using a policy. The configuration script does this action for you, but when using other client configuration methods, set one of the following policies to display device names:
+- CSP: System/[AllowDeviceNameInDiagnosticData](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata)
+- Group Policy: **Allow device name to be sent in Windows diagnostic data** under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds**
> [!TIP]
> Windows Update for Business reports uses [services configuration](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-svccfg), also called OneSettings. Disabling the services configuration can cause some of the client data to be incorrect or missing in reports. For more information, see the [DisableOneSettingsDownloads](/windows/client-management/mdm/policy-csp-system#disableonesettingsdownloads) policy settings.
-
Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. For more information about data handling and privacy for Windows diagnostic data, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization) and [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data).
## Endpoints
diff --git a/windows/deployment/update/wufb-reports-schema-enumerated-types.md b/windows/deployment/update/wufb-reports-schema-enumerated-types.md
new file mode 100644
index 0000000000..af84c4b582
--- /dev/null
+++ b/windows/deployment/update/wufb-reports-schema-enumerated-types.md
@@ -0,0 +1,280 @@
+---
+title: Enumerated types
+titleSuffix: Windows Update for Business reports
+description: Enumerated types for Windows Update for Business reports.
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
+author: mestew
+ms.author: mstewart
+manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+ms.date: 12/06/2023
+---
+
+# Enumerated types for Windows Update for Business reports
+
+The following enumerated types are used in Windows Update for Business reports:
+
+## OSEdition
+
+SKU of Windows the device is running.
+
+|Value | Description |
+|---|---|
+| **Enterprise** | Windows Enterprise |
+| **Professional** | Windows Professional |
+| **ProfessionalWorkstation** | Windows Professional workstation |
+| **ProfessionalN** | Similar to Windows Professional edition but doesn't include Windows media player. |
+| **Education** | Windows Education |
+
+## OSArchitecture
+
+Architecture of the OS running on the client.
+
+|Value | Description |
+|---|---|
+| **amd64** | OS is 64-bit |
+| **x86** | OS is 32-bit |
+| **Unknown** | The OS architecture is unknown |
+
+## OSFeatureUpdateStatus
+
+Feature updates status
+
+|Value | Description |
+|---|---|
+| **Unknown** | Default, sent if client data unavailable. |
+| **InService** | Client is on a version of Windows 10 that is serviced. |
+| **EndOfService** | Client is on a version of Windows 10 that is no longer serviced. |
+
+## OSQualityUpdateStatus
+
+Quality updates status
+
+|Value | Description |
+|---|---|
+| **Latest** | Client is on the latest quality update |
+| **NotLatest** | Client isn't on the latest quality update |
+
+## OSSecurityUpdateStatus
+
+Security updates status
+
+|Value | Description |
+|---|---|
+| **Latest** | Client is on the latest security update |
+| **NotLatest** | Client isn't on the latest security update |
+| **MultipleSecurityUpdatesMissing** | Client is missing multiple security updates |
+
+## OSFeatureUpdateComplianceStatus, OSSecurityUpdateComplianceStatus, OSQualityUpdateComplianceStatus
+
+Compliance status
+
+|Value | Description |
+|---|---|
+| **Compliant** | The latest deployment from the Windows Update for Business deployment service is installed on the client |
+| **NotCompliant** | The latest deployment from the Windows Update for Business deployment service isn't installed on the client|
+| **NotApplicable** | Client isn't part of any Windows Update for Business deployment service deployments |
+
+## OSServicingChannel
+
+Servicing channel of client
+
+|Value | Description |
+|---|---|
+| **Unknown** | Default, release branch can't be defined. |
+| **SAC** | Semi-annual release channel |
+| **LTSC** | Long-term servicing channel |
+| **WIP-S** | Windows Insider Preview - Slow ring |
+| **WIP-F**| Windows Insider Preview - Fast ring |
+| **Internal** | An identifiable, but internal release ring |
+
+## ServiceState
+
+High-level service state OSServicingChannel
+
+|Value | Description |
+|---|---|
+| **Pending** | Windows Update for Business deployment service isn't targeting this update to this device because the update isn't ready. |
+| **Offering** | Service is offering the update to the device. The update is available for the device to get if it scans Windows Update. |
+| **OnHold** | Service is holding off on offering update to the device indefinitely. Until either the service or admin changes some condition, devices remain in this state. |
+| **Canceled** | Service canceled offering update to the device, and the device is confirmed to not be installing the update. |
+
+## ServiceSubstate
+
+Lower-level service state
+
+| Value | ServiceState |
+|---|---|
+| **Validation** | Update can't be offered to the device because a validation issue with the device and deployment service. |
+| **Scheduled** | Update isn't ready to be offered to the device, but is scheduled for offering at a later date. |
+| **OfferReady** | Update is currently being offered to the device from Windows Update. |
+| **RemovedFromDeployment** | Update offering was canceled because it was removed from the deployment because of an explicit administrator action. |
+| **AdminCancelled** | Update offering was canceled because of an explicit administrator action. |
+| **ServiceCancelled** | Update offering was canceled because of an automatic action by the deployment service. |
+| **AdminPaused** | Update is on hold because the deployment was paused with an explicit administrator action. |
+| **ServicePaused** | Update is on hold because of an automatic action by the deployment service. |
+| **SafeguardHold** | Update isn't offered because an existing safeguard hold on the device. |
+
+## ClientState
+
+High-level client state
+
+|Value | Description |
+|---|---|
+| **Unknown** | Default value, if ClientSubstate is unknown (in other words, no client data) |
+| **Offering** | Update is being offered to device |
+| **Installing** | Update is in progress on device |
+| **Uninstalling** | Update is being uninstalled from device |
+| **Installed** | Update has been installed to device |
+| **Uninstalled** | Update has been uninstalled from device |
+| **Canceled** | Update has been canceled from device |
+| **OnHold** | Update has been on Hold |
+
+## ClientSubstate
+
+Lower-level client state
+
+|Value | Description |
+|---|---|
+| **Unknown** | Default value, if ClientSubstate is unknown (in other words, no client data) |
+| **Offering** | Update is being offered to device |
+| **Installing** | Update is in progress on device |
+| **Uninstalling** | Update is being uninstalled from device |
+| **Installed** | Update has been installed to device |
+| **Uninstalled** | Update has been uninstalled from device |
+| **Canceled** | Update has been canceled from device |
+| **OnHold** | Update has been on Hold |
+
+## UpdateCategory
+
+Type of update.
+
+|Value | Description |
+|---|---|
+| **WindowsQualityUpdate** | Windows feature update |
+| **WindowsFeatureUpdate** | Windows quality update |
+| **DriverUpdate** | Driver update |
+
+## UpdateClassification
+
+Whether this update is an upgrade, security, nonsecurity, or driver
+
+|Value | Description |
+|---|---|
+| **Security** | Update is a quality update containing security fixes |
+| **NonSecurity** | Update is a quality update not containing security fixes |
+| **Upgrade** | Update is a feature update |
+
+## UpdateSource
+
+Source of the update
+
+|Value | Description |
+|---|---|
+| **Inferred** | |
+| **MuV6** | Update through old Windows Update, or via WSUS (uses old protocol) |
+| **UUP** | Update through modern Windows Update |
+
+## ReadinessStatus
+
+Whether the device is capable of taking target OS and version.
+
+|Value | Description |
+|---|---|
+| **Capable** | The device meets all requirements to upgrade to Windows 11. |
+| **Not Capable** | The device doesn't meet the requirements to upgrade to Windows 11. Check Readiness Reason for the reason. |
+| **Unknown** | Microsoft doesn't have enough data points to determine the eligibility status. |
+
+## ReadinessReason
+
+Reason why the device isn't capable of updating to target OS and version.
+
+|Value | Description |
+|---|---|
+| **tpm** | [Trusted Platform Module](/windows/security/hardware-security/tpm/trusted-platform-module-overview) (TPM) version 2.0 is required. If your device doesn't meet the minimum requirements because of TPM, see [Enable TPM 2.0 on your PC](https://support.microsoft.com/windows/enable-tpm-2-0-on-your-pc-1fd5a332-360d-4f46-a1e7-ae6b0c90645c) to see if there are any remediation steps you can take. |
+| **cpufms** | CPU not supported. For more information, see [Windows Processor Requirements](/windows-hardware/design/minimum/windows-processor-requirements) |
+| **sysdrivesize** | 64 GB or larger storage device required. If your PC doesn't have a large enough storage drive, sometimes there are options for upgrading the drive. Consult your PC manufacturer's website or with a retailer to see if there are options to meet the minimum requirements for Windows 11. |
+| **UefiSecureBoot** | UEFI (Unified Extensible Firmware Interface) and Secure Boot capability. If your device doesn't meet the minimum requirements because it's not Secure Boot capable. For more information, see [Windows 11 and Secure Boot](https://support.microsoft.com/topic/a8ff1202-c0d9-42f5-940f-843abef64fad) to see if you're able to enable Secure Boot. Secure Boot can only be enabled with UEFI. |
+
+
+## AlertType
+
+Type of alert.
+
+|Value | Description |
+|---|---|
+| **ServiceUpdateAlert** | Alert is relevant to Windows Update for Business deployment service's offering of the content to the client. |
+| **ClientUpdateAlert** | Alert is relevant to client's ability to progress through the installation of the update content. |
+| **ServiceDeviceAlert** | Alert is relevant to device's status within Windows Update for Business deployment service |
+| **ClientDeviceAlert** | Alert is relevant to device's state |
+| **DeploymentAlert** | Alert is relevant to an entire deployment, or a significant number of devices in the deployment. |
+
+## AlertSubtype
+
+Subtype of alert.
+
+| Value | Description |
+|---|---|
+| **CancelledByUser** | The user canceled the update. |
+| **CertificateIssue** | An expired certificate was encountered. |
+| **DamagedMedia** | The update file appears to be damaged. |
+| **DeviceRegistrationInvalidAzureADJoin** | Device isn't able to register or authenticate properly with the deployment service due to not being device-level Entra ID joined. Devices that are workplace-joined aren't compatible with the deployment service. |
+| **DiskFull** | An operation couldn't be completed because the disk is full. |
+| **DiskIssue** | Windows Update has found disk corruption. |
+| **DownloadCancelled** | The download was canceled. |
+| **DownloadCredentialsIssue** | A proxy server or firewall on your network might require credentials. |
+| **DownloadIssue** | There was a download issue. |
+| **DownloadIssueServiceDisabled** | The service the download depends on is disabled. |
+| **DownloadTimeout** | A timeout occurred. |
+| **EndOfService** | Client OS is no longer being serviced |
+| **EndOfServiceApproaching** | Client OS servicing period completes in less than 60 days |
+| **FileNotFound** | The installer couldn't find a Windows component that it needs. |
+| **InstallAccessDenied** | Access denied. |
+| **InstallCancelled** | Install canceled. |
+| **InstallFileLocked** | Couldn't access the file because it's already in use. |
+| **InstallIssue** | There was an installation issue. |
+| **InstallSetupBlock** | There's an application or driver blocking the upgrade. |
+| **InstallSetupError** | Encountered an error while installing the new version of Windows. |
+| **InstallSetupRestartRequired** | A restart is required. |
+| **InstallSharingViolation** | An application is likely interfering with Windows Update. |
+| **InstallSystemError** | A system error occurred while installing the new version of Windows. |
+| **InsufficientUpdateConnectivity** | Device hasn't had sufficient connectivity to Windows Update to progress through the update process and will experience delays. |
+| **MultipleSecurityUpdatesMissing** | Client is missing multiple security updates |
+| **NetworkIssue** | The server timed out waiting for the requested. |
+| **PathNotFound** | The specified path can't be found. |
+| **RestartIssue** | The restart to apply updates is being blocked by one or more applications. |
+| **SafeguardHold** | Update can't be installed due to a known Safeguard Hold. |
+| **UnexpectedShutdown** | The installation stopped because Windows was shutting down or restarting. |
+| **WindowsComponentCorruption** | This device has a corrupted Windows component |
+| **WUBusy** | Windows Update tried to install an update while another installation process was already running. |
+| **WUComponentMissing** | Windows Update might be missing a component or the update file might be damaged. |
+| **WUDamaged** | The update file might be damaged. |
+| **WUFileCorruption** | Windows Update encountered corrupted files. |
+| **WUIssue** | An unexpected issue was encountered during the installation. |
+| **WUSetupError** | The setup process was suspended. |
+
+
+## AlertStatus
+
+Status of alert
+
+|Value | Description |
+|---|---|
+| **Active** | Alert is active, still requires attention. |
+| **Resolved** | Alert is resolved and no longer requires attention. |
+| **Deleted** | Alert was deleted from the backend system. |
+
+### AlertClassification
+
+Whether this alert is an error, a warning, or informational.
+
+| **Value** | Description |
+|---|---|
+| **Informational** | Alert is informational in nature. |
+| **Warning** | Alert is a warning |
+| **Error** | Alert is an error, or is related to an error. There should be an error code that maps to either something from the client or from the service. |
+| **Recommendation** | Alert is a recommendation, something to optimize. |
diff --git a/windows/deployment/update/wufb-reports-schema-ucclient.md b/windows/deployment/update/wufb-reports-schema-ucclient.md
index 9966c6a6ad..b5383c4ad8 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclient.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclient.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 08/09/2023
+ms.date: 12/06/2023
---
# UCClient
@@ -19,41 +19,63 @@ ms.date: 08/09/2023
UCClient acts as an individual device's record. It contains data such as the currently installed build, the device's name, the OS edition, and active hours (quantitative).
## Schema for UCClient
-
-|Field |Type |Example |Description |
-|---|---|---|---|
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
-| **Country** | [string](/azure/kusto/query/scalar-data-types/string) | `US` | The last-reported location of device (country or region), based on IP address. Shown as country code. |
-| **DeviceFamily** | [string](/azure/kusto/query/scalar-data-types/string) | `PC, Phone` | The device family such as PC, Phone. |
-| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Client-provided device name |
-| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | The global device identifier |
-| **LastCensusScanTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The last time this device performed a successful census scan, if any. |
-| **LastWUScanTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The last time this device performed a successful Windows Update scan, if any. |
-| **OSArchitecture** | [string](/azure/kusto/query/scalar-data-types/string) | `x86` | The architecture of the operating system (not the device) this device is currently on. |
-| **OSBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.22621.1702` | The full operating system build installed on this device, such as Major.Minor.Build.Revision |
-| **OSBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `22621` | The major build number, in int format, the device is using. |
-| **OSEdition** | [string](/azure/kusto/query/scalar-data-types/string) | `Professional` | The Windows edition |
-| **OSFeatureUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string)| `Compliant` | Whether or not the device is on the latest feature update that's offered from the Windows Update for Business deployment service, else NotApplicable. |
-| **OSFeatureUpdateEOSTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The end of service date of the feature update currently installed on the device. |
-| **OSFeatureUpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the feature update currently installed on the device. |
-| **OSFeatureUpdateStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `InService;EndOfService` | Whether or not the device is on the latest available feature update, for its feature update. |
-| **OSQualityUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `NotCompliant` | Whether or not the device is on the latest quality update that's offered from the Windows Update for Business deployment service, else NotApplicable. |
-| **OSQualityUpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the quality update currently installed on the device. |
-| **OSQualityUpdateStatus** | [string](/azure/kusto/query/scalar-data-types/string)| `Latest;NotLatest` | Whether or not the device is on the latest available quality update, for its feature update. |
-| **OSRevisionNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `836` | The revision, in int format, this device is on. |
-| **OSSecurityUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `NotCompliant` | Whether or not the device is on the latest security update (quality update where the Classification=Security) that's offered from the Windows Update for Business deployment service, else NotApplicable. |
-| **OSSecurityUpdateStatus** | [string](/azure/kusto/query/scalar-data-types/string)| `Latest;NotLatest;MultipleSecurityUpdatesMissing` | Whether or not the device is on the latest available security update, for its feature update. |
-| **OSServicingChannel** | [string](/azure/kusto/query/scalar-data-types/string) | `SAC` | The elected Windows 10 servicing channel of the device. |
-| **OSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 operating system version currently installed on the device, such as 19H2, 20H1, 20H2. |
-| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager client ID, if available. |
-| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This field is to determine to which batch snapshot this record belongs. |
-| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `DeviceEvent` | The EntityType. |
-| **WUFeatureDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | `0` | CSP: ConfigureDeadlineForFeatureUpdates. The Windows update feature update deadline configuration in days. `-1` indicates not configured, `0` indicates configured but set to `0`. Values > `0` indicate the deadline in days. |
-| **WUFeatureDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | `0` | CSP: DeferFeatureUpdates. The Windows update feature update deferral configuration in days. `-1` indicates not configured, `0` indicates configured but set to `0`. Values > `0` indicate the policy setting. |
-| **WUFeatureGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | `7` | The Windows Update grace period for feature update in days. -1 indicates not configured, `0` indicates configured and set to `0`. Values greater than `0` indicate the grace period in days. |
-| **WUFeaturePauseState** | [string](/azure/kusto/query/scalar-data-types/string) | `NotConfigured` | Indicates pause status of device for feature updates, possible values are Paused, NotPaused, NotConfigured. |
-| **WUQualityDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | `7` | CSP: ConfigureDeadlineForQualityUpdates. The Windows update quality update deadline configuration in days. `-1` indicates not configured, `0` indicates configured but set to `0`. Values > `0` indicate the deadline in days. |
-| **WUQualityDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | `-1` | CSP: DeferQualityUpdates. The Windows Update quality update deferral configuration in days. `-1` indicates not configured, `0` indicates configured but set to `0`. Values greater than `0` indicate the policy setting. |
-| **WUQualityGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | `0` | The Windows Update grace period for quality update in days. `-1` indicates not configured, `0` indicates configured and set to `0`. Values greater than `0` indicate the grace period in days. |
-| **WUQualityPauseState** | [string](/azure/kusto/query/scalar-data-types/string) | `NotConfigured` | Indicates pause status of device for quality updates, possible values are Paused, NotPaused, NotConfigured. |
+
+| Field |Type | Enumerated type |Example |Description |
+|---|---|---|---|---|
+| **AzureADDeviceID** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
+| **City** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. Device city, based on IP address. |
+| **Country** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `US` | The last-reported location of device (country or region), based on IP address. Shown as country code. |
+| **DeviceFamily** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `PC, Phone` | The device family such as PC, Phone. |
+| **DeviceFormFactor** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Notebook, Desktop, Phone.` | Currently, data isn't gathered to populate this field. The device form factor |
+| **DeviceManufacturer** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Hewlett-Packard.` | Currently, data isn't gathered to populate this field. The device OEM manufacturer |
+| **DeviceModel** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `The device's OEM model ` | Currently, data isn't gathered to populate this field. The device OEM model |
+| **DeviceName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `JohnPC-Contoso` | Client-provided device name |
+| **GlobalDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `g:9832741921341` | The global device identifier |
+| **IsVirtual** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | No | `Yes, No` | Whether device is a virtual device. |
+| **LastCensusScanTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The last time this device performed a successful census scan, if any. |
+| **LastWUScanTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The last time this device performed a successful Windows Update scan, if any. |
+| **NewTest_CF [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. |
+| **OSArchitecture** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `x86` | The architecture of the operating system (not the device) this device is currently on. |
+| **OSBuild** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10.0.22621.1702` | The full operating system build installed on this device, such as Major.Minor.Build.Revision |
+| **OSBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | No | `22621` | The major build number, in int format, the device is using. |
+| **OSEdition** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Professional` | The Windows edition |
+| **OSFeatureUpdateComplianceStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Compliant` | Whether the device is on the latest feature update that's offered from the Windows Update for Business deployment service, else NotApplicable. |
+| **OSFeatureUpdateEOSTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The end of service date of the feature update currently installed on the device. |
+| **OSFeatureUpdateReleaseTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The release date of the feature update currently installed on the device. |
+| **OSFeatureUpdateStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `InService;EndOfService` | Whether the device is on the latest available feature update, for its feature update. |
+| **OSQualityUpdateComplianceStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `NotCompliant` | Whether the device is on the latest quality update that's offered from the Windows Update for Business deployment service, else NotApplicable. |
+| **OSQualityUpdateReleaseTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The release date of the quality update currently installed on the device. |
+| **OSQualityUpdateStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Latest;NotLatest` | Whether the device is on the latest available quality update, for its feature update. |
+| **OSRevisionNumber** | [int](/azure/kusto/query/scalar-data-types/int) | No | `836` | The revision, in int format, this device is on. |
+| **OSSecurityUpdateComplianceStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `NotCompliant` | Whether the device is on the latest security update (quality update where the Classification=Security) that's offered from the Windows Update for Business deployment service, else NotApplicable. |
+| **OSSecurityUpdateStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Latest;NotLatest;MultipleSecurityUpdatesMissing` | Whether the device is on the latest available security update, for its feature update. |
+| **OSServicingChannel** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `SAC` | The elected Windows 10 servicing channel of the device. |
+| **OSVersion** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `1909` | The Windows 10 operating system version currently installed on the device, such as 19H2, 20H1, 20H2. |
+| **PrimaryDiskFreeCapacityMb** | | No | | Currently, data isn't gathered to populate this field. Free disk capacity of the primary disk in Megabytes. |
+| **SCCMClientId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager client ID, if available. |
+| **SourceSystem** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Azure` | |
+| **TenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
+| **TimeGenerated [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This field is to determine to which batch snapshot this record belongs. |
+| **Type** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `UCClient` | The entity type |
+| **UpdateConnectivityLevel** | | Yes | | Currently, data isn't gathered to populate this field. Whether or not this device is maintaining a sufficiently cumulative and continuous connection to Windows Update so the update can progress optimally. |
+| **WUAutomaticUpdates** | | No | | Currently, data isn't gathered to populate this field. Manage automatic update behavior to scan, download, and install updates. |
+| **WUDeadlineNoAutoRestart** | | No | | Currently, data isn't gathered to populate this field. Devices won't automatically restart outside of active hours until the deadline is reached - It's 1 by default and indicates enabled, 0 indicates disabled |
+| **WUDODownloadMode** | | No | | Currently, data isn't gathered to populate this field. The Windows Update DO DownloadMode configuration. |
+| **WUFeatureDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `0` | CSP: ConfigureDeadlineForFeatureUpdates. The Windows Update feature update deadline configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values > 0 indicate the deadline in days. |
+| **WUFeatureDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `0` | CSP: DeferFeatureUpdates. The Windows Update feature update deferral configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values > 0 indicate the policy setting. |
+| **WUFeatureGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `7` | The Windows Update grace period for feature update in days. -1 indicates not configured, 0 indicates configured and set to 0. Values greater than 0 indicate the grace period in days. |
+| **WUFeaturePauseEndTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update feature update pause will end, if activated, else null. |
+| **WUFeaturePauseStartTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update feature update pause was activated, if activated, else null. Feature updates are paused for 35 days from the specified start date. |
+| **WUFeaturePauseState** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `NotConfigured` | Indicates pause status of device for feature updates. Possible values are Paused, NotPaused, NotConfigured. |
+| **WUNotificationLevel** | | No | | Currently, data isn't gathered to populate this field. This policy allows you to define what Windows Update notifications users see. 0 (default) - Use the default Windows Update notifications. 1 - Turn off all notifications, excluding restart warnings. 2 - Turn off all notifications, including restart warnings |
+| **WUPauseUXDisabled** | | No | | Currently, data isn't gathered to populate this field. This policy allows the IT admin to disable the Pause Updates feature. When this policy is enabled, the user can't access the Pause updates' feature. Supported values 0, 1. |
+| **WUQualityDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `7` | CSP: ConfigureDeadlineForQualityUpdates. The Windows update quality update deadline configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values > 0 indicate the deadline in days. |
+| **WUQualityDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `-1` | CSP: DeferQualityUpdates. The Windows Update quality update deferral configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values greater than 0 indicate the policy setting. |
+| **WUQualityGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `0` | The Windows Update grace period for quality update in days. -1 indicates not configured, 0 indicates configured and set to 0. Values greater than 0 indicate the grace period in days. |
+| **WUQualityPauseEndTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update quality update pause- will end, if activated, else null. |
+| **WUQualityPauseStartTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update quality update pause- was activated; if activated; else null. |
+| **WUQualityPauseState** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `NotConfigured` | Indicates pause status of device for quality updates. Possible values are Paused, NotPaused, NotConfigured. |
+| **WURestartNotification** | | No | | Currently, data isn't gathered to populate this field. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed. The following list shows the supported values: 1 (default) = Auto Dismissal. 2 - User Dismissal. |
+| **WUServiceURLConfigured**| | No | | Currently, data isn't gathered to populate this field. The device checks for updates from Microsoft Update. Set to a URL, such as http://abcd-srv:8530. The device checks for updates from the WSUS server at the specified URL. Not configured. The device checks for updates from Microsoft Update. Set to a URL, such as http://abcd-srv:8530. The device checks for updates from the WSUS server at the specified URL. |
+| **WUUXDisabled** | | No | | Currently, data isn't gathered to populate this field. This policy allows the IT admin to remove access to scan Windows Update. When this policy is enabled, the user can't access the Windows Update scan, download, and install features. Default is 0. Supported values 0, 1. |
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
index a497b36832..59208c8193 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 06/06/2022
+ms.date: 12/06/2023
---
# UCClientReadinessStatus
@@ -20,26 +20,29 @@ ms.date: 06/06/2022
UCClientReadinessStatus is an individual device's record about its readiness for updating to Windows 11. If the device isn't capable of running Windows 11, the record includes which Windows 11 [hardware requirements](/windows/whats-new/windows-11-requirements#hardware-requirements) the device doesn't meet.
## Schema for UCClientReadinessStatus
-
-|Field |Type |Example |Description |
-|---|---|---|---|
-| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Client-provided device name |
-| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | The global device identifier. |
-| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager Client ID, if available. |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
-| **OSName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10` | The operating system name. |
-| **OSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Win10 OS Version (such as 19H2, 20H1, 20H2) currently installed on the device. |
-| **OSBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full OS build installed on this device, such as Major.Minor.Build.Revision |
-| **TargetOSName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 11` | The name of the operating system being targeted to the device for this readiness record.|
-| **TargetOSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `21H2` | The operating system version being targeted to the device for this readiness record.|
-| **TargetOSBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.22000.1` | The full operating system build number that's being targeted to the device for this readiness record.|
-| **ReadinessStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `Not capable` | The readiness status of the device is either capable, not capable, or unknown. This status is determined by Windows Update.|
-| **ReadinessReason** | [string](/azure/kusto/query/scalar-data-types/string) | `CPU;TPM` | Lists which [hardware requirements](/windows/whats-new/windows-11-requirements#hardware-requirements) are blocking the device from being capable of installing Windows 11. Field is null if the device is capable. This status is determined by the Windows Update applicability. |
-| **ReadinessScanTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The date and time when readiness was assessed and the assessment was sent.|
-| **ReadinessExpiryTime**| [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The date and time when the readiness assessment will expire.|
-| **SetupReadinessStatus**| [string](/azure/kusto/query/scalar-data-types/string) | `Not capable` | The readiness status of the device is either capable, not capable, or unknown. This status is determined by Windows setup.|
-| **SetupReadinessReason** | [string](/azure/kusto/query/scalar-data-types/string) | `CPU;TPM` | Lists which [hardware requirements](/windows/whats-new/windows-11-requirements#hardware-requirements) are blocking the device from being capable of installing Windows 11. Field is null if the device is capable. This status is determined by Windows setup. |
-| **SetupReadinessTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The date and time when readiness was assessed by setup and the assessment was sent.|
-| **SetupReadinessExpiryTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The date and time when the setup readiness assessment will expire.|
-| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 10:26:03.478039` | The date and time when Azure Monitor Logs ingested this record for your Log Analytics workspace.|
+
+|Field |Type | Enumerated type |Example |Description |
+|---|---|---|---|---|
+| **AzureADDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
+| **DeviceName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `JohnPC-Contoso` | Client-provided device name |
+| **GlobalDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `g:9832741921341` | The global device identifier. |
+| **OSBuild** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10.0.18363.836` | The full OS build installed on this device, such as Major.Minor.Build.Revision |
+| **OSName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Windows 10` | The operating system name. |
+| **OSVersion** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `1909` | The Win10 OS version (such as 19H2, 20H1, 20H2) currently installed on the device. |
+| **ReadinessExpiryTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | The date and time when the readiness assessment will expire. |
+| **ReadinessReason** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `CPU;TPM` | Lists which hardware requirements are blocking the device from being capable of installing Windows 11. Field is null if the device is capable. This status is determined by the Windows Update applicability. |
+| **ReadinessScanTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | The date and time when readiness was assessed and the assessment was sent. |
+| **ReadinessStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Not capable` | The readiness status of the device is either capable, not capable, or unknown. This status is determined by Windows Update. |
+| **SCCMClientId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager Client ID, if available. |
+| **SetupReadinessExpiryTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | The date and time when the setup readiness assessment will expire. |
+| **SetupReadinessReason** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `CPU;TPM` | Lists which hardware requirements are blocking the device from being capable of installing Windows 11. Field is null if the device is capable. This status is determined by Windows setup. |
+| **SetupReadinessStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Not capable` | The readiness status of the device is either capable, not capable, or unknown. This status is determined by Windows setup. |
+| **SetupReadinessTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | The date and time when readiness was assessed by setup and the assessment was sent. |
+| **SourceSystem** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Azure` | |
+| **TargetOSBuild** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10.0.22000.1` | The full operating system build number that's being targeted to the device for this readiness record. |
+| **TargetOSName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Windows 11` | The name of the operating system being targeted to the device for this readiness record. |
+| **TargetOSVersion** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `21H2` | The operating system version being targeted to the device for this readiness record. |
+| **TenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
+| **TimeGenerated [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | The date and time when Azure Monitor Logs ingested this record for your Log Analytics workspace. |
+| **Type** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `UCClientReadinessStatus` | The entity type |
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
index 760d757558..058a649dd6 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 06/05/2023
+ms.date: 12/06/2023
---
# UCClientUpdateStatus
@@ -20,39 +20,47 @@ ms.date: 06/05/2023
Update Event that combines the latest client-based data with the latest service-based data to create a complete picture for one device (client) and one update.
## Schema for UCClientUpdateStatus
-
-| Field | Type | Example | Description |
-|---|---|---|---|
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | A string corresponding to the Microsoft Entra tenant to which the device belongs. |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A string corresponding to this device's Microsoft Entra device ID |
-|**CatalogId** | [string](/azure/kusto/query/scalar-data-types/string) | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | The update catalog ID |
-| **ClientState** | [string](/azure/kusto/query/scalar-data-types/string) | `Installing` | Higher-level bucket of ClientSubstate. |
-| **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | Last-known state of this update relative to the device, from the client. |
-| **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Ranking of client substates for sequential ordering in funnel-type views. The rankings between ServiceSubstate and ClientSubstate can be used together. |
-| **ClientSubstateTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time of last client substate transition |
-| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The identifier of the deployment that is targeting this update to this device, else empty. |
-| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Device's given name |
-| **FurthestClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadComplete` | Furthest clientSubstate |
-| **FurthestClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2400` | Ranking of furthest clientSubstate |
-| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft internal global device identifier |
-| **IsUpdateHealty** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | `1` | True: No issues preventing this device from updating to this update have been found. False: There is something that may prevent this device from updating. |
-| **OfferReceivedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time when device last reported entering OfferReceived, else empty. |
-| **RestartRequiredTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time when device first reported entering RebootRequired (or RebootPending), else empty. |
-| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | A string corresponding to the Configuration Manager Client ID on the device. |
-| **SourceSystem** | [string](/azure/kusto/query/scalar-data-types/string)| `Azure`| |
-| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build of the content this DeviceUpdateEvent is tracking. For Windows 10 updates, this value would correspond to the full build (10.0.14393.385). |
-| **TargetBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `18363` | Integer of the Major portion of Build. |
-| **TargetKBNumber** | [string](/azure/kusto/query/scalar-data-types/string) | `KB4524570` | KB Article. |
-| **TargetRevisionNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `836` | Integer or the minor (or revision) portion of the build. |
-| **TargetVersion** | [int](/azure/kusto/query/scalar-data-types/int) | `1909` | The target operating system version, such as 1909. |
-| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
-| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `DeviceUpdateEvent` | The EntityType |
-| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether the update classification is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
-| **UpdateDisplayName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10 1909` | The long-form display name for the given update. Varies on content type (feature update. quality update) |
-| **UpdateId** | [string](/azure/kusto/query/scalar-data-types/string) | `10e519f0-06ae-4141-8f53-afee63e995f0` |Update ID of the targeted update|
-| **UpdateInstalledTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | DateTime when event transitioned to UpdateInstalled, else empty. |
-| **UpdateManufacturer** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. |
-| **UpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the update |
-| **UpdateSource** | [string](/azure/kusto/query/scalar-data-types/string) | `UUP` | The source of the update such as UUP, MUv6, Media |
-
+
+|Field |Type | Enumerated type |Example |Description |
+|---|---|---|---|---|
+| **AzureADDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
+| **CatalogId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | This field applies to drivers only. The Catalog ID of the update from Windows Update for Business deployment service. |
+| **ClientState** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Installing` | This field applies to drivers only. Higher-level bucket of ClientSubstate. |
+| **ClientSubstate** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `DownloadStart` | Last-known state of this update relative to the device, from the client. |
+| **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | No | `2300` | Ranking of client substates for sequential ordering in funnel-type views. The rankings between ServiceSubstate and ClientSubstate can be used together. |
+| **ClientSubstateTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | Date and time of last client substate transition |
+| **DeploymentId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The identifier of the deployment that is targeting this update to this device, else empty. |
+| **DeviceName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `JohnPC-Contoso` | Device's given name |
+| **EventData** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. Json to fill with arbitrary K/V pairs. Used to populate contextual data that would otherwise be sparsely populated if elevated to a field always present in the schema. |
+| **FurthestClientSubstate** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `DownloadComplete` | Furthest clientSubstate |
+| **FurthestClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | No | `2400` | Ranking of furthest clientSubstate |
+| **GlobalDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `g:9832741921341` | Microsoft internal global device identifier |
+| **IsUpdateHealthy** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `1` | Currently, data isn't gathered to populate this field. True: No issues preventing this device from updating to this update have been found. False: There's something that may prevent this device from updating. |
+| **OfferReceivedTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | Date and time when device last reported entering OfferReceived, else empty. |
+| **RestartRequiredTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | Date and time when device first reported entering RebootRequired (or RebootPending), else empty. |
+| **SCCMClientId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | A string corresponding to the Configuration Manager Client ID on the device. |
+| **SourceSystem** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Azure` | |
+| **TargetBuild** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10.0.18363.836` | The full build of the content this DeviceUpdateEvent is tracking. For Windows 10 updates, this value would correspond to the full build (10.0.14393.385). |
+| **TargetBuildNumber** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `18363` | Integer of the Major portion of Build. |
+| **TargetKBNumber** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `KB4524570` | KB Article. |
+| **TargetRevisionNumber** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `836` | Integer or the minor (or revision) portion of the build. |
+| **TargetVersion** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `1909` | The target operating system version, such as 1909. |
+| **TenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
+| **TimeGenerated [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
+| **Type** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `UCClientUpdateStatus` | The entity type |
+| **UpdateCategory** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
+| **UpdateClassification** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Upgrade` | Whether the update classification is an upgrade (feature update), security (quality update), nonsecurity (quality update), or driver |
+| **UpdateConnectivityLevel** | | Yes | | Currently, data isn't gathered to populate this field. Whether or not this device is maintaining a sufficiently cumulative and continuous connection to Windows Update so the update can progress optimally. |
+| **UpdateDisplayName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Windows 10 1909` | The long-form display name for the given update. Varies on content type (feature update. quality update) |
+| **UpdateHealthGroupL1** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. Grouping design to describe the current update installation's "health", L1 (highest-level). |
+| **UpdateHealthGroupL2** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. Integer for ranking the L1 UpdateHealthGroup. |
+| **UpdateHealthGroupL3** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. Second grouping, subset of L1, more detailed. |
+| **UpdateHealthGroupRankL1** | [int](/azure/kusto/query/scalar-data-types/int) | No | | Currently, data isn't gathered to populate this field. Integer for ranking the L2 UpdateHealthGroup. |
+| **UpdateHealthGroupRankL2** | [int](/azure/kusto/query/scalar-data-types/int) | No | | Currently, data isn't gathered to populate this field. Third grouping, subset of L3, more detailed. |
+| **UpdateHealthGroupRankL3** | [int](/azure/kusto/query/scalar-data-types/int) | No | | Currently, data isn't gathered to populate this field. Integer for ranking the L3 UpdateHealthGroup. |
+| **UpdateId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10e519f0-06ae-4141-8f53-afee63e995f0` | This field applies to drivers only. Update ID of the targeted update |
+| **UpdateInstalledTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | DateTime when event transitioned to UpdateInstalled, else empty. |
+| **UpdateManufacturer** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Microsoft` | This field applies to drivers only. Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. |
+| **UpdateReleaseTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | The release date of the update |
+| **UpdateSource** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `UUP` | The source of the update such as UUP, MUv6, Media |
diff --git a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
index a449781e51..e5dfa88144 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 06/06/2022
+ms.date: 12/06/2023
---
# UCDeviceAlert
@@ -19,32 +19,29 @@ ms.date: 06/06/2022
These alerts are activated as a result of an issue that is device-specific. It isn't specific to the combination of a specific update and a specific device. Like UpdateAlerts, the AlertType indicates where the Alert comes from (ServiceDeviceAlert, ClientDeviceAlert). For example, an EndOfService alert is a ClientDeviceAlert, as a build no longer being serviced (EOS) is a client-wide state. Meanwhile, DeviceRegistrationIssues in the Windows Update for Business deployment service will be a ServiceDeviceAlert, as it's a device-wide state in the service to not be correctly registered.
## Schema for UCDeviceAlert
-
-|Field |Type |Example |Description |
-|---|---|---|---|
-| **AlertClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Error` | Whether this alert is an Error, a Warning, or Informational |
-| **AlertId** | [string](/azure/kusto/query/scalar-data-types/string) | `9e107d9d372bb6826bd81d3542a419d6` | The unique identifier of this alert |
-| **AlertRank** | [int](/azure/kusto/query/scalar-data-types/int) | `1000` | Integer ranking of alert for prioritization during troubleshooting |
-| **AlertStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `Active` | Whether this alert is Active, Resolved, or Deleted |
-| **AlertSubtype** | [string](/azure/kusto/query/scalar-data-types/string) | `DiskFull` | The subtype of alert. |
-| **AlertType** | [string](/azure/kusto/query/scalar-data-types/string) | `ClientUpdateAlert` | The type of alert such as ClientUpdateAlert or ServiceUpdateAlert. Indicates which fields will be present. |
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra device ID of the device, if available. |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
-| **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | If the alert is from the client, the ClientSubstate at the time this alert was activated or updated, else empty. |
-| **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Rank of ClientSubstate |
-| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The deployment this alert is relative to, if there's one. |
-| **Description** | [string](/azure/kusto/query/scalar-data-types/string) | `Disk full` | A localized string translated from a combination of other alert fields + language preference that describes the issue in detail. |
-| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | The given device's name |
-| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:1298371934870` | Internal Microsoft global identifier, if available. |
-| **Recommendation** | [string](/azure/kusto/query/scalar-data-types/string) | `Free up disk space.` | A localized string translated from RecommendedAction, Message, and other fields (depending on source of alert) that provides a recommended action. |
-| **ResolvedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was resolved, else empty. |
-| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager client ID of the device, if available. |
-| **ServiceSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `OfferReady` | If the alert is from the service, the ServiceSubstate at the time this alert was activated or updated, else Empty. |
-| **ServiceSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `100` | Rank of ServiceSubstate |
-| **StartTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was activated. |
-| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `18363.836` | The Windows 10 Major. Revision this UpdateAlert is relative to. |
-| **TargetVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 build this UpdateAlert is relative to. |
-| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
-| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UpdateAlert` | The entity type. |
-| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this content is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
+
+|Field |Type | Enumerated type |Example |Description |
+|---|---|---|---|---|
+| **AlertClassification** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Error` | Whether this alert is an Error, a Warning, or Informational |
+| **AlertData** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. An optional string formatted as a json payload containing metadata for the alert. |
+| **AlertId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `9e107d9d372bb6826bd81d3542a419d6` | The unique identifier of this alert |
+| **AlertRank** | [int](/azure/kusto/query/scalar-data-types/int) | No | `1000` | Integer ranking of alert for prioritization during troubleshooting |
+| **AlertStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Active` | Whether this alert is Active, Resolved, or Deleted |
+| **AlertSubtype** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `DiskFull` | The subtype of alert. |
+| **AlertType** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `ClientUpdateAlert` | The type of alert such as ClientUpdateAlert or ServiceUpdateAlert. Indicates which fields are present. |
+| **AzureADDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
+| **Description** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Disk full` | A localized string translated from a combination of other alert fields + language preference that describes the issue in detail. |
+| **DeviceName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `JohnPC-Contoso` | The given device's name |
+| **ErrorCode** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. The Error Code, if any, that triggered this Alert. In the case of Client-based explicit alerts, error codes can have extended error codes, which are appended to the error code with an underscore separator. |
+| **ErrorSymName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. The symbolic name that maps to the Error Code, if any. Otherwise empty. |
+| **GlobalDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `g:1298371934870` | Internal Microsoft global identifier, if available. |
+| **Recommendation** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Free up disk space.` | A localized string translated from RecommendedAction, Message, and other fields (depending on source of alert) that provides a recommended action. |
+| **ResolvedTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The time this alert was resolved, else empty. |
+| **SCCMClientId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager client ID of the device, if available. |
+| **SourceSystem** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Azure` | |
+| **StartTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The time this alert was activated. |
+| **TenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
+| **TimeGenerated [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
+| **Type** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `UCDeviceAlert` | The entity type |
+| **URL** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `aka.ms/errordetail32152` | Currently, data isn't gathered to populate this field. An optional URL to get more in-depth information related to this alert. |
diff --git a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
index d6b10a0364..33540428e2 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
@@ -12,7 +12,7 @@ ms.reviewer: carmenf
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 11/17/2022
+ms.date: 12/06/2023
---
# UCDOAggregatedStatus
diff --git a/windows/deployment/update/wufb-reports-schema-ucdostatus.md b/windows/deployment/update/wufb-reports-schema-ucdostatus.md
index c9f8f9a935..98e6832a40 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdostatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdostatus.md
@@ -11,7 +11,7 @@ ms.reviewer: carmenf
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 11/17/2022
+ms.date: 12/06/2023
---
# UCDOStatus
diff --git a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
index 004f2def5e..c78b2c076d 100644
--- a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 06/06/2022
+ms.date: 12/06/2023
---
# UCServiceUpdateStatus
@@ -19,38 +19,41 @@ ms.date: 06/06/2022
Update Event that comes directly from the service-side. The event has only service-side information for one device (client), and one update, in one deployment. This event has certain fields removed from it in favor of being able to show data in near real time.
## Schema for UCServiceUpdateStatus
-
-| Field | Type | Example | Description |
-|---|---|---|---|
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A GUID corresponding to the Microsoft Entra tenant to which the device belongs. |
-|**CatalogId** | [string](/azure/kusto/query/scalar-data-types/string) | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | The update catalog ID |
-| **DeploymentApprovedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time of the update approval |
-| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) |`cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. |
-| **DeploymentName** | [string](/azure/kusto/query/scalar-data-types/string) |`My deployment` | Friendly name of the created deployment |
-| **DeploymentIsExpedited** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | `1` | Whether the content is being expedited |
-| **DeploymentRevokeTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time the update was revoked |
-| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft internal global device identifier |
-| **OfferReadyTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | DateTime of OfferReady transition. If empty, not yet been offered. |
-| **PolicyCreatedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time the policy was created |
-| **PolicyId** | [string](/azure/kusto/query/scalar-data-types/string) | `9011c330-1234-5678-9abc-def012345678` | The policy identifier targeting the update to this device |
-| **PolicyName** | [string](/azure/kusto/query/scalar-data-types/string) | `My policy` | Friendly name of the policy |
-| **ServiceState** | [string](/azure/kusto/query/scalar-data-types/string) | `Offering` | High-level state of update's status relative to device, service-side. |
-| **ServiceSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `OfferReady` | Low-level state of update's status relative to device, service-side. |
-| **ServiceSubstateTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time of last ServiceSubstate transition. |
-| **SourceSystem** | [string](/azure/kusto/query/scalar-data-types/string)| `Azure`| |
-| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build for the content this event is tracking. For Windows 10, this string corresponds to "10.0.Build.Revision" |
-| **TargetVersion** | [int](/azure/kusto/query/scalar-data-types/int) | `1909` | The version of content this DeviceUpdateEvent is tracking. For Windows 10 updates, this number would correspond to the year/month version format used, such as 1903. |
-| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `9011c330-1234-5678-9abc-def012345678` | Microsoft Entra tenant ID |
-| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Time the snapshot ran can also be the same as EventDateTimeUTC in some cases. |
-| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `ServiceUpdateEvent` | The EntityType |
-| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
-| **UpdateDisplayName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10 1909` | The long-form display name for the given update. Varies on content type (feature update. quality update) |
-| **UpdateId** | [string](/azure/kusto/query/scalar-data-types/string) | `10e519f0-06ae-4141-8f53-afee63e995f0` |Update ID of the targeted update|
-| **UpdateManufacturer** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. |
-|**UpdateProvider** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Update provider of drivers and firmware |
-| **UpdateRecommendedTime** |[datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time when the update was recommended to the device |
-| **UpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the update |
-|**UpdateVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `20.0.19.3` | Update version of drivers or firmware |
-| **UpdateVersionTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Update version date time stamp for drivers and firmware |
+
+| Field |Type | Enumerated type |Example |Description |
+|---|---|---|---|---|
+| **AzureADDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
+| **CatalogId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | This field applies to drivers only. The Catalog ID of the update from Windows Update for Business deployment service. |
+| **DeploymentApprovedTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | This field applies to drivers only. Date and time of the update approval |
+| **DeploymentId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID maps to that policy, otherwise it's empty. |
+| **DeploymentIsExpedited** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | No | `1` | Currently, data isn't gathered to populate this field. It indicated whether the content is being expedited |
+| **DeploymentName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `My deployment` | Currently, data isn't gathered to populate this field. Friendly name of the created deployment |
+| **DeploymentRevokeTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | This field applies to drivers only. Date and time the update was revoked |
+| **GlobalDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `g:9832741921341` | Currently, data isn't gathered to populate this field. Microsoft internal global device identifier |
+| **OfferReadyTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | DateTime of OfferReady transition. If empty, not yet been offered. |
+| **PolicyCreatedTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | This field applies to drivers only. Date and time the policy was created |
+| **PolicyId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `9011c330-1234-5678-9abc-def012345678` | This field applies to drivers only. The policy identifier targeting the update to this device |
+| **PolicyName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `My policy` | Currently, data isn't gathered to populate this field. This field applies to drivers only. Friendly name of the policy. |
+| **ProjectedOfferReadyTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Projected time update will be offered to device. If empty, unknown. |
+| **ServiceState** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Offering` | High-level state of update's status relative to device, service-side. |
+| **ServiceSubstate** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `OfferReady` | Low-level state of update's status relative to device, service-side. |
+| **ServiceSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | No | | Currently, data isn't gathered to populate this field. Ranking of Substates for sequential ordering in funnel-type views. The rankings between ServiceSubstate and ClientSubstate can be used together. |
+| **ServiceSubstateTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Date and time of last ServiceSubstate transition. |
+| **SourceSystem** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Azure` | |
+| **TargetBuild** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10.0.18363.836` | The full build for the content this event is tracking. For Windows 10, this string corresponds to "10.0.Build.Revision" |
+| **TargetVersion** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `1909` | The version of content this DeviceUpdateEvent is tracking. For Windows 10 updates, this number would correspond to the year/month version format used, such as 1903. |
+| **TenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `9011c330-1234-5678-9abc-def012345678` | Microsoft Entra tenant ID |
+| **TimeGenerated [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | | `2020-05-14 09:26:03.478039` | Time the snapshot ran can also be the same as EventDateTimeUTC in some cases. |
+| **Type** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `UCServiceUpdateStatus` | The entity type |
+| **UdpateIsSystemManifest** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. This field applies to drivers only. |
+| **UpdateCategory** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
+| **UpdateClassification** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), nonsecurity (quality update), or driver |
+| **UpdateDisplayName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Windows 10 1909` | The long-form display name for the given update. Varies on content type (feature update. quality update) |
+| **UpdateId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10e519f0-06ae-4141-8f53-afee63e995f0` | This field applies to drivers only. Update ID of the targeted update |
+| **UpdateManufacturer** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Microsoft` | This field applies to drivers only. Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. |
+| **UpdateProvider** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Microsoft` | This field applies to drivers only. Update provider of drivers and firmware |
+| **UpdateRecommendedTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | This field applies to drivers only. Date and time when the update was recommended to the device |
+| **UpdateReleaseTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The release date of the update |
+| **UpdateVersion** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `20.0.19.3` | This field applies to drivers only. Update version of drivers or firmware |
+| **UpdateVersionTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | This field applies to drivers only. Update version date time stamp for drivers and firmware |
diff --git a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
index ba81be193a..588cbd8cb6 100644
--- a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 06/06/2022
+ms.date: 12/06/2023
---
# UCUpdateAlert
@@ -20,36 +20,39 @@ Alert for both client and service updates. Contains information that needs atten
## Schema for UCUpdateAlert
-|Field |Type |Example |Description |
-|---|---|---|---|
-| **AlertClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Error` | Whether this alert is an Error, a Warning, or Informational |
-| **AlertData** | [string](/azure/kusto/query/scalar-data-types/string) {json} | `{ "freeDiskCapacityMb": 3213, "contentSizeMb": 4381}` | An optional string formatted as a json payload containing metadata for the alert. |
-| **AlertId** | [string](/azure/kusto/query/scalar-data-types/string) | `9e107d9d372bb6826bd81d3542a419d6` | The unique identifier of this alert |
-| **AlertRank** | [int](/azure/kusto/query/scalar-data-types/int) | `1000` | Integer ranking of alert for prioritization during troubleshooting |
-| **AlertStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `Active` | Whether this alert is Active, Resolved, or Deleted |
-| **AlertSubtype** | [string](/azure/kusto/query/scalar-data-types/string) | `DiskFull` | The subtype of alert |
-| **AlertType** | [string](/azure/kusto/query/scalar-data-types/string) | `ClientUpdateAlert` | The type of alert such as ClientUpdateAlert or ServiceUpdateAlert. Indicates which fields will be present |
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra device ID of the device, if available. |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
-| **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | If the alert is from the client, the ClientSubstate at the time this alert was activated or updated, else empty. |
-| **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Rank of ClientSubstate |
-| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The deployment this alert is relative to, if there's one. |
-| **Description** | [string](/azure/kusto/query/scalar-data-types/string) | `Disk full` | A localized string translated from a combination of other Alert fields + language preference that describes the issue in detail. |
-| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | The given device's name |
-| **ErrorCode** | [string](/azure/kusto/query/scalar-data-types/string) | `0x8326CFA2D_C3FD` | The error code, if any, that triggered this alert. In the case of client-based explicit alerts, error codes can have extended error codes, which are appended to the error code with an underscore separator. |
-| **ErrorSymName** | [string](/azure/kusto/query/scalar-data-types/string) | `WU_E_DISK_FULL` | The symbolic name that maps to the error code, if any, otherwise empty. |
-| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:1298371934870` | Internal Microsoft Global identifier, if available. |
-| **Recommendation** | [string](/azure/kusto/query/scalar-data-types/string) | `Free up disk space.` | A localized string translated from RecommendedAction, Message, and other fields (depending on the source of the alert) that provides a recommended action. |
-| **ResolvedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was resolved, else empty. |
-| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager client ID of the device, if available. |
-| **ServiceSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `OfferReady` | If the alert is from the service, the ServiceSubstate at the time this alert was activated or updated, else empty. |
-| **StartTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was activated. |
-| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `18363.836` | The Windows 10 Major. Revision this UpdateAlert is relative to. |
-| **TargetVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 build this UpdateAlert is relative to. |
-| **TenantId** |[string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
-| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
-| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UpdateAlert` | The entity type. |
-| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
-| **URL** | [string](/azure/kusto/query/scalar-data-types/string) | `aka.ms/errordetail32152` | An optional URL to get more in-depth information related to this alert. |
-| **UpdateId** | [string](/azure/kusto/query/scalar-data-types/string) | `10e519f0-06ae-4141-8f53-afee63e995f0` |Update ID of the targeted update|
+|Field |Type | ENUM |Example |Description |
+|---|---|---|---|---|
+| **AlertClassification** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Error` | Whether this alert is an error, a warning, or informational |
+| **AlertData** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `{ "freeDiskCapacityMb": 3213, "contentSizeMb": 4381}` | An optional string formatted as a json payload containing metadata for the alert. |
+| **AlertId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `9e107d9d372bb6826bd81d3542a419d6` | The unique identifier of this alert |
+| **AlertRank** |[int](/azure/kusto/query/scalar-data-types/int) | No | `1000` | Integer ranking of alert for prioritization during troubleshooting |
+| **AlertStatus** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Active` | Whether this alert is active, resolved, or deleted |
+| **AlertSubtype** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `DiskFull` | The subtype of alert |
+| **AlertType** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `ClientUpdateAlert` | The type of alert such as ClientUpdateAlert or ServiceUpdateAlert. Indicates which fields are present. |
+| **AzureADDeviceId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
+| **CatalogId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | This field applies to drivers only. The Catalog ID of the update from Windows Update for Business deployment service. |
+| **ClientSubstate** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `DownloadStart` | If the alert is from the client, the ClientSubstate at the time this alert was activated or updated, else empty. |
+| **ClientSubstateRank** |[int](/azure/kusto/query/scalar-data-types/int) | No | `2300` | Rank of ClientSubstate |
+| **DeploymentId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The deployment this alert is relative to, if there's one. |
+| **Description** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Disk full` | A localized string translated from a combination of other Alert fields + language preference that describes the issue in detail. |
+| **DeviceName** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `JohnPC-Contoso` | The given device's name |
+| **ErrorCode** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `0x8326CFA2D_C3FD` | The error code, if any, that triggered this alert. In the case of client-based explicit alerts, error codes can have extended error codes, which are appended to the error code with an underscore separator. |
+| **ErrorSymName** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `WU_E_DISK_FULL` | The symbolic name that maps to the error code, if any, otherwise empty. |
+| **GlobalDeviceId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `g:1298371934870` | Internal Microsoft Global identifier, if available. |
+| **Recommendation** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Free up disk space.` | A localized string translated from RecommendedAction, Message, and other fields (depending on the source of the alert) that provides a recommended action. |
+| **ResolvedTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The time this alert was resolved, else empty. |
+| **SCCMClientId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration manager client ID of the device, if available. |
+| **ServiceSubstate** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `OfferReady` | If the alert is from the service, the ServiceSubstate at the time this alert was activated or updated, else empty. |
+| **ServiceSubstateRank** |[int](/azure/kusto/query/scalar-data-types/int) | No | | Rank of 'ClientSubstate' |
+| **SourceSystem** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Azure` | |
+| **StartTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The time this alert was activated. |
+| **TargetBuild** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `18363.836` | The Windows 10 Major. Revision this 'UpdateAlert' is relative to. |
+| **TargetVersion** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `1909` | The Windows 10 build this UpdateAlert is relative to. |
+| **TenantId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
+| **TimeGenerated [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
+| **Type** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `UCUpdateAlert` | The entity type |
+| **UpdateCategory** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
+| **UpdateClassification** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), nonsecurity (quality update), or driver |
+| **UpdateId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10e519f0-06ae-4141-8f53-afee63e995f0` | This field applies to drivers only. The Update ID of the targeted update. |
+| **URL** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `aka.ms/errordetail32152` | An optional URL to get more in-depth information related to this alert. |
diff --git a/windows/deployment/update/wufb-reports-schema.md b/windows/deployment/update/wufb-reports-schema.md
index 8a4fc45ecb..75cdcb5587 100644
--- a/windows/deployment/update/wufb-reports-schema.md
+++ b/windows/deployment/update/wufb-reports-schema.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 11/15/2022
+ms.date: 12/06/2023
---
# Windows Update for Business reports schema
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index df89fc602d..aefcd10aa4 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -9,7 +9,7 @@ ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
ms.topic: how-to
-ms.date: 11/23/2022
+ms.date: 11/14/2023
---
# Configure VDA for Windows subscription activation
@@ -31,7 +31,7 @@ Deployment instructions are provided for the following scenarios:
- VMs must be running a supported version of Windows Pro edition.
- VMs must be joined to Active Directory or Microsoft Entra ID.
-- VMs must be hosted by a Qualified Multitenant Hoster (QMTH). For more information, download the PDF that describes the [Qualified Multitenant Hoster Program](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf).
+- VMs must be hosted by a Qualified Multitenant Hoster (QMTH).
## Activation
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 40769fc671..11b304e822 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -225,26 +225,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf
> [!IMPORTANT]
> Don't attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, don't start the VM outside the PoC network.
-If you don't have a PC available to convert to VM, do the following steps to download an evaluation VM:
-
-1. Open the [Download virtual machines](https://developer.microsoft.com/microsoft-edge/tools/vms/) page.
-
- > [!NOTE]
- > The above link may not be available in all locales.
-
-2. Under **Virtual machine**, choose **IE11 on Win7**.
-
-3. Under **Select platform**, choose **HyperV (Windows)**.
-
-4. Select **Download .zip**. The download is 3.31 GB.
-
-5. Extract the zip file. Three directories are created.
-
-6. Open the **Virtual Hard Disks** directory and then copy **IE11 - Win7.vhd** to the **C:\VHD** directory.
-
-7. Rename **IE11 - Win7.vhd** to **w7.vhd** (don't rename the file to w7.vhdx).
-
-8. In step 5 of the [Configure Hyper-V](#configure-hyper-v) section, replace the VHD file name **w7.vhdx** with **w7.vhd**.
+
If you have a PC available to convert to VM (computer 2):
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 6b8718bf68..b5fc8eb923 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -11,7 +11,7 @@ ms.collection:
- highpri
- tier2
ms.topic: conceptual
-ms.date: 11/23/2022
+ms.date: 11/14/2023
appliesto:
- ✅ Windows 10
- ✅ Windows 11
@@ -39,7 +39,15 @@ This article covers the following information:
For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
> [!NOTE]
-> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their Conditional Access policies using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
+>
+> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using **Select Excluded Cloud Apps**:
+>
+> - [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
+> - [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
+>
+> Although the app ID is the same in both instances, the name of the cloud app will depend on the tenant.
+>
+> For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
## Subscription activation for Enterprise
@@ -239,7 +247,7 @@ For more information, see [Deploy Windows Enterprise licenses](deploy-enterprise
## Virtual Desktop Access (VDA)
-Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another [qualified multitenant hoster (QMTH)](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf).
+Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another qualified multitenant hoster (QMTH).
Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
index 93aeb12df6..ed02a37c7c 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
@@ -1,7 +1,7 @@
---
title: Manage Windows Autopatch groups
description: This article explains how to manage Autopatch groups
-ms.date: 07/25/2023
+ms.date: 12/13/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@@ -46,7 +46,7 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr
- Windows Autopatch – Ring2
- Windows Autopatch – Ring3
- Windows Autopatch – Last
-- Additionally, **don't** modify the Microsoft Entra group ownership of any of the groups above otherwise, Autopatch groups device registration process won't be able to add devices into these groups. If the ownership is modified, you must add the **Modern Workplace Management** Service Principal as the owner of these groups.
+- Additionally, **don't** modify the Microsoft Entra group ownership of any of the groups above otherwise, Autopatch groups device registration process won't be able to add devices into these groups. If the ownership is modified, you must add the **Modern Workplace Management** enterprise application as the owner of these groups.
- For more information, see [assign an owner or member of a group in Microsoft Entra ID](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) for steps on how to add owners to Azure Microsoft Entra groups.
- Make sure you have [app-only auth turned on in your Windows Autopatch tenant](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions). Otherwise, the Autopatch groups functionality won’t work properly. Autopatch uses app-only auth to:
- Read device attributes to successfully register devices.
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
index eb2f5d26d5..e41d8e60f4 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
@@ -1,7 +1,7 @@
---
title: Post-device registration readiness checks
description: This article details how post-device registration readiness checks are performed in Windows Autopatch
-ms.date: 09/16/2022
+ms.date: 09/16/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
index e68ee4d6bd..71b96ec441 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
@@ -1,7 +1,7 @@
---
title: Quality update trending report
description: Provides a visual representation of the update status trend for all devices over the last 90 days with Autopatch groups.
-ms.date: 05/01/2023
+ms.date: 09/01/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
index 3b72dc6d90..fe9d6b3321 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
@@ -1,7 +1,7 @@
---
title: Maintain the Windows Autopatch environment
description: This article details how to maintain the Windows Autopatch environment
-ms.date: 05/15/2023
+ms.date: 09/15/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
index 690e61a507..20c341551a 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
@@ -1,7 +1,7 @@
---
title: Submit a support request
description: Details how to contact the Windows Autopatch Service Engineering Team and submit support requests
-ms.date: 01/06/2023
+ms.date: 09/06/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
index 54d107d92d..3f0e20c935 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@@ -4,7 +4,7 @@ metadata:
description: Answers to frequently asked questions about Windows Autopatch.
ms.prod: windows-client
ms.topic: faq
- ms.date: 07/19/2023
+ ms.date: 12/04/2023
audience: itpro
ms.localizationpriority: medium
manager: dougeby
@@ -28,7 +28,7 @@ sections:
Windows Autopatch supports Windows 365 for Enterprise. Windows 365 for Business isn't supported.
- question: Does Windows Autopatch support Windows Education (A3/A5) or Windows Front Line Worker (F3) licensing?
answer: |
- Autopatch isn't available for 'A' or 'F' series licensing.
+ Autopatch isn't available for 'A'. Windows Autopatch supports some 'F' series licensing. For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses).
- question: Will Windows Autopatch support local domain join Windows 10?
answer: |
Windows Autopatch doesn't support local (on-premises) domain join. Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Microsoft Entra join](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
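Review bot: The rewritten answer `Autopatch isn't available for 'A'.` drops the noun and now reads as an incomplete sentence. `Autopatch isn't available for 'A' series licensing.` keeps the original meaning and matches the following sentence about 'F' series licensing.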
@@ -54,8 +54,8 @@ sections:
- [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.)
- question: What are the licensing requirements for Windows Autopatch?
answer: |
- - Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only). For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses).
- - [Azure AD Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) (for Co-management)
+ - Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only) or F3. For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses).
+ - [Azure AD Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) (for co-management)
- [Microsoft Intune](/mem/intune/fundamentals/licenses) (includes Configuration Manager 2010 or greater via co-management)
- question: Are there hardware requirements for Windows Autopatch?
answer: |
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
index 043db6fb77..0e481d7a66 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
@@ -1,7 +1,7 @@
---
title: Privacy
description: This article provides details about the data platform and privacy compliance for Autopatch
-ms.date: 03/13/2023
+ms.date: 09/13/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
index 6588ea5a13..bc26753af7 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
@@ -1,7 +1,7 @@
---
title: Submit a tenant enrollment support request
description: This article details how to submit a tenant enrollment support request
-ms.date: 01/13/2023
+ms.date: 09/13/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
index 8acdf328e5..f7a2045294 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
@@ -1,7 +1,7 @@
---
title: Fix issues found by the Readiness assessment tool
description: This article details how to fix issues found by the Readiness assessment tool.
-ms.date: 01/12/2023
+ms.date: 09/12/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index b0df16842e..f1351f3709 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -1,7 +1,7 @@
---
title: Prerequisites
description: This article details the prerequisites needed for Windows Autopatch
-ms.date: 04/24/2023
+ms.date: 12/04/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@@ -21,7 +21,7 @@ Getting started with Windows Autopatch has been designed to be easy. This articl
| Area | Prerequisite details |
| ----- | ----- |
-| Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Microsoft Entra ID P1 or P2 and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).
|
| Device management | [Devices must be already enrolled with Microsoft Intune](/mem/intune/user-help/enroll-windows-10-device) prior to registering with Windows Autopatch. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.
|
|
-### Service principal
-
-Windows Autopatch will create a service principal in your tenant to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Microsoft Entra ID](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is:
-
-- Modern Workplace Customer APIs
-
-
-
## Microsoft Entra groups
Windows Autopatch will create the required Microsoft Entra groups to operate the service.
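Review bot: Deleting the "Service principal" section removes this article's only statement of which identity Windows Autopatch creates in the tenant (`Modern Workplace Customer APIs`), while the manage-autopatch-groups change in the same commit still instructs admins to make the `Modern Workplace Management` enterprise application an owner of the Autopatch groups. Tenant administrators who audit first-party service principals and group ownership need an authoritative list of these identities. If the list now lives in another article, replace the section with a pointer such as `For the enterprise applications that Windows Autopatch creates in your tenant, see [<article that now lists them>](<path placeholder>).`; if it does not, keep the section and update the names instead of removing it.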
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
index 9ece385c03..e72d9e8042 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
@@ -1,7 +1,7 @@
---
title: Windows update policies
description: This article explains Windows update policies in Windows Autopatch
-ms.date: 12/02/2022
+ms.date: 09/02/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index 24650e3a33..c47bb6418b 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -1,7 +1,7 @@
---
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 10/27/2023
+ms.date: 12/14/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: whats-new
@@ -21,6 +21,27 @@ This article lists new and updated feature releases, and service releases, with
Minor corrections such as typos, style, or formatting issues aren't listed.
+## December 2023
+
+### December feature releases or updates
+
+| Article | Description |
+| ----- | ----- |
+| [Prerequisites](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) | Added F SKU licenses to the [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) section. Also see [FAQ](../overview/windows-autopatch-faq.yml)
|
+
+## December service release
+
+| Message center post number | Description |
+| ----- | ----- |
+| [MC697414](https://admin.microsoft.com/adminportal/home#/MessageCenter) | New Feature: Alerts for Windows Autopatch policy conflicts Public Preview announcement |
+| [MC695483](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned Maintenance: Windows Autopatch configuration update – December 2023 |
+
+## November service release
+
+| Message center post number | Description |
+| ----- | ----- |
+| [MC689492](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned Maintenance: Service maintenance to improve Windows Autopatch performance |
+
## October 2023
### October feature releases or updates
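Review bot: The added `## December service release` and `## November service release` headings are H2, whereas the existing structure visible at the end of the hunk (`## October 2023` followed by `### October feature releases or updates`) nests each month's content under one H2 per month. Change the December heading to `### December service release` under `## December 2023`, and introduce `## November 2023` above `### November service release`, so the new months remain parallel with October. The Prerequisites table row also appears to end without a period after the FAQ link; the trailing `|` seems to have wrapped onto its own line in this view, so worth checking the rendered table.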
diff --git a/windows/hub/breadcrumb/toc.yml b/windows/hub/breadcrumb/toc.yml
index 211570e4b0..cb49bed653 100644
--- a/windows/hub/breadcrumb/toc.yml
+++ b/windows/hub/breadcrumb/toc.yml
@@ -1,3 +1,27 @@
-- name: Windows
- tocHref: /windows/
- topicHref: /windows/index
+items:
+ - name: Docs
+ tocHref: /
+ topicHref: /
+ items:
+ - name: Windows
+ tocHref: /windows/
+ topicHref: /windows/resources/
+ items:
+ - name: What's new
+ tocHref: /windows/whats-new/
+ topicHref: /windows/whats-new/
+ - name: Configuration
+ tocHref: /windows/configuration/
+ topicHref: /windows/configuration/
+ - name: Deployment
+ tocHref: /windows/deployment/
+ topicHref: /windows/deployment/
+ - name: Client management
+ tocHref: /windows/client-management/
+ topicHref: /windows/client-management/
+ - name: Privacy
+ tocHref: /windows/privacy/
+ topicHref: /windows/privacy/
+ - name: Security
+ tocHref: /windows/security/
+ topicHref: /windows/security/
\ No newline at end of file
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index 321c0452a5..ed4832af6d 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -39,13 +39,13 @@
"tier1"
],
"audience": "ITPro",
+ "zone_pivot_group_filename": "resources/zone-pivot-groups.json",
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-Windows",
"ms.technology": "itpro-fundamentals",
"ms.topic": "article",
- "feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
+ "feedback_system": "Standard",
+ "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-hub",
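Review bot: `"zone_pivot_group_filename": "resources/zone-pivot-groups.json"` points at a `.json` file under `resources/`, while the file this commit adds is `windows/hub/zone-pivot-groups.yml`. That only resolves if the hub folder is published under `/windows/resources/` and the YAML is converted to JSON at build time, which the adjacent `breadcrumb_path` (`/windows/resources/breadcrumb/toc.json` for `windows/hub/breadcrumb/toc.yml`) and the new `"ZonePivotGroups": "Toc"` type mappings suggest but do not prove. Worth confirming with a build before merge, since a wrong path would presumably leave pages that reference these pivots without a working selector.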
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index 7c0031c1e0..e651c1901d 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -10,7 +10,6 @@ metadata:
ms.topic: hub-page
ms.prod: windows-client
ms.collection:
- - highpri
- tier1
author: paolomatarazzo
ms.author: paoloma
diff --git a/windows/hub/zone-pivot-groups.yml b/windows/hub/zone-pivot-groups.yml
new file mode 100644
index 0000000000..d426e4da0f
--- /dev/null
+++ b/windows/hub/zone-pivot-groups.yml
@@ -0,0 +1,18 @@
+# YamlMime:ZonePivotGroups
+groups:
+- id: windows-versions-11-10
+ title: Windows versions
+ prompt: "Select the Windows version you want to learn about:"
+ pivots:
+ - id: windows-11
+ title: Windows 11
+ - id: windows-10
+ title: Windows 10
+- id: windows-editions-proent-proedu
+ title: Windows editions
+ prompt: "Select the Windows edition you want to learn about:"
+ pivots:
+ - id: windows-pro
+ title: Windows Pro Edu/Education
+ - id: windows-ent
+ title: Windows Pro/Enterprise
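Review bot: In the `windows-editions-proent-proedu` group the pivot ids and titles do not line up: `windows-pro` is titled `Windows Pro Edu/Education` and `windows-ent` is titled `Windows Pro/Enterprise`, so an author selecting `windows-pro` for Pro content will in fact target the Education pivot. Since no article uses these ids yet, renaming them now is cheap; for example `- id: windows-pro-edu` for the Education pivot and `- id: windows-pro-ent` for the Pro/Enterprise pivot (constructed names). The group id also lists `proent` before `proedu` while the pivots are declared in the opposite order; aligning the two avoids the same confusion at the group level.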
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json
index f4854fbb05..c7cbe8e448 100644
--- a/windows/privacy/docfx.json
+++ b/windows/privacy/docfx.json
@@ -39,9 +39,8 @@
"uhfHeaderId": "MSDocsHeader-Windows",
"ms.technology": "itpro-privacy",
"ms.topic": "article",
- "feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
+ "feedback_system": "Standard",
+ "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.privacy",
diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
index 4ac93439c6..f79b3dd872 100644
--- a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
+++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
@@ -1,6 +1,6 @@
---
description: Learn more about the diagnostic data gathered for Windows 11, versions 23H2 and 22H2.
-title: Required diagnostic events and fields for Windows 11, versions 23H3 and 22H2
+title: Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2
keywords: privacy, telemetry
ms.prod: windows-client
ms.technology: itpro-privacy
@@ -3655,4 +3655,4 @@ The following fields are available:
- **ScenarioSupported** Whether the updated scenario that was passed in was supported.
- **SessionId** The UpdateAgent “SessionId” value.
- **UpdateId** Unique identifier for the Update.
-- **WuId** Unique identifier for the Windows Update client.
\ No newline at end of file
+- **WuId** Unique identifier for the Windows Update client.
diff --git a/windows/security/application-security/application-control/user-account-control/how-it-works.md b/windows/security/application-security/application-control/user-account-control/how-it-works.md
index 2e4ec8b5e5..27338890ca 100644
--- a/windows/security/application-security/application-control/user-account-control/how-it-works.md
+++ b/windows/security/application-security/application-control/user-account-control/how-it-works.md
@@ -1,9 +1,6 @@
---
title: How User Account Control works
description: Learn about User Account Control (UAC) components and how it interacts with the end users.
-ms.collection:
- - highpri
- - tier2
ms.topic: concept-article
ms.date: 05/24/2023
---
@@ -19,7 +16,7 @@ With UAC, each application that requires the *administrator access token* must p
Windows protects processes by marking their integrity levels. Integrity levels are measurements of trust:
- A *high integrity application* is one that performs tasks that modify system data, such as a disk partitioning application
-- A *low integrity application* is one that performs tasks that could potentially compromise the operating system, like as a Web brows
+- A *low integrity application* is one that performs tasks that could potentially compromise the operating system, like as a Web browser
Applications with lower integrity levels can't modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provides valid administrator credentials.
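Review bot: The repaired bullet still reads `like as a Web browser`, which is ungrammatical even after the truncated word is restored. `such as a web browser` matches the `such as a disk partitioning application` form used in the bullet above it.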
diff --git a/windows/security/application-security/application-control/user-account-control/index.md b/windows/security/application-security/application-control/user-account-control/index.md
index aad3fb9eab..3b5e6e8561 100644
--- a/windows/security/application-security/application-control/user-account-control/index.md
+++ b/windows/security/application-security/application-control/user-account-control/index.md
@@ -1,9 +1,6 @@
---
title: User Account Control
description: Learn how User Account Control (UAC) helps to prevent unauthorized changes to Windows devices.
-ms.collection:
- - highpri
- - tier2
ms.topic: overview
ms.date: 05/24/2023
---
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml
index 3815f2af27..c2302c6e47 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml
+++ b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml
@@ -146,8 +146,6 @@
href: applocker\deploy-applocker-policies-by-using-the-enforce-rules-setting.md
- name: Use the AppLocker Windows PowerShell cmdlets
href: applocker\use-the-applocker-windows-powershell-cmdlets.md
- - name: Use AppLocker and Software Restriction Policies in the same domain
- href: applocker\use-applocker-and-software-restriction-policies-in-the-same-domain.md
- name: Optimize AppLocker performance
href: applocker\optimize-applocker-performance.md
- name: Monitor app usage with AppLocker
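Review bot: This hunk and the later ones in this file remove five AppLocker TOC entries (use-applocker-and-software-restriction-policies-in-the-same-domain, determine-your-application-control-objectives, understand-applocker-enforcement-settings, using-software-restriction-policies-and-applocker-policies, applocker-settings), but nothing in this view shows those articles being deleted or given redirect entries. If the articles are being retired, each needs a redirect entry in the repo's redirection file so existing links and bookmarks keep resolving; if they stay published, removing them from the TOC leaves them as orphaned pages reachable only by direct URL. Either outcome should be stated in the commit description.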
@@ -213,8 +211,6 @@
items:
- name: Understand AppLocker policy design decisions
href: applocker\understand-applocker-policy-design-decisions.md
- - name: Determine your application control objectives
- href: applocker\determine-your-application-control-objectives.md
- name: Create a list of apps deployed to each business group
href: applocker\create-list-of-applications-deployed-to-each-business-group.md
items:
@@ -228,8 +224,6 @@
- name: Determine the Group Policy structure and rule enforcement
href: applocker\determine-group-policy-structure-and-rule-enforcement.md
items:
- - name: Understand AppLocker enforcement settings
- href: applocker\understand-applocker-enforcement-settings.md
- name: Understand AppLocker rules and enforcement setting inheritance in Group Policy
href: applocker\understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
- name: Document the Group Policy structure and AppLocker rule enforcement
@@ -243,8 +237,6 @@
href: applocker\understand-the-applocker-policy-deployment-process.md
- name: Requirements for Deploying AppLocker Policies
href: applocker\requirements-for-deploying-applocker-policies.md
- - name: Use Software Restriction Policies and AppLocker policies
- href: applocker\using-software-restriction-policies-and-applocker-policies.md
- name: Create Your AppLocker policies
href: applocker\create-your-applocker-policies.md
items:
@@ -278,6 +270,8 @@
href: applocker\understanding-applocker-rule-exceptions.md
- name: Understanding AppLocker rule collections
href: applocker\understanding-applocker-rule-collections.md
+ - name: Understand AppLocker rule collection extensions
+ href: applocker\rule-collection-extensions.md
- name: Understanding AppLocker allow and deny actions on rules
href: applocker\understanding-applocker-allow-and-deny-actions-on-rules.md
- name: Understanding AppLocker rule condition types
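Review bot: The new entry `- name: Understand AppLocker rule collection extensions` sits between `Understanding AppLocker rule collections` and `Understanding AppLocker allow and deny actions on rules`, so it breaks the gerund form used by every neighbour in this block. `- name: Understanding AppLocker rule collection extensions` keeps the list uniform; the href can stay as is.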
@@ -315,5 +309,3 @@
items:
- name: Using Event Viewer with AppLocker
href: applocker\using-event-viewer-with-applocker.md
- - name: AppLocker Settings
- href: applocker\applocker-settings.md
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
index 137f9503c0..76569e20e6 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
@@ -1,18 +1,15 @@
---
title: Add rules for packaged apps to existing AppLocker rule-set
-description: This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
+description: This article for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/22/2023
---
# Add rules for packaged apps to existing AppLocker rule-set
-> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
-This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
+You can create packaged app rules by updating your existing AppLocker rule set from any supported computer. Download and install the Remote Server Administration Toolkit (RSAT) from the Microsoft Download Center.
-You can create packaged app rules for the computers running Windows Server 2012 or Windows 8 and later in your domain by updating your existing AppLocker rule set. All you need is a computer running at least Windows 8. Download and install the Remote Server Administration Toolkit (RSAT) from the Microsoft Download Center.
-
-RSAT comes with the Group Policy Management Console that allows you to edit the GPO or GPOs where your existing AppLocker policy is authored. RSAT has the necessary files required to author packaged app rules. Packaged app rules will be ignored on computers running Windows 7 and earlier but will be enforced on those computers in your domain running at least Windows Server 2012 and Windows 8.
+RSAT comes with the Group Policy Management Console that allows you to edit the GPO or GPOs where your existing AppLocker policy is authored. RSAT has the necessary files required to author packaged app rules.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker.md
index a8cc845756..ef477ce467 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker.md
@@ -1,61 +1,56 @@
---
title: Administer AppLocker
-description: This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.
+description: This article for IT professionals provides links to specific procedures to use when administering AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 12/19/2023
---
# Administer AppLocker
-> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.
+This article for IT professionals provides links to specific procedures to use when administering AppLocker policies.
AppLocker helps administrators control how users can access and use files, such as executable files, packaged apps, scripts, Windows Installer files, and DLLs. Using AppLocker, you can:
- Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file.
- Assign a rule to a security group or an individual user.
- Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run, except Registry Editor (regedit.exe).
-- Use audit-only mode to deploy the policy and understand its impact before enforcing it.
+- Use audit-only mode to deploy the policy and understand its effect before enforcing it.
- Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, the existing policy is overwritten.
- Simplify creating and managing AppLocker rules by using AppLocker PowerShell cmdlets.
- > **Note** For more info about enhanced capabilities of AppLocker to control Windows apps, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md).
-
+
## In this section
-| Topic | Description |
+| Article | Description |
| - | - |
-| [Maintain AppLocker policies](maintain-applocker-policies.md) | This topic describes how to maintain rules within AppLocker policies. |
-| [Edit an AppLocker policy](edit-an-applocker-policy.md) | This topic for IT professionals describes the steps required to modify an AppLocker policy. |
-| [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) | This topic discusses the steps required to test an AppLocker policy prior to deployment. |
-| [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md) | This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. |
-| [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md) | This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. |
-| [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md) | This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. |
-| [Optimize AppLocker performance](optimize-applocker-performance.md) | This topic for IT professionals describes how to optimize AppLocker policy enforcement. |
-| [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) | This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. |
-| [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) | This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. |
-| [Working with AppLocker rules](working-with-applocker-rules.md) | This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. |
-| [Working with AppLocker policies](working-with-applocker-policies.md) | This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. |
+| [Maintain AppLocker policies](maintain-applocker-policies.md) | This article describes how to maintain rules within AppLocker policies. |
+| [Edit an AppLocker policy](edit-an-applocker-policy.md) | This article for IT professionals describes the steps required to modify an AppLocker policy. |
+| [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) | This article discusses the steps required to test an AppLocker policy prior to deployment. |
+| [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md) | This article for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. |
+| [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md) | This article for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. |
+| [Optimize AppLocker performance](optimize-applocker-performance.md) | This article for IT professionals describes how to optimize AppLocker policy enforcement. |
+| [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) | This article for IT professionals describes how to monitor app usage when AppLocker policies are applied. |
+| [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) | This article for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. |
+| [Working with AppLocker rules](working-with-applocker-rules.md) | This article for IT professionals describes AppLocker rule types and how to work with them for your application control policies. |
+| [Working with AppLocker policies](working-with-applocker-policies.md) | This article for IT professionals provides links to procedural articles about creating, maintaining, and testing AppLocker policies. |
-## Using the MMC snap-ins to administer AppLocker
+## Using the MMC snap-ins to administer AppLocker
-You can administer AppLocker policies by using the Group Policy Management Console to create or edit a Group Policy Object (GPO), or to create or edit an AppLocker policy on a local computer by using the Local Group Policy Editor snap-in or the Local Security Policy snap-in (secpol.msc).
+You can administer AppLocker policies using the Group Policy Management Console to create or edit a Group Policy Object (GPO). To create or edit an AppLocker policy on a local computer, use the Local Group Policy Editor snap-in or the Local Security Policy snap-in (secpol.msc).
### Administer AppLocker using Group Policy
You must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. Also, the Group Policy Management feature must be installed on the computer.
-1. Open the Group Policy Management Console (GPMC).
-2. Locate the GPO that contains the AppLocker policy to modify, right-click the GPO, and then click **Edit**.
-3. In the console tree, double-click **Application Control Policies**, double-click **AppLocker**, and then click the rule collection that you want to create the rule for.
+1. Open the Group Policy Management Console (GPMC).
+2. Locate the GPO that contains the AppLocker policy to modify, right-click the GPO, and then select **Edit**.
+3. In the console tree, double-click **Application Control Policies**, double-click **AppLocker**, and then select the rule collection that you want to create the rule for.
### Administer AppLocker on the local PC
-1. Click **Start**, type **local security policy**, and then click **Local Security Policy**.
-2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
-3. In the console tree of the snap-in, double-click **Application Control Policies**, double-click **AppLocker**, and then click the rule collection that you want to create the rule for.
+1. Select **Start**, type **local security policy**, and then select **Local Security Policy**.
+2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
+3. In the console tree of the snap-in, double-click **Application Control Policies**, double-click **AppLocker**, and then select the rule collection that you want to create the rule for.
## Using Windows PowerShell to administer AppLocker
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-architecture-and-components.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-architecture-and-components.md
index 93e671aff7..763fd8e86d 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-architecture-and-components.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-architecture-and-components.md
@@ -1,34 +1,31 @@
---
title: AppLocker architecture and components
-description: This topic for IT professional describes AppLocker’s basic architecture and its major components.
+description: This article for IT professional describes AppLocker’s basic architecture and its major components.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# AppLocker architecture and components
-> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for IT professional describes AppLocker's basic architecture and its major components.
-This topic for IT professional describes AppLocker's basic architecture and its major components.
+AppLocker uses the Application Identity service to provide attributes for a file and to evaluate the AppLocker policy for the file. AppLocker policies are conditional access control entries (ACEs), and policies are evaluated by using the attribute-based access control **SeAccessCheckWithSecurityAttributes** or **AuthzAccessCheck** functions.
-AppLocker relies on the Application Identity service to provide attributes for a file and to evaluate the AppLocker policy for the file. AppLocker policies are conditional access control entries (ACEs), and policies are evaluated by using the attribute-based access control **SeAccessCheckWithSecurityAttributes** or **AuthzAccessCheck** functions.
+AppLocker provides three ways to intercept and validate if a file is allowed to run according to an AppLocker policy.
-AppLocker provides three ways to intercept and validate if a file is allowed to execute according to an AppLocker policy.
+## A new process is created
-**A new process is created**
+When an app file is run, a new process is created. When that happens, AppLocker calls the Application Identity component to calculate the attributes of the main executable file used to create a new process. It then updates the new process's token with these attributes and checks the AppLocker policy to verify that the executable file is allowed to run.
-When a new process is created, such as an executable file or a Universal Windows app is run, AppLocker invokes the Application Identity component to calculate the attributes of the main executable file used to create a new process. It then updates the new process's token with these attributes and checks the AppLocker policy to verify that the executable file is allowed to run.
+## A DLL is loaded
-**A DLL is loaded**
+When a DLL is loaded, a notification is sent to AppLocker to verify that the DLL is allowed to load. AppLocker calls the Application Identity component to calculate the file attributes. It duplicates the existing process token and replaces those Application Identity attributes in the duplicated token with attributes of the loaded DLL. AppLocker then evaluates the policy for this DLL, and the duplicated token is discarded. Depending on the result of this check, the system either continues to load the DLL or stops the process.
-When a new DLL loads, a notification is sent to AppLocker to verify that the DLL is allowed to load. AppLocker calls the Application Identity component to calculate the file attributes. It duplicates the existing process token and replaces those Application Identity attributes in the duplicated token with attributes of the loaded DLL. AppLocker then evaluates the policy for this DLL, and the duplicated token is discarded. Depending on the result of this check, the system either continues to load the DLL or stops the process.
+## A script is run
-**A script is run**
+Before a script file is run, the script host (for example, PowerShell) calls AppLocker to verify the script. AppLocker calls the Application Identity component in user-mode with the file name or file handle to calculate the file properties. The script file then is evaluated against the AppLocker policy to verify that it should run. In each case, the actions taken by AppLocker are written to the event log.
-Before a script file is run, the script host (for example, for .ps1 files, the script host is PowerShell) invokes AppLocker to verify the script. AppLocker invokes the Application Identity component in user-mode with the file name or file handle to calculate the file properties. The script file then is evaluated against the AppLocker policy to verify that it's allowed to run. In each case, the actions taken by AppLocker are written to the event log.
-
-## Related topics
+## Related articles
- [AppLocker technical reference](applocker-technical-reference.md)
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-functions.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-functions.md
index 48067e47b9..8ab68a0205 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-functions.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-functions.md
@@ -1,45 +1,40 @@
---
title: AppLocker functions
-description: This article for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.
+description: This article for the IT professional lists the functions and security levels for AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# AppLocker functions
-> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This article for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.
+This article for the IT professional lists the functions and security levels for AppLocker.
## Functions
-Here are the SRP functions beginning with Windows Server 2003 and AppLocker functions beginning with Windows Server 2008 R2:
-
-- [SaferGetPolicyInformation Function](/windows/win32/api/winsafer/nf-winsafer-safergetpolicyinformation)
-- [SaferCreateLevel Function](/windows/win32/api/winsafer/nf-winsafer-safercreatelevel)
-- [SaferCloseLevel Function](/windows/win32/api/winsafer/nf-winsafer-safercloselevel)
-- [SaferIdentifyLevel Function](/windows/win32/api/winsafer/nf-winsafer-saferidentifylevel)
-- [SaferComputeTokenFromLevel Function](/windows/win32/api/winsafer/nf-winsafer-safercomputetokenfromlevel)
-- [SaferGetLevelInformation Function](/windows/win32/api/winsafer/nf-winsafer-safergetlevelinformation)
-- [SaferRecordEventLogEntry Function](/windows/win32/api/winsafer/nf-winsafer-saferrecordeventlogentry)
-- [SaferiIsExecutableFileType Function](/windows/win32/api/winsafer/nf-winsafer-saferiisexecutablefiletype)
+- [SaferGetPolicyInformation Function](/windows/win32/api/winsafer/nf-winsafer-safergetpolicyinformation)
+- [SaferCreateLevel Function](/windows/win32/api/winsafer/nf-winsafer-safercreatelevel)
+- [SaferCloseLevel Function](/windows/win32/api/winsafer/nf-winsafer-safercloselevel)
+- [SaferIdentifyLevel Function](/windows/win32/api/winsafer/nf-winsafer-saferidentifylevel)
+- [SaferComputeTokenFromLevel Function](/windows/win32/api/winsafer/nf-winsafer-safercomputetokenfromlevel)
+- [SaferGetLevelInformation Function](/windows/win32/api/winsafer/nf-winsafer-safergetlevelinformation)
+- [SaferRecordEventLogEntry Function](/windows/win32/api/winsafer/nf-winsafer-saferrecordeventlogentry)
+- [SaferiIsExecutableFileType Function](/windows/win32/api/winsafer/nf-winsafer-saferiisexecutablefiletype)
## Security level ID
-AppLocker and SRP use the security level IDs to specify the access requirements to files listed in policies. The following table shows those security levels supported in SRP and AppLocker.
+AppLocker uses the security level IDs to specify the access requirements to files listed in policies. The following table shows those security levels supported in AppLocker.
-| Security level ID | SRP | AppLocker |
-| - | - | - |
-| SAFER_LEVELID_FULLYTRUSTED | Supported | Supported |
-| SAFER_LEVELID_NORMALUSER | Supported | Not supported |
-| SAFER_LEVELID_CONSTRAINED | Supported | Not supported |
-| SAFER_LEVELID_UNTRUSTED | Supported | Not supported |
-| SAFER_LEVELID_DISALLOWED | Supported | Supported |
-
->[!Note]
->URL zone ID isn't supported in AppLocker.
+| Security level ID | AppLocker |
+| --- | --- |
+| SAFER_LEVELID_FULLYTRUSTED | Supported |
+| SAFER_LEVELID_NORMALUSER | Not supported |
+| SAFER_LEVELID_CONSTRAINED | Not supported |
+| SAFER_LEVELID_UNTRUSTED | Not supported |
+| SAFER_LEVELID_DISALLOWED | Supported |
+
+> [!NOTE]
+> URL zone ID isn't supported in AppLocker.
## Related articles
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
index 7c130ac1f2..ffd2a32a70 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
@@ -2,46 +2,44 @@
title: AppLocker
description: This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies.
ms.collection:
-- highpri
- tier3
- must-keep
ms.topic: conceptual
ms.localizationpriority: medium
-ms.date: 06/07/2023
+ms.date: 12/19/2023
---
# AppLocker
-> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
+This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. AppLocker is also used by some features of Windows Defender Application Control.
> [!NOTE]
-> AppLocker is unable to control processes running under the system account on any operating system.
+> AppLocker is a defense-in-depth security feature and not considered a defensible Windows [security feature](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
+
+> [!NOTE]
+> By default, AppLocker policy only applies to code launched in a user's context. On Windows 10, Windows 11, and Windows Server 2016 or later, you can apply AppLocker policy to non-user processes, including those running as SYSTEM. For more information, see [AppLocker rule collection extensions](/windows/security/application-security/application-control/windows-defender-application-control/applocker/rule-collection-extensions#services-enforcement).
AppLocker can help you:
- Define rules based on file attributes that persist across app updates, such as the publisher name (derived from the digital signature), product name, file name, and file version. You can also create rules based on the file path and hash.
- Assign a rule to a security group or an individual user.
- Create exceptions to rules. For example, you can create a rule that allows all users to run all Windows binaries, except the Registry Editor (regedit.exe).
-- Use audit-only mode to deploy the policy and understand its impact before enforcing it.
+- Use audit-only mode to deploy the policy and understand its effect before enforcing it.
- Create rules on a staging server, test them, then export them to your production environment and import them into a Group Policy Object.
-- Simplify creating and managing AppLocker rules by using Windows PowerShell.
+- Create and manage AppLocker rules by using Windows PowerShell.
-AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of Help Desk calls that result from users running unapproved apps. AppLocker addresses the following app security scenarios:
+AppLocker helps prevent users from running unapproved apps. AppLocker addresses the following app control scenarios:
-- **Application inventory**: AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is registered in event logs. These events can be collected for further analysis. Windows PowerShell cmdlets also help you analyze this data programmatically.
+- **Application inventory**: AppLocker has the ability to apply its policy in an audit-only mode where all app launch activity is allowed but registered in event logs. These events can be collected for further analysis. Windows PowerShell cmdlets also help you analyze this data programmatically.
- **Protection against unwanted software**: AppLocker has the ability to deny apps from running when you exclude them from the list of allowed apps. When AppLocker rules are enforced in the production environment, any apps that aren't included in the allowed rules are blocked from running.
- **Licensing conformance**: AppLocker can help you create rules that preclude unlicensed software from running and restrict licensed software to authorized users.
- **Software standardization**: AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This configuration permits a more uniform app deployment.
-- **Manageability improvement**: AppLocker includes many improvements in manageability as compared to its predecessor Software Restriction Policies. Importing and exporting policies, automatic generation of rules from multiple files, audit-only mode deployment, and Windows PowerShell cmdlets are a few of the improvements over Software Restriction Policies.
## When to use AppLocker
In many organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. Access control technologies, such as Active Directory Rights Management Services (AD RMS) and access control lists (ACLs), help control what users are allowed to access.
-However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software. AppLocker can help mitigate these types of security breaches by restricting the files that users or groups are allowed to run. Software publishers are beginning to create more apps that can be installed by non-administrative users. This privilege could jeopardize an organization's written security policy and circumvent traditional app control solutions that rely on the inability of users to install apps. AppLocker creates an allowed list of approved files and apps to help prevent such per-user apps from running. Because AppLocker can control DLLs, it's also useful to control who can install and run ActiveX controls.
+However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user runs unauthorized software, including malware. AppLocker helps mitigate these types of security issues by restricting the files that users or groups are allowed to run. Because AppLocker can control DLLs and scripts, it's also useful to control who can install and run ActiveX controls.
AppLocker is ideal for organizations that currently use Group Policy to manage their PCs.
@@ -50,21 +48,18 @@ The following are examples of scenarios in which AppLocker can be used:
- Your organization's security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users.
- An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
- The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
-- The license to an app has been revoked or it's expired in your organization, so you need to prevent it from being used by everyone.
+- The license to an app is revoked or expired in your organization, so you need to prevent it from being used by everyone.
- A new app or a new version of an app is deployed, and you need to prevent users from running the old version.
- Specific software tools aren't allowed within the organization, or only specific users should have access to those tools.
- A single user or small group of users needs to use a specific app that is denied for all others.
-- Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
+- Some people in your organization who require different software share a computer, and you need to protect specific apps.
- In addition to other measures, you need to control the access to sensitive data through app usage.
-> [!NOTE]
-> AppLocker is a defense-in-depth security feature and not a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
-
AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies.
## Installing AppLocker
-AppLocker is included with enterprise-level editions of Windows. You can author AppLocker rules for a single computer or for a group of computers. For a single computer, you can author the rules by using the Local Security Policy editor (secpol.msc). For a group of computers, you can author the rules within a Group Policy Object by using the Group Policy Management Console (GPMC).
+AppLocker is included with all editions of Windows except Windows 10 version 1809 or earlier. You can author AppLocker rules for a single computer or for a group of computers. For a single computer, you can author the rules by using the Local Security Policy editor (secpol.msc). For a group of computers, you can author the rules within a Group Policy Object by using the Group Policy Management Console (GPMC).
> [!NOTE]
> GPMC is available in client computers running Windows only by installing the Remote Server Administration Tools. On computer running Windows Server, you must install the Group Policy Management feature.
@@ -75,15 +70,15 @@ AppLocker on Server Core installations isn't supported.
### Virtualization considerations
-You can administer AppLocker policies by using a virtualized instance of Windows provided it meets all the system requirements listed previously. You can also run Group Policy in a virtualized instance. However, you do risk losing the policies that you created and maintain if the virtualized instance is removed or fails.
+You can administer AppLocker policies by using a virtualized instance of Windows provided it meets all the system requirements listed previously. You can also run Group Policy in a virtualized instance. However, you risk losing the policies that you create and maintain if the virtualized instance is removed or fails.
### Security considerations
Application control policies specify which apps are allowed to run on the local computer. The variety of forms that malicious software can take make it difficult for users to know what is safe to run. When activated, malicious software can damage content on a hard disk drive, flood a network with requests to cause a denial-of-service (DoS) attack, send confidential information to the Internet, or compromise the security of a computer.
-The countermeasure is to create a sound design for your application control policies on PCs in your organization, and then thoroughly test the policies in a lab environment before you deploy them in a production environment. AppLocker can be part of your app control strategy because you can control what software is allowed to run on your computers.
+The countermeasure is to create a sound design for your application control policies on PCs in your organization. AppLocker can be part of your app control strategy because you can control what software is allowed to run on your computers.
-A flawed application control policy implementation can disable necessary applications or allow malicious or unintended software to run. Therefore, it's important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies.
+A flawed application control policy implementation can disable necessary applications or allow malicious or unintended software to run. You should thoroughly test the policies in a lab environment before you deploy them in production. It's also important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies.
For more information about specific security issues, see [Security considerations for AppLocker](security-considerations-for-applocker.md). When you use AppLocker to create application control policies, you should be aware of the following security considerations:
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
index 3e609e4176..cb437f92b7 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
@@ -1,47 +1,36 @@
---
title: AppLocker deployment guide
-description: This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
+description: This article for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/22/2023
---
# AppLocker deployment guide
-> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
-This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
-
-This guide provides steps based on your design and planning investigation for deploying application control policies by using AppLocker. It's intended for security architects, security administrators, and system administrators. Through a sequential and iterative deployment process, you can create application control policies, test and adjust the policies, and implement a method for maintaining those policies as the needs in your organization change.
-
-This guide covers the use of Software Restriction Policies (SRP) in conjunction with AppLocker policies to control application usage. For a comparison of SRP and AppLocker, see [Using Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md) in this guide. To understand if AppLocker is the correct application control solution for you, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md).
+This guide provides steps based on your design and planning investigation for deploying application control policies by using AppLocker. By creating, testing, and maintaining your application control policies through a sequential and iterative deployment process, you can adapt to the changing needs of your organization.
## Prerequisites to deploying AppLocker policies
The following are prerequisites or recommendations to deploying policies:
-- Understand the capabilities of AppLocker:
- - [AppLocker](applocker-overview.md)
-- Document your application control policy deployment plan by addressing these tasks:
- - [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)
- - [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
- - [Determine your application control objectives](determine-your-application-control-objectives.md)
- - [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
- - [Select types of rules to create](select-types-of-rules-to-create.md)
- - [Determine Group Policy Structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
- - [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
-
-## Contents of this guide
-
-This guide provides steps based on your design and planning investigation for deploying application control policies created and maintained by AppLocker for computers running any of the supported versions of Windows listed in [Requirements to use AppLocker](requirements-to-use-applocker.md).
+- Understand the capabilities of AppLocker:
+ - [AppLocker](applocker-overview.md)
+- Document your application control policy deployment plan by addressing these tasks:
+ - [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)
+ - [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
+ - [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
+ - [Select types of rules to create](select-types-of-rules-to-create.md)
+ - [Determine Group Policy Structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
+ - [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
## In this section
-| Topic | Description |
-| - | - |
-| [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md) | This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. |
-| [Requirements for Deploying AppLocker Policies](requirements-for-deploying-applocker-policies.md) | This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. |
-| [Use Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md) | This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. |
-| [Create Your AppLocker policies](create-your-applocker-policies.md) | This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. |
-| [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) | This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. |
+| Article | Description |
+| --- | --- |
+| [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md) | This planning and deployment article for the IT professional describes the process for using AppLocker when deploying application control policies. |
+| [Requirements for Deploying AppLocker Policies](requirements-for-deploying-applocker-policies.md) | This deployment article for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. |
+| [Create Your AppLocker policies](create-your-applocker-policies.md) | This overview article for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. |
+| [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) | This article for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. |
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-design-guide.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-design-guide.md
index 56a059df6a..0299b53b2a 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-design-guide.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-design-guide.md
@@ -1,33 +1,28 @@
---
title: AppLocker design guide
-description: This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
+description: This article for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/22/2023
---
# AppLocker design guide
-> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
-This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
+This guide provides important designing and planning information for deploying application control policies by using AppLocker. Through a sequential and iterative process, you can create an AppLocker policy deployment plan for your organization that addresses your specific application control requirements by department, organizational unit, or business group.
-This guide provides important designing and planning information for deploying application control policies by using AppLocker. It's intended for security architects, security administrators, and system administrators. Through a sequential and iterative process, you can create an AppLocker policy deployment plan for your organization that will address your specific application control requirements by department, organizational unit, or business group.
+To understand if AppLocker is the correct application control solution for your organization, see [Windows Defender Application Control and AppLocker overview](/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview).
-This guide doesn't cover the deployment of application control policies by using Software Restriction Policies (SRP). However, SRP is discussed as a deployment option in conjunction with AppLocker policies. For info about these options, see [Determine your application control objectives](determine-your-application-control-objectives.md).
-
-To understand if AppLocker is the correct application control solution for your organization, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md).
## In this section
-| Topic | Description |
-| - | - |
-| [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) | This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. |
-| [Determine your application control objectives](determine-your-application-control-objectives.md) | This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. |
-| [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) | This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. |
-| [Select the types of rules to create](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using AppLocker. |
-| [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) | This overview topic describes the process to follow when you're planning to deploy AppLocker rules. |
-| [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) | This topic describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. |
+| Article | Description |
+| --- | --- |
+| [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) | This article describes AppLocker design questions, possible answers, and other considerations when you plan a deployment of application control policies by using AppLocker. |
+| [Determine your application control objectives](determine-your-application-control-objectives.md) | This article helps you with the decisions you need to make to determine what applications to control and how to control them using AppLocker. |
+| [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) | This article describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. |
+| [Select the types of rules to create](select-types-of-rules-to-create.md) | This article lists resources you can use when selecting your application control policy rules by using AppLocker. |
+| [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) | This overview article describes the process to follow when you're planning to deploy AppLocker rules. |
+| [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) | This article describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. |
-
After careful design and detailed planning, the next step is to deploy AppLocker policies. [AppLocker Deployment Guide](applocker-policies-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
index 7657e480fa..a2776beaac 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
@@ -1,56 +1,50 @@
---
title: AppLocker policy use scenarios
-description: This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
+description: This article for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# AppLocker policy use scenarios
-> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
-This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
+AppLocker can help you improve the management of application control and the maintenance of application control policies. Application control scenarios addressed by AppLocker include:
-AppLocker can help you improve the management of application control and the maintenance of application control policies. Application control scenarios addressed by AppLocker can be categorized as follows:
+1. **App inventory**
-1. **App inventory**
+ AppLocker can apply its policy in an audit-only mode where all app access activity is collected in event logs for further analysis. Windows PowerShell cmdlets are also available to help you understand app usage and access.
- AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is collected in event logs for further analysis. Windows PowerShell cmdlets are also available to help you understand app usage and access.
+2. **Protection against unwanted software**
-2. **Protection against unwanted software**
+ AppLocker can block apps from running simply by excluding them from the list of allowed apps per business group or user. Any app not allowed by your policy based on its publisher, installation path, or file hash, is blocked.
- AppLocker has the ability to deny apps from running simply by excluding them from the list of allowed apps per business group or user. If an app isn't identified by its publisher, installation path, or file hash, the attempt to run the application fails.
+3. **Licensing conformance**
-3. **Licensing conformance**
+ With AppLocker's app inventory described earlier, you can identify the software that corresponds to your software licensing agreements and restrict application usage based on licensing agreements.
- AppLocker can provide an inventory of software usage within your organization, so you can identify the software that corresponds to your software licensing agreements and restrict application usage based on licensing agreements.
+4. **Software standardization**
-4. **Software standardization**
+ AppLocker policies can allow only supported or approved apps to run on computers within a business group. This configuration permits a more uniform app deployment.
- AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This configuration permits a more uniform app deployment.
-
-5. **Manageability improvement**
-
- AppLocker policies can be modified and deployed through your existing Group Policy infrastructure and can work in conjunction with policies created by using Software Restriction Policies. As you manage ongoing change in your support of a business group's apps, you can modify policies and use the AppLocker cmdlets to test the policies for the expected results. You can also design application control policies for situations in which users share computers.
-
-### Use scenarios
+## Use scenarios
The following are examples of scenarios in which AppLocker can be used:
-- Your organization implements a policy to standardize the applications used within each business group, so you need to determine the expected usage compared to the actual usage.
-- The security policy for application usage has changed, and you need to evaluate where and when those deployed apps are being accessed.
-- Your organization's security policy dictates the use of only licensed software, so you need to determine which apps aren't licensed or prevent unauthorized users from running licensed software.
-- An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
-- Your organization needs to restrict the use of Universal Windows apps to just those apps your organization approves of or develops.
-- The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
-- The license to an app has been revoked or is expired in your organization, so you need to prevent it from being used by everyone.
-- A new app or a new version of an app is deployed, and you need to allow certain groups to use it.
-- Specific software tools aren't allowed within the organization, or only specific users have access to those tools.
-- A single user or small group of users needs to use a specific app that is denied for all others.
-- Some computers in your organization are shared by people who have different software usage needs.
-- In addition to other measures, you need to control the access to sensitive data through app usage.
+- Your organization implements a policy to standardize the applications used within each business group, so you need to determine the expected usage compared to the actual usage.
+- Your security policy for application usage changed, and you need to evaluate where and when those deployed apps are being accessed.
+- Your organization's security policy dictates the use of only licensed software, so you need to determine which apps aren't licensed or prevent unauthorized users from running licensed software.
+- An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
+- Your organization needs to restrict the use of Universal Windows apps to just those apps your organization approves of or develops.
+- The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
+- The license to an app is revoked or expired in your organization, so you need to prevent it from being used by everyone.
+- A new app or a new version of an app is deployed, and you need to allow certain groups to use it.
+- Specific software tools aren't allowed within the organization, or only specific users have access to those tools.
+- A single user or small group of users needs to use a specific app that is denied for all others.
+- Some people who need access to different apps share computers in your organization.
+- In addition to other measures, you need to control the access to sensitive data through app usage.
+
+## Related articles
-## Related topics
- [AppLocker technical reference](applocker-technical-reference.md)
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-processes-and-interactions.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
index 567b3bafc5..36cd302f29 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
@@ -1,9 +1,9 @@
---
title: AppLocker processes and interactions
-description: This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
+description: This article for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# AppLocker processes and interactions
@@ -11,85 +11,85 @@ ms.date: 09/21/2017
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
+This article for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
-## How policies are implemented by AppLocker
+## How AppLocker applies policies
-AppLocker policies are collections of AppLocker rules that might contain any one of the enforcement settings configured. When applied, each rule is evaluated within the policy and the collection of rules is applied according to the enforcement setting and according to your Group Policy structure.
+AppLocker policies are collections of rules that might contain any one of the enforcement mode settings configured. When applied, each rule is evaluated within the policy and the collection of rules is applied according to the enforcement setting and according to your Group Policy structure.
-The AppLocker policy is enforced on a computer through the Application Identity service, which is the engine that evaluates the policies. If the service isn't running, policies won't be enforced. The Application Identity service returns the information from the binary -even if product or binary names are empty- to the results pane of the Local Security Policy snap-in.
+The AppLocker policy is enforced on a computer through the Application Identity service (appid.sys), which is the engine that evaluates the policies and runs within the Windows kernel. If the service isn't running, policies aren't enforced. The Application Identity service returns the information from the binary -even if product or binary names are empty- to the results pane of the Local Security Policy snap-in.
AppLocker policies are stored in a security descriptor format according to Application Identity service requirements. It uses file path, hash, or fully qualified binary name attributes to form allow or deny actions on a rule. Each rule is stored as an access control entry (ACE) in the security descriptor and contains the following information:
-- Either an allow or a deny ACE ("XA" or "XD" in security descriptor definition language (SDDL) form).
-- The user security identifier (SID) that this rule is applicable to. (The default is the authenticated user SID, or "AU" in SDDL.)
-- The rule condition containing the **appid** attributes.
+- Either an allow or a deny ACE ("XA" or "XD" in security descriptor definition language (SDDL) form).
+- The user security identifier (SID) that this rule is applicable to. (The default is the authenticated user SID in SDDL.)
+- The rule condition containing the **appid** attributes.
-For example, an SDDL for a rule that allows all files in the %windir% directory to run uses the following format: XA;;FX;;;AU;(APPID://PATH == "%windir%\\\*").
+For example, an SDDL for a rule that allows all files in the %windir% directory to run uses the following format: `XA;;FX;;;AU;(APPID://PATH == "%windir%\\\*")`.
-An AppLocker policy for DLLs and executable files is read and cached by kernel mode code, which is part of appid.sys. Whenever a new policy is applied, appid.sys is notified by a policy converter task. For other file types, the AppLocker policy is read every time a **SaferIdentifyLevel** call is made.
+Appid.sys reads and caches the effective AppLocker policy for DLLs and executable files. Whenever a new policy is applied, a policy converter task notifies appid.sys. For other file types, the AppLocker policy is read every time a **SaferIdentifyLevel** call is made.
-### Understanding AppLocker rules
+## Understanding AppLocker rules
-An AppLocker rule is a control placed on a file to govern whether or not it's allowed to run for a specific user or group. Rules apply to five different types, or collections, of files:
+An AppLocker rule is a control placed on a file that controls whether or not it runs for a specific user or group. You create AppLocker rules for five different types of files, or collections:
-- An executable rule controls whether a user or group can run an executable file. Executable files most often have the .exe or .com file name extensions and apply to applications.
-- A script rule controls whether a user or group can run scripts with a file name extension of .ps1, .bat, .cmd, .vbs, and .js.
-- A Windows Installer rule controls whether a user or group can run files with a file name extension of .msi, .mst and .msp (Windows Installer patch).
-- A DLL rule controls whether a user or group can run files with a file name extension of .dll and .ocx.
-- A packaged app and packaged app installer rule controls whether a user or group can run or install a packaged app. A Packaged app installer has the .appx extension.
+- An executable rule controls whether a user or group can run an executable file. Executable files most often have the .exe or .com file name extensions and apply to applications.
+- A script rule controls whether a user or group can run scripts with a file name extension of .ps1, .bat, .cmd, .vbs, and .js.
+- A Windows Installer rule controls whether a user or group can run files with a file name extension of .msi, .mst and .msp (Windows Installer patch).
+- A DLL rule controls whether a user or group can run files with a file name extension of .dll and .ocx.
+- A packaged app and packaged app installer rule controls whether a user or group can run or install a packaged app. A Packaged app installer has the .appx extension.
There are three different types of conditions that can be applied to rules:
-- A publisher condition on a rule controls whether a user or group can run files from a specific software publisher. The file must be signed.
-- A path condition on a rule controls whether a user or group can run files from within a specific directory or its subdirectories.
-- A file hash condition on a rule controls whether a user or group can run files with matching encrypted hashes.
+- A publisher condition on a rule controls whether a user or group can run files from a specific software publisher. The file must be signed.
+- A path condition on a rule controls whether a user or group can run files from within a specific directory or its subdirectories.
+- A file hash condition on a rule controls whether a user or group can run files with matching encrypted hashes.
-- [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md)
+- [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md)
An AppLocker rule collection is a set of rules that apply to one of the following types: executable files, Windows Installer files, scripts, DLLs, and packaged apps.
-- [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md)
+- [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md)
Rule conditions are criteria that the AppLocker rule is based on. Primary conditions are required to create an AppLocker rule. The three primary rule conditions are publisher, path, and file hash.
- - [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md)
- - [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md)
- - [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md)
-- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
+ - [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md)
+ - [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md)
+ - [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md)
+- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection.
- - [Executable rules in AppLocker](executable-rules-in-applocker.md)
- - [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md)
- - [Script rules in AppLocker](script-rules-in-applocker.md)
- - [DLL rules in AppLocker](dll-rules-in-applocker.md)
- - [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md)
-- [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md)
+ - [Executable rules in AppLocker](executable-rules-in-applocker.md)
+ - [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md)
+ - [Script rules in AppLocker](script-rules-in-applocker.md)
+ - [DLL rules in AppLocker](dll-rules-in-applocker.md)
+ - [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md)
+- [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md)
- You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow only a subset of a user group to use an application, you can create a special rule for that subset.
+ You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, the rule affects all users in that group. If you need to allow only a subset of a user group to use an application, you can create a special rule for that subset.
-- [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md) and [Understanding AppLocker allow and deny actions on Rules](understanding-applocker-allow-and-deny-actions-on-rules.md)
+- [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md) and [Understanding AppLocker allow and deny actions on Rules](understanding-applocker-allow-and-deny-actions-on-rules.md)
Each AppLocker rule collection functions as an allowed list of files.
-### Understanding AppLocker policies
+## Understanding AppLocker policies
-An AppLocker policy is a set of rule collections and their corresponding configured enforcement settings that have been applied to one or more computers.
+An AppLocker policy is a set of rule collections and their corresponding configured enforcement mode settings applied to one or more computers.
-- [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md)
+- [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md)
Rule enforcement is applied only to collections of rules, not individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. The options for rule enforcement are **Not configured**, **Enforce rules**, or **Audit only**. Together, all AppLocker rule collections compose the application control policy, or AppLocker policy. By default, if enforcement isn't configured and rules are present in a rule collection, those rules are enforced.
-### Understanding AppLocker and Group Policy
+## Understanding AppLocker and Group Policy
Group Policy can be used to create, modify, and distribute AppLocker policies in separate objects or in combination with other policies.
-- [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md)
+- [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md)
- When Group Policy is used to distribute AppLocker policies, rule collections that aren't configured will be enforced. Group Policy doesn't overwrite or replace rules that are already present in a linked Group Policy Object (GPO) and applies the AppLocker rules in addition to existing rules.
- AppLocker processes the explicit deny rule configuration before the allow rule configuration, and for rule enforcement, the last write to the GPO is applied.
+ When Group Policy is used to distribute AppLocker policies, rule collections containing one or more rules are enforced unless the enforcement mode is set to **Audit only**. Group Policy doesn't overwrite or replace rules that are already present in a linked Group Policy Object (GPO) and applies the AppLocker rules in addition to existing rules.
+ AppLocker processes explicit deny rules before any allow rules, and for rule enforcement, the last write to the GPO is applied.
-## Related topics
+## Related articles
- [AppLocker technical reference](applocker-technical-reference.md)
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-settings.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-settings.md
deleted file mode 100644
index 956c1904a8..0000000000
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-settings.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-title: AppLocker settings
-description: This topic for the IT professional lists the settings used by AppLocker.
-ms.localizationpriority: medium
-ms.topic: conceptual
-ms.date: 09/21/2017
----
-
-# AppLocker settings
-
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic for the IT professional lists the settings used by AppLocker.
-
-The following table describes the settings and values used by AppLocker.
-
-| Setting | Value |
-| - | - |
-| Registry path | Policies are stored in **HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows\SrpV2** |
-| Firewall ports | Not applicable |
-| Security policies | Custom created, no default |
-| Group Policy settings | Custom created, no default |
-| Network ports | Not applicable |
-| Service accounts | Not applicable |
-| Performance counters | Not applicable |
-
-## Related topics
-
-- [AppLocker technical reference](applocker-technical-reference.md)
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-technical-reference.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-technical-reference.md
index 8f8b29113c..0952a3d433 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-technical-reference.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-technical-reference.md
@@ -1,30 +1,26 @@
---
title: AppLocker technical reference
-description: This overview topic for IT professionals provides links to the topics in the technical reference.
+description: This overview article for IT professionals provides links to the articles in the technical reference.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# AppLocker technical reference
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This overview topic for IT professionals provides links to the topics in the technical reference.
-AppLocker advances the application control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps.
+This overview article for IT professionals provides links to the articles in the technical reference.
+AppLocker lets you create rules to allow or deny apps from running based on information about the apps' files. You can specify unique rules for different users or groups to control who can run those apps.
## In this section
-| Topic | Description |
-| - | - |
-| [What Is AppLocker?](what-is-applocker.md) | This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. |
-| [Requirements to use AppLocker](requirements-to-use-applocker.md) | This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. |
-| [AppLocker policy use scenarios](applocker-policy-use-scenarios.md) | This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. |
-| [How AppLocker works](how-applocker-works-techref.md) | This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. |
-| [AppLocker architecture and components](applocker-architecture-and-components.md) | This topic for IT professional describes AppLocker's basic architecture and its major components. |
-| [AppLocker processes and interactions](applocker-processes-and-interactions.md) | This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. |
-| [AppLocker functions](applocker-functions.md) | This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. |
-| [Security considerations for AppLocker](security-considerations-for-applocker.md) | This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. |
-| [Tools to Use with AppLocker](tools-to-use-with-applocker.md) | This topic for the IT professional describes the tools available to create and administer AppLocker policies. |
-| [AppLocker Settings](applocker-settings.md) | This topic for the IT professional lists the settings used by AppLocker. |
+| Article | Description |
+| --- | --- |
+| [What Is AppLocker?](what-is-applocker.md) | This article for the IT professional describes what AppLocker is. |
+| [Requirements to use AppLocker](requirements-to-use-applocker.md) | This article for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. |
+| [AppLocker policy use scenarios](applocker-policy-use-scenarios.md) | This article for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. |
+| [How AppLocker works](how-applocker-works-techref.md) | This article for the IT professional provides links to articles about AppLocker architecture and components, processes and interactions, rules and policies. |
+| [AppLocker architecture and components](applocker-architecture-and-components.md) | This article for IT professional describes AppLocker's basic architecture and its major components. |
+| [AppLocker processes and interactions](applocker-processes-and-interactions.md) | This article for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. |
+| [AppLocker functions](applocker-functions.md) | This article for the IT professional lists the functions and security levels for AppLocker. |
+| [Security considerations for AppLocker](security-considerations-for-applocker.md) | This article for the IT professional describes the security considerations you need to address when implementing AppLocker. |
+| [Tools to Use with AppLocker](tools-to-use-with-applocker.md) | This article for the IT professional describes the tools available to create and administer AppLocker policies. |
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
index 6e62bb3ccd..b6654f9688 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
@@ -1,27 +1,24 @@
---
title: Configure an AppLocker policy for audit only
-description: This topic for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker.
+description: This article for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 06/08/2018
+ms.date: 12/21/2023
---
# Configure an AppLocker policy for audit only
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker.
-This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker.
+After AppLocker rules are created within the rule collection, you can configure the enforcement mode setting to **Enforce rules** or **Audit only**.
-After AppLocker rules are created within the rule collection, you can configure the enforcement setting to **Enforce rules** or **Audit only**.
+When AppLocker policy enforcement mode is set to **Enforce rules**, rules are enforced for the rule collection and all events are logged to the AppLocker event logs for that rule collection. When AppLocker policy enforcement mode is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker event logs.
-When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log.
-
-You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
+To manage an AppLocker policy in a Group Policy Object (GPO), you can perform this task by using the Group Policy Management Console. To manage an AppLocker policy for the local computer or for use in a security template, use the Local Security Policy snap-in. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#using-the-mmc-snap-ins-to-administer-applocker).
-**To audit rule collections**
+## To audit rule collections
-1. From the AppLocker console, right-click **AppLocker**, and then click **Properties**.
-2. On the **Enforcement** tab, select the **Configured** check box for the rule collection that you want to enforce, and then verify that **Audit only** is selected in the list for that rule collection.
-3. Repeat the above step to configure the enforcement setting to **Audit only** for additional rule collections.
-4. Click **OK**.
+1. From the AppLocker console, right-click **AppLocker**, and then select **Properties**.
+2. On the **Enforcement** tab, select the **Configured** check box for the rule collection that you want to enforce, and then verify that **Audit only** is selected in the list for that rule collection.
+3. Repeat the above step to configure the enforcement setting to **Audit only** for other rule collections.
+4. Select **OK**.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
index 5ee7082a7e..5762b9c128 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
@@ -1,28 +1,26 @@
---
title: Configure an AppLocker policy for enforce rules
-description: This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.
+description: This article for IT professionals describes the steps to enable the AppLocker policy enforcement setting.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/21/2023
---
# Configure an AppLocker policy for enforce rules
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for IT professionals describes the steps to enable the AppLocker policy enforcement mode setting.
-This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.
+> [!NOTE]
+> When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are logged to the AppLocker event logs.
->**Note:** When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited.
-
For info about how AppLocker policies are applied within a GPO structure, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md).
-You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
+To manage an AppLocker policy in a Group Policy Object (GPO), you can perform this task by using the Group Policy Management Console. To manage an AppLocker policy for the local computer or for use in a security template, use the Local Security Policy snap-in. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#using-the-mmc-snap-ins-to-administer-applocker).
-**To enable the Enforce rules enforcement setting**
+## To enable the Enforce rules enforcement setting
-1. From the AppLocker console, right-click **AppLocker**, and then click **Properties**.
-2. On the **Enforcement** tab of the **AppLocker Properties** dialog box, select the **Configured** check box for the rule collection that you're editing, and then verify that **Enforce rules** is selected.
-3. Click **OK**.
+1. From the AppLocker console, right-click **AppLocker**, and then select **Properties**.
+2. On the **Enforcement** tab of the **AppLocker Properties** dialog box, select the **Configured** check box for the rule collection that you're editing, and then verify that **Enforce rules** is selected.
+3. Select **OK**.
For info about viewing the events generated from rules enforcement, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
index ff055ce7c2..3e1a1dcca4 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
@@ -1,30 +1,27 @@
---
title: Add exceptions for an AppLocker rule
-description: This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule.
+description: This article for IT professionals describes the steps to specify which apps can or can't run as exceptions to an AppLocker rule.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/21/2023
---
# Add exceptions for an AppLocker rule
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule.
+This article for IT professionals describes the steps to specify which apps can or can't run as exceptions to an AppLocker rule.
Rule exceptions allow you to specify files or folders to exclude from the rule. For more information about exceptions, see [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md).
-You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
+To manage an AppLocker policy in a Group Policy Object (GPO), you can perform this task by using the Group Policy Management Console. To manage an AppLocker policy for the local computer or for use in a security template, use the Local Security Policy snap-in. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#using-the-mmc-snap-ins-to-administer-applocker).
-**To configure exceptions for a rule**
+## To configure exceptions for a rule
-1. Open the AppLocker console.
-2. Expand the rule collection, right-click the rule that you want to configure exceptions for, and then click **Properties**.
-3. Click the **Exceptions** tab.
-4. In the **Add exception** box, select the rule type that you want to create, and then click **Add**.
+1. Open the AppLocker console.
+2. Expand the rule collection, right-click the rule that you want to configure exceptions for, and then select **Properties**.
+3. Select the **Exceptions** tab.
+4. In the **Add exception** box, select the rule type that you want to create, and then select **Add**.
- - For a publisher exception, click **Browse**, select the file that contains the publisher to exclude, and then click **OK**.
- - For a path exception, choose the file or folder path to exclude, and then click **OK**.
- - For a file hash exception, edit the file hash rule, and click **Remove**.
- - For a packaged apps exception, click **Add** to create the exceptions based on reference app and rule scope.
+ - For a publisher exception, select **Browse**, select the file that contains the publisher to exclude, and then select **OK**.
+ - For a path exception, choose the file or folder path to exclude, and then select **OK**.
+ - For a file hash exception, edit the file hash rule, and select **Remove**.
+ - For a packaged apps exception, select **Add** to create the exceptions based on reference app and rule scope.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
index eb422a3a03..9ad52b4cd3 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
@@ -1,44 +1,42 @@
---
title: Configure the AppLocker reference device
-description: This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer.
+description: This article for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# Configure the AppLocker reference device
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer.
+This article for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer.
An AppLocker reference device that is used for the development and deployment of AppLocker policies should mimic the directory structure and corresponding applications in the organizational unit (OU) or business group for the production environment. On a reference device, you can:
-- Maintain an application list for each business group.
-- Develop AppLocker policies by creating individual rules or by creating a policy by automatically generating rules.
-- Create the default rules to allow the Windows system files to run properly.
-- Run tests and analyze the event logs to determine the effect of the policies that you intend to deploy.
+- Maintain an application list for each business group.
+- Develop AppLocker policies by creating individual rules or by creating a policy by automatically generating rules.
+- Create the default rules to allow the Windows system files to run properly.
+- Run tests and analyze the event logs to determine the effect of the policies that you intend to deploy.
The reference device doesn't need to be joined to a domain, but it must be able to import and export AppLocker policies in XML format. The reference computer must be running one of the supported editions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md).
->**Warning:** Do not use operating system snapshots when creating AppLocker rules. If you take a snapshot of the operating system, install an app, create AppLocker rules, and then revert to a clean snapshot and repeat the process for another app, there is a chance that duplicate rule GUIDs can be created. If duplicate GUIDs are present, AppLocker policies will not work as expected.
-
-**To configure a reference device**
+> [!WARNING]
+> Don't use operating system snapshots when creating AppLocker rules. If you take a snapshot of the operating system, install an app, create AppLocker rules, and then revert to a clean snapshot and repeat the process for another app, there is a chance that duplicate rule GUIDs can be created. If duplicate GUIDs are present, AppLocker policies won't work as expected.
-1. If the operating system isn't already installed, install one of the supported editions of Windows on the device.
+## To configure a reference device
- >**Note:** If you have the Group Policy Management Console (GPMC) installed on another device to test your implementation of AppLocker policies, you can export the policies to that device
-
-2. Configure the administrator account.
+1. If the operating system isn't already installed, install one of the supported editions of Windows on the device.
- To update local policies, you must be a member of the local Administrators group. To update domain policies, you must be a member of the Domain Admins group or have been delegated privileges to use Group Policy to update a Group Policy Object (GPO).
+ >**Note:** If you have the Group Policy Management Console (GPMC) installed on another device to test your implementation of AppLocker policies, you can export the policies to that device.
-3. Install all apps that run in the targeted business group or OU by using the same directory structure.
+2. Configure the administrator account.
+
+ To update local policies, you must be a member of the local Administrators group. To update domain policies, you must be a member of the Domain Admins group or have delegated privileges to use Group Policy to update a Group Policy Object (GPO).
+
+3. Install all apps that run in the targeted business group or OU by using the same directory structure.
The reference device should be configured to mimic the structure of your production environment. It depends on having the same apps in the same directories to accurately create the rules.
### See also
-- After you configure the reference computer, you can create the AppLocker rule collections. You can build, import, or automatically generate the rules. For procedures to do this task, see [Working with AppLocker rules](working-with-applocker-rules.md).
-- [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
+- After you configure the reference computer, you can create the AppLocker rule collections. You can build, import, or automatically generate the rules. For procedures to do this task, see [Working with AppLocker rules](working-with-applocker-rules.md).
+- [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-application-identity-service.md
index 628b5cd559..ab3f97c501 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-application-identity-service.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-application-identity-service.md
@@ -1,44 +1,42 @@
---
title: Configure the Application Identity service
-description: This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.
+description: This article for IT professionals shows how to configure the Application Identity service to start automatically or manually.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 07/01/2021
+ms.date: 12/22/2023
---
# Configure the Application Identity service
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for IT professionals shows how to configure the Application Identity service to start automatically or manually.
-This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.
+The Application Identity service determines and verifies the identity of an app. Stopping this service prevents AppLocker policies from being enforced.
-The Application Identity service determines and verifies the identity of an app. Stopping this service will prevent AppLocker policies from being enforced.
+> [!IMPORTANT]
+> When using Group Policy, you must configure the Application Identity service to start automatically in at least one Group Policy Object (GPO) that applies AppLocker rules. This is because AppLocker uses this service to verify the attributes of a file.
->**Important:** When using Group Policy, you must configure it to start automatically in at least one Group Policy Object (GPO) that applies AppLocker rules. This is because AppLocker uses this service to verify the attributes of a file.
-
-**To start the Application Identity service automatically using Group Policy**
+## To start the Application Identity service automatically using Group Policy
-1. On the **Start** screen, type **gpmc.msc** to open the Group Policy Management Console (GPMC).
-2. Locate the GPO to edit, right-click the GPO, and then click **Edit**.
-3. In the console tree under **Computer Configuration\\Windows Settings\\Security Settings**, click **System Services**.
-4. In the details pane, double-click **Application Identity**.
-5. In **Application Identity Properties**, configure the service to start automatically.
+1. On the **Start** screen, type **gpmc.msc** to open the Group Policy Management Console (GPMC).
+2. Locate the GPO to edit, right-click the GPO, and then select **Edit**.
+3. In the console tree under **Computer Configuration\\Windows Settings\\Security Settings**, select **System Services**.
+4. In the details pane, double-click **Application Identity**.
+5. In **Application Identity Properties**, configure the service to start automatically.
Membership in the local **Administrators** group, or equivalent, is the minimum access required to complete this procedure.
-**To start the Application Identity service manually**
+## To start the Application Identity service manually
-1. Right-click the taskbar, and click **Task Manager**.
-2. Click the **Services** tab, right-click **AppIDSvc**, and then click **Start Service**.
-3. Verify that the status for the Application Identity service is **Running**.
+1. Right-click the taskbar, and select **Task Manager**.
+2. Select the **Services** tab, right-click **AppIDSvc**, and then select **Start Service**.
+3. Verify that the status for the Application Identity service is **Running**.
-Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service **Startup type** to **Automatic** by using the Services snap-in. Try either of these methods instead:
+Starting with Windows 10, the Application Identity service is now a protected process. As a result, you can no longer manually set the service **Startup type** to **Automatic** by using the Services snap-in. Try either of these methods instead:
- Open an elevated command prompt or PowerShell session and type:
```powershell
- sc.exe config appidsvc start= auto
+ sc.exe config appidsvc start=auto
```
- Create a security template that configures appidsvc to be automatic start, and apply it using secedit.exe or LGPO.exe.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
index aafae9fa2d..6f06404070 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
@@ -3,51 +3,48 @@ title: Create a rule for packaged apps
description: This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/21/2023
---
# Create a rule for packaged apps
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.
-Packaged apps, also known as Universal Windows apps, are based on an app model that ensures that all the files within an app package share the same identity. Therefore, it's possible to control the entire app using a single AppLocker rule as opposed to the non-packaged apps where each file within the app could have a unique identity. Windows doesn't support unsigned packaged apps, which implies all packaged apps must be signed. AppLocker supports only publisher rules for packaged apps. A publisher rule for a packaged app is based on the following information:
+Packaged apps are based on an app model that ensures that all the files within an app package share the same identity. Therefore, it's possible to control the entire app using a single AppLocker rule as opposed to unpackaged apps where each file within the app could have a unique identity. All packaged apps must be signed. AppLocker supports only publisher rules for packaged apps. A publisher rule for a packaged app is based on the following information:
-- Publisher of the package
-- Package name
-- Package version
+- Publisher of the package
+- Package name
+- Package version
-All the files within a package and the package installers share these attributes. Therefore, an AppLocker rule for a packaged app controls both the installation and the running of the app. Otherwise, the publisher rules for packaged apps are no different than the rest of the rule collections; they support exceptions, can be increased or decreased in scope, and can be assigned to users and groups.
+All the files within a package and the package installers share these attributes. Therefore, an AppLocker rule for a packaged app controls both the installation and the running of the app. Otherwise, the publisher rules for packaged apps behave the same as in other rule collections.
For info about the publisher condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md).
-You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
+To manage an AppLocker policy in a Group Policy Object (GPO), you can perform this task by using the Group Policy Management Console. To manage an AppLocker policy for the local computer or for use in a security template, use the Local Security Policy snap-in. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#using-the-mmc-snap-ins-to-administer-applocker).
-**To create a packaged app rule**
+## To create a packaged app rule
-1. Open the AppLocker console.
-2. On the **Action** menu, or by right-clicking on **Packaged app Rules**, select **Create New Rule**.
-3. On the **Before You Begin** page, select **Next**.
-4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**.
-5. On the **Publisher** page, you can select a specific reference for the packaged app rule and set the scope for the rule. The following table describes the reference options.
+1. Open the AppLocker console.
+2. On the **Action** menu, or by right-clicking on **Packaged app Rules**, select **Create New Rule**.
+3. On the **Before You Begin** page, select **Next**.
+4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**.
+5. On the **Publisher** page, you can select a specific reference for the packaged app rule and set the scope for the rule. The following table describes the reference options.
- |Selection|Description|Example|
- |--- |--- |--- |
- |**Use an installed packaged app as a reference**|If selected, AppLocker requires you to choose an app that is already installed on which to base your new rule. AppLocker uses the publisher, package name and package version to define the rule.|You want the Sales group only to use the app named Microsoft.BingMaps for its outside sales calls. The Microsoft.BingMaps app is already installed on the device where you're creating the rule, so you choose this option, and select the app from the list of apps installed on the computer and create the rule using this app as a reference.|
- |**Use a packaged app installer as a reference**|If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name, and package version of the installer to define the rule.|Your company has developed many internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share, and choose the installer for the Payroll app as a reference to create your rule.|
+ | Selection | Description | Example |
+ | --- | --- | --- |
+ | **Use an installed packaged app as a reference** | If selected, AppLocker requires you to choose an app that is already installed on which to base your new rule. AppLocker uses the publisher, package name and package version to define the rule. | You want the Sales group only to use the app named Microsoft.BingMaps for its outside sales calls. The Microsoft.BingMaps app is already installed on the device where you're creating the rule, so you choose this option. Then select the app from the list of apps installed on the computer and create the rule using this app as a reference. |
+ | **Use a packaged app installer as a reference** | If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name, and package version of the installer to define the rule.|Your company develops many internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share, and choose the installer for the Payroll app as a reference to create your rule. |
The following table describes setting the scope for the packaged app rule.
- |Selection|Description|Example|
- |--- |--- |--- |
- |Applies to **Any publisher**|This setting is the least restrictive scope condition for an **Allow** rule. It permits every packaged app to run or install.
Conversely, if this setting is a **Deny** rule, then this option is the most restrictive because it denies all apps from installing or running. | You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app.|
- |Applies to a specific **Publisher** | This setting scopes the rule to all apps published by a particular publisher. | You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope. |
- |Applies to a **Package name** | This setting scopes the rule to all packages that share the publisher name and package name as the reference file. | You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope. |
- |Applies to a **Package version** | This setting scopes the rule to a particular version of the package. | You want to be selective in what you allow. You don't want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer. |
- |Applying custom values to the rule | Selecting the **Use custom values** check box allows you to adjust the scope fields for your particular circumstance. | You want to allow users to install all *Microsoft.Bing* applications, which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the **Use custom values** check box and edit the package name field by adding "Microsoft.Bing*" as the Package name. |
+ | Selection | Description | Example |
+ | --- | --- | --- |
+ | Applies to **Any publisher** | This setting is the least restrictive scope condition for an **Allow** rule. It permits every packaged app to run or install.
Conversely, if this setting is a **Deny** rule, then this option is the most restrictive because it denies all apps from installing or running. | You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app. |
+ | Applies to a specific **Publisher** | This setting scopes the rule to all apps published by a particular publisher. | You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope. |
+ | Applies to a **Package name** | This setting scopes the rule to all packages that share the publisher name and package name as the reference file. | You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope. |
+ | Applies to a **Package version** | This setting scopes the rule to a particular version of the package. | You want to be selective in what you allow. You don't want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer. |
+ | Applying custom values to the rule | Selecting the **Use custom values** check box allows you to adjust the scope fields for your particular circumstance. | You want to allow users to install all *Microsoft.Bing* applications, which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the **Use custom values** check box and edit the package name field by adding "Microsoft.Bing*" as the Package name. |
-6. Select **Next**.
-7. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. These conditions allow you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**.
-8. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then select **Create**.
+6. Select **Next**.
+7. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. These conditions allow you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**.
+8. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then select **Create**.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
index e1c48949a8..a486b03055 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
@@ -1,35 +1,32 @@
---
title: Create a rule that uses a file hash condition
-description: This topic for IT professionals shows how to create an AppLocker rule with a file hash condition.
+description: This article for IT professionals shows how to create an AppLocker rule with a file hash condition.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/21/2023
---
# Create a rule that uses a file hash condition
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for IT professionals shows how to create an AppLocker rule with a file hash condition.
-This topic for IT professionals shows how to create an AppLocker rule with a file hash condition.
-
-File hash rules use a system-computed cryptographic hash of the identified file.
+File hash rules use a system-computed Authenticode cryptographic hash of the identified file.
For info about the file hash condition, see [Understanding the File Hash Rule Condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md).
-You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer
-AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
+To manage an AppLocker policy in a Group Policy Object (GPO), you can perform this task by using the Group Policy Management Console. To manage an AppLocker policy for the local computer or for use in a security template, use the Local Security Policy snap-in. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#using-the-mmc-snap-ins-to-administer-applocker).
-**To create a new rule with a file hash condition**
+## To create a new rule with a file hash condition
-1. Open the AppLocker console, and then click the rule collection that you want to create the rule for.
-2. On the **Action** menu, click **Create New Rule**.
-3. On the **Before You Begin** page, click **Next**.
-4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**.
-5. On the **Conditions** page, select the **File hash** rule condition, and then click **Next**.
-6. **Browse Files** to locate the targeted application file.
+1. Open the AppLocker console, and then select the rule collection that you want to create the rule for.
+2. On the **Action** menu, select **Create New Rule**.
+3. On the **Before You Begin** page, select **Next**.
+4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**.
+5. On the **Conditions** page, select the **File hash** rule condition, and then select **Next**.
+6. **Browse Files** to locate the targeted application file.
- >**Note:** You can also click **Browse Folders** which calculates the hash for all the appropriate files relative to the rule collection. To remove hashes individually, click the **Remove** button.
-
-7. Click **Next**.
-8. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**.
+ > [!NOTE]
+ > You can also select **Browse Folders** which calculates the hash for all the appropriate files relative to the rule collection. To remove hashes individually, select the **Remove** button.
+
+7. Select **Next**.
+8. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then select **Create**.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
index c6c0413c43..c90bf8fe32 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
@@ -1,37 +1,36 @@
---
title: Create a rule that uses a path condition
-description: This topic for IT professionals shows how to create an AppLocker rule with a path condition.
+description: This article for IT professionals shows how to create an AppLocker rule with a path condition.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/21/2023
---
# Create a rule that uses a path condition
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic for IT professionals shows how to create an AppLocker rule with a path condition.
+This article for IT professionals shows how to create an AppLocker rule with a path condition.
The path condition identifies an app by its location in the file system of the computer or on the network.
->**Important:** When creating a rule that uses a deny action, path conditions are less secure for preventing access to a file because a user could easily copy the file to a different location than what is specified in the rule. Because path rules correspond to locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file within C:\\ will be allowed to run, including users' profiles.
-
+> [!IMPORTANT]
+> When creating Deny rules, path conditions are less effective for preventing access to a file because a user (or malware acting as the user) could easily copy the file to a different location than what is specified in the rule. Because path rules correspond to locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file within C:\\ will be allowed to run, including users' profiles.
+
For info about the path condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md).
-You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For information how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
+To manage an AppLocker policy in a Group Policy Object (GPO), you can perform this task by using the Group Policy Management Console. To manage an AppLocker policy for the local computer or for use in a security template, use the Local Security Policy snap-in. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#using-the-mmc-snap-ins-to-administer-applocker).
-**To create a new rule with a path condition**
+## To create a new rule with a path condition
-1. Open the AppLocker console, and then click the rule collection that you want to create the rule for.
-2. On the **Action** menu, click **Create New Rule**.
-3. On the **Before You Begin** page, click **Next**.
-4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**.
-5. On the **Conditions** page, select the **Path** rule condition, and then click **Next**.
-6. Click **Browse Files** to locate the targeted folder for the app.
+1. Open the AppLocker console, and then select the rule collection that you want to create the rule for.
+2. On the **Action** menu, select **Create New Rule**.
+3. On the **Before You Begin** page, select **Next**.
+4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**.
+5. On the **Conditions** page, select the **Path** rule condition, and then select **Next**.
+6. Select **Browse Files** to locate the targeted folder for the app.
- >**Note:** When you browse to a file or folder location, the wizard automatically converts absolute file paths to use AppLocker path variables. You may edit the path after browsing to specify an absolute path, or you may type the path directly into the **Path** box. To learn more about AppLocker path variables, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md).
-
-7. Click **Next**.
-8. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. Click **Next**.
-9. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**.
+ > [!NOTE]
+ > When you browse to a file or folder location, the wizard automatically converts absolute file paths to use AppLocker path variables. You may edit the path after browsing to specify an absolute path, or you may type the path directly into the **Path** box. To learn more about AppLocker path variables, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md).
+
+7. Select **Next**.
+8. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. Select **Next**.
+9. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then select **Create**.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
index 193299df1c..8da8f1de23 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
@@ -1,34 +1,31 @@
---
title: Create a rule that uses a publisher condition
-description: This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.
+description: This article for IT professionals shows how to create an AppLocker rule with a publisher condition.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/21/2023
---
# Create a rule that uses a publisher condition
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for IT professionals shows how to create an AppLocker rule with a publisher condition.
-This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.
+You can use publisher conditions only for files that are digitally signed. The publisher condition identifies an app based on its digital signature and extended attributes. The digital signature contains information about the company that created the app (the publisher). The extended attributes, which are obtained from the binary resource, might contain the name of the product and the version number of the app binary. The publisher might be a software development company, such as Microsoft, or the information technology department of your organization.
-You can use publisher conditions only for files that are digitally signed; the publisher condition identifies an app based on its digital signature and extended attributes. The digital signature contains information about the company that created the app (the publisher). The extended attributes, which are obtained from the binary resource, contain the name of the product that the file is part of and the version number of the application. The publisher may be a software development company, such as Microsoft, or the information technology department of your organization.
-Packaged app rules are by definition rules that use publisher conditions. For info about creating a packaged app rule, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md).
+Packaged app rules always use publisher conditions. For info about creating a packaged app rule, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md).
For info about the publisher condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md).
-You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer
-AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
+To manage an AppLocker policy in a Group Policy Object (GPO), you can perform this task by using the Group Policy Management Console. To manage an AppLocker policy for the local computer or for use in a security template, use the Local Security Policy snap-in. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#using-the-mmc-snap-ins-to-administer-applocker).
-**To create a new rule with a publisher condition**
+## To create a new rule with a publisher condition
-1. Open the AppLocker console, and then click the rule collection that you want to create the rule for.
-2. On the **Action** menu, click **Create New Rule**.
-3. On the **Before You Begin** page, click **Next**.
-4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**.
-5. On the **Conditions** page, select the **Publisher** rule condition, and then click **Next**.
-6. On the **Publisher** page, click **Browse** to select a signed file, and then use the slider to specify the scope of the rule. To use custom values in any of the fields or to specify a specific file version, select the **Use custom values** check box. For example, you can use the asterisk (\*) wildcard character within a publisher rule to specify that any value should be matched.
-7. Click **Next**.
-8. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. Click **Next**.
-9. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**.
+1. Open the AppLocker console, and then select the rule collection that you want to create the rule for.
+2. On the **Action** menu, select **Create New Rule**.
+3. On the **Before You Begin** page, select **Next**.
+4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**.
+5. On the **Conditions** page, select the **Publisher** rule condition, and then select **Next**.
+6. On the **Publisher** page, select **Browse** to select a signed file, and then use the slider to specify the scope of the rule. To use custom values in any of the fields or to specify a specific file version, select the **Use custom values** check box. For example, you can use the asterisk (\*) wildcard character within a publisher rule to specify that any value should be matched.
+7. Select **Next**.
+8. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. Select **Next**.
+9. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then select **Create**.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-applocker-default-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-applocker-default-rules.md
index 98493d5656..b6ddfb364e 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-applocker-default-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-applocker-default-rules.md
@@ -1,31 +1,28 @@
---
title: Create AppLocker default rules
-description: This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.
+description: This article for IT professionals describes the steps to create a standard set of AppLocker rules that allow Windows system files to run.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/21/2023
---
# Create AppLocker default rules
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for IT professionals describes the steps to create a standard set of AppLocker rules that allow Windows system files to run.
-This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.
-
-AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed to run.
+The AppLocker wizard can generate default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed to run.
> [!IMPORTANT]
> You can use the default rules as a template when creating your own rules to allow files within the Windows folders to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules. The default rules can be modified in the same way as other AppLocker rule types.
-
-You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For information how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
-**To create default rules**
+To manage an AppLocker policy in a Group Policy Object (GPO), you can perform this task by using the Group Policy Management Console. To manage an AppLocker policy for the local computer or for use in a security template, use the Local Security Policy snap-in. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#using-the-mmc-snap-ins-to-administer-applocker).
-1. Open the AppLocker console.
-2. Right-click the appropriate rule type for which you want to automatically generate default rules. You can automatically generate rules for executable, Windows Installer, script rules and Packaged app rules.
-3. Click **Create Default Rules**.
+## To create default rules
-## Related topics
+1. Open the AppLocker console.
+2. Right-click the appropriate rule type for which you want to automatically generate default rules. You can automatically generate rules for executable, Windows Installer, script rules and Packaged app rules.
+3. Select **Create Default Rules**.
+
+## Related articles
- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
index 5e8d7b6735..de0b5c522f 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
@@ -1,66 +1,62 @@
---
title: Create a list of apps deployed to each business group
-description: This topic describes the process of gathering app usage requirements from each business group to implement application control policies by using AppLocker.
+description: This article describes the process of gathering app usage requirements from each business group to implement application control policies by using AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/22/2023
---
-# Create a list of apps deployed to each business group
+# Gathering app usage requirements
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker.
+This article describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker.
## Determining app usage
For each business group, determine the following information:
-- The complete list of apps used, including different versions of an app
-- The full installation path of the app
-- The publisher and signed status of each app
-- The type of requirement the business groups set for each app, such as business critical, business productivity, optional, or personal. It might also be helpful during this effort to identify which apps are supported or unsupported by your IT department, or supported by others outside your control.
-- A list of files or apps that require administrative credentials to install or run. If the file requires administrative credentials to install or run, users who can't provide administrative credentials will be prevented from running the file even if the file is explicitly allowed by an AppLocker policy. Even with AppLocker policies enforced, only members of the Administrators group can install or run files that require administrative credentials.
+- The complete list of apps used, including different versions of an app.
+- The full installation path of the app.
+- The publisher and signed status of each app.
+- The type of requirement the business groups set for each app, such as business critical, business productivity, optional, or personal. It might also be helpful during this effort to identify which apps are supported or unsupported by your IT department, or supported by others outside your control.
### How to perform the app usage assessment
-You might already have a method in place to understand app usage for each business group. You'll need to use this information to help create your AppLocker rule collection. AppLocker includes the Automatically Generate
-Rules wizard and the **Audit only** enforcement configuration to assist you with planning and creating your rule collection.
+You might already have a method in place to understand app usage for each business group. You need to use this information to help create your AppLocker rule collection. AppLocker includes the Automatically Generate Rules wizard and the **Audit only** enforcement configuration to assist you with planning and creating your rule collection.
-**Application inventory methods**
+#### Application inventory methods
Using the Automatically Generate Rules wizard quickly creates rules for the applications you specify. The wizard is designed specifically to build a rule collection. You can use the Local Security Policy snap-in to view and edit the rules. This method is useful when creating rules from a reference computer and when creating and evaluating AppLocker policies in a testing environment. However, it does require that the files be accessible on the reference computer or through a network drive. This requirement might mean more work in setting up the reference computer and determining a maintenance policy for that computer.
-Using the **Audit only** enforcement method permits you to view the logs because it collects information about every process on the computers receiving the Group Policy Object (GPO). Therefore, you can see what the enforcement will be on the computers in a business group. AppLocker includes Windows PowerShell cmdlets that you can use to analyze the events from the event log and cmdlets to create rules. However, when you use Group Policy to deploy to several computers, a means to collect events in a central location is important for manageability. Because AppLocker logs information about files that users or other processes start on a computer, you could miss creating some rules initially. Therefore, you should continue your evaluation until you can verify that all required applications that are allowed to run are accessed successfully.
+Using the **Audit only** enforcement method permits you to view the logs because it collects information about every process on the computers receiving the Group Policy Object (GPO). Therefore, you can evaluate the possible effects of enforcement on computers in a business group. AppLocker includes Windows PowerShell cmdlets that you can use to analyze the events from the event log and cmdlets to create rules. However, when you use Group Policy to deploy to several computers, a means to collect events in a central location is important for manageability. Because AppLocker logs information about files that users or other processes start on a computer, you could miss creating some rules initially. Therefore, you should continue your evaluation until you can verify that all required applications that are allowed to run are accessed successfully.
> [!TIP]
> If you run Application Verifier against a custom application with any AppLocker policies enabled, it might prevent the application from running. You should either disable Application Verifier or AppLocker.
-You can create an inventory of Universal Windows apps on a device by using two methods: the **Get-AppxPackage** Windows PowerShell cmdlet or the AppLocker console.
-
-The following topics describe how to perform each method:
-- [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md)
-- [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)
+You can create an inventory of Packaged apps on a device by using two methods: the **Get-AppxPackage** Windows PowerShell cmdlet or the AppLocker console.
+
+The following articles describe how to perform each method:
+
+- [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md)
+- [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)
### Prerequisites to completing the inventory
-Identify the business group and each organizational unit (OU) within that group to which you'll apply application control policies. In addition, you should have identified whether or not AppLocker is the most appropriate solution for these policies. For info about these steps, see the following topics:
+Identify the business group and each organizational unit (OU) within that group for application control policies. In addition, you should identify whether or not AppLocker is the most appropriate solution for these policies. For info about these steps, see the following articles:
-- [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
-- [Determine your application control objectives](determine-your-application-control-objectives.md)
+- [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
+- [Determine your application control objectives](determine-your-application-control-objectives.md)
## Next steps
-Identify and develop the list of apps. Record the name of the app, whether it's signed or not as indicated by the publisher's name, and whether or not it's a mission critical, business productivity, optional, or personal application. Record the installation path of the apps. For more information, see [Document your app list](document-your-application-list.md).
+Identify and develop the list of apps. Record the name of the app, its publisher, and how critical the application is. Record the installation path of the apps. For more information, see [Document your app list](document-your-application-list.md).
-After you've created the list of apps, the next step is to identify the rule collections, which will become the policies. This information can be added to the table under columns labeled:
+After you create the list of apps, the next step is to identify the rules to create so these apps can run. This information can be added to the table under columns labeled:
-- Use default rule or define new rule condition
-- Allow or deny
-- GPO name
+- Use default rule or define new rule condition
+- Allow or deny
+- GPO name
-For guidance, see the following topics:
+For guidance, see the following articles:
-- [Select the types of rules to create](select-types-of-rules-to-create.md)
-- [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
+- [Select the types of rules to create](select-types-of-rules-to-create.md)
+- [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-policies.md
index 861bf58502..1b14478169 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-policies.md
@@ -1,40 +1,36 @@
---
title: Create Your AppLocker policies
-description: This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.
+description: This overview article for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/22/2023
---
# Create Your AppLocker policies
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This overview article for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.
-This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.
-
-Creating effective application control policies with AppLocker starts by creating the rules for each app. Rules are grouped into one of five rule collections. The rule collection can be configured to be enforced or to run in **Audit only** mode. An AppLocker policy includes the rules in the five rule collections and the enforcement settings for each rule collection.
+Creating effective application control policies with AppLocker starts by creating the rules for each app. Rules are grouped into one of five rule collections. The rule collection is configured to enforce or to audit only. An AppLocker policy includes the rules in the five rule collections and the enforcement mode settings for each rule collection.
## Step 1: Use your plan
-You can develop an application control policy plan to guide you in making successful deployment decisions. For more information about how to develop this policy and what you should consider, see the [AppLocker Design Guide](applocker-policies-design-guide.md). This guide is intended for security architects, security administrators, and system administrators. It contains the following topics to help you create an AppLocker policy deployment plan for your organization that will address your specific application control requirements by department, organizational unit, or business group:
+You can develop an application control policy plan to guide you in making successful deployment decisions. For more information about how to develop this policy and what you should consider, see the [AppLocker Design Guide](applocker-policies-design-guide.md). This guide is intended for security architects, security administrators, and system administrators. It contains the following articles to help you create an AppLocker policy deployment plan for your organization that addresses your specific application control requirements by department, organizational unit, or business group:
-1. [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)
-2. [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
-3. [Determine your application control objectives](determine-your-application-control-objectives.md)
-4. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
-5. [Select the types of rules to create](select-types-of-rules-to-create.md)
-6. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
-7. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
+1. [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)
+2. [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
+3. [Determine your application control objectives](determine-your-application-control-objectives.md)
+4. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
+5. [Select the types of rules to create](select-types-of-rules-to-create.md)
+6. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
+7. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
## Step 2: Create your rules and rule collections
-Each rule applies to one or more apps, and it imposes a specific rule condition on them. Rules can be created individually or they can be generated by the Automatically Generate Rules Wizard. For the steps to create the rules, see [Create Your AppLocker rules](create-your-applocker-rules.md).
+Each rule applies to one or more apps, and it imposes a specific rule condition on them. Rules can be created individually or by using the Automatically Generate Rules Wizard. For the steps to create the rules, see [Create Your AppLocker rules](create-your-applocker-rules.md).
## Step 3: Configure the enforcement setting
-An AppLocker policy is a set of rule collections that are configured with a rule enforcement setting. The enforcement setting can be **Enforce rules**, **Audit only**, or **Not configured**. If an AppLocker policy has at least one rule, and it's set to **Not configured**, all the rules in that
-policy will be enforced. For info about configuring the rule enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) and [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md).
+An AppLocker policy is a set of rule collections that are configured with a rule enforcement mode setting. The enforcement mode setting can be **Enforce rules**, **Audit only**, or **Not configured**. If an AppLocker rule collection has at least one rule, and is set to **Not configured**, the rules in that rule collection are enforced. For info about configuring the rule enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) and [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md).
## Step 4: Update the GPO
@@ -49,15 +45,16 @@ In a test environment or with the enforcement setting set at **Audit only**, ver
Depending on your deployment method, import the AppLocker policy to the GPO in your production environment, or if the policy is already deployed, change the enforcement setting to your production environment value-**Enforce rules** or **Audit only**.
## Step 7: Test the effect of the policy and adjust
+
Validate the effect of the policy by analyzing the AppLocker logs for application usage, and then modify the policy as necessary. For information on how to do these tasks, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
## Next steps
-Follow the steps described in the following topics to continue the deployment process:
+Follow the steps described in the following articles to continue the deployment process:
-1. [Create Your AppLocker rules](create-your-applocker-rules.md)
-2. [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md)
-3. [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)
+1. [Create Your AppLocker rules](create-your-applocker-rules.md)
+2. [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md)
+3. [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)
## See also
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-rules.md
index c32cbf3af1..e04367462f 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-rules.md
@@ -1,71 +1,67 @@
---
title: Create Your AppLocker rules
-description: This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules.
+description: This article for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/22/2023
---
# Create Your AppLocker rules
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules.
+This article for the IT professional describes what you need to know about AppLocker rules and the methods used to create rules.
## Creating AppLocker rules
-AppLocker rules apply to the targeted app, and they're the components that make up the AppLocker policy. Depending on your IT environment and the business group that requires application control policies, setting these access rules for each application can be time-consuming and prone to error. With AppLocker, you can generate rules automatically or create rules individually. Creating rules that are derived from your planning document can help you avoid unintended results. For info about this planning document and other planning activities, see [AppLocker Design Guide](applocker-policies-design-guide.md).
+AppLocker rules control what apps run in your organization. Depending on the complexity of your organization's application requirements, managing these application control rules can be time-consuming and error prone. With AppLocker, you can generate rules automatically or create rules individually. Creating rules that are derived from your planning document can help you avoid unintended results. For info about this planning document and other planning activities, see [AppLocker Design Guide](applocker-policies-design-guide.md).
### Automatically generate your rules
-You can use a reference device to automatically create a set of default rules for each of the installed apps, test and modify each rule as necessary, and deploy the policies. Creating most of the rules for all the installed apps gives you a starting point to build and test your policies. For info about performing this task, see the following topics:
+You can use a reference device to automatically create a set of default rules for each of the installed apps, test and modify each rule as necessary, and deploy the policies. Creating rules for all installed apps gives you a starting point to build and test your policies. For info about performing this task, see the following articles:
-- [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md)
-- [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md)
-- [Create AppLocker default rules](create-applocker-default-rules.md)
-- [Edit AppLocker rules](edit-applocker-rules.md)
-- [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md)
+- [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md)
+- [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md)
+- [Create AppLocker default rules](create-applocker-default-rules.md)
+- [Edit AppLocker rules](edit-applocker-rules.md)
+- [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md)
### Create your rules individually
-You can create rules and set the mode to **Audit only** for each installed app, test and update each rule as necessary, and then deploy the policies. Creating rules individually might be best when you're targeting a few applications within a business group.
+Creating rules individually might be best when you're managing a few applications within a business group.
+
+> [!NOTE]
+> The AppLocker wizards can generate default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You can also edit the default rules. For information about creating the default rules for the Windows operating system, see [Create AppLocker default rules](create-applocker-default-rules.md).
->**Note:** AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You can also edit the default rules. For information about creating the default rules for the Windows operating system, see [Create AppLocker default rules](create-applocker-default-rules.md).
-
For information about performing this task, see:
-1. [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
-2. [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
-3. [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
-4. [Edit AppLocker rules](edit-applocker-rules.md)
-5. [Enforce AppLocker rules](enforce-applocker-rules.md)
-6. [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)
+1. [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
+2. [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
+3. [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
+4. [Edit AppLocker rules](edit-applocker-rules.md)
+5. [Enforce AppLocker rules](enforce-applocker-rules.md)
+6. [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)
## About selecting rules
-AppLocker policies are composed of distinct rules for specific apps. These rules are grouped by collection, and they're implemented through an AppLocker policy definition. AppLocker policies are managed by using Group Policy or by using the Local Security Policy snap-in for a single computer.
-
-When you determine what types of rules to create for each of your business groups or organizational units (OUs), you should also determine what enforcement setting to use for each group. Certain rule types are more applicable for some apps, depending on how the apps are deployed in a specific business group.
+AppLocker policies are composed of rules to allow or deny specific app files. These rules are grouped into rule collections, and they're implemented through an AppLocker policy definition. AppLocker policies are managed by using Group Policy or by using the Local Security Policy snap-in for a single computer.
For info about how to determine and document your AppLocker rules, see [AppLocker Design Guide](applocker-policies-design-guide.md).
-For info about AppLocker rules and AppLocker policies, see the following topics:
+For info about AppLocker rules and AppLocker policies, see the following articles:
-- [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md)
-- [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md)
-- [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md)
-- [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md)
-- [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md)
-- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
+- [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md)
+- [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md)
+- [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md)
+- [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md)
+- [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md)
+- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
## Next steps
-1. [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md)
-2. [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md)
-3. [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md)
-4. [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)
+1. [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md)
+2. [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md)
+3. [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md)
+4. [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)
-## Related topics
+## Related articles
- [Create Your AppLocker policies](create-your-applocker-policies.md)
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/delete-an-applocker-rule.md
index b531465cdc..0c7ba5799c 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/delete-an-applocker-rule.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/delete-an-applocker-rule.md
@@ -3,21 +3,18 @@ title: Delete an AppLocker rule
description: This article for IT professionals describes the steps to delete an AppLocker rule.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 03/10/2023
+ms.date: 12/21/2023
---
# Delete an AppLocker rule
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
This article for IT professionals describes the steps to delete AppLocker rules.
As older apps are retired and new apps are deployed in your organization, it's necessary to modify the application control policies. If an app is no longer supported by your organization, then deleting the rule or rules associated with that app prevents the app from running.
For info about testing an AppLocker policy to see what rules affect which files or applications, see [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md).
-You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
+To manage an AppLocker policy in a Group Policy Object (GPO), you can perform this task by using the Group Policy Management Console. To manage an AppLocker policy for the local computer or for use in a security template, use the Local Security Policy snap-in. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#using-the-mmc-snap-ins-to-administer-applocker).
These steps apply only for locally managed devices. Any AppLocker policies delivered through MDM or Group Policy must be removed using those tools.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
index 4a3fe25421..e237fc6361 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
@@ -1,21 +1,18 @@
---
title: Deploy AppLocker policies by using the enforce rules setting
-description: This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
+description: This article for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/19/2023
---
# Deploy AppLocker policies by using the enforce rules setting
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
+This article for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
## Background and prerequisites
-These procedures assume that you have already deployed AppLocker policies with the enforcement set to **Audit only**, and you have been collecting data through the AppLocker event logs and other channels to determine what effect these policies have on your environment and the policy's adherence to your application control design.
+These procedures assume that your AppLocker policies are deployed with the enforcement mode set to **Audit only**, and you have been collecting data through the AppLocker event logs and other channels to determine what effect these policies have on your environment and the policy's adherence to your application control design.
For info about the AppLocker policy enforcement setting, see [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md).
@@ -23,18 +20,18 @@ For info about how to plan an AppLocker policy deployment, see [AppLocker Design
## Step 1: Retrieve the AppLocker policy
-Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Using Group Policy, you can export the policy from the Group Policy Object (GPO) and then update the rule or rules by using AppLocker on your AppLocker reference or test PC. For the procedure to do these tasks, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). For local AppLocker policies, you can update the rule or rules by using the Local Security policy snap-in (secpol.msc) on your AppLocker reference or test PC. For the procedures to do this task, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md).
+Updating an AppLocker policy that is currently enforced in your production environment can cause unintended results. Using Group Policy, you can export the policy from the Group Policy Object (GPO) and then update the rule or rules by using AppLocker on a reference or test PC. For the procedure to do these tasks, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). For local AppLocker policies, you can update the rule or rules by using the Local Security policy snap-in (secpol.msc) on your AppLocker reference or test PC. For the procedures to do this task, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md).
## Step 2: Alter the enforcement setting
-Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into collections: executable files, Windows Installer files, packaged apps, scripts, and DLL files. By default, if enforcement isn't configured and rules are present in a rule collection, those rules are enforced. For information about the enforcement setting, see [Understand AppLocker Enforcement Settings](understand-applocker-enforcement-settings.md). For the procedure to alter the enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md).
+Rule enforcement is applied to all rules within a rule collection, not to individual rules. AppLocker divides the rules into collections: executable files, Windows Installer files, packaged apps, scripts, and DLL files. For information about the enforcement mode setting, see [Understand AppLocker Enforcement Settings](understand-applocker-enforcement-settings.md). For the procedure to alter the enforcement mode setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md).
## Step 3: Update the policy
You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the AppLocker policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the [Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) feature from the Microsoft Desktop Optimization Pack.
> [!CAUTION]
-> You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
+> You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can cause unexpected behavior.
For the procedure to update the GPO, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md).
@@ -46,4 +43,4 @@ When a policy is deployed, it's important to monitor the actual implementation o
## Other resources
-- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
+- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
index da372fd5b0..d2ef52adad 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
@@ -1,42 +1,39 @@
---
title: Deploy the AppLocker policy into production
-description: This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.
+description: This article for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/22/2023
---
# Deploy the AppLocker policy into production
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.
-This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.
+After successfully testing and modifying the AppLocker policy for each Group Policy Object (GPO), you're ready to deploy the enforcement settings into production. For most organizations, this means switching the AppLocker enforcement mode setting from **Audit only** to **Enforce rules** for a rule collection. Be sure to follow the deployment plan that you created earlier. For more info, see the [AppLocker Design Guide](applocker-policies-design-guide.md). Depending on the needs of different business groups in your organization, you might deploy different enforcement mode settings for linked GPOs.
-After successfully testing and modifying the AppLocker policy for each Group Policy Object (GPO), you are ready to deploy the enforcement settings into production. For most organizations, this means switching the AppLocker enforcement setting from **Audit only** to **Enforce rules**. However, it is important to follow the deployment plan that you created earlier. For more info, see the [AppLocker Design Guide](applocker-policies-design-guide.md). Depending on the needs of different business groups in your organization, you might deploy different enforcement settings for linked GPOs.
-
-### Understand your design decisions
+## Understand your design decisions
Before you deploy an AppLocker policy, you should determine:
-- For each business group, which applications will be controlled and in what manner. For more info, see [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md).
-- How to handle requests for application access. For info about what to consider when developing your support policies, see [Plan for AppLocker policy management](plan-for-applocker-policy-management.md).
-- How to manage events, including forwarding events. For info about event management in AppLocker, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
-- Your GPO structure, including how to include policies generated by Software Restriction Policies and AppLocker policies. For more info, see [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md).
+- For each business group, which applications to control and in what manner. For more info, see [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md).
+- How to handle requests for application access. For info about what to consider when developing your support policies, see [Plan for AppLocker policy management](plan-for-applocker-policy-management.md).
+- How to manage events, including forwarding events. For info about event management in AppLocker, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
+- Your GPO structure, including how to include AppLocker policies. For more info, see [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md).
For info about how AppLocker deployment is dependent on design decisions, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md).
-### AppLocker deployment methods
+## AppLocker deployment methods
-If you have configured a reference device, you can create and update your AppLocker policies on this device, test the policies, and then export the policies to the appropriate GPO for distribution. Another method is to create the policies and set the enforcement setting on **Audit only**, then
-observe the events that are generated.
-- [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
+If you configure a reference device, you can create and update your AppLocker policies on this device, test the policies, and then export the policies to the appropriate GPO for distribution. Another method is to create the policies and set the enforcement setting on **Audit only**, then observe the events that are generated.
- This topic describes the steps to use an AppLocker reference computer to prepare application control policies for deployment by using Group Policy or other means.
+- [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
-- [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md)
+ This article describes the steps to use an AppLocker reference computer to prepare application control policies for deployment by using Group Policy or other means.
- This topic describes the steps to deploy the AppLocker policy by changing the enforcement setting to **Audit only** or to **Enforce rules**.
+- [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md)
+
+ This article describes the steps to deploy the AppLocker policy by changing the enforcement mode setting to **Audit only** or to **Enforce rules**.
## See also
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
index 8c8842e5ae..fb13e22d88 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
@@ -1,31 +1,28 @@
---
title: Determine the Group Policy structure and rule enforcement
-description: This overview topic describes the process to follow when you're planning to deploy AppLocker rules.
+description: This overview article describes the process to follow when you're planning to deploy AppLocker rules.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/22/2023
---
# Determine the Group Policy structure and rule enforcement
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This overview topic describes the process to follow when you're planning to deploy AppLocker rules.
+This overview article describes the process to follow when you're planning to deploy AppLocker rules.
## In this section
-| Topic | Description |
-| - | - |
-| [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) | This topic describes the AppLocker enforcement settings for rule collections. |
-| [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md) | This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.|
-| [Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md) | This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. |
-
-When you're determining how many Group Policy Objects (GPOs) to create when you apply an AppLocker policy in your organization, you should consider the following points:
+| Article | Description |
+| --- | --- |
+| [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) | This article describes the AppLocker enforcement settings for rule collections. |
+| [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md) | This article for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.|
+| [Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md) | This planning article describes what you need to investigate, determine, and document for your policy plan when you use AppLocker. |
-- Whether you're creating new GPOs or using existing GPOs
-- Whether you're implementing Software Restriction Policies (SRP) policies and AppLocker policies in the same GPO
-- GPO naming conventions
-- GPO size limits
+When determining how many Group Policy Objects (GPOs) to create for managing AppLocker policy in your organization, you should consider the following points:
->**Note:** There is no default limit on the number of AppLocker rules that you can create. However, in Windows Server 2008 R2, GPOs have a 2 MB size limit for performance. In subsequent versions, that limit is raised to 100 MB.
+- Whether you're creating new GPOs or using existing GPOs
+- GPO naming conventions
+- GPO size limits
+
+> [!NOTE]
+> There is no fixed limit on the number of AppLocker rules that you can create. However, GPOs have a 100 MB size limit.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
index a654dfc5f7..56fef83f74 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
@@ -1,31 +1,29 @@
---
title: Find digitally signed apps on a reference device
-description: This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
+description: This article for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# Determine which apps are digitally signed on a reference device
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
+This article for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
The Windows PowerShell cmdlet **Get-AppLockerFileInformation** can be used to determine which apps installed on your reference devices are digitally signed. Perform the following steps on each reference computer that you used to define the AppLocker policy. The device doesn't need to be joined to the domain.
Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
-**To determine which apps are digitally signed on a reference device**
-1. Run **Get-AppLockerFileInformation** with the appropriate parameters.
+## To determine which apps are digitally signed on a reference device
- The **Get-AppLockerFileInformation** cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that aren't signed don't have any publisher information.
+1. Run **Get-AppLockerFileInformation** with the appropriate parameters.
-2. Analyze the publisher's name and digital signature status from the output of the command.
+ The **Get-AppLockerFileInformation** cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log might not contain all of these fields. Files that aren't signed don't have any publisher information.
+
+2. Analyze the publisher's name and digital signature status from the output of the command.
For command parameters, syntax, and examples, see [Get-AppLockerFileInformation](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee460961(v=technet.10)).
-## Related topics
+## Related articles
- [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
deleted file mode 100644
index b52c32d46b..0000000000
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: Determine your application control objectives
-description: Determine which applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.
-ms.localizationpriority: medium
-ms.topic: conceptual
-ms.date: 09/21/2017
----
-
-# Determine your application control objectives
-
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This article helps with decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.
-
-AppLocker is effective for organizations with app restriction requirements whose environments have a simple topography and whose application control policy goals are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is a detailed level of control on the PCs they manage for a relatively small number of apps.
-
-There are management and maintenance costs associated with a list of allowed apps. In addition, the purpose of application control policies is to allow or prevent employees from using apps that might actually be productivity tools. Keeping employees or users productive while implementing the policies can cost time and effort. Lastly, creating user support processes and network support processes to keep the organization productive are also concerns.
-
-Use the following table to develop your own objectives and determine which application control feature best addresses those objectives.
-
-|Application control function|SRP|AppLocker|
-|--- |--- |--- |
-|Scope|SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.|AppLocker policies apply only to the support versions of Windows listed in [Requirements to use AppLocker](requirements-to-use-applocker.md).|
-|Policy creation|SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.|AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.
AppLocker permits customization of error messages to direct users to a Web page for help.|
-|Policy maintenance|SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).|AppLocker policies can be updated by using the Local Security Policy snap-in, if the policies are created locally, or the GPMC, or the Windows PowerShell AppLocker cmdlets.|
-|Policy application|SRP policies are distributed through Group Policy.|AppLocker policies are distributed through Group Policy.|
-|Enforcement mode|SRP works in the "blocklist mode" where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default.
SRP can also be configured in the "allowlist mode" such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|By default, AppLocker works in allowlist mode. Only those files are allowed to run for which there's a matching allow rule.|
-|File types that can be controlled|SRP can control the following file types:
SRP can't control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:
AppLocker maintains a separate rule collection for each of the five file types.|
-|Designated file types|SRP supports an extensible list of file types that are considered executable. You can add extensions for files that should be considered executable.|AppLocker doesn't support this addition of extension. AppLocker currently supports the following file extensions:
Internet zone|AppLocker supports three types of rules:
SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker doesn't support security levels.|
-|Manage Packaged apps and Packaged app installers.|Unable|.appx is a valid file type which AppLocker can manage.|
-|Targeting a rule to a user or a group of users|SRP rules apply to all users on a particular computer.|AppLocker rules can be targeted to a specific user or a group of users.|
-|Support for rule exceptions|SRP doesn't support rule exceptions|AppLocker rules can have exceptions that allow administrators to create rules such as "Allow everything from Windows except for Regedit.exe".|
-|Support for audit mode|SRP doesn't support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.|AppLocker supports audit mode that allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you're satisfied with the results, you can start enforcing the policy.|
-|Support for exporting and importing policies|SRP doesn't support policy import/export.|AppLocker supports the importing and exporting of policies. This support by AppLocker allows you to create AppLocker policy on a sample computer, test it out and then export that policy and import it back into the desired GPO.|
-|Rule enforcement|Internally, SRP rules enforcement happens in user-mode, which is less secure.|Internally, AppLocker rules for exes and dlls are enforced in kernel-mode, which is more secure than enforcing them in the user-mode.|
-
-For more general info, see AppLocker.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
index 4f50e071a2..64307b01ba 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
@@ -1,28 +1,25 @@
---
title: Display a custom URL message when users try to run a blocked app
-description: This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.
+description: This article for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy blocks an app.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/21/2023
---
# Display a custom URL message when users try to run a blocked app
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy blocks an app.
-This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.
-
-With the help of Group Policy, AppLocker can be configured to display a message with a custom URL. You can use this URL to redirect users to a support site that contains info about why the user received the error and which apps are allowed. If you don't display a custom message when an app is blocked, the default access denied message is displayed.
+With the help of Group Policy, AppLocker can be configured to display a message with a custom URL. You can use this URL to redirect users to a support site that contains info about why the user received the error and which apps are allowed. If you don't display a custom message when an app is blocked, the default AppLocker block message is displayed as-is.
To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
-**To display a custom URL message when users try to run a blocked app**
+## To display a custom URL message when users try to run a blocked app
-1. On the **Start** screen, type **gpmc.msc** to open the Group Policy Management Console (GPMC).
-2. Navigate to the Group Policy Object (GPO) that you want to edit.
-3. Right-click the GPO, and then click **Edit**.
-4. In the console tree under **Policies\\Administrative Templates\\Windows Components**, click **File Explorer**.
-5. In the details pane, double-click **Set a support web page link**.
-6. Click **Enabled**, and then type the URL of the custom Web page in the **Support Web page URL** box.
-7. Click **OK** to apply the setting.
+1. On the **Start** screen, type **gpmc.msc** to open the Group Policy Management Console (GPMC).
+2. Navigate to the Group Policy Object (GPO) that you want to edit.
+3. Right-click the GPO, and then select **Edit**.
+4. In the console tree under **Policies\\Administrative Templates\\Windows Components**, select **File Explorer**.
+5. In the details pane, double-click **Set a support web page link**.
+6. Select **Enabled**, and then type the URL of the custom Web page in the **Support Web page URL** box.
+7. Select **OK** to apply the setting.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/dll-rules-in-applocker.md
index 39003c7034..36da65e276 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/dll-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/dll-rules-in-applocker.md
@@ -1,37 +1,34 @@
---
title: DLL rules in AppLocker
-description: This topic describes the file formats and available default rules for the DLL rule collection.
+description: This article describes the file formats and available default rules for the DLL rule collection.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# DLL rules in AppLocker
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic describes the file formats and available default rules for the DLL rule collection.
+This article describes the file formats and available default rules for the DLL rule collection.
AppLocker defines DLL rules to include only the following file formats:
-- .dll
-- .ocx
+- .dll
+- .ocx
+
+> [!IMPORTANT]
+> If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps, including Windows system files.
The following table lists the default rules that are available for the DLL rule collection.
| Purpose | Name | User | Rule condition type |
-| - | - | - | - |
-| Allows members of the local Administrators group to run all DLLs | (Default Rule) All DLLs| BUILTIN\Administrators | Path: *|
-| Allow all users to run DLLs in the Windows folder| (Default Rule) Microsoft Windows DLLs | Everyone | Path: %windir%\*|
-| Allow all users to run DLLs in the Program Files folder | (Default Rule) All DLLs located in the Program Files folder| Everyone | Path: %programfiles%\*|
-
-> [!IMPORTANT]
-> If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps
+| --- | --- | --- | --- |
+| Allows members of the local Administrators group to run all DLLs | (Default Rule) All DLLs | BUILTIN\Administrators | Path: * |
+| Allow all users to run DLLs in the Windows folder | (Default Rule) Microsoft Windows DLLs | Everyone | Path: %windir%\* |
+| Allow all users to run DLLs in the Program Files folder | (Default Rule) All DLLs located in the Program Files folder | Everyone | Path: %programfiles%\* |
> [!CAUTION]
-> When DLL rules are used, AppLocker must check each DLL that an app loads. Therefore, users may experience a reduction in performance if DLL rules are used.
-
-## Related topics
+> When DLL rules are used, AppLocker must check each DLL that an app loads. Therefore, users may experience a reduction in performance if DLL rules are used on computers that are resource constrained.
+
+## Related articles
- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
index 5206548f80..294689bc28 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
@@ -1,33 +1,30 @@
---
title: Document Group Policy structure & AppLocker rule enforcement
-description: This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.
+description: This planning article describes what you need to include in your plan when you use AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/22/2023
---
# Document the Group Policy structure and AppLocker rule enforcement
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.
+This planning article describes what you should include in your plan when you use AppLocker.
## Record your findings
To complete this AppLocker planning document, you should first complete the following steps:
-1. [Determine your application control objectives](determine-your-application-control-objectives.md)
-2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
-3. [Select the types of rules to create](select-types-of-rules-to-create.md)
-4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
+1. [Determine your application control objectives](determine-your-application-control-objectives.md)
+2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
+3. [Select the types of rules to create](select-types-of-rules-to-create.md)
+4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
-After you determine how to structure your Group Policy Objects (GPOs) so that you can apply AppLocker policies, you should record your findings. You can use the following table to determine how many GPOs to create (or edit) and which objects they're linked to. If you decided to create custom rules to allow system files to run, note the high-level rule configuration in the **Use default rule or define new rule condition** column.
+After you determine how to structure your Group Policy Objects (GPOs) for AppLocker policies, you should record your findings. You can use the following table to determine how many GPOs to create (or edit) and which objects they're linked to. If you decide to create custom rules to allow system files to run, note the high-level rule configuration in the **Use default rule or define new rule condition** column.
The following table includes the sample data that was collected when you determined your enforcement settings and the GPO structure for your AppLocker policies.
|Business group|Organizational unit|Implement AppLocker?|Apps|Installation path|Use default rule or define new rule condition|Allow or deny|GPO name|
-|--- |--- |--- |--- |--- |--- |--- |--- |
+| --- | --- | --- | --- | --- | --- | --- | --- |
|Bank Tellers|Teller-East and Teller-West|Yes|Teller Software|C:\Program Files\Woodgrove\Teller.exe|File is signed; create a publisher condition|Allow|Tellers-AppLockerTellerRules|
||||Windows files|C:\Windows|Create a path exception to the default rule to exclude \Windows\Temp|Allow||
|Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|File is signed; create a publisher condition|Allow|HR-AppLockerHRRules|
@@ -37,5 +34,6 @@ The following table includes the sample data that was collected when you determi
## Next steps
-After you've determined the Group Policy structure and rule enforcement strategy for each business group's apps, the following tasks remain:
-- [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
+After you determine the Group Policy structure and rule enforcement strategy for each business group's apps, the following tasks remain:
+
+- [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-application-list.md
index e56f851d85..f42d12d410 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-application-list.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-application-list.md
@@ -1,25 +1,22 @@
---
title: Document your app list
-description: This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies.
+description: This planning article describes the app information that you should document when you create a list of apps for AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/22/2023
---
# Document your app list
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies.
+This planning article describes the app information that you should document when you create a list of apps for AppLocker policies.
## Record your findings
-**Apps**
+### Apps
-Record the name of the app, whether it is signed as indicated by the publisher's name, and whether it is a mission critical, business productivity, optional, or personal app. Later, as you manage your rules, AppLocker displays this information in the format shown in the following example: *MICROSOFT OFFICE INFOPATH signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US*.
+Record the name of the app, its publisher information (if digitally signed), and its importance to the business.
-**Installation path**
+### Installation path
Record the installation path of the apps. For example, Microsoft Office 2016 installs files to *%programfiles%\\Microsoft Office\\Office16\\*, which is *C:\\Program Files\\Microsoft Office\\Office16\\* on most devices.
@@ -35,36 +32,36 @@ The following table provides an example of how to list applications for each bus
||||Windows files|C:\Windows|
>[!NOTE]
->AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary.
-
-Event processing
+>AppLocker only supports publisher rules for Packaged apps. Therefore, collecting the installation path information for Packaged apps is not necessary.
-As you create your list of apps, you need to consider how to manage the events that are generated by user access, or you need to deny running those apps to make your users as productive as possible. The following list is an example of what to consider and what to record:
+## Event processing
-- Will event forwarding be implemented for AppLocker events?
-- What is the location of the AppLocker event collection?
-- Should an event archival policy be implemented?
-- Will the events be analyzed and how often?
-- Should a security policy be in place for event collection?
+As you create your list of apps, you need to consider how to manage the events generated by user access. The following list is an example of what to consider and what to record:
-**Policy maintenance**
+- Do you want to forward AppLocker events for analysis?
+- What is the location of the AppLocker event collection?
+- Should an event archival policy be implemented?
+- Who analyzes the AppLocker events and how often?
+- Should a security policy be in place for event collection?
-As you create your list of apps, you need to consider how to manage and maintain the policies that you will eventually create. The following list is an example of what to consider and what to record:
+## Policy maintenance
-- How will rules be updated for emergency app access and permanent access?
-- How will apps be removed?
-- How many older versions of the same app will be maintained?
-- How will new apps be introduced?
+As you create your list of apps, you need to consider how to manage and maintain the policies that you create. The following list is an example of what to consider and what to record:
+
+- How are rules updated for emergency app access and permanent access?
+- How are apps removed?
+- How many older versions of the same app are maintained?
+- How are new apps introduced?
## Next steps
-After you have created the list of applications, the next step is to identify the rule collections, which will become the application control policies. This information can be added to the table under the following columns:
+After you create the list of applications, the next step is to identify the rule collections, which will become the application control policies. This information can be added to the table under the following columns:
-- Use default rule or define new rule condition
-- Allow or deny
-- GPO name
+- Use default rule or define new rule condition
+- Allow or deny
+- GPO name
-To identify the rule collections, see the following topics:
+To identify the rule collections, see the following articles:
-- [Select the types of rules to create](select-types-of-rules-to-create.md)
-- [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
+- [Select the types of rules to create](select-types-of-rules-to-create.md)
+- [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-applocker-rules.md
index 5e123e0052..1d5ff7d78e 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-applocker-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-applocker-rules.md
@@ -3,43 +3,35 @@ title: Document your AppLocker rules
description: Learn how to document your AppLocker rules and associate rule conditions with files, permissions, rule source, and implementation.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/22/2023
---
# Document your AppLocker rules
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic describes what AppLocker rule conditions to associate with each file, how to associate these rule conditions, the source of the rule, and whether the file should be included or excluded.
-
-## Record your findings
-
To complete this AppLocker planning document, you should first complete the following steps:
-1. [Determine your application control objectives](determine-your-application-control-objectives.md)
-2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
-3. [Select the types of rules to create](select-types-of-rules-to-create.md)
+1. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
+2. [Select the types of rules to create](select-types-of-rules-to-create.md)
Document the following items for each business group or organizational unit:
-- Whether your organization will use the built-in default AppLocker rules to allow system files to run.
-- The types of rule conditions that you will use to create rules, stated in order of preference.
+- Whether your organization uses the built-in default AppLocker rules to allow system files to run.
+- The types of rule conditions that you use to create rules, stated in order of preference.
The following table details sample data for documenting rule type and rule condition findings. In addition, you should now consider whether to allow an app to run or deny permission for it to run. For info about these settings, see [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md).
|Business group|Organizational unit|Implement AppLocker?|Applications|Installation path|Use default rule or define new rule condition|Allow or deny|
-|--- |--- |--- |--- |--- |--- |--- |
+| --- | --- | --- | --- | --- | --- | --- |
|Bank Tellers|Teller-East and Teller-West|Yes|Teller Software|C:\Program Files\Woodgrove\Teller.exe|File is signed; create a publisher condition||
||||Windows files|C:\Windows|Create a path exception to the default rule to exclude \Windows\Temp||
|Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|File is signed; create a publisher condition||
-||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File is not signed; create a file hash condition||
+||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File isn't signed; create a file hash condition||
||||Internet Explorer 7|C:\Program Files\Internet Explorer
Emergency: Request through help desk|Through business office triage
30-day notice required|General policy: Keep past versions for 12 months
List policies for each application|Coordinated through business office
30-day notice required|
-|Human Resources|Planned: Monthly through HR triage
Emergency: Request through help desk|Through HR triage
30-day notice required|General policy: Keep past versions for 60 months
List policies for each application|Coordinated through HR
30-day notice required|
+| --- | --- | --- | --- | --- |
+| Bank Tellers | Planned: Monthly through business office triage
Emergency: Request through help desk | Through business office triage
30-day notice required|General policy: Keep past versions for 12 months
List policies for each application|Coordinated through business office
30-day notice required |
+| Human Resources | Planned: Monthly through HR triage
Emergency: Request through help desk|Through HR triage
30-day notice required | General policy: Keep past versions for 60 months
List policies for each application | Coordinated through HR
30-day notice required |
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
index d4039c3443..4dcd7f89ab 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
@@ -1,53 +1,49 @@ --- title: Refresh an AppLocker policy -description: This topic for IT professionals describes the steps to force an update for an AppLocker policy. +description: This article for IT professionals describes the steps to force an update for an AppLocker policy. ms.localizationpriority: medium ms.topic: conceptual -ms.date: 09/21/2017 +ms.date: 12/22/2023 --- # Refresh an AppLocker policy ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +This article for IT professionals describes the steps to force an update for an AppLocker policy. -This topic for IT professionals describes the steps to force an update for an AppLocker policy. +If you update the rule collection on a local computer by using the Local Security Policy snap-in, the policy takes effect immediately. If Group Policy is used to distribute the AppLocker policy and you want to immediately implement the policy, you must manually refresh the policy. The Group Policy refresh might take several minutes, depending upon the number of policies within the Group Policy Object (GPO) and the number of target computers. -If you update the rule collection on a local computer by using the Local Security Policy snap-in, the policy will take effect immediately. If Group Policy is used to distribute the AppLocker policy and you want to immediately implement the policy, you must manually refresh the policy. The Group Policy refresh might take several minutes, depending upon the number of policies within the Group Policy Object (GPO) and the number of target computers. - -To use Group Policy to distribute the AppLocker policy change, you need to retrieve the deployed AppLocker policy first. 
To prepare for the update and subsequent refresh, see [Edit an AppLocker policy](edit-an-applocker-policy.md) - -[Edit an AppLocker policy](edit-an-applocker-policy.md) and [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md). +To use Group Policy to distribute the AppLocker policy change, you need to retrieve the deployed AppLocker policy first. To prepare for the update and subsequent refresh, see [Edit an AppLocker policy](edit-an-applocker-policy.md) and [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md). To complete this procedure, you must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. -**To manually refresh the AppLocker policy by using Group Policy** +## To manually refresh the AppLocker policy by using Group Policy -1. From a command prompt, type **gpupdate /force**, and then press ENTER. -2. When the command finishes, close the command prompt window, and then verify that the intended rule behavior is correct. You can do this verification by checking the AppLocker event logs for events that include "policy applied." +1. From a command prompt, type **gpupdate /force**, and then press ENTER. +2. When the command finishes, close the command prompt window, and then verify that the intended rule behavior is correct. You can do this verification by checking the AppLocker event logs for events that include "policy applied." -To change a policy on an individual computer, or to implement that policy on other computers, without using Group Policy, you first need to update the rule within the rule collection. For information about updating existing rules, see [Edit AppLocker rules](edit-applocker-rules.md). 
For information -about creating a new rule for an existing policy, see: -- [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) -- [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) -- [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) +For information about updating existing rules, see [Edit AppLocker rules](edit-applocker-rules.md). For information about creating a new rule for an existing policy, see: + +- [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) +- [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) +- [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. -**To refresh the AppLocker policy on the local computer** +## To refresh the AppLocker policy on the local computer -- Update the rule collection by using the Local Security Policy console with one of the following procedures: +- Update the rule collection by using the Local Security Policy console with one of the following procedures: - - [Edit AppLocker rules](edit-applocker-rules.md) - - [Delete an AppLocker rule](delete-an-applocker-rule.md) - - [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) + - [Edit AppLocker rules](edit-applocker-rules.md) + - [Delete an AppLocker rule](delete-an-applocker-rule.md) + - [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) When finished, the policy is in effect. To make the same change on another device, you can use any of the following methods: -- From the device that you made the change on, export the AppLocker policy, and then import the policy onto the other device. 
To do these tasks, use the AppLocker **Export Policy** and **Import Policy** features to copy the rules from the changed computer. +- From the device where you made the change, export the AppLocker policy and then import into onto the other device. To do these tasks, use the AppLocker **Export Policy** and **Import Policy** features to copy the rules from the changed computer. - >**Caution:** When importing rules from another computer, all the rules will be applied, not just the one that was updated. Merging policies allows both existing and updated (or new) rules to be applied. - -- Merge AppLocker policies. For information on the procedures to do this merging, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) and [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). +> [!WARNING] +> When importing rules from another computer, all the rules will be applied, not just the one that was updated. Merging policies allows both existing and updated (or new) rules to be applied. + +- Merge AppLocker policies. For information on the procedures to do this merging, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) and [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md).
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
index 70a6f0b415..eb55e89166 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md 
@@ -1,65 +1,64 @@ --- title: Requirements for deploying AppLocker policies -description: This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. +description: This deployment article for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. ms.localizationpriority: medium ms.topic: conceptual -ms.date: 09/21/2017 +ms.date: 12/22/2023 --- # Requirements for deploying AppLocker policies ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). - -This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. +This deployment article for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. The following requirements must be met or addressed before you deploy your AppLocker policies: -- [Deployment plan](#bkmk-reqdepplan) -- [Supported operating systems](#bkmk-reqsupportedos) -- [Policy distribution mechanism](#bkmk-reqpolicydistmech) -- [Event collection and analysis system](#bkmk-reqeventcollectionsystem) -### Deployment plan +- [Deployment plan](#deployment-plan) +- [Supported operating systems](#supported-operating-systems) +- [Policy distribution mechanism](#policy-distribution-mechanism) +- [Event collection and analysis system](#event-collection-and-analysis-system) -An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). 
The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md)). +## Deployment plan + +A successful AppLocker policy deployment begins with a policy design that allows the applications needed by your organization and prevents unauthorized apps, including malware, from running. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies. |Business group|Organizational unit|Implement AppLocker?|Apps|Installation path|Use default rule or define new rule condition|Allow or deny|GPO name|Support policy| -|--- |--- |--- |--- |--- |--- |--- |--- |--- | +| --- | --- | --- | --- | --- | --- | --- | --- | --- | |Bank Tellers|Teller-East and Teller-West|Yes|Teller software|C:\Program Files\Woodgrove\Teller.exe|File is signed; create a publisher condition|Allow|Tellers|Web help| ||||Windows files|C:\Windows|Create a path exception to the default rule to exclude \Windows\Temp|Allow||Help Desk| -||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File is not signed; create a file hash condition|Allow||Web help| +||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File isn't signed; create a file hash condition|Allow||Web help| |Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|File is signed; create a publisher condition|Allow|HR|Web help| ||||Internet Explorer 7|C:\Program Files\Internet Explorer
|File is signed; create a publisher condition|Deny||Help Desk| ||||Windows files|C:\Windows|Use the default rule for the Windows path|Allow||Help Desk| - -Event processing policy + +### Event processing policy |Business group|AppLocker event collection location|Archival policy|Analyzed?|Security policy| -|--- |--- |--- |--- |--- | +| --- | --- | --- | --- | --- | |Bank Tellers|Forwarded to: srvBT093|Standard|None|Standard| |Human Resources|Do not forward|60 months|Yes; summary reports monthly to managers|Standard| - -Policy maintenance policy + +### Policy maintenance policy |Business group|Rule update policy|App decommission policy|App version policy|App deployment policy| -|--- |--- |--- |--- |--- | -|Bank Tellers|Planned: Monthly through business office triageEmergency: Request through Help Desk|Through business office triage; 30-day notice required|General policy: Keep past versions for 12 months
List policies for each application|Coordinated through business office; 30-day notice required| -|Human Resources|Planned: Through HR triage
Emergency: Request through Help Desk|Through HR triage; 30-day notice required|General policy: Keep past versions for 60 months
List policies for each application|Coordinated through HR; 30-day notice required| - -### Supported operating systems +| --- | --- | --- | --- | --- | +| Bank Tellers | Planned: Monthly through business office triage
Emergency: Request through Help Desk | Through business office triage; 30-day notice required | General policy: Keep past versions for 12 months
List policies for each application | Coordinated through business office; 30-day notice required | +| Human Resources | Planned: Through HR triage
Emergency: Request through Help Desk | Through HR triage; 30-day notice required |General policy: Keep past versions for 60 months
List policies for each application | Coordinated through HR; 30-day notice required |
-AppLocker is supported only on certain operating systems. Some features are not available on all operating systems. For more information, see [Requirements to use AppLocker](requirements-to-use-applocker.md).
+## Supported operating systems
-### Policy distribution mechanism
+AppLocker is supported only on certain operating systems. Some features aren't available on all operating systems. For more information, see [Requirements to use AppLocker](requirements-to-use-applocker.md).
-You need a way to distribute the AppLocker policies throughout the targeted business groups. AppLocker uses Group Policy management architecture to effectively distribute application control policies. AppLocker policies can also be configured on individual computers by using the Local Security Policy snap-in.
+## Policy distribution mechanism
-### Event collection and analysis system
+You need a way to distribute the AppLocker policies throughout the targeted business groups. AppLocker uses Group Policy management architecture to effectively distribute application control policies. AppLocker policies can also be configured on individual computers by using the Local Security Policy snap-in. AppLocker rules can also be distributed through a mobile device management solution, like Microsoft Intune.
+
+## Event collection and analysis system
Event processing is important to understand application usage. You must have a process in place to collect and analyze AppLocker events so that application usage is appropriately restricted and understood. For procedures to monitor AppLocker events, see:
-- [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)
-- [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md)
-- [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)
+
+- [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)
+- [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md)
+- [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)
## See also
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker.md
index 5d2b189772..3d5dcd1008 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker.md
@@ -1,61 +1,43 @@
---
title: Requirements to use AppLocker
-description: This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
+description: This article for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# Requirements to use AppLocker
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
+This article for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
## General requirements
To use AppLocker, you need:
-- A device running a supported operating system to create the rules. The computer can be a domain controller.
-- For Group Policy deployment, at least one device with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules.
-- Devices running a supported operating system to enforce the AppLocker rules that you create.
+- A device running a supported operating system to create the rules. The computer can be a domain controller.
+- For Group Policy deployment, at least one device with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules.
+- Devices running a supported operating system to enforce the AppLocker rules that you create.
>[!NOTE]
->As of [KB 5024351](https://support.microsoft.com/help/5024351), Windows 10 versions 2004 and newer and all Windows 11 versions no longer require a specific edition of Windows to enforce AppLocker policies
-
+>As of [KB 5024351](https://support.microsoft.com/help/5024351), Windows 10 versions 2004 and newer and all Windows 11 versions no longer require a specific edition of Windows to enforce AppLocker policies.
+
## Operating system requirements
The following table shows the Windows versions on which AppLocker features are supported.
| Version | Can be configured | Can be enforced | Available rules | Notes |
-| - | - | - | - | - |
-| Windows 10 and Windows 11| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| Policies are supported on all editions Windows 10 version 2004 and newer with [KB 5024351](https://support.microsoft.com/help/5024351).
Windows versions older than version 2004, including Windows Server 2019:
AppLocker permits customization of error messages to direct users to a Web page for help.| -|Policy maintenance|SRP policies are updated by using the Local Security Policy snap-in or the Group Policy Management Console (GPMC).|AppLocker policies are updated by using the Local Security Policy snap-in or the GPMC.
AppLocker supports a small set of PowerShell cmdlets to aid in administration and maintenance.|
-|Policy management infrastructure|To manage SRP policies, SRP uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.|To manage AppLocker policies, AppLocker uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.|
-|Block malicious scripts|Rules for blocking malicious scripts prevent all scripts associated with the Windows Script Host from running, except those scripts that are digitally signed by your organization.|AppLocker rules can control the following file formats: .ps1, .bat, .cmd, .vbs, and .js. In addition, you can set exceptions to allow specific files to run.|
-|Manage software installation|SRP can prevent all Windows Installer packages from installing. It allows .msi files that are digitally signed by your organization to be installed.|The Windows Installer rule collection is a set of rules created for Windows Installer file types (.mst, .msi and .msp) to allow you to control the installation of files on client computers and servers.|
-|Manage all software on the computer|All software is managed in one rule set. By default, the policy for managing all software on a device disallows all software on the user's device, except software that is installed in the Windows folder, Program Files folder, or subfolders.|Unlike SRP, each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection will be allowed to run. This configuration makes it easier for administrators to determine what will occur when an AppLocker rule is applied.|
-|Different policies for different users|Rules are applied uniformly to all users on a particular device.|On a device that is shared by multiple users, an administrator can specify the groups of users who can access the installed software. An administrator uses AppLocker to specify the user to whom a specific rule should apply.|
-
-## Related topics
+## Related articles
- [AppLocker technical reference](applocker-technical-reference.md)
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
index 9f51d9f474..e64e6e97ff 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
@@ -1,32 +1,29 @@
---
title: Windows Installer rules in AppLocker
-description: This topic describes the file formats and available default rules for the Windows Installer rule collection.
+description: This article describes the file formats and available default rules for the Windows Installer rule collection.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/24/2023
---
# Windows Installer rules in AppLocker
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic describes the file formats and available default rules for the Windows Installer rule collection.
+This article describes the file formats and available default rules for the Windows Installer rule collection.
AppLocker defines Windows Installer rules to include only the following file formats:
-- .msi
-- .msp
-- .mst
+- .msi
+- .msp
+- .mst
The purpose of this collection is to allow you to control the installation of files on client computers and servers through Group Policy or the Local Security Policy snap-in. The following table lists the default rules that are available for the Windows Installer rule collection.
| Purpose | Name | User | Rule condition type |
-| - | - | - | - |
-| Allow members of the local Administrators group to run all Windows Installer files| (Default Rule) All Windows Installer files| BUILTIN\Administrators| Path: *|
-| Allow all users to run Windows Installer files that are digitally signed | (Default Rule) All digitally signed Windows Installer files| Everyone| Publisher: * (all signed files)|
-| Allow all users to run Windows Installer files that are located in the Windows Installer folder | (Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer| Everyone| Path: %windir%\Installer\*|
-
-## Related topics
+| --- | --- | --- | --- |
+| Allow members of the local Administrators group to run all Windows Installer files| (Default Rule) All Windows Installer files| BUILTIN\Administrators| Path: *|
+| Allow all users to run Windows Installer files that are digitally signed | (Default Rule) All digitally signed Windows Installer files| Everyone| Publisher: * (all signed files)|
+| Allow all users to run Windows Installer files that are located in the Windows Installer folder | (Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer| Everyone| Path: %windir%\Installer\*|
+
+## Related articles
- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-policies.md
index 0f287537b8..189d8f1654 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-policies.md
@@ -1,32 +1,29 @@
---
title: Working with AppLocker policies
-description: This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies.
+description: This article for IT professionals provides links to procedural articles about creating, maintaining, and testing AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/21/2023
---
# Working with AppLocker policies
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies.
+This article for IT professionals provides links to procedural articles about creating, maintaining, and testing AppLocker policies.
## In this section
-| Topic | Description |
+| Article | Description |
| - | - |
-| [Configure the Application Identity service](configure-the-application-identity-service.md) | This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.|
-| [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) | This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker.|
-| [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md) | This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.|
-| [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md) | This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.|
-| [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) | This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.|
-| [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) | This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing.|
-| [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md) | This topic for IT professionals describes how to import an AppLocker policy.|
-| [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) | This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO).|
-| [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md) | This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).|
-| [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md) | This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.|
-| [Merge AppLocker policies manually](merge-applocker-policies-manually.md) | This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO).|
-| [Refresh an AppLocker policy](refresh-an-applocker-policy.md) | This topic for IT professionals describes the steps to force an update for an AppLocker policy.|
-| [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md) | This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.|
+| [Configure the Application Identity service](configure-the-application-identity-service.md) | This article for IT professionals shows how to configure the Application Identity service to start automatically or manually. |
+| [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) | This article for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker. |
+| [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md) | This article for IT professionals describes the steps to enable the AppLocker policy enforcement setting. |
+| [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md) | This article for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app. |
+| [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) | This article for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified. |
+| [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) | This article for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing. |
+| [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md) | This article for IT professionals describes how to import an AppLocker policy. |
+| [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) | This article for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO). |
+| [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md) | This article for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT). |
+| [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md) | This article for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. |
+| [Merge AppLocker policies manually](merge-applocker-policies-manually.md) | This article for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO). |
+| [Refresh an AppLocker policy](refresh-an-applocker-policy.md) | This article for IT professionals describes the steps to force an update for an AppLocker policy. |
+| [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md) | This article for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.|
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules.md
index 57c5eaa7cd..e06ef57ede 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules.md
@@ -1,104 +1,92 @@
---
title: Working with AppLocker rules
-description: This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies.
+description: This article for IT professionals describes AppLocker rule types and how to work with them for your application control policies.
ms.localizationpriority: medium
-msauthor: v-anbic
-ms.date: 08/27/2018
+msauthor: jsuther
+ms.date: 12/21/2023
ms.topic: conceptual
---
# Working with AppLocker rules
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for IT professionals describes AppLocker rule types and how to work with them for your application control policies.
-This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies.
-
-## In this section
-
-| Topic | Description |
-| - | - |
-| [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a file hash condition.|
-| [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a path condition.|
-| [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.|
-| [Create AppLocker default rules](create-applocker-default-rules.md) | This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.|
-| [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) | This topic for IT professionals describes the steps to specify which apps can or can't run as exceptions to an AppLocker rule.|
-| [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) | This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.|
-| [Delete an AppLocker rule](delete-an-applocker-rule.md) | This topic for IT professionals describes the steps to delete an AppLocker rule.|
-| [Edit AppLocker rules](edit-applocker-rules.md) | This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.|
-| [Enable the DLL rule collection](enable-the-dll-rule-collection.md) | This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.|
-| [Enforce AppLocker rules](enforce-applocker-rules.md) | This topic for IT professionals describes how to enforce application control rules by using AppLocker.|
-| [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md) | This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.|
-
-The three AppLocker enforcement modes are described in the following table. The enforcement mode setting defined here can be overwritten by the setting derived from a linked Group Policy Object (GPO) with a higher precedence.
-
-| Enforcement mode | Description |
-| - | - |
-| **Not configured** | This is the default setting, which means that the rules defined here will be enforced unless a linked GPO with a higher precedence has a different value for this setting.|
-| **Enforce rules** | Rules are enforced.|
-| **Audit only** | Rules are audited but not enforced. When a user runs an app that is affected by an AppLocker rule, the app is allowed to run and the info about the app is added to the AppLocker event log. The Audit-only enforcement mode helps you determine which apps will be affected by the policy before the policy is enforced. When the AppLocker policy for a rule collection is set to **Audit only**, rules for that rule collection aren't enforced|
-
-When AppLocker policies from various GPOs are merged, the rules from all the GPOs are merged, and the enforcement mode setting of the winning GPO is applied.
## Rule collections
-The AppLocker console is organized into rule collections, which are executable files, scripts, Windows Installer files, packaged apps and packaged app installers, and DLL files. These collections give you an easy way to differentiate the rules for different types of apps. The following table lists the file formats that are included in each rule collection.
+AppLocker policies are organized into rule collections, including executable files, scripts, Windows Installer files, packaged apps and packaged app installers, and DLL files. These collections give you an easy way to differentiate the rules for different types of apps. The following table lists the file formats that are included in each rule collection.
| Rule collection | Associated file formats |
| - | - |
-| Executable files | .exe
.com|
-| Scripts| .ps1
.bat
.cmd
.vbs
.js|
-| Windows Installer files | .msi
.msp
.mst|
-| Packaged apps and packaged app installers | .appx|
-| DLL files | .dll
.ocx|
-
->**Important:** If you use DLL rules, you need to create an allow rule for each DLL that is used by all of the allowed apps.
+| Executable files | .exe
.com |
+| Scripts| .ps1
.bat
.cmd
.vbs
.js |
+| Windows Installer files | .msi
.msp
.mst |
+| Packaged apps and packaged app installers | .appx |
+| DLL files | .dll
.ocx |
-When DLL rules are used, AppLocker must check each DLL that an application loads. Therefore, users may experience a reduction in performance if DLL rules are used.
+> [!NOTE]
+> AppLocker rules for executable files actually apply to all portable executable (PE) files, regardless of the file's extension which attackers can easily change. The file extension information listed in the preceding table for executable files is illustrative only.
-The DLL rule collection isn't enabled by default. To learn how to enable the DLL rule collection, see [DLL rule collections](#bkmk-dllrulecollections).
+The DLL rule collection isn't enabled by default. To learn how to enable the DLL rule collection, see [DLL rule collections](#dll-rule-collection).
+
+> [!Important]
+> If you use DLL rules, you need to create an allow rule that covers every DLL used by all allowed apps.
+>
+> When DLL rules are used, AppLocker must check each DLL that an application loads. Therefore, users may experience a reduction in performance if DLL rules are used. However, this performance impact is usually imperceptible unless a device is already resource constrained.
+
+## Enforcement modes
+
+AppLocker policies set an **enforcement mode** for each rule collection included in the policy. These enforcement modes are described in the following table.
+
+| Enforcement mode | Description |
+| --- | --- |
+| **Not configured** | Despite the name, this enforcement mode **doesn't** mean the rules are ignored. On the contrary, if any rules exist in a rule collection that is "not configured", the rules **will be enforced** unless a policy with a higher precedence changes the enforcement mode to Audit only. Since this enforcement mode can be confusing for policy authors, you should avoid using this value in your AppLocker policies. Instead, you should choose explicitly between the remaining two options. |
+| **Enforce rules** | Rules are enforced. When a user runs an app affected by an AppLocker rule, the app binary is blocked. Info about the binary is added to the AppLocker event log. |
+| **Audit only** | Rules are audited but not enforced. When a user runs an app affected by an AppLocker rule, the app binary is allowed to run. However, the info about the binary is added to the AppLocker event log. The Audit-only enforcement mode helps you identify the apps affected by the policy before the policy is enforced. |
+
+When AppLocker policies are merged, the rules from all the policies are added to the effective policy and a single enforcement mode is selected for each rule collection. If multiple AppLocker policies are applied to a device through Group Policy, the enforcement mode setting applied is selected based on Group Policy precedence. If you apply an AppLocker policy locally using the Set-AppLockerPolicy PowerShell cmdlet with the *-merge* option, the more restrictive enforcement mode is chosen between the existing local policy and the policy being merged.
-EXE rules apply to portable executable (PE) files. AppLocker checks whether a file is a valid PE file, rather than just applying rules based on file extension, which attackers can easily change. Regardless of the file extension, the AppLocker EXE rule collection will work on a file as long as it's a valid PE file.
-
## Rule conditions
Rule conditions are criteria that help AppLocker identify the apps to which the rule applies. The three primary rule conditions are publisher, path, and file hash.
-- [Publisher](#bkmk-publisher): Identifies an app based on its digital signature
-- [Path](#bkmk-path): Identifies an app by its location in the file system of the computer or on the network
-- [File hash](#bkmk-filehash): Represents the system computed cryptographic hash of the identified file
+- [Publisher](#publisher): Identifies an app based on its digital signature
+- [Path](#path): Identifies an app by its location in the file system of the computer or on the network
+- [File hash](#file-hash): Represents the system computed cryptographic Authenticode hash of the identified file
-### Publisher
+### Publisher
-This condition identifies an app based on its digital signature and extended attributes when available. The digital signature contains info about the company that created the app (the publisher). Executable files, dlls, Windows installers, packaged apps and packaged app installers also have extended attributes, which are obtained from the binary resource. If there's executable files, dlls and Windows installers, these attributes contain the name of the product that the file is a part of, the original name of the file as supplied by the publisher, and the version number of the file. If there are packaged apps and packaged app installers, these extended attributes contain the name and the version of the app package.
+This condition identifies an app based on its digital signature and extended attributes when available. The digital signature contains info about the company that created the app (the publisher). Executable files, dlls, Windows installers, packaged apps and packaged app installers also include extended attributes, which are obtained from the binary resource. These attributes often include the name of the product, the original file name, and the version number of the file as defined by the publisher. If there are packaged apps and packaged app installers, these extended attributes contain the name and the version of the app package.
+
+> [!NOTE]
+> Rules created in the packaged apps and packaged app installers rule collection can only have publisher conditions since Windows does not support unsigned packaged apps and packaged app installers.
+>
+> Use a publisher rule condition when possible because they are more resilient to app updates as well as a change in the location of files.
-> **Note:** Rules created in the packaged apps and packaged app installers rule collection can only have publisher conditions since Windows does not support unsigned packaged apps and packaged app installers.
->
-> **Note:** Use a publisher rule condition when possible because they can survive app updates as well as a change in the location of files.
-
When you select a reference file for a publisher condition, the wizard creates a rule that specifies the publisher, product, file name, and version number. You can make the rule more generic by moving up the slider or by using a wildcard character (\*) in the product, file name, or version number fields.
->**Note:** To enter custom values for any of the fields of a publisher rule condition in the Create Rules Wizard, you must select the **Use custom values** check box. When this check box is selected, you cannot use the slider.
-
+> [!NOTE]
+> To enter custom values for any of the fields of a publisher rule condition in the Create Rules Wizard, you must select the **Use custom values** check box. When this check box is selected, you cannot use the slider.
+
The **File version** and **Package version** control whether a user can run a specific version, earlier versions, or later versions of the app. You can choose a version number and then configure the following options:
-- **Exactly.** The rule applies only to this version of the app
-- **And above.** The rule applies to this version and all later versions.
-- **And below.** The rule applies to this version and all earlier versions.
+- **Exactly.** The rule applies only to this version of the app
+- **And above.** The rule applies to this version and all later versions.
+- **And below.** The rule applies to this version and all earlier versions.
The following table describes how a publisher condition is applied.
| Option | The publisher condition allows or denies... |
-|---|---|
-| **All signed files** | All files that are signed by any publisher.|
-| **Publisher only**| All files that are signed by the named publisher.|
-| **Publisher and product name**| All files for the specified product that are signed by the named publisher.|
-| **Publisher and product name, and file name**| Any version of the named file or package for the named product that is signed by the publisher.|
-| **Publisher, product name, file name, and file version**| **Exactly**
The specified version of the named file or package for the named product that is signed by the publisher.|
-| **Publisher, product name, file name, and file version**| **And above**
The specified version of the named file or package and any new releases for the product that are signed by the publisher.|
-| **Publisher, product name, file name, and file version**| **And below**
The specified version of the named file or package and any earlier versions for the product that are signed by the publisher.|
-| **Custom**| You can edit the **Publisher**, **Product name**, **File name**, **Version** **Package name**, and **Package version** fields to create a custom rule.|
+| --- | --- |
+| **All signed files** | All files signed by any publisher. |
+| **Publisher only** | All files signed by the named publisher. |
+| **Publisher and product name** | All files for the specified product signed by the named publisher. |
+| **Publisher and product name, and file name** | Any version of the named file or package for the named product signed by the publisher. |
+| **Publisher, product name, file name, and file version** | **Exactly**
The specified version of the named file or package for the named product signed by the publisher. |
+| **Publisher, product name, file name, and file version** | **And above**
The specified version of the named file or package and any new releases for the product signed by the publisher. |
+| **Publisher, product name, file name, and file version** | **And below**
The specified version of the named file or package and any earlier versions for the product signed by the publisher. |
+| **Custom** | You can edit the **Publisher**, **Product name**, **File name**, **Version** **Package name**, and **Package version** fields to create a custom rule. |
-### Path
+### Path
This rule condition identifies an application by its location in the file system of the computer or on the network.
@@ -107,106 +95,116 @@ AppLocker uses custom path variables for well-known paths, such as Program Files
The following table details these path variables.
| Windows directory or disk | AppLocker path variable | Windows environment variable |
-| - | - | - |
-| Windows| %WINDIR%| %SystemRoot%|
-| System32 and SysWOW64| %SYSTEM32%| %SystemDirectory%|
-| Windows installation directory| %OSDRIVE%| %SystemDrive%|
-| Program Files| %PROGRAMFILES%| %ProgramFiles% and %ProgramFiles(x86)% |
-| Removable media (for example, a CD or DVD)| %REMOVABLE%| |
-| Removable storage device (for example, a USB flash drive)| %HOT% | |
-
->**Important:** Because a path rule condition can be configured to include a large number of folders and files, path conditions should be carefully planned. For example, if an allow rule with a path condition includes a folder location that non-administrators are allowed to write data into, a user can copy unapproved files into that location and run the files. For this reason, it is a best practice to not create path conditions for standard user writable locations, such as a user profile.
-
-### File hash
+| --- | --- | --- |
+| Windows | %WINDIR%| %SystemRoot%|
+| System32 and SysWOW64 | %SYSTEM32%| %SystemDirectory%|
+| Windows installation directory | %OSDRIVE%| %SystemDrive%|
+| Program Files | %PROGRAMFILES% | %ProgramFiles% and %ProgramFiles(x86)% |
+| Removable media (for example, a CD or DVD) | %REMOVABLE% | |
+| Removable storage device (for example, a USB flash drive) | %HOT% | |
-When you choose the file hash rule condition, the system computes a cryptographic hash of the identified file. The advantage of this rule condition is that because each file has a unique hash, a file hash rule condition applies to only one file. The disadvantage is that each time the file is updated (such as a security update or upgrade) the file's hash will change. As a result, you must manually update file hash rules.
+> [!IMPORTANT]
+> Because a path rule condition can be configured to include a large number of folders and files, path conditions should be carefully planned. For example, if a path rule includes a folder location that lets non-administrators write data, a user (or malware running as a standard user) can copy unapproved files into that location and run the files. For this reason, you should avoid creating path conditions for standard user writable locations, such as a user profile.
+
+### File hash
+
+When you choose the file hash rule condition, the system computes the Authenticode cryptographic hash of the identified file. The advantage of this rule condition is that because each file has a unique hash, a file hash rule condition applies to only one file. The disadvantage is that each time the file is updated (such as a security update or upgrade) the file's hash changes. As a result, you must manually update file hash rules.
## AppLocker default rules
-AppLocker includes default rules, which are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For background, see [Understanding AppLocker default rules](understanding-applocker-default-rules.md), and for steps, see [Create AppLocker default rules](create-applocker-default-rules.md).
+AppLocker policies created using the AppLocker Group Policy editor can include default rules. Default rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For background, see [Understanding AppLocker default rules](understanding-applocker-default-rules.md), and for steps, see [Create AppLocker default rules](create-applocker-default-rules.md).
Executable default rule types include:
-- Allow members of the local **Administrators** group to run all apps.
-- Allow members of the **Everyone** group to run apps that are located in the Windows folder.
-- Allow members of the **Everyone** group to run apps that are located in the Program Files folder.
+- Allow members of the local **Administrators** group to run all apps.
+- Allow members of the **Everyone** group to run apps that are located in the Windows folder.
+- Allow members of the **Everyone** group to run apps that are located in the Program Files folder.
Script default rule types include:
-- Allow members of the local **Administrators** group to run all scripts.
-- Allow members of the **Everyone** group to run scripts that are located in the Program Files folder.
-- Allow members of the **Everyone** group to run scripts that are located in the Windows folder.
+- Allow members of the local **Administrators** group to run all scripts.
+- Allow members of the **Everyone** group to run scripts that are located in the Program Files folder.
+- Allow members of the **Everyone** group to run scripts that are located in the Windows folder.
Windows Installer default rule types include:
-- Allow members of the local **Administrators** group to run all Windows Installer files.
-- Allow members of the **Everyone** group to run all digitally signed Windows Installer files.
-- Allow members of the **Everyone** group to run all Windows Installer files that are located in the Windows\\Installer folder.
+- Allow members of the local **Administrators** group to run all Windows Installer files.
+- Allow members of the **Everyone** group to run all digitally signed Windows Installer files.
+- Allow members of the **Everyone** group to run all Windows Installer files that are located in the Windows\\Installer folder.
DLL default rule types:
-- Allow members of the local **Administrators** group to run all DLLs.
-- Allow members of the **Everyone** group to run DLLs that are located in the Program Files folder.
-- Allow members of the **Everyone** group to run DLLs that are located in the Windows folder.
+- Allow members of the local **Administrators** group to run all DLLs.
+- Allow members of the **Everyone** group to run DLLs that are located in the Program Files folder.
+- Allow members of the **Everyone** group to run DLLs that are located in the Windows folder.
Packaged apps default rule types:
-- Allow members of the **Everyone** group to install and run all signed packaged apps and packaged app installers.
+- Allow members of the **Everyone** group to install and run all signed packaged apps and packaged app installers.
## AppLocker rule behavior
-If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For example, if you create an executable rule that allows .exe files in *%SystemDrive%\\FilePath* to run, only executable files located in that path are allowed to run.
+If no AppLocker rules are defined for a specific rule collection, all files covered by that rule collection are allowed to run. However, if any rule exists for a specific rule collection, then *only* those files matching at least one allow rule and not matching any deny rules run. For example, if you create an executable rule that allows .exe files in *%SystemDrive%\\FilePath* to run, only executable files located in that path are allowed to run.
A rule can be configured to use allow or deny actions:
-- **Allow.** You can specify which files are allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
-- **Deny.** You can specify which files are *not* allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
+- **Allow.** You can specify which files are allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
+- **Deny.** You can specify which files *aren't* allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
+
+For a best practice, use allow actions with exceptions. Although you can use a combination of allow and deny actions, deny actions always win. You can't use any other rule to allow a file that matches a deny rule.
-> **Important:** For a best practice, use allow actions with exceptions. You can use a combination of allow and deny actions but understand that deny actions override allow actions in all cases, and can be circumvented.
->
-> **Important:** If you join a computer running at least Windows Server 2012 or Windows 8 to a domain that already enforces AppLocker rules for executable files, users will not be able to run any packaged apps unless you also create rules for packaged apps. If you want to allow any packaged apps in your environment while continuing to control executable files, you should create the default rules for packaged apps and set the enforcement mode to Audit-only for the packaged apps rule collection.
-
## Rule exceptions
-You can apply AppLocker rules to individual users or to a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. For example, the rule "Allow everyone to run Windows except Registry Editor" allows everyone in the organization to run the Windows operating system, but it doesn't allow anyone to run Registry Editor.
+You can apply AppLocker rules to individual users or to a group of users. If you apply a rule to a group of users, the rule affects all users in that group. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. For example, the rule "Allow everyone to run Windows except Registry Editor" allows everyone in the organization to run the Windows operating system, but it doesn't allow anyone to run Registry Editor.
-The effect of this rule would prevent users such as Help Desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Help Desk user group: "Allow Help Desk to run Registry Editor." If you create a deny rule that doesn't allow any users to run Registry Editor, the deny rule will override the second rule that allows the Help Desk user group to run Registry Editor.
+The effect of this rule would prevent users such as Help Desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Help Desk user group: "Allow Help Desk to run Registry Editor." If you instead used a deny rule that blocks all users from running Registry Editor, the second rule wouldn't actually let the help desk users run Registry Editor.
-## DLL rule collection
+## DLL rule collection
Because the DLL rule collection isn't enabled by default, you must perform the following procedure before you can create and enforce DLL rules.
Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
-**To enable the DLL rule collection**
+### To enable the DLL rule collection
-1. Click **Start**, type **secpol.msc**, and then press ENTER.
-2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
-3. In the console tree, double-click **Application Control Policies**, right-click **AppLocker**, and then click **Properties**.
-4. Click the **Advanced** tab, select the **Enable the DLL rule collection** check box, and then click **OK**.
+1. Select **Start**, type **secpol.msc**, and then select ENTER.
+2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
+3. In the console tree, double-click **Application Control Policies**, right-click **AppLocker**, and then select **Properties**.
+4. Select the **Advanced** tab, select the **Enable the DLL rule collection** check box, and then select **OK**.
+
+ > [!IMPORTANT]
+ > Before you enforce DLL rules, make sure that there are allow rules for every DLL that is needed by all allowed apps.
- >**Important:** Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps.
-
## AppLocker wizards
You can create rules by using two AppLocker wizards:
-1. The Create Rules Wizard enables you to create one rule at a time.
-2. The Automatically Generate Rules Wizard allows you to create multiple rules at one time. You can either select a folder and let the wizard create rules for the relevant files within that folder or if there are packaged apps let the wizard create rules for all packaged apps installed on the computer. You can also specify the user or group to which to apply the rules. This wizard automatically generates allow rules only.
+1. The Create Rules Wizard enables you to create one rule at a time.
+2. The Automatically Generate Rules Wizard allows you to create multiple rules at one time. You can select a folder and let the wizard create rules for any relevant files found. Or, for packaged apps, let the wizard create rules for all packaged apps installed on the computer. You can also specify the user or group to which to apply the rules. This wizard automatically generates allow rules only.
## Other considerations
-- By default, AppLocker rules don't allow users to open or run any files that aren't allowed. Administrators should maintain an up-to-date list of allowed applications.
-- There are two types of AppLocker conditions that don't persist following an update of an app:
+- By default, AppLocker rules don't allow users to open or run any files that aren't allowed. Administrators should maintain an up-to-date list of allowed applications.
+- There are two types of AppLocker conditions that don't persist following an update of an app:
+ - **A file hash condition** File hash rule conditions can be used with any app because a cryptographic hash value of the app file is generated at the time the rule is created. However, the hash value is specific to that exact version of the file. If you need to allow multiple versions of the file, you need individual file hash conditions for each version of the file.
+ - **A publisher condition with a specific product version set** If you create a publisher rule condition that uses the **Exactly** version option, the rule can't persist if a new version of the app is installed. A new publisher condition must be created, or the version must be edited in the rule to be made less specific.
+- If an app isn't digitally signed, you can't use a publisher rule condition for that app.
+- If any rules are enforced for the EXE rule collection, you must create rules in the packaged apps and packaged app installers rule collection. Otherwise, all packaged apps and packaged app installers are blocked.
+- A custom configured URL can be included in the message that is displayed when an app is blocked.
+- Expect an increase in the number of Help Desk calls when users encounter apps that aren't allowed.
- - **A file hash condition** File hash rule conditions can be used with any app because a cryptographic hash value of the app is generated at the time the rule is created. However, the hash value is specific to that exact version of the app. If there are several versions of the application in use within the organization, you need to create file hash conditions for each version in use and for any new versions that are released.
+## In this section
- - **A publisher condition with a specific product version set** If you create a publisher rule condition that uses the **Exactly** version option, the rule can't persist if a new version of the app is installed. A new publisher condition must be created, or the version must be edited in the rule to be made less specific.
-
-- If an app isn't digitally signed, you can't use a publisher rule condition for that app.
-- AppLocker rules can't be used to manage computers running a Windows operating system earlier than Windows Server 2008 R2 or Windows 7. Software Restriction Policies must be used instead. If AppLocker rules are defined in a Group Policy Object (GPO), only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs.
-- The packaged apps and packaged apps installer rule collection is available on devices running at least Windows Server 2012 and Windows 8.
-- When the rules for the executable rule collection are enforced and the packaged apps and packaged app installers rule collection doesn't contain any rules, no packaged apps and packaged app installers are allowed to run. In order to allow any packaged apps and packaged app installers, you must create rules for the packaged apps and packaged app installers rule collection.
-- When an AppLocker rule collection is set to **Audit only**, the rules aren't enforced. When a user runs an application that is included in the rule, the app is opened and runs normally, and information about that app is added to the AppLocker event log.
-- A custom configured URL can be included in the message that is displayed when an app is blocked.
-- Expect an increase in the number of Help Desk calls initially because of blocked apps until users understand that they can't run apps that aren't allowed.
+| Article | Description |
+| - | - |
+| [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) | This article for IT professionals shows how to create an AppLocker rule with a file hash condition.|
+| [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) | This article for IT professionals shows how to create an AppLocker rule with a path condition.|
+| [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) | This article for IT professionals shows how to create an AppLocker rule with a publisher condition.|
+| [Create AppLocker default rules](create-applocker-default-rules.md) | This article for IT professionals describes the steps to create a standard set of AppLocker rules that allow Windows system files to run.|
+| [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) | This article for IT professionals describes the steps to specify which apps can or can't run as exceptions to an AppLocker rule.|
+| [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) | This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.|
+| [Delete an AppLocker rule](delete-an-applocker-rule.md) | This article for IT professionals describes the steps to delete an AppLocker rule.|
+| [Edit AppLocker rules](edit-applocker-rules.md) | This article for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.|
+| [Enable the DLL rule collection](enable-the-dll-rule-collection.md) | This article for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.|
+| [Enforce AppLocker rules](enforce-applocker-rules.md) | This article for IT professionals describes how to enforce application control rules by using AppLocker.|
+| [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md) | This article for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.|
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
index 3eac346b20..615226657c 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
@@ -3,7 +3,6 @@ title: Microsoft recommended driver block rules
description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community.
ms.localizationpriority: medium
ms.collection:
-- highpri
- tier3
- must-keep
ms.date: 06/06/2023
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/plan-wdac-management.md b/windows/security/application-security/application-control/windows-defender-application-control/design/plan-wdac-management.md
index c51eebd95c..c1eee0110d 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/plan-wdac-management.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/plan-wdac-management.md
@@ -2,7 +2,7 @@
title: Plan for WDAC policy management
description: Learn about the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control policies.
ms.localizationpriority: medium
-ms.date: 11/02/2022
+ms.date: 11/22/2023
ms.topic: article
---
@@ -11,7 +11,7 @@ ms.topic: article
>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
-This topic describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies.
+This article describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies.
## Policy XML lifecycle management
@@ -23,7 +23,7 @@ Most Windows Defender Application Control policies will evolve over time and pro
2. [Deploy the audit mode policy](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) to intended devices.
3. [Monitor audit block events](/windows/security/threat-protection/windows-defender-application-control/event-id-explanations) from the intended devices and add/edit/delete rules as needed to address unexpected/unwanted blocks.
4. Repeat steps 2-3 until the remaining block events meet expectations.
-5. [Generate the enforced mode version](/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies) of the policy. In enforced mode, files that aren't allowed by the policy are prevented from executing and corresponding block events are generated.
+5. [Generate the enforced mode version](/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies) of the policy. In enforced mode, files that the policy doesn't allow are prevented from running and corresponding block events are generated.
6. [Deploy the enforced mode policy](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly.
7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes.
@@ -35,7 +35,7 @@ To effectively manage Windows Defender Application Control policies, you should
### Set PolicyName, PolicyID, and Version metadata for each policy
-Use the [Set-CIPolicyIDInfo](/powershell/module/configci/set-cipolicyidinfo) cmdlet to give each policy a descriptive name and set a unique ID in order to differentiate each policy when reviewing Windows Defender Application Control events or when viewing the policy XML document. Although you can specify a string value for PolicyId, for policies using the multiple policy format we recommend using the -ResetPolicyId switch to let the system autogenerate a unique ID for the policy.
+Use the [Set-CIPolicyIDInfo](/powershell/module/configci/set-cipolicyidinfo) cmdlet to give each policy a descriptive name and set a unique policy ID. These unique attributes help you differentiate each policy when reviewing Windows Defender Application Control events or when viewing the policy XML document. Although you can specify a string value for PolicyId, for policies using the multiple policy format we recommend using the -ResetPolicyId switch to let the system autogenerate a unique ID for the policy.
> [!NOTE]
> PolicyID only applies to policies using the [multiple policy format](deploy-multiple-wdac-policies.md) on computers running Windows 10, version 1903 and above, or Windows 11. Running -ResetPolicyId on a policy created for pre-1903 computers will convert it to multiple policy format and prevent it from running on those earlier versions of Windows 10.
@@ -45,15 +45,15 @@ In addition, we recommend using the [Set-CIPolicyVersion](/powershell/module/con
### Policy rule updates
-As new apps are deployed or existing apps are updated by the software publisher, you may need to make revisions to your rules to ensure that these apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you use WDAC [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you're less likely to need policy updates.
+You might need to revise your policy when new apps are deployed or existing apps are updated by the software publisher to ensure that apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you use WDAC [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you're less likely to need policy updates.
## WDAC event management
-Each time that a process is blocked by Windows Defender Application Control, events will be written to either the CodeIntegrity\Operational or the AppLocker\MSI and Script Windows event logs. The event details which file tried to run, the attributes of that file and its signatures, and the process that attempted to run the blocked file.
+Each time that WDAC blocks a process, events are written to either the CodeIntegrity\Operational or the AppLocker\MSI and Script Windows event logs. The event describes the file that tried to run, the attributes of that file and its signatures, and the process that attempted to run the blocked file.
-Collecting these events in a central location can help you maintain your Windows Defender Application Control policy and troubleshoot rule configuration problems. Event collection technologies such as those available in Windows allow administrators to subscribe to specific event channels and have the events from source computers aggregated into a forwarded event log on a Windows Server operating system collector. For more info about setting up an event subscription, see [Configure Computers to Collect and Forward Events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc748890(v=ws.11)).
+Collecting these events in a central location can help you maintain your Windows Defender Application Control policy and troubleshoot rule configuration problems. You can [use the Azure Monitor Agent](/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent) to automatically collect your WDAC events for analysis.
-Additionally, Windows Defender Application Control events are collected by [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) and can be queried using the [advanced hunting](../operations/querying-application-control-events-centrally-using-advanced-hunting.md) feature.
+Additionally, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) collects WDAC events which can be queried using the [advanced hunting](../operations/querying-application-control-events-centrally-using-advanced-hunting.md) feature.
## Application and user support policy
@@ -75,9 +75,9 @@ If your organization has an established help desk support department in place, c
### End-user support
-Because Windows Defender Application Control is preventing unapproved apps from running, it's important that your organization carefully plan how to provide end-user support. Considerations include:
+Because Windows Defender Application Control is preventing unapproved apps from running, it's important that your organization carefully plans how to provide end-user support. Considerations include:
-- Do you want to use an intranet site as a first line of support for users who have tried to run a blocked app?
+- Do you want to use an intranet site as a frontline of support for users who try to run a blocked app?
- How do you want to support exceptions to the policy? Will you allow users to run a script to temporarily allow access to a blocked app?
## Document your plan
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
index 68d101d832..961a1e4dc4 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
@@ -2,7 +2,7 @@
title: Understand Windows Defender Application Control (WDAC) policy rules and file rules
description: Learn how WDAC policy rules and file rules can control your Windows 10 and Windows 11 computers.
ms.localizationpriority: medium
-ms.date: 08/11/2023
+ms.date: 11/22/2023
ms.topic: article
---
@@ -11,7 +11,7 @@ ms.topic: article
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [WDAC feature availability](../feature-availability.md).
-Windows Defender Application Control (WDAC) can control what runs on Windows 10, Windows 11, and Windows Server 2016 and later, by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted.
+Windows Defender Application Control (WDAC) can control what runs on your Windows devices by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how to identify applications your organization trusts.
## Windows Defender Application Control policy rules
@@ -20,7 +20,9 @@ To modify the policy rule options of an existing WDAC policy XML, use the [WDAC
You can set several rule options within a WDAC policy. Table 1 describes each rule option, and whether supplemental policies can set them. Some rule options are reserved for future work or not supported.
> [!NOTE]
-> We recommend that you use **Enabled:Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked-instead the policy logs an event whenever an application outside the policy is started. To allow these applications, you can capture the policy information from the event log, and then merge that information into the existing policy. When the **Enabled:Audit Mode** is deleted, the policy runs in enforced mode.
+> We recommend that you use **Enabled:Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, applications run normally but WDAC logs events whenever a file runs that isn't allowed by the policy. To allow these files, you can capture the policy information from the event log, and then merge that information into the existing policy. When the **Enabled:Audit Mode** is deleted, the policy runs in enforced mode.
+>
+> Some apps may behave differently even when your policy is in audit mode. When an option may change behaviors in audit mode, that is noted in Table 1. You should always test your apps thoroughly when deploying significant updates to your WDAC policies.
### Table 1. Windows Defender Application Control policy - policy rule options
@@ -37,7 +39,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **8 Required:EV Signers** | This option isn't currently supported. | No |
| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | No |
| **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a boot-critical driver fails during startup, the WDAC policy is placed in audit mode so that Windows loads. Administrators can validate the reason for the failure in the CodeIntegrity event log. | No |
-| **11 Disabled:Script Enforcement** | This option disables script enforcement options, covering PowerShell, Windows Based Script Host (wscript.exe), Windows Console Based Script Host (cscript.exe), HTA files run in Microsoft HTML Application Host (mshta.exe), and MSXML. For more information on script enforcement, see [Script enforcement with WDAC](/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement).
NOTE: This option isn't supported on Windows Server 2016 or Windows 10 1607 LTSB and shouldn't be used on those operating systems. | No |
+| **11 Disabled:Script Enforcement** | This option disables script enforcement options, covering PowerShell, Windows Based Script Host (wscript.exe), Windows Console Based Script Host (cscript.exe), HTA files run in Microsoft HTML Application Host (mshta.exe), and MSXML. Some script hosts may behave differently even when your policy is in audit mode. For more information on script enforcement, see [Script enforcement with WDAC](/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement).
NOTE: This option isn't supported on Windows Server 2016 or Windows 10 1607 LTSB and shouldn't be used on those operating systems. | No |
| **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies also apply to Universal Windows applications. | No |
| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | Yes |
| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft's Intelligent Security Graph (ISG). | Yes |
@@ -45,7 +47,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot.
NOTE: This option is only supported on Windows 10, version 1709 and later, or Windows Server 2019 and later.| No |
| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it.
NOTE: This option is only supported on Windows 10, version 1903 and later, or Windows Server 2022 and later. | No |
| **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator.
NOTE: This option is only supported on Windows 10, version 1903 and later, or Windows Server 2022 and later. | Yes |
-| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries.
NOTE: This option is only supported on Windows 10, version 1803 and later, or Windows Server 2019 and later. | No |
+| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries.
NOTE: This option is only supported on Windows 10, version 1803 and later, or Windows Server 2019 and later.
NOTE: This option is always enforced if *any* WDAC UMCI policy enables it. There's no audit mode for .NET dynamic code security hardening. | No |
| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with revoked certificates, or expired certificates with the Lifetime Signing EKU on the signature, as "Unsigned binaries" for user-mode process/components, under enterprise signing scenarios. | No |
| **Enabled:Developer Mode Dynamic Code Trust** | Use this option to trust UWP apps that are [debugged in Visual Studio](/visualstudio/debugger/run-windows-store-apps-on-a-remote-machine) or deployed through device portal when Developer Mode is enabled on the system. | No |
@@ -71,7 +73,7 @@ Each file rule level has advantages and disadvantages. Use Table 2 to select the
| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates typically have shorter validity periods than other certificate levels, so the WDAC policy must be updated whenever these certificates change. |
| **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root because the scan doesn't resolve the complete certificate chain via the local root stores or with an online check. |
| **RootCertificate** | Not supported. |
-| **WHQL** | Only trusts binaries that have been submitted to Microsoft and signed by the Windows Hardware Qualification Lab (WHQL). This level is primarily for kernel binaries. |
+| **WHQL** | Only trusts binaries that were submitted to Microsoft and signed by the Windows Hardware Qualification Lab (WHQL). This level is primarily for kernel binaries. |
| **WHQLPublisher** | This level combines the WHQL level and the CN on the leaf certificate, and is primarily for kernel binaries. |
| **WHQLFilePublisher** | This level combines the "FileName" attribute of the signed file, plus "WHQLPublisher", plus a minimum version number. This level is primarily for kernel binaries. By default, this level uses the OriginalFileName attribute of the file's resource header. Use [-SpecificFileNameLevel](#use--specificfilenamelevel-with-filename-filepublisher-or-whqlfilepublisher-level-rules) to choose an alternative attribute, such as ProductName. |
@@ -96,7 +98,7 @@ For example, consider an IT professional in a department that runs many servers.
To create the WDAC policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](/powershell/module/configci/new-cipolicy) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They deploy the policy in auditing mode to determine the potential impact from enforcing the policy. With the help of the audit data, they update their WDAC policies to include any other software they want to run. Then they enable the WDAC policy in enforced mode for their servers.
-As part of normal operations, they'll eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they won't need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version.
+As part of normal operations, they'll eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they don't need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version.
## File rule precedence order
@@ -107,7 +109,7 @@ WDAC has a built-in file rule conflict logic that translates to precedence order
## Use -SpecificFileNameLevel with FileName, FilePublisher, or WHQLFilePublisher level rules
-By default, the FileName, FilePublisher, and WHQLFilePublisher rule levels will use the OriginalFileName attribute from the file's resource header. You can use an alternative resource header attribute for your rules by setting the **-SpecificFileNameLevel**. For instance, a software developer may use the same ProductName for all binaries that are part of an app. Using -SpecificFileNameLevel, you can create a single rule to cover all of those binaries in your policy rather than individual rules for every file.
+By default, the FileName, FilePublisher, and WHQLFilePublisher rule levels use the OriginalFileName attribute from the file's resource header. You can use an alternative resource header attribute for your rules by setting the **-SpecificFileNameLevel**. For instance, a software developer might use the same ProductName for all binaries that are part of an app. Using -SpecificFileNameLevel, you can create a single rule to cover all of those binaries in your policy rather than individual rules for every file.
Table 3 describes the available resource header attribute options you can set with -SpecificFileNameLevel.
@@ -124,7 +126,7 @@ Table 3 describes the available resource header attribute options you can set wi
## More information about filepath rules
-Filepath rules don't provide the same security guarantees that explicit signer rules do, since they're based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect to remain admin-writeable only. You may want to avoid path rules for directories where standard users can modify ACLs on the folder.
+Filepath rules don't provide the same security guarantees that explicit signer rules do, since they're based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect to remain admin-writeable only. You might want to avoid path rules for directories where standard users can modify ACLs on the folder.
### User-writable filepaths
@@ -182,8 +184,8 @@ In the cmdlets, rather than try to predict which hash will be used, we precalcul
### Why does scan create eight hash rules for certain files?
-Separate rules are created for UMCI and KMCI. If the cmdlets can't determine that a file will only run in user-mode or in the kernel, then rules are created for both signing scenarios out of an abundance of caution. If you know that a particular file will only load in either user-mode or kernel, then you can safely remove the extra rules.
+Separate rules are created for UMCI and KMCI. If the cmdlets can't determine that a file only runs in user-mode or in the kernel, then rules are created for both signing scenarios out of an abundance of caution. If you know that a particular file only loads in either user-mode or kernel, then you can safely remove the extra rules.
### When does WDAC use the flat file hash value?
-There are some rare cases where a file's format doesn't conform to the Authenticode spec and so WDAC falls back to use the flat file hash. This can occur for a number of reasons, such as if changes are made to the in-memory version of the file at runtime. In such cases, you'll see that the hash shown in the correlated 3089 signature information event matches the flat file hash from the 3076/3077 block event. To create rules for files with an invalid format, you can add hash rules to the policy for the flat file hash using the WDAC Wizard or by editing the policy XML directly.
+There are some rare cases where a file's format doesn't conform to the Authenticode spec and so WDAC falls back to use the flat file hash. This behavior can occur for many reasons, such as if changes are made to the in-memory version of the file at runtime. In such cases, you'll see that the hash shown in the correlated 3089 signature information event matches the flat file hash from the 3076/3077 block event. To create rules for files with an invalid format, you can add hash rules to the policy for the flat file hash using the WDAC Wizard or by editing the policy XML directly.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet.md b/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet.md
index 8f866fa055..b0ec0ebfe9 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet.md
@@ -2,7 +2,7 @@
title: Windows Defender Application Control and .NET
description: Understand how WDAC and .NET work together and use Dynamic Code Security to verify code loaded by .NET at runtime.
ms.localizationpriority: medium
-ms.date: 08/10/2022
+ms.date: 11/22/2023
ms.topic: article
---
@@ -10,9 +10,9 @@ ms.topic: article
.NET apps (as written in a high-level language like C#) are compiled to an Intermediate Language (IL). IL is a compact code format that can be supported on any operating system or architecture. Most .NET apps use APIs that are supported in multiple environments, requiring only the .NET runtime to run. IL needs to be compiled to native code in order to execute on a CPU, for example Arm64 or x64. When .NET compiles IL to native image (NI) on a device with a WDAC user mode policy, it first checks whether the original IL file passes the current WDAC policies. If so, .NET sets an NTFS extended attribute (EA) on the generated NI file so that WDAC knows to trust it as well. When the .NET app runs, WDAC sees the EA on the NI file and allows it.
-The EA set on the NI file only applies to the currently active WDAC policies. If one of the active WDAC policies is updated or a new policy is applied, the EA on the NI file is invalidated. The next time the app runs, WDAC will block the NI file. .NET handles the block gracefully and will fall back to the original IL code. If the IL still passes the latest WDAC policies, then the app runs without any functional impact. Since the IL is now being compiled at runtime, you may notice a slight impact to performance of the app. When .NET must fall back to IL, .NET will also schedule a process to run at the next maintenance window to regenerate all NI files, thus reestablishing the WDAC EA for all code that passes the latest WDAC policies.
+The EA set on the NI file only applies to the currently active WDAC policies. If one of the active WDAC policies is updated or a new policy is applied, the EA on the NI file is invalidated. The next time the app runs, WDAC will block the NI file. .NET handles the block gracefully and falls back to the original IL code. If the IL still passes the latest WDAC policies, then the app runs without any functional impact. Since the IL is now being compiled at runtime, you might notice a slight impact to performance of the app. When .NET must fall back to IL, .NET will also schedule a process to run at the next maintenance window to regenerate all NI files, thus reestablishing the WDAC EA for all code that passes the latest WDAC policies.
-In some cases, if an NI file is blocked, you may see a "false positive" block event in the *CodeIntegrity - Operational* event log as described in [WDAC Admin Tips & Known Issues](/windows/security/threat-protection/windows-defender-application-control/operations/known-issues#net-native-images-may-generate-false-positive-block-events).
+In some cases, if an NI file is blocked, you might see a "false positive" block event in the *CodeIntegrity - Operational* event log as described in [WDAC Admin Tips & Known Issues](/windows/security/threat-protection/windows-defender-application-control/operations/known-issues#net-native-images-may-generate-false-positive-block-events).
To mitigate any performance impact caused when the WDAC EA isn't valid or missing:
@@ -22,14 +22,17 @@ To mitigate any performance impact caused when the WDAC EA isn't valid or missin
## WDAC and .NET hardening
-Security researchers have found that some .NET capabilities that allow apps to load libraries from external sources or generate new code at runtime can be used to circumvent WDAC controls.
-Beginning with Windows 10, version 1803, WDAC includes a new option, called *Dynamic Code Security* that works with .NET to verify code loaded at runtime.
+Security researchers found that some .NET capabilities that allow apps to load libraries from external sources or generate new code at runtime can be used to circumvent WDAC controls.
+To address this potential vulnerability, WDAC includes an option called *Dynamic Code Security* that works with .NET to verify code loaded at runtime.
-When the Dynamic Code Security option is enabled, Application Control policy is applied to libraries that .NET loads from external sources. For example, any non-local sources, such as the internet or a network share.
+When the Dynamic Code Security option is enabled, Application Control policy is applied to libraries that .NET loads from external sources. For example, any remote sources, such as the internet or a network share.
-Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with.
+> [!IMPORTANT]
+> .Net dynamic code security hardening is *turned on and enforced* if any WDAC policy with UMCI enabled has set option **19 Enabled:Dynamic Code Security**. There is no audit mode for this feature. You should test your apps with this option set before turning it on across large numbers of devices.
-Dynamic Code Security isn't enabled by default because existing policies may not account for externally loaded libraries.
+Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that was tampered with.
+
+Dynamic Code Security isn't enabled by default because existing policies might not account for externally loaded libraries.
Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, aren't currently supported with Dynamic Code Security enabled.
Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/feature-availability.md b/windows/security/application-security/application-control/windows-defender-application-control/feature-availability.md
index 4797a379d3..c029680d19 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/feature-availability.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/feature-availability.md
@@ -2,29 +2,29 @@
title: Windows Defender Application Control feature availability
description: Compare Windows Defender Application Control (WDAC) and AppLocker feature availability.
ms.localizationpriority: medium
-ms.date: 05/26/2023
+ms.date: 12/21/2023
ms.topic: overview
---
# Windows Defender Application Control and AppLocker feature availability
> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. See below to learn more.
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Review the following table to learn more.
| Capability | Windows Defender Application Control | AppLocker |
|-------------|------|-------------|
| Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later. | Available on Windows 8 or later. |
-| SKU availability | Available on Windows 10, Windows 11, and Windows Server 2016 or later.
WDAC PowerShell cmdlets aren't available on Home edition, but policies are effective on all editions. | Policies are supported on all editions Windows 10 version 2004 and newer with [KB 5024351](https://support.microsoft.com/help/5024351).
Windows versions older than version 2004, including Windows Server 2019:
The font should automatically install into your `%windir%/Fonts` directory. If it doesn't, you'll need to manually copy the font files into the **Fonts** directory and run the installation from there.
+On each computer with the app installed, right-click on the font name and click **Install**. The font should automatically install into your `%windir%\Fonts` directory. If it doesn't, you'll need to manually copy the font files into the **Fonts** directory and run the installation from there.
**To fix your apps by excluding processes**
-1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ Members of this group receive a GPO that specifies that authentication is requested, but not required.|
-| CG_DOMISO_Encryption | A universal group of device accounts that contains the members of the encryption zone.
For example, if you want to exclude Microsoft Word processes, you'd use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`.
-
+1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
If the domain controllers require smart card EKU either:
Otherwise:
|
@@ -86,9 +86,6 @@ For more information, see [Configure certificate infrastructure for SCEP](/mem/i
You need IP connectivity to a DNS server and domain controller over the network interface so that authentication can succeed as well.
-Domain controllers must have appropriate KDC certificates for the client to trust them as domain controllers. Because phones are not domain-joined, the root CA of the KDC's certificate must be in the Third-Party Root CA or Smart Card Trusted Roots store.
+Domain controllers must have appropriate KDC certificates for the client to trust them as domain controllers. Because phones aren't domain-joined, the root CA of the KDC's certificate must be in the Third-Party Root CA or Smart Card Trusted Roots store.
-Domain controllers must be using certificates based on the updated KDC certificate template Kerberos Authentication.
-This requires that all authenticating domain controllers run Windows Server 2016, or you'll need to enable strict KDC validation on domain controllers that run previous versions of Windows Server.
-
-For more information, see [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382).
+Domain controllers must be using certificates based on the updated *KDC certificate template* Kerberos Authentication.
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
index b79e1c9335..60dd8c3517 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
@@ -2,7 +2,7 @@
title: VPN authentication options
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
ms.date: 08/03/2023
-ms.topic: conceptual
+ms.topic: concept-article
---
# VPN authentication options
@@ -74,7 +74,7 @@ For a UWP VPN plug-in, the app vendor controls the authentication method to be u
See [EAP configuration](/windows/client-management/mdm/eap-configuration) for EAP XML configuration.
>[!NOTE]
->To configure Windows Hello for Business authentication, follow the steps in [EAP configuration](/windows/client-management/mdm/eap-configuration) to create a smart card certificate. [Learn more about Windows Hello for Business.](../../../identity-protection/hello-for-business/hello-identity-verification.md).
+>To configure Windows Hello for Business authentication, follow the steps in [EAP configuration](/windows/client-management/mdm/eap-configuration) to create a smart card certificate. [Learn more about Windows Hello for Business.](../../../identity-protection/hello-for-business/index.md).
The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP).
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
index eb532bf8d6..5e6ac3a460 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
@@ -2,7 +2,7 @@
title: VPN auto-triggered profile options
description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections.
ms.date: 08/03/2023
-ms.topic: conceptual
+ms.topic: how-to
---
# VPN auto-triggered profile options
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
index 2606196671..20c906ac63 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
@@ -2,7 +2,7 @@
title: VPN and conditional access
description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Microsoft Entra connected apps.
ms.date: 08/03/2023
-ms.topic: conceptual
+ms.topic: how-to
---
# VPN and conditional access
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
index 3f71587ce8..d9b3f06811 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
@@ -2,7 +2,7 @@
title: VPN connection types
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
ms.date: 08/03/2023
-ms.topic: conceptual
+ms.topic: concept-article
---
# VPN connection types
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
index f4b96d4267..8243496ddd 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
@@ -2,7 +2,7 @@
title: Windows VPN technical guide
description: Learn how to plan and configure Windows devices for your organization's VPN solution.
ms.date: 08/03/2023
-ms.topic: conceptual
+ms.topic: overview
---
# Windows VPN technical guide
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
index e727022c01..82260ba0a4 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
@@ -2,7 +2,7 @@
title: VPN name resolution
description: Learn how name resolution works when using a VPN connection.
ms.date: 08/03/2023
-ms.topic: conceptual
+ms.topic: concept-article
---
# VPN name resolution
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
index f7974cce7c..1975863b9a 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
@@ -2,7 +2,7 @@
title: VPN profile options
description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
ms.date: 08/03/2023
-ms.topic: conceptual
+ms.topic: how-to
---
# VPN profile options
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
index 85d884162a..1f3e5a3784 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
@@ -2,8 +2,9 @@
ms.date: 08/03/2023
title: VPN routing decisions
description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
-ms.topic: conceptual
+ms.topic: concept-article
---
+
# VPN routing decisions
Network routes are required for the stack to understand which interface to use for outbound traffic. One of the most important decision points for VPN configuration is whether you want to send all the data through VPN (*force tunnel*) or only some data through the VPN (*split tunnel*). The decision impacts the configuration, capacity planning, and security expectations from the connection.
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
index c07cabae8d..f6f19b8f96 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
@@ -2,7 +2,7 @@
title: VPN security features
description: Learn about security features for VPN, including LockDown VPN and traffic filters.
ms.date: 08/03/2023
-ms.topic: conceptual
+ms.topic: concept-article
---
# VPN security features
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml b/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml
deleted file mode 100644
index 3914108b37..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml
+++ /dev/null
@@ -1,254 +0,0 @@
-items:
- - name: Overview
- href: windows-firewall-with-advanced-security.md
- - name: Plan deployment
- items:
- - name: Design guide
- href: windows-firewall-with-advanced-security-design-guide.md
- - name: Design process
- href: understanding-the-windows-firewall-with-advanced-security-design-process.md
- - name: Implementation goals
- items:
- - name: Identify implementation goals
- href: identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
- - name: Protect devices from unwanted network traffic
- href: protect-devices-from-unwanted-network-traffic.md
- - name: Restrict access to only trusted devices
- href: restrict-access-to-only-trusted-devices.md
- - name: Require encryption
- href: require-encryption-when-accessing-sensitive-network-resources.md
- - name: Restrict access
- href: restrict-access-to-only-specified-users-or-devices.md
- - name: Implementation designs
- items:
- - name: Map goals to a design
- href: mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
- - name: Basic firewall design
- href: basic-firewall-policy-design.md
- items:
- - name: Basic firewall design example
- href: firewall-policy-design-example.md
- - name: Domain isolation design
- href: domain-isolation-policy-design.md
- items:
- - name: Domain isolation design example
- href: domain-isolation-policy-design-example.md
- - name: Server isolation design
- href: server-isolation-policy-design.md
- items:
- - name: Server Isolation design example
- href: server-isolation-policy-design-example.md
- - name: Certificate-based isolation design
- href: certificate-based-isolation-policy-design.md
- items:
- - name: Certificate-based Isolation design example
- href: certificate-based-isolation-policy-design-example.md
- - name: Design planning
- items:
- - name: Plan your design
- href: planning-your-windows-firewall-with-advanced-security-design.md
- - name: Plan settings for a basic firewall policy
- href: planning-settings-for-a-basic-firewall-policy.md
- - name: Plan domain isolation zones
- items:
- - name: Domain isolation zones
- href: planning-domain-isolation-zones.md
- - name: Exemption list
- href: exemption-list.md
- - name: Isolated domain
- href: isolated-domain.md
- - name: Boundary zone
- href: boundary-zone.md
- - name: Encryption zone
- href: encryption-zone.md
- - name: Plan server isolation zones
- href: planning-server-isolation-zones.md
- - name: Plan certificate-based authentication
- href: planning-certificate-based-authentication.md
- items:
- - name: Document the Zones
- href: documenting-the-zones.md
- - name: Plan group policy deployment for your isolation zones
- href: planning-group-policy-deployment-for-your-isolation-zones.md
- items:
- - name: Plan isolation groups for the zones
- href: planning-isolation-groups-for-the-zones.md
- - name: Plan network access groups
- href: planning-network-access-groups.md
- - name: Plan the GPOs
- href: planning-the-gpos.md
- items:
- - name: Firewall GPOs
- href: firewall-gpos.md
- items:
- - name: GPO_DOMISO_Firewall
- href: gpo-domiso-firewall.md
- - name: Isolated domain GPOs
- href: isolated-domain-gpos.md
- items:
- - name: GPO_DOMISO_IsolatedDomain_Clients
- href: gpo-domiso-isolateddomain-clients.md
- - name: GPO_DOMISO_IsolatedDomain_Servers
- href: gpo-domiso-isolateddomain-servers.md
- - name: Boundary zone GPOs
- href: boundary-zone-gpos.md
- items:
- - name: GPO_DOMISO_Boundary
- href: gpo-domiso-boundary.md
- - name: Encryption zone GPOs
- href: encryption-zone-gpos.md
- items:
- - name: GPO_DOMISO_Encryption
- href: gpo-domiso-encryption.md
- - name: Server isolation GPOs
- href: server-isolation-gpos.md
- - name: Plan GPO deployment
- href: planning-gpo-deployment.md
- - name: Plan to deploy
- href: planning-to-deploy-windows-firewall-with-advanced-security.md
- - name: Deployment guide
- items:
- - name: Deployment overview
- href: windows-firewall-with-advanced-security-deployment-guide.md
- - name: Implement your plan
- href: implementing-your-windows-firewall-with-advanced-security-design-plan.md
- - name: Basic firewall deployment
- items:
- - name: "Checklist: Implement a basic firewall policy design"
- href: checklist-implementing-a-basic-firewall-policy-design.md
- - name: Domain isolation deployment
- items:
- - name: "Checklist: Implement a Domain Isolation Policy Design"
- href: checklist-implementing-a-domain-isolation-policy-design.md
- - name: Server isolation deployment
- items:
- - name: "Checklist: Implement a Standalone Server Isolation Policy Design"
- href: checklist-implementing-a-standalone-server-isolation-policy-design.md
- - name: Certificate-based authentication
- items:
- - name: "Checklist: Implement a Certificate-based Isolation Policy Design"
- href: checklist-implementing-a-certificate-based-isolation-policy-design.md
- - name: Best practices
- items:
- - name: Configure the firewall
- href: best-practices-configuring.md
- - name: Secure IPsec
- href: securing-end-to-end-ipsec-connections-by-using-ikev2.md
- - name: PowerShell
- href: windows-firewall-with-advanced-security-administration-with-windows-powershell.md
- - name: Isolate Microsoft Store Apps on Your Network
- href: isolating-apps-on-your-network.md
- - name: How-to
- items:
- - name: Add Production devices to the membership group for a zone
- href: add-production-devices-to-the-membership-group-for-a-zone.md
- - name: Add test devices to the membership group for a zone
- href: add-test-devices-to-the-membership-group-for-a-zone.md
- - name: Assign security group filters to the GPO
- href: assign-security-group-filters-to-the-gpo.md
- - name: Change rules from request to require mode
- href: Change-Rules-From-Request-To-Require-Mode.Md
- - name: Configure authentication methods
- href: Configure-authentication-methods.md
- - name: Configure data protection (Quick Mode) settings
- href: configure-data-protection-quick-mode-settings.md
- - name: Configure Group Policy to autoenroll and deploy certificates
- href: configure-group-policy-to-autoenroll-and-deploy-certificates.md
- - name: Configure Hyper-V firewall
- href: hyper-v-firewall.md
- - name: Configure key exchange (main mode) settings
- href: configure-key-exchange-main-mode-settings.md
- - name: Configure the rules to require encryption
- href: configure-the-rules-to-require-encryption.md
- - name: Configure the Windows Firewall log
- href: configure-the-windows-firewall-log.md
- - name: Configure the workstation authentication certificate template
- href: configure-the-workstation-authentication-certificate-template.md
- - name: Configure Windows Firewall to suppress notifications when a program is blocked
- href: configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
- - name: Confirm that certificates are deployed correctly
- href: confirm-that-certificates-are-deployed-correctly.md
- - name: Copy a GPO to create a new GPO
- href: copy-a-gpo-to-create-a-new-gpo.md
- - name: Create a Group Account in Active Directory
- href: create-a-group-account-in-active-directory.md
- - name: Create a Group Policy Object
- href: create-a-group-policy-object.md
- - name: Create an authentication exemption list rule
- href: create-an-authentication-exemption-list-rule.md
- - name: Create an authentication request rule
- href: create-an-authentication-request-rule.md
- - name: Create an inbound ICMP rule
- href: create-an-inbound-icmp-rule.md
- - name: Create an inbound port rule
- href: create-an-inbound-port-rule.md
- - name: Create an inbound program or service rule
- href: create-an-inbound-program-or-service-rule.md
- - name: Create an outbound port rule
- href: create-an-outbound-port-rule.md
- - name: Create an outbound program or service rule
- href: create-an-outbound-program-or-service-rule.md
- - name: Create inbound rules to support RPC
- href: create-inbound-rules-to-support-rpc.md
- - name: Create WMI filters for the GPO
- href: create-wmi-filters-for-the-gpo.md
- - name: Create Windows Firewall rules in Intune
- href: create-windows-firewall-rules-in-intune.md
- - name: Enable predefined inbound rules
- href: enable-predefined-inbound-rules.md
- - name: Enable predefined outbound rules
- href: enable-predefined-outbound-rules.md
- - name: Exempt ICMP from authentication
- href: exempt-icmp-from-authentication.md
- - name: Link the GPO to the domain
- href: link-the-gpo-to-the-domain.md
- - name: Modify GPO filters
- href: modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
- - name: Open IP security policies
- href: open-the-group-policy-management-console-to-ip-security-policies.md
- - name: Open Group Policy
- href: open-the-group-policy-management-console-to-windows-firewall.md
- - name: Open Group Policy
- href: open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
- - name: Open Windows Firewall
- href: open-windows-firewall-with-advanced-security.md
- - name: Restrict server access
- href: restrict-server-access-to-members-of-a-group-only.md
- - name: Enable Windows Firewall
- href: turn-on-windows-firewall-and-configure-default-behavior.md
- - name: Verify Network Traffic
- href: verify-that-network-traffic-is-authenticated.md
- - name: References
- items:
- - name: "Checklist: Create Group Policy objects"
- href: checklist-creating-group-policy-objects.md
- - name: "Checklist: Create inbound firewall rules"
- href: checklist-creating-inbound-firewall-rules.md
- - name: "Checklist: Create outbound firewall rules"
- href: checklist-creating-outbound-firewall-rules.md
- - name: "Checklist: Configure basic firewall settings"
- href: checklist-configuring-basic-firewall-settings.md
- - name: "Checklist: Configure rules for the isolated domain"
- href: checklist-configuring-rules-for-the-isolated-domain.md
- - name: "Checklist: Configure rules for the boundary zone"
- href: checklist-configuring-rules-for-the-boundary-zone.md
- - name: "Checklist: Configure rules for the encryption zone"
- href: checklist-configuring-rules-for-the-encryption-zone.md
- - name: "Checklist: Configure rules for an isolated server zone"
- href: checklist-configuring-rules-for-an-isolated-server-zone.md
- - name: "Checklist: Configure rules for servers in a standalone isolated server zone"
- href: checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
- - name: "Checklist: Create rules for clients of a standalone isolated server zone"
- href: checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
- - name: "Appendix A: Sample GPO template files for settings used in this guide"
- href: appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
- - name: Troubleshooting
- items:
- - name: Troubleshoot UWP app connectivity issues in Windows Firewall
- href: troubleshooting-uwp-firewall.md
- - name: Filter origin audit log improvements
- href: filter-origin-documentation.md
- - name: Quarantine behavior
- href: quarantine.md
- - name: Firewall settings lost on upgrade
- href: firewall-settings-lost-on-upgrade.md
\ No newline at end of file
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
deleted file mode 100644
index 7bfb1addfd..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: Add Production Devices to the Membership Group for a Zone
-description: Learn how to add production devices to the membership group for a zone and refresh the group policy on the devices in the membership group.
-ms.prod: windows-client
-ms.topic: how-to
-ms.date: 11/10/2023
----
-
-# Add Production Devices to the Membership Group for a Zone
-
-After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices.
-
-> [!CAUTION]
-> For GPOs that contain connection security rules that prevent unauthenticated connections, ensure you set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your devices are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Don't change the boundary zone GPO to require mode.
-
-The method discussed in this guide uses the *Domain Computers* built-in group. The advantage of this method is that all new devices that are joined to the domain automatically receive the isolated domain GPO. To define this setting successfully, you must make sure that the WMI filters and security group filters exclude devices that must not receive the GPOs. Use device groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the *CG_DOMISO_NOIPSEC* example design. Devices that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md).
-
-Without such a group (or groups), you must either add devices individually or use the groups containing device accounts that are available to you.
-
-To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO.
-
-In this topic:
-
-- [Add the group Domain Devices to the GPO membership group](#to-add-domain-devices-to-the-gpo-membership-group)
-- [Refresh Group Policy on the devices in the membership group](#to-refresh-group-policy-on-a-device)
-- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)
-
-## To add domain devices to the GPO membership group
-
-1. Open Active Directory Users and Computers
-1. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then the container in which you created the membership group
-1. In the details pane, double-click the GPO membership group to which you want to add computers
-1. Select the **Members** tab, and then click **Add**
-1. Type **Domain Computers** in the text box, and then click **OK**
-1. Click **OK** to close the group properties dialog box
-
-After a computer is a member of the group, you can force a Group Policy refresh on the computer.
-
-## To refresh Group Policy on a device
-
-From an elevated command prompt, type the following command:
-
-``` cmd
-gpupdate.exe /target:computer /force
-```
-
-After Group Policy is refreshed, you can see which GPOs are currently applied to the computer.
-
-## To see which GPOs are applied to a device
-
-From an elevated command prompt, type the following command:
-
-``` cmd
-gpresult.exe /r /scope:computer
-```
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/security/operating-system-security/network-security/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
deleted file mode 100644
index 2ed1c1a950..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-title: Add Test Devices to the Membership Group for a Zone
-description: Learn how to add devices to the group for a zone to test whether your Windows Defender Firewall with Advanced Security implementation works as expected.
-ms.prod: windows-client
-ms.topic: how-to
-ms.date: 11/10/2023
----
-
-# Add Test Devices to the Membership Group for a Zone
-
-Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete. We also recommend that you initially deploy the rules to a few devices only to be sure that the correct GPOs are being processed by each device.
-
-Add at least one device of each supported operating system type to each membership group. Make sure every GPO for a specific version of Windows and membership group has a device among the test group. After Group Policy has been refreshed on each test device, check the output of the `gpresult.exe` command to confirm that each device is receiving only the GPOs it's supposed to receive.
-
-To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO.
-
-In this topic:
-
-- [Add the test devices to the GPO membership groups](#to-add-test-devices-to-the-gpo-membership-groups)
-- [Refresh Group Policy on the devices in each membership group](#to-refresh-group-policy-on-a-device)
-- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)
-
-## To add test devices to the GPO membership groups
-
-1. Open Active Directory Users and Computers
-1. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then expand the container that holds your membership group account
-1. In the details pane, double-click the GPO membership group to which you want to add devices
-1. Select the **Members** tab, and then click **Add**
-1. Type the name of the device in the text box, and then click **OK**
-1. Repeat steps 5 and 6 for each extra device account or group that you want to add
-1. Click **OK** to close the group properties dialog box
-
-After a device is a member of the group, you can force a Group Policy refresh on the device.
-
-## To refresh Group Policy on a device
-
-From an elevated command prompt, run the following command:
-
-``` cmd
-gpupdate /target:device /force
-```
-
-After Group Policy is refreshed, you can see which GPOs are currently applied to the device.
-
-## To see which GPOs are applied to a device
-
-From an elevated command prompt, run the following command:
-
-``` cmd
-gpresult /r /scope:computer
-```
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
deleted file mode 100644
index 03fe642a1d..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
+++ /dev/null
@@ -1,87 +0,0 @@
----
-title: Appendix A Sample GPO Template Files for Settings Used in this Guide
-description: Use sample template files import an XML file containing customized registry preferences into a Group Policy Object (GPO).
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 11/10/2023
----
-
-# Appendix A: sample GPO template files for settings used in this guide
-
-You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC).
-
-To manually create the file, build the settings under **Computer Configuration** > **Preferences** > **Windows Settings** > **Registry**. After you create the settings, drag the container to the desktop. An .xml file is created there.
-
-To import an .xml file to GPMC, drag it and drop it on the **Computer Configuration** > **Preferences** > **Windows Settings** > **Registry** node. If you copy the following sample XML code to a file, and then drag and drop it on the **Registry** node, it creates a **Server and Domain Isolation** collection with the six registry keys discussed in this guide.
-
-The following sample file uses item-level targeting to ensure that the registry keys are applied only on the versions of Windows to which they apply.
-
-> [!NOTE]
-> The file shown here is for sample use only. It should be customized to meet the requirements of your organization's deployment. To customize this file, import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customization.
-
-```xml
-
-
-
Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO's element to make sure it's constructed in a way that meets the needs of the server isolation zone. |[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
-| Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone's membership group that are running the specified version of Windows can read and apply it.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
-| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)|
-| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)|
-| Configure the data protection (quick mode) algorithm combinations to be used. If you require encryption for the isolated server zone, then make sure that you choose only algorithm combinations that include encryption. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)|
-| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)|
-| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)|
-| Create a rule that requests authentication for all network traffic.
**Important:** As in an isolated domain, don't set the rules to require authentication for inbound traffic until you have completed testing. That way, if the rules don't work as expected, communications aren't affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)|
-| Create the NAG to contain the device or user accounts that are allowed to access the servers in the isolated server zone. | [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)|
-| Create a firewall rule that permits inbound network traffic only if authenticated as a member of the NAG. | [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)|
-| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)|
-| Add your test server to the membership group for the isolated server zone. Be sure to add at least one server for each operating system supported by a GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) |
-
-Don't change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly.
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
deleted file mode 100644
index e9eccb33bf..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
+++ /dev/null
@@ -1,31 +0,0 @@
----
-title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone
-description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 11/10/2023
----
-
-# Checklist: configure rules for servers in a standalone isolated server zone
-
-This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that isn't part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md).
-
-The GPOs for isolated servers are similar to those GPOs for an isolated domain. This checklist refers you to those procedures for the creation of some of the rules. The other procedures in this checklist are for creating the restrictions that allow only members of the server access group to connect to the server.
-
-| Task | Reference |
-| - | - |
-| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
-| If you're working on a copy of a GPO, modify the group memberships and WMI filters so that they're correct for the devices for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
-| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)|
-| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md) |
-| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)|
-| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)|
-| Configure the authentication methods to be used. This procedure sets the default settings for the device. If you want to set authentication on a per-rule basis, this procedure is optional.| [Configure Authentication Methods](configure-authentication-methods.md) |
-| Create a rule that requests authentication for all inbound network traffic.
**Important:** As in an isolated domain, don't set the rules to require authentication until your testing is complete. That way, if the rules don't work as expected, communications aren't affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)|
-| If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)|
-| Create the NAG to contain the device or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client devices, then create a NAG for each set of servers.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) |
-| Create a firewall rule that allows inbound network traffic only if it's authenticated from a user or device that is a member of the zone's NAG.| [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)|
-| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)|
-| Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)|
-
-Don't change the rules for any of your zones to require authentication until all zones have been set up and thoroughly tested.
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
deleted file mode 100644
index 2196325d31..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
+++ /dev/null
@@ -1,23 +0,0 @@
----
-title: Checklist Configuring Rules for the Boundary Zone
-description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 11/10/2023
----
-
-# Checklist: configure rules for the boundary zone
-
-The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
-
-Rules for the boundary zone are typically the same as those rules for the isolated domain, with the exception that the final rule is left to only request, not require, authentication.
-
-This checklist assumes that you've already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you don't change the rule from request authentication to require authentication when you create the other GPOs.
-
-| Task | Reference |
-| - | - |
-| Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. Unlike the GPO for the main isolated domain zone, this copy isn't changed after deployment to require authentication.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) |
-| If you're working on a copy of a GPO, modify the group memberships and WMI filters so that they're correct for the boundary zone and version of Windows for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
-| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)|
-| Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)|
-| Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)|
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
deleted file mode 100644
index 8916500bda..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
+++ /dev/null
@@ -1,24 +0,0 @@
----
-title: Checklist Configuring Rules for the Encryption Zone
-description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 11/10/2023
----
-
-# Checklist: configure rules for the encryption zone
-
-This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
-
-Rules for the encryption zone are typically the same as those rules for the isolated domain, with the exception that the main rule requires encryption in addition to authentication.
-
-This checklist assumes that you've already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain.
-
-| Task | Reference |
-| - | - |
-| Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
-| Modify the group memberships and WMI filters so that they're correct for the encryption zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
-| Add the encryption requirements for the zone. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)|
-| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)|
-| Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)|
-| Verify that the connection security rules are protecting network traffic.| [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)|
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
deleted file mode 100644
index 51f6cb3c93..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
+++ /dev/null
@@ -1,27 +0,0 @@
----
-title: Checklist Configuring Rules for the Isolated Domain
-description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 11/10/2023
----
-
-# Checklist: configure rules for the isolated domain
-
-The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
-
-| Task | Reference |
-| - | - |
-| Create a GPO for the computers in the isolated domain running one of the operating systems. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
-| If you're working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they're correct for the isolated domain zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
-| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)|
-| Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)|
-| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)|
-| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)|
-| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)|
-| Create the rule that requests authentication for all inbound network traffic. | [Create an Authentication Request Rule](create-an-authentication-request-rule.md)|
-| Link the GPO to the domain level of the AD DS organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)|
-| Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)|
-| Verify that the connection security rules are protecting network traffic to and from the test computers. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)|
-
-Don't change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly.
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects.md
deleted file mode 100644
index c9a715cfbc..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects.md
+++ /dev/null
@@ -1,34 +0,0 @@
----
-title: Checklist Creating Group Policy Objects
-description: Learn to deploy firewall settings, IPsec settings, firewall rules, or connection security rules, by using Group Policy in AD DS.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 11/10/2023
----
-
-# Checklist: Create group policy objects (GPOs)
-
-To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the end by making GPO assignments as easy as dropping a device into a membership group.
-
-The checklists for firewall, domain isolation, and server isolation include a link to this checklist.
-
-## About membership groups
-
-For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied.
-
-## About exclusion groups
-
-A Windows Defender Firewall with Advanced Security design must often take into account domain-joined devices on the network that can't or must not apply the rules and settings in the GPOs. Because these devices are typically fewer in number than the devices that must apply the GPO, it's easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers.
-
-You can also use a membership group for one zone as an exclusion group for another zone. For example, devices in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To use the group as an exclusion group, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones.
-
-| Task | Reference |
-| - | - |
-| Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)|
-| Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)|
-| Create a GPO for each version of Windows that has different implementation requirements.| [Create a Group Policy Object](create-a-group-policy-object.md) |
-| Create security group filters to limit the GPO to only devices that are members of the membership group and to exclude devices that are members of the exclusion group.|[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) |
-| Create WMI filters to limit each GPO to only the devices that match the criteria in the filter.| [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) |
-| If you're working on a GPO that was copied from another, modify the group memberships and WMI filters so that they're correct for the new zone or version of Windows for which this GPO is intended.|[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
-| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) |
-| Before adding any rules or configuring the GPO, add a few test devices to the membership group, and make sure that the correct GPO is received and applied to each member of the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) |
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules.md
deleted file mode 100644
index 5afd360e1a..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules.md
+++ /dev/null
@@ -1,19 +0,0 @@
----
-title: Checklist Creating Inbound Firewall Rules
-description: Use these tasks for creating inbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 11/10/2023
----
-
-# Checklist: create inbound firewall rules
-
-This checklist includes tasks for creating firewall rules in your GPOs.
-
-| Task | Reference |
-| - | - |
-| Create a rule that allows a program to listen for and accept inbound network traffic on any ports it requires. | [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)|
-| Create a rule that allows inbound network traffic on a specified port number. | [Create an Inbound Port Rule](create-an-inbound-port-rule.md)|
-| Create a rule that allows inbound ICMP network traffic. | [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)|
-| Create rules that allow inbound RPC network traffic. | [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)|
-| Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)|
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules.md
deleted file mode 100644
index d6d1525053..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules.md
+++ /dev/null
@@ -1,20 +0,0 @@
----
-title: Checklist Creating Outbound Firewall Rules
-description: Use these tasks for creating outbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 11/10/2023
----
-
-# Checklist: create outbound firewall rules
-
-This checklist includes tasks for creating outbound firewall rules in your GPOs.
-
-> [!IMPORTANT]
-> By default, outbound filtering is disabled. Because all outbound network traffic is permitted, outbound rules are typically used to block traffic that is not wanted on the network. However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organization's network. If you do this, then you have the option to set the default outbound behavior to block, preventing any network traffic that is not specifically authorized by the rules you create.
-
-| Task | Reference |
-| - | - |
-| Create a rule that allows a program to send any outbound network traffic on any port it requires. | [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)|
-| Create a rule that allows outbound network traffic on a specified port number. | [Create an Outbound Port Rule](create-an-outbound-port-rule.md)|
-| Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)|
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
deleted file mode 100644
index 4d8a44fecc..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
+++ /dev/null
@@ -1,24 +0,0 @@
----
-title: Create Rules for Standalone Isolated Server Zone Clients
-description: Checklist for when creating rules for clients of a Standalone Isolated Server Zone
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 11/10/2023
----
-
-# Checklist: Create rules for clients of a standalone isolated server zone
-
-This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone.
-
-| Task | Reference |
-| - | - |
-| Create a GPO for the client devices that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you've finished the tasks in this checklist, you can make a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
-| To determine which devices receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
-| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)|
-| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)|
-| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)|
-| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)|
-| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)|
-| Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior has no delay when communicating with devices that can't use IPsec, you can use the same any-to-any rule used in an isolated domain.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)|
-| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)|
-| Add your test devices to the NAG for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)|
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
deleted file mode 100644
index 3d970485cf..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-title: Checklist Implementing a Basic Firewall Policy Design
-description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 11/10/2023
----
-
-# Checklist: implement a basic firewall policy design
-
-This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
-
-> [!NOTE]
-> Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
-
-The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md).
-
-| Task | Reference |
-| - | - |
-| Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Basic Firewall Policy Design](basic-firewall-policy-design.md)
[Firewall Policy Design Example](firewall-policy-design-example.md)
[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)|
-| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 11, Windows 10, and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10 or Windows 11, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
-| If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)|
-| Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)|
-| Create one or more inbound firewall rules to allow unsolicited inbound network traffic.| [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)|
-| Create one or more outbound firewall rules to block unwanted outbound network traffic. | [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md)|
-| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)|
-| Add test devices to the membership group, and then confirm that the devices receive the firewall rules from the GPOs as expected.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)|
-| According to the testing and roll-out schedule in your design plan, add device accounts to the membership group to deploy the completed firewall policy settings to your devices. | [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)|
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
deleted file mode 100644
index edbfae8e7f..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-title: Checklist Implementing a Certificate-based Isolation Policy Design
-description: Use these references to learn about using certificates as an authentication option and configure a certificate-based isolation policy design.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 11/10/2023
----
-
-# Checklist: implement a certificate-based isolation policy design
-
-This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design.
-
-> [!NOTE]
-> Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist
-
-| Task | Reference |
-| - | - |
-| Review important concepts and examples for certificate-based authentication to determine if this design meets your implementation goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) |
-| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you haven't already deployed a CA on your network.| |
-| Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)|
-| Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)|
-| On a test device, refresh Group Policy and confirm that the certificate is installed. | [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)|
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
deleted file mode 100644
index 46079fc693..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
+++ /dev/null
@@ -1,26 +0,0 @@
----
-title: Checklist Implementing a Domain Isolation Policy Design
-description: Use these references to learn about the domain isolation policy design and links to other checklists to complete tasks require to implement this design.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 11/10/2023
----
-
-# Checklist: implementing a domain isolation policy design
-
-This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
-
-> [!NOTE]
-> Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
-
-The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md).
-
-| Task | Reference |
-| - | - |
-| Review important concepts and examples for the domain isolation policy design, determine your Windows Firewall with Advanced Security implementation goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Domain Isolation Policy Design](domain-isolation-policy-design.md)
[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
[Planning Domain Isolation Zones](planning-domain-isolation-zones.md) |
-| Create the GPOs and connection security rules for the isolated domain.| [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)|
-| Create the GPOs and connection security rules for the boundary zone.| [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)|
-| Create the GPOs and connection security rules for the encryption zone.| [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)|
-| Create the GPOs and connection security rules for the isolated server zone.| [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)|
-| According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy rules and settings to your computers.| [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)|
-| After you confirm that network traffic is authenticated by IPsec, you can change authentication rules for the isolated domain and encryption zone from request to require mode.| [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)|
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
deleted file mode 100644
index 7596ee7611..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
+++ /dev/null
@@ -1,25 +0,0 @@
----
-title: Checklist Implementing a Standalone Server Isolation Policy Design
-description: Use these tasks to create a server isolation policy design that isn't part of an isolated domain. See references to concepts and links to other checklists.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 11/10/2023
----
-
-# Checklist: implementing a standalone server isolation policy design
-
-This checklist contains procedures for creating a server isolation policy design that isn't part of an isolated domain. For information on the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md).
-
-This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
-
-> [!NOTE]
-> Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
-
-| Task | Reference |
-| - | - |
-| Review important concepts and examples for the server isolation policy design to determine if this design meets your implementation goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Server Isolation Policy Design](server-isolation-policy-design.md)
[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
[Planning Server Isolation Zones](planning-server-isolation-zones.md) |
-| Create the GPOs and connection security rules for isolated servers.| [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)|
-| Create the GPOs and connection security rules for the client devices that must connect to the isolated servers. | [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)|
-| Verify that the connection security rules are protecting network traffic on your test devices. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)|
-| After you confirm that network traffic is authenticated by IPsec as expected, you can change authentication rules for the isolated server zone to require authentication instead of requesting it. | [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)|
-| According to the testing and roll-out schedule in your design plan, add device accounts for the client devices to the membership group so that you can deploy the settings. | [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md) |
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-authentication-methods.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-authentication-methods.md
deleted file mode 100644
index 96a9db2d70..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/configure-authentication-methods.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-title: Configure Authentication Methods
-description: Learn how to configure authentication methods for devices in an isolated domain or standalone server zone in Windows Defender Firewall with Advanced Security.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/07/2021
----
-
-# Configure Authentication Methods
-
-
-This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone.
-
->**Note:** If you follow the steps in the procedure in this topic, you alter the system-wide default settings. Any connection security rule can use these settings by specifying **Default** on the **Authentication** tab.
-
-**Administrative credentials**
-
-To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
-
-**To configure authentication methods**
-
-1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
-
-2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**.
-
-3. On the **IPsec Settings** tab, click **Customize**.
-
-4. In the **Authentication Method** section, select the type of authentication that you want to use from among the following:
-
- 1. **Default**. Selecting this option tells the computer to use the authentication method currently defined by the local administrator in Windows Defender Firewall or by Group Policy as the default.
-
- 2. **Computer certificate from this certification authority**. Selecting this option and entering the identification of a certification authority (CA) tells the computer to use and require authentication by using a certificate that is issued by the selected CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication extended key usage (EKU) typically provided in a Network Access Protection (NAP) infrastructure can be used for this rule.
-
- 3. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**.
-
- The first authentication method can be one of the following methods:
-
- - **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 isn't supported by IKE v1.
-
- - **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by that CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used.
-
- - **Preshared key (not recommended)**. Selecting this method and entering a preshared key tells the computer to authenticate by exchanging the preshared keys. If they match, then the authentication succeeds. This method isn't recommended, and is included only for backward compatibility and testing purposes.
-
- If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails.
-
- The second authentication method can be one of the following methods:
-
- - **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently signed-in user by using their domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 isn't supported by IKE v1.
-
- - **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to specified users or user groups.
-
- - **Computer health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication EKU typically provided in a NAP infrastructure can be used for this rule.
-
- If you select **Second authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails.
-
- >**Important:** Make sure that you do not select the check boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails.
-
-5. Click **OK** on each dialog box to save your changes and return to the Group Policy Management Editor.
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-data-protection-quick-mode-settings.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-data-protection-quick-mode-settings.md
deleted file mode 100644
index a8f2bc0f33..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/configure-data-protection-quick-mode-settings.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-title: Configure Data Protection (Quick Mode) Settings
-description: Learn how to configure the data protection settings for connection security rules in an isolated domain or a standalone isolated server zone.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/07/2021
----
-
-# Configure Data Protection (Quick Mode) Settings
-
-
-This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone.
-
-**Administrative credentials**
-
-To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
-
-**To configure quick mode settings**
-
-1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
-
-2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**.
-
-3. On the **IPsec Settings** tab, click **Customize**.
-
-4. In the **Data protection (Quick Mode)** section, click **Advanced**, and then click **Customize**.
-
-5. If you require encryption for all network traffic in the specified zone, then check **Require encryption for all connection security rules that use these settings**. Selecting this option disables the **Data integrity** section, and forces you to select only integrity algorithms that are combined with an encryption algorithm. If you do not select this option, then you can use only data integrity algorithms. Before selecting this option, consider the performance impact and the increase in network traffic that will result. We recommend that you use this setting only on network traffic that truly requires it, such as to and from computers in the encryption zone.
-
-6. If you did not select **Require encryption**, then select the data integrity algorithms that you want to use to help protect the data sessions between the two computers. If the data integrity algorithms displayed in the list are not what you want, then do the following:
-
- 1. From the left column, remove any of the data integrity algorithms that you do not want by selecting the algorithm and then clicking **Remove**.
-
- 2. Add any required data integrity algorithms by clicking **Add**, selecting the appropriate protocol (ESP or AH) and algorithm (SHA1 or MD5), selecting the key lifetime in minutes or sessions, and then clicking **OK**. We recommend that you do not include MD5 in any combination. It is included for backward compatibility only. We also recommend that you use ESP instead of AH if you have any devices on your network that use network address translation (NAT).
-
- 3. In **Key lifetime (in sessions)**, type the number of times that the quick mode session can be rekeyed. After this number is reached, the quick mode SA must be renegotiated. Be careful to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance because of the more frequent renegotiating of the quick mode SA. We recommend that you use the default value unless your risk analysis indicates the need for a different value.
-
- 4. Click **OK** to save your algorithm combination settings.
-
- 5. After the list contains only the combinations you want, use the up and down arrows to the right of the list to rearrange them in the correct order for your design. The algorithm combination that is first in the list is tried first, and so on.
-
-7. Select the data integrity and encryption algorithms that you want to use to help protect the data sessions between the two computers. If the algorithm combinations displayed in the list are not what you want, then do the following:
-
- 1. From the second column, remove any of the data integrity and encryption algorithms that you do not want by selecting the algorithm combination and then clicking **Remove**.
-
- 2. Add any required integrity and encryption algorithm combinations by clicking **Add**, and then doing the following:
-
- 3. Select the appropriate protocol (ESP or AH). We recommend that you use ESP instead of AH if you have any devices on your network that use NAT.
-
- 4. Select the appropriate encryption algorithm. The choices include, in order of decreasing security: AES-256, AES-192, AES-128, 3DES, and DES. We recommend that you do not include DES in any combination. It is included for backward compatibility only.
-
- 5. Select the appropriate integrity algorithm (SHA1 or MD5). We recommend that you do not include MD5 in any combination. It is included for backward compatibility only.
-
- 6. In **Key lifetime (in minutes)**, type the number of minutes. When the specified number of minutes has elapsed, any IPsec operations between the two computers that negotiated this key will require a new key. Be careful to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance because of the more frequent rekeying. We recommend that you use the default value unless your risk analysis indicates the need for a different value.
-
-8. Click **OK** three times to save your settings.
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
deleted file mode 100644
index f049b2e663..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: Configure Group Policy to Autoenroll and Deploy Certificates
-description: Learn how to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/07/2021
----
-
-# Configure Group Policy to Autoenroll and Deploy Certificates
-
-
-You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate.
-
-**Administrative credentials**
-
-To complete these procedures, you must be a member of both the Domain Admins group in the root domain of your forest and a member of the Enterprise Admins group.
-
-**To configure Group Policy to autoenroll certificates**
-
-1. Open the Group Policy Management console.
-
-2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**.
-
-3. In the navigation pane, expand the following path: **Computer Configuration**, **Policies**, **Windows Settings**, **Security Settings**, **Public Key Policies**.
-
-4. Double-click **Certificate Services Client - Auto-Enrollment**.
-
-5. In the **Properties** dialog box, change **Configuration Model** to **Enabled**.
-
-6. Select both **Renew expired certificates, update pending certificates, and remove revoked certificates** and **Update certificates that use certificate templates**.
-
-7. Click **OK** to save your changes. Computers apply the GPO and download the certificate the next time Group Policy is refreshed.
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-key-exchange-main-mode-settings.md
deleted file mode 100644
index 02ffc24817..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/configure-key-exchange-main-mode-settings.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-title: Configure Key Exchange (Main Mode) Settings
-description: Learn how to configure the main mode key exchange settings used to secure the IPsec authentication traffic in Windows Defender Firewall with Advanced Security.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/07/2021
----
-
-# Configure Key Exchange (Main Mode) Settings
-
-
-This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic.
-
-**Administrative credentials**
-
-To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
-
-**To configure key exchange settings**
-
-1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
-
-2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**.
-
-3. On the **IPsec Settings** tab, click **Customize**.
-
-4. In the **Key exchange (Main Mode)** section, click **Advanced**, and then click **Customize**.
-
-5. Select the security methods to be used to help protect the main mode negotiations between the two devices. If the security methods displayed in the list aren't what you want, then do the following steps:
-
- **Important**
- In Windows Vista, Windows Server 2008, or later, you can specify only one key exchange algorithm. This rule means that if you want to communicate by using IPsec with another device running Windows 8 or Windows Server 2012, then you must select the same key exchange algorithm on both devices.
-
- Also, if you create a connection security rule that specifies an option that requires AuthIP instead of IKE, then only the one combination of the top integrity and encryption security method is used in the negotiation. Ensure that all of your devices that are running at least Windows Vista and Windows Server 2008 have the same methods at the top of the list and the same key exchange algorithm selected.
-
- **Note**
- When AuthIP is used, no Diffie-Hellman key exchange protocol is used. Instead, when Kerberos V5 authentication is requested, the Kerberos V5 service ticket secret is used in place of a Diffie-Hellman value. When either certificate authentication or NTLM authentication is requested, a transport level security (TLS) session is established, and its secret is used in place of the Diffie-Hellman value. This event happens no matter which Diffie-Hellman key exchange protocol you select.
-
- 1. Remove any of the security methods that you don't want by selecting the method and then clicking **Remove**.
-
- 2. Add any required security method combinations by clicking **Add**, selecting the appropriate encryption algorithm and integrity algorithm from the lists, and then clicking **OK**.
-
- >**Caution:** We recommend that you do not include MD5 or DES in any combination. They are included for backward compatibility only.
-
- 3. After the list contains only the combinations you want, use the "up" and "down" arrows to the right of the list to arrange them in the order of preference. The combination that appears first in the list is tried first, and so on.
-
-6. From the list on the right, select the key exchange algorithm that you want to use.
-
- >**Caution:** We recommend that you do not use Diffie-Hellman Group 1. It is included for backward compatibility only.
-
-7. In **Key lifetime (in minutes)**, type the number of minutes. When the specified number of minutes has elapsed, any IPsec operation between the two devices requires a new key.
-
- >**Note:** You need to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance.
-
-8. In **Key lifetime (in sessions)**, type the number of sessions. After the specified number of quick mode sessions have been created within the security association protected by this key, IPsec requires a new key.
-
-9. Click **OK** three times to save your settings.
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-logging.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-logging.md
new file mode 100644
index 0000000000..06fbba84f9
--- /dev/null
+++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-logging.md
@@ -0,0 +1,177 @@
+---
+title: Configure Windows Firewall logging
+description: Learn how to configure Windows Firewall to log dropped packets or successful connections with CSP and group policy.
+ms.topic: how-to
+ms.date: 11/21/2023
+---
+
+# Configure Windows Firewall logging
+
+To configure Windows Firewall to log dropped packets or successful connections, you can use:
+
+- Configuration Service Provider (CSP), using an MDM solution like Microsoft Intune
+- Group policy (GPO)
+
+[!INCLUDE [tab-intro](../../../../../includes/configure/tab-intro.md)]
+
+# [:::image type="icon" source="../../../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
+
+1. Sign into the [Microsoft Intune admin center][INT]
+1. Go to **Endpoint security** > **Firewall** > **Create policy** > **Windows 10, Windows 11, and Windows Server** > **Windows Firewall** > **Create**
+1. Enter a name and, optionally, a description > **Next**
+1. Under **Configuration settings**, for each network location type (*Domain*, *Private*, *Public*), configure:
+ - **Log file path**
+ - **Enable log dropped packets**
+ - **Enable log success connections**
+ - **Log max file size**
+1. Select **Next** > **Next**
+1. Assign the policy to a group that contains as members the devices or users that you want to configure > **Next** > **Create**
+
+> [!TIP]
+> If you prefer you can also use a [Settings catalog policy][MEM-1] to configure Windows Firewall logging.
+
+Alternatively, you can configure devices using a [custom policy][INT-1] with the [Firewall CSP][CSP-1].
+
+| Network profile | Setting |
+|--|--|
+| *Domain* | Setting name: [EnableLogDroppedPackets][CSP-2]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableLogDroppedPackets` |
+| *Domain* | Setting name: [LogFilePath][CSP-5]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/DomainProfile/LogFilePath` |
+| *Domain* | Setting name: [EnableLogSuccessConnections][CSP-8]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableLogSuccessConnections` |
+| *Domain* | Setting name: [LogMaxFileSize][CSP-11]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/DomainProfile/LogMaxFileSize` |
+| *Private* | Setting name: [EnableLogDroppedPackets][CSP-3]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableLogDroppedPackets` |
+| *Private* | Setting name: [LogFilePath][CSP-6]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/LogFilePath`|
+| *Private* | Setting name: [EnableLogSuccessConnections][CSP-9]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableLogSuccessConnections` |
+| *Private* | Setting name: [LogMaxFileSize][CSP-12]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/LogMaxFileSize` |
+| *Public* | Setting name: [EnableLogDroppedPackets][CSP-4]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableLogDroppedPackets` |
+| *Public* | Setting name: [LogFilePath][CSP-7]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/LogFilePath`|
+| *Public* | Setting name: [EnableLogSuccessConnections][CSP-10]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableLogSuccessConnections` |
+| *Public* | Setting name: [LogMaxFileSize][CSP-13]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/LogMaxFileSize` |
+
+# [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+
+[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)]
+
+1. Expand the nodes **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security**
+1. In the details pane, in the **Overview** section, select **Windows Defender Firewall Properties**
+1. For each network location type (*Domain*, *Private*, *Public*), perform the following steps
+ 1. Select the tab that corresponds to the network location type
+ 1. Under **Logging**, select **Customize**
+ 1. The default path for the log is `%windir%\system32\logfiles\firewall\pfirewall.log`. If you want to change this path, clear the **Not configured** check box and enter the path to the new location, or select **Browse** to select a file location
+1. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this size, clear the **Not configured** check box, and enter the new size in KB, or use the up and down arrows to select a size. The file won't grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones.
+1. No logging occurs until you set one of following two options:
+ - To create a log entry when Windows Defender Firewall drops an incoming network packet, change **Log dropped packets** to **Yes**
+ - To create a log entry when Windows Defender Firewall allows an inbound connection, change **Log successful connections** to **Yes**
+1. Select **OK** twice
+
+[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)]
+
+---
+
+> [!IMPORTANT]
+> The location you specify must have permissions assigned that permit the Windows Firewall service to write to the log file.
+
+## Recommendations
+
+Here are some recommendations for configuring Windows Firewall logging:
+
+- Change the logging size to at least **20,480 KB (20 MB)** to ensure that the log file doesn't fill up too quickly. The maximum log size is 32,768 KB (32 MB)
+- For each profile (Domain, Private, and Public) change the default log file name from `%windir%\system32\logfiles\firewall\pfirewall.log` to:
+ - `%windir%\system32\logfiles\firewall\pfirewall_Domain.log`
+ - `%windir%\system32\logfiles\firewall\pfirewall_Private.log`
+ - `%windir%\system32\logfiles\firewall\pfirewall_Public.log`
+- Log dropped packets to **Yes**
+- Log successful connections to **Yes**
+
+On a single system, you can use the following commands to configure logging:
+
+```cmd
+netsh advfirewall>set allprofiles logging allowedconnections enable
+netsh advfirewall>set allprofiles logging droppedconnections enable
+```
+
+## Parsing methods
+
+There are several methods to parse the Windows Firewall log files. For example:
+
+- Enable *Windows Event Forwarding* (WEF) to a *Windows Event Collector* (WEC). To learn more, see [Use Windows Event Forwarding to help with intrusion detection][WIN-1]
+- Forward the logs to your SIEM product such as our Azure Sentinel. To learn more, see [Windows Firewall connector for Microsoft Sentinel][AZ-1]
+- Forward the logs to Azure Monitor and use KQL to parse the data. To learn more, see [Azure Monitor agent on Windows client devices][AZ-2]
+
+> [!TIP]
+> If logs are slow to appear in your SIEM solution, you can decrease the log file size. Just beware that the downsizing results in more resource usage due to the increased log rotation.
+
+## Troubleshoot if the log file is not created or modified
+
+Sometimes the Windows Firewall log files aren't created, or the events aren't written to the log files. Some examples when this condition might occur include:
+
+- Missing permissions for the *Windows Defender Firewall Service* (`mpssvc`) on the folder or on the log files
+- You want to store the log files in a different folder and the permissions are missing, or aren't set automatically
+- if firewall logging is configured via policy settings, it can happen that
+ - the log folder in the default location `%windir%\System32\LogFiles\firewall` doesn't exist
+ - the log folder in a custom path doesn't exist
+
+In both cases, you must create the folder manually or via script, and add the permissions for `mpssvc`.
+
+```PowerShell
+New-Item -ItemType Directory -Path $env:windir\System32\LogFiles\Firewall
+```
+
+Verify if `mpssvc` has *FullControl* on the folder and the files. From an elevated PowerShell session, use the following commands, ensuring to use the correct path:
+
+```PowerShell
+$LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall"
+(Get-ACL -Path $LogPath).Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize
+```
+
+The output should show `NT SERVICE\mpssvc` having *FullControl*:
+
+```PowerShell
+IdentityReference FileSystemRights AccessControlType IsInherited InheritanceFlags
+----------------- ---------------- ----------------- ----------- ----------------
+NT AUTHORITY\SYSTEM FullControl Allow False ObjectInherit
+BUILTIN\Administrators FullControl Allow False ObjectInherit
+NT SERVICE\mpssvc FullControl Allow False ObjectInherit
+```
+
+If not, add *FullControl* permissions for `mpssvc` to the folder, subfolders and files. Make sure to use the correct path.
+
+```PowerShell
+$LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall"
+$NewAcl = Get-Acl -Path $LogPath
+
+$identity = "NT SERVICE\mpssvc"
+$fileSystemRights = "FullControl"
+$inheritanceFlags = "ContainerInherit,ObjectInherit"
+$propagationFlags = "None"
+$type = "Allow"
+
+$fileSystemAccessRuleArgumentList = $identity, $fileSystemRights, $inheritanceFlags, $propagationFlags, $type
+$fileSystemAccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $fileSystemAccessRuleArgumentList
+
+$NewAcl.SetAccessRule($fileSystemAccessRule)
+Set-Acl -Path $LogPath -AclObject $NewAcl
+```
+
+Restart the device to restart the *Windows Defender Firewall* service.
+
+
+
+[INT-1]: /mem/intune/configuration/custom-settings-windows-10
+[CSP-1]: /windows/client-management/mdm/firewall-csp
+[AZ-1]: /azure/sentinel/data-connectors/windows-firewall
+[INT]: https://go.microsoft.com/fwlink/?linkid=2109431
+[MEM-1]: /mem/intune/configuration/settings-catalog
+[WIN-1]: /windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection
+[AZ-2]: /azure/azure-monitor/agents/azure-monitor-agent-windows-client
+[CSP-2]: /windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablelogdroppedpackets
+[CSP-3]: /windows/client-management/mdm/firewall-csp#mdmstoreprivateprofileenablelogdroppedpackets
+[CSP-4]: /windows/client-management/mdm/firewall-csp#mdmstorepublicprofileenablelogdroppedpackets
+[CSP-5]: /windows/client-management/mdm/firewall-csp#mdmstoredomainprofilelogfilepath
+[CSP-6]: /windows/client-management/mdm/firewall-csp#mdmstoreprivateprofilelogfilepath
+[CSP-7]: /windows/client-management/mdm/firewall-csp#mdmstorepublicprofilelogfilepath
+[CSP-8]: /windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablelogsuccessconnections
+[CSP-9]: /windows/client-management/mdm/firewall-csp#mdmstoreprivateprofileenablelogsuccessconnections
+[CSP-10]: /windows/client-management/mdm/firewall-csp#mdmstorepublicprofileenablelogsuccessconnections
+[CSP-11]: /windows/client-management/mdm/firewall-csp#mdmstoredomainprofilelogmaxfilesize
+[CSP-12]: /windows/client-management/mdm/firewall-csp#mdmstoreprivateprofilelogmaxfilesize
+[CSP-13]: /windows/client-management/mdm/firewall-csp#mdmstorepublicprofilelogmaxfilesize
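Review bot: The `cmd` block under Recommendations doesn't run as written, because each line carries the interactive `netsh advfirewall>` prompt as a prefix; as pasteable commands they should read `netsh advfirewall set allprofiles logging allowedconnections enable` and `netsh advfirewall set allprofiles logging droppedconnections enable`. That block also leaves the 20,480 KB size and per-profile file names recommended just above it unapplied, so a reader who follows only the commands keeps the 4,096 KB default described in the GPO tab. Separately, the IMPORTANT note after the tabs only says the custom log location must be writable by the firewall service; since the Parsing methods section positions these logs as intrusion-detection and SIEM evidence, the note should also warn that the folder must not be writable by standard users, e.g. `> Otherwise restrict the folder to SYSTEM, Administrators and the firewall service, so that log entries can't be altered or deleted by an unprivileged user.` The default ACL shown in the troubleshooting output already has that shape, so the caveat mainly matters for the custom paths this page recommends.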
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-rules-to-require-encryption.md
deleted file mode 100644
index ce9b0f15ce..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-rules-to-require-encryption.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Configure the Rules to Require Encryption
-description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that don't use encryption for zones that require encryption.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/07/2021
----
-
-# Configure the Rules to Require Encryption
-
-If you're creating a zone that requires encryption, you must configure the rules to add the encryption algorithms and delete the algorithm combinations that don't use encryption.
-
-**Administrative credentials**
-
-To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
-
-**To modify an authentication request rule to also require encryption**
-
-1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
-
-2. In the navigation pane, click **Connection Security Rules**.
-
-3. In the details pane, double-click the connection security rule you want to modify.
-
-4. On the **Name** page, rename the connection security rule, edit the description to reflect the new use for the rule, and then click **OK**.
-
-5. In the navigation pane, right-click **Windows Defender Firewall – LDAP://CN={**guid**}**, and then click **Properties**.
-
-6. Click the **IPsec Settings** tab.
-
-7. Under **IPsec defaults**, click **Customize**.
-
-8. Under **Data protection (Quick Mode)**, click **Advanced**, and then click **Customize**.
-
-9. Click **Require encryption for all connection security rules that use these settings**.
-
- This setting disables the data integrity rules section. Ensure the **Data integrity and encryption** list contains all of the combinations that your client devices will use to connect to members of the encryption zone. The client devices receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client devices in that zone won't be able to connect to devices in this zone.
-
-10. If you need to add an algorithm combination, click **Add** and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md).
-
- **Note**
- Not all of the algorithms available in Windows 8 or Windows Server 2012 and later can be selected in the Windows Defender Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell.
-
- Quick mode settings can also be configured on a per-rule basis, but not by using the Windows Defender Firewall user interface. Instead, you can create or modify the rules by using Windows PowerShell.
-
- For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
-
-11. During negotiation, algorithm combinations are proposed in the order shown in the list. Ensure that the more secure combinations are at the top of the list so that the negotiating devices select the most secure combination that they can jointly support.
-
-12. Click **OK** three times to save your changes.
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md
deleted file mode 100644
index e60bc7b3ec..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md
+++ /dev/null
@@ -1,94 +0,0 @@
----
-title: Configure the Windows Defender Firewall Log
-description: Learn how to configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections by using Group Policy Management MMC.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/07/2021
----
-
-# Configure the Windows Defender Firewall with Advanced Security Log
-
-
-To configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in.
-
-**Administrative credentials**
-
-To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
-
-## To configure the Windows Defender Firewall with Advanced Security log
-
-1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
-
-2. In the details pane, in the **Overview** section, click **Windows Defender Firewall Properties**.
-
-3. For each network location type (Domain, Private, Public), perform the following steps.
-
- 1. Click the tab that corresponds to the network location type.
-
- 2. Under **Logging**, click **Customize**.
-
- 3. The default path for the log is **%windir%\\system32\\logfiles\\firewall\\pfirewall.log**. If you want to change this path, clear the **Not configured** check box and type the path to the new location, or click **Browse** to select a file location.
-
- > [!IMPORTANT]
- > The location you specify must have permissions assigned that permit the Windows Defender Firewall service to write to the log file.
-
- 5. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this size, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file won't grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones.
-
- 6. No logging occurs until you set one of following two options:
-
- - To create a log entry when Windows Defender Firewall drops an incoming network packet, change **Log dropped packets** to **Yes**.
-
- - To create a log entry when Windows Defender Firewall allows an inbound connection, change **Log successful connections** to **Yes**.
-
- 7. Click **OK** twice.
-
-### Troubleshoot if the log file is not created or modified
-
-Sometimes the Windows Firewall log files aren't created, or the events aren't written to the log files. Some examples when this condition might occur include:
-
-- missing permissions for the Windows Defender Firewall Service (MpsSvc) on the folder or on the log files
-- you want to store the log files in a different folder and the permissions were removed, or haven't been set automatically
-- if firewall logging is configured via policy settings, it can happen that
- - the log folder in the default location `%windir%\System32\LogFiles\firewall` doesn't exist
- - the log folder in a custom path doesn't exist
- In both cases, you must create the folder manually or via script, and add the permissions for MpsSvc
-
-If firewall logging is configured via Group Policy only, it also can happen that the `firewall` folder is not created in the default location `%windir%\System32\LogFiles\`. The same can happen if a custom path to a non-existent folder is configured via Group Policy. In this case, create the folder manually or via script and add the permissions for MPSSVC.
-
-```PowerShell
-New-Item -ItemType Directory -Path $env:windir\System32\LogFiles\Firewall
-```
-
-Verify if MpsSvc has *FullControl* on the folder and the files.
-From an elevated PowerShell session, use the following commands, ensuring to use the correct path:
-
-```PowerShell
-$LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall"
-(Get-ACL -Path $LogPath).Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize
-```
-
-The output should show `NT SERVICE\mpssvc` having *FullControl*:
-
-```PowerShell
-IdentityReference FileSystemRights AccessControlType IsInherited InheritanceFlags
------------------ ---------------- ----------------- ----------- ----------------
-NT AUTHORITY\SYSTEM FullControl Allow False ObjectInherit
-BUILTIN\Administrators FullControl Allow False ObjectInherit
-NT SERVICE\mpssvc FullControl Allow False ObjectInherit
-```
-
-If not, add *FullControl* permissions for mpssvc to the folder, subfolders and files. Make sure to use the correct path.
-
-```PowerShell
-$LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall"
-$ACL = get-acl -Path $LogPath
-$ACL.SetAccessRuleProtection($true, $false)
-$RULE = New-Object System.Security.AccessControl.FileSystemAccessRule ("NT SERVICE\mpssvc","FullControl","ContainerInherit,ObjectInherit","None","Allow")
-$ACL.AddAccessRule($RULE)
-```
-
-Restart the device to restart the Windows Defender Firewall Service.
-
-### Troubleshoot Slow Log Ingestion
-
-If logs are slow to appear in Sentinel, you can turn down the log file size. Just beware that this downsizing will result in more resource usage due to the increased resource usage for log rotation.
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-workstation-authentication-certificate-template.md
deleted file mode 100644
index fe9d417849..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-workstation-authentication-certificate-template.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: Configure the Workstation Authentication Template
-description: Learn how to configure a workstation authentication certificate template, which is used for device certificates that are enrolled and deployed to workstations.
-ms.prod: windows-client
-ms.date: 09/07/2021
-ms.topic: conceptual
----
-
-# Configure the Workstation Authentication Certificate Template
-
-
-This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements.
-
-**Administrative credentials**
-
-## To configure the workstation authentication certificate template and autoenrollment
-To complete these procedures, you must be a member of both the Domain Admins group in the root domain of your forest, and a member of the Enterprise Admins group.
-
-
-1. On the device where AD CS is installed, open the Certification Authority console.
-
-2. In the navigation pane, right-click **Certificate Templates**, and then click **Manage**.
-
-3. In the details pane, click the **Workstation Authentication** template.
-
-4. On the **Action** menu, click **Duplicate Template**. In the **Duplicate Template** dialog box, select the template version that is appropriate for your deployment, and then click **OK**. For the resulting certificates to have maximum compatibility with the available versions of Windows, we recommended that you select **Windows Server 2003**.
-
-5. On the **General** tab, in **Template display name**, type a new name for the certificate template, such as **Domain Isolation Workstation Authentication Template**.
-
-6. Click the **Subject Name** tab. Make sure that **Build from this Active Directory information** is selected. In **Subject name format**, select **Fully distinguished name**.
-
-7. Click the **Cryptography** tab. You must determine the best minimum key size for your environment. Large key sizes provide better security, but they can affect server performance. We recommended that you use the default setting of 2048.
-
-8. Click the **Security** tab. In **Group or user names**, click **Domain Computers**, under **Allow**, select **Enroll** and **Autoenroll**, and then click **OK**.
-
- >**Note:** If you want do not want to deploy the certificate to every device in the domain, then specify a different group or groups that contain the device accounts that you want to receive the certificate.
-
-9. Close the Certificate Templates Console.
-
-10. In the Certification Authority MMC snap-in, in the left pane, right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**.
-
-11. In the **Enable Certificate Templates** dialog box, click the name of the certificate template you configured, and then click **OK**.
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
deleted file mode 100644
index fe75296fec..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked
-description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Blocked
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/07/2021
----
-
-# Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked
-
-
-To configure Windows Defender Firewall with Advanced Security to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console.
-
->**Caution:** If you choose to disable alerts and prohibit locally defined rules, then you must create firewall rules that allow your users’ programs to send and receive the required network traffic. If a firewall rule is missing, then the user does not receive any kind of warning, the network traffic is silently blocked, and the program might fail.
-
-We recommend that you don't enable these settings until you've created and tested the required rules.
-
-**Administrative credentials**
-
-To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
-
-## To configure Windows Defender Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules
-
-1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
-
-2. In the details pane, in the **Overview** section, click **Windows Defender Firewall Properties**.
-
-3. For each network location type (Domain, Private, Public), perform the following steps.
-
- 1. Click the tab that corresponds to the network location type.
-
- 2. Under **Settings**, click **Customize**.
-
- 3. Under **Firewall settings**, change **Display a notification** to **No**.
-
- 4. Under **Rule merging**, change **Apply local firewall rules** to **No**.
-
- 5. Although a connection security rule isn't a firewall setting, you can also use this tab to prohibit locally defined connection security rules if you're planning to deploy IPsec rules as part of a server or domain isolation environment. Under **Rule merging**, change **Apply local connection security rules** to **No**.
-
- 6. Click **OK** twice.
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md
similarity index 57%
rename from windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
rename to windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md
index 6bf60cec66..bd157d28de 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md
@@ -1,114 +1,86 @@
---
-title: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell
-description: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
+title: Manage Windows Firewall with the command line
+description: Learn how to manage Windows Firewall from the command line. This guide provides examples how to manage Windows Firewall with PowerShell and Netsh.
+ms.topic: how-to
+ms.date: 11/21/2023
---
-# Windows Defender Firewall with Advanced Security Administration with Windows PowerShell
+# Manage Windows Firewall with the command line
+This article provides examples how to manage Windows Firewall with PowerShell and `netsh.exe`, which can be used to automate the management of Windows Firewall.
-The Windows Defender Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Defender Firewall management. It's designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Defender Firewall management in Windows.
+## Set profile global defaults
-You can use Windows PowerShell to manage your firewall and IPsec deployments. This object-oriented scripting environment will make it easier for you to manage policies and monitor network conditions than was possible in netsh. Windows PowerShell allows network settings to be self-discoverable through the syntax and parameters in each of the cmdlets. This guide demonstrates how common tasks were performed in netsh and how you can use Windows PowerShell to accomplish them.
+Global defaults set the device behavior in a per-profile basis. Windows Firewall supports Domain, Private, and Public profiles.
-In future versions of Windows, Microsoft might remove the netsh functionality for Windows Defender Firewall. Microsoft recommends that you transition to Windows PowerShell if you currently use netsh to configure and manage Windows Defender Firewall.
+Windows Firewall drops traffic that doesn't correspond to allowed unsolicited traffic, or traffic that is sent in response to a request by the device. If you find that the rules you create aren't enforced, you might need to enable Windows Firewall. Here's how to enable Windows Firewall on a local device:
-Windows PowerShell and netsh command references are at the following locations.
-
-- [Netsh Commands for Windows Defender Firewall](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771920(v=ws.10))
-
-## Scope
-
-This guide doesn't teach you the fundamentals of Windows Defender Firewall, which can be found in [Windows Defender Firewall](windows-firewall-with-advanced-security.md). It doesn't teach the fundamentals of Windows PowerShell, and it assumes that you're familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more info about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#other-resources) section of this guide.
-
-## Audience and user requirements
-
-This guide is intended for IT pros, system administrators, and IT managers, and it assumes that you're familiar with Windows Defender Firewall, the Windows PowerShell language, and the basic concepts of Windows PowerShell.
-
-## In this topic
-
-| Section | Description |
-| - | - |
-| [Set profile global defaults](#bkmk-profileglobaldefaults) | Enable and control firewall behavior|
-| [Deploy basic firewall rules](#deploy-basic-firewall-rules)| How to create, modify, and delete firewall rules|
-| [Manage Remotely](#manage-remotely) | Remote management by using `-CimSession`|
-| [Deploy basic IPsec rule settings](#deploy-basic-ipsec-rule-settings) | IPsec rules and associated parameters|
-| [Deploy secure firewall rules with IPsec](#deploy-secure-firewall-rules-with-ipsec) | Domain and server isolation|
-| [Other resources](#other-resources) | More information about Windows PowerShell|
-
-## Set profile global defaults
-
-Global defaults set the device behavior in a per-profile basis. Windows Defender Firewall supports Domain, Private, and Public profiles.
-
-### Enable Windows Defender Firewall with Advanced Security
-
-Windows Defender Firewall drops traffic that doesn't correspond to allowed unsolicited traffic, or traffic that is sent in response to a request by the device. If you find that the rules you create aren't being enforced, you may need to enable Windows Defender Firewall. Here's how to enable Windows Defender Firewall on a local domain device:
-
-**Netsh**
-
-``` syntax
-netsh advfirewall set allprofiles state on
-```
-
-**Windows PowerShell**
+# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
```powershell
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
```
-### Control Windows Defender Firewall with Advanced Security behavior
+# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
-The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Defender Firewall with Advanced Security console.
+``` cmd
+netsh.exe advfirewall set allprofiles state on
+```
+---
+
+### Control Windows Firewall behavior
+
+The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Firewall console.
The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and allows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting.
-**Netsh**
+# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
-``` syntax
+```powershell
+Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen True -AllowUnicastResponseToMulticast True -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
+```
+
+# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+```cmd
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall set allprofiles settings inboundusernotification enable
netsh advfirewall set allprofiles settings unicastresponsetomulticast enable
netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
```
-Windows PowerShell
+---
-```powershell
-Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow –NotifyOnListen True -AllowUnicastResponseToMulticast True –LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
-```
+### Disable Windows Firewall
-### Disable Windows Defender Firewall with Advanced Security
-
-Microsoft recommends that you don't disable Windows Defender Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](https://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/).
-
-Disabling Windows Defender Firewall with Advanced Security can also cause problems, including:
+Microsoft recommends that you don't disable Windows Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](https://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/).
+Disabling Windows Firewall can also cause problems, including:
- Start menu can stop working
- Modern applications can fail to install or update
- Activation of Windows via phone fails
-- Application or OS incompatibilities that depend on Windows Defender Firewall
+- Application or OS incompatibilities that depend on Windows Firewall
-Microsoft recommends disabling Windows Defender Firewall only when installing a third-party firewall, and resetting Windows Defender Firewall back to defaults when the third-party software is disabled or removed.
-
-If disabling Windows Defender Firewall is required, don't disable it by stopping the Windows Defender Firewall service (in the **Services** snap-in, the display name is Windows Defender Firewall and the service name is MpsSvc).
-Stopping the Windows Defender Firewall service isn't supported by Microsoft.
-
-Non-Microsoft firewall software can programmatically disable only the parts of Windows Defender Firewall that need to be disabled for compatibility.
+Microsoft recommends disabling Windows Firewall only when installing a third-party firewall, and resetting Windows Firewall back to defaults when the third-party software is disabled or removed.
+If disabling Windows Firewall is required, don't disable it by stopping the Windows Firewall service (in the **Services** snap-in, the display name is Windows Firewall and the service name is MpsSvc).
+Stopping the Windows Firewall service isn't supported by Microsoft.
+Non-Microsoft firewall software can programmatically disable only the parts of Windows Firewall that need to be disabled for compatibility.
You shouldn't disable the firewall yourself for this purpose.
+The proper method to disable the Windows Firewall is to disable the Windows Firewall Profiles and leave the service running.
+Use the following procedure to turn off the firewall, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Firewall|Domain Prolfile|Windows Firewall:Protect all network connections**.
+For more information, see [Windows Firewall deployment guide](windows-firewall-with-advanced-security-deployment-guide.md).
+The following example disables Windows Firewall for all profiles.
-The proper method to disable the Windows Defender Firewall is to disable the Windows Defender Firewall Profiles and leave the service running.
-
-Use the following procedure to turn off the firewall, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Defender Firewall|Domain Prolfile|Windows Defender Firewall:Protect all network connections**.
-For more information, see [Windows Defender Firewall with Advanced Security deployment guide](windows-firewall-with-advanced-security-deployment-guide.md).
-
-The following example disables Windows Defender Firewall for all profiles.
+# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
```powershell
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
```
+# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+---
+
## Deploy basic firewall rules
This section provides scriptlet examples for creating, modifying, and deleting firewall rules.
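Review bot: The Command Prompt tab added under "Disable Windows Firewall" is empty, so a reader following the netsh path has no equivalent of `Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False`; add a fenced `cmd` block containing `netsh.exe advfirewall set allprofiles state off` between that tab heading and the closing `---`. The Group Policy path in the same section still reads `Domain Prolfile` and should be `Domain Profile`. Because the surrounding text warns that disabling the profiles drops IPsec, service hardening and boot-time filtering, consider one sentence stating that the disable command should be run only after confirming the non-Microsoft firewall is already active on all profiles.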
@@ -116,50 +88,49 @@ This section provides scriptlet examples for creating, modifying, and deleting f
### Create firewall rules
Adding a firewall rule in Windows PowerShell looks a lot like it did in Netsh, but the parameters and values are specified differently.
-
Here's an example of how to allow the Telnet application to listen on the network. This firewall rule is scoped to the local subnet by using a keyword instead of an IP address. Just like in Netsh, the rule is created on the local device, and it becomes effective immediately.
-**Netsh**
+# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
-``` syntax
+```powershell
+New-NetFirewallRule -DisplayName "Allow Inbound Telnet" -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow
+```
+
+# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+``` cmd
netsh advfirewall firewall add rule name="Allow Inbound Telnet" dir=in program= %SystemRoot%\System32\tlntsvr.exe remoteip=localsubnet action=allow
```
-Windows PowerShell
-
-```powershell
-New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow
-```
+---
The following scriptlet shows how to add a basic firewall rule that blocks outbound traffic from a specific application and local port to a Group Policy Object (GPO) in Active Directory. In Windows PowerShell, the policy store is specified as a parameter within the **New-NetFirewall** cmdlet. In Netsh, you must first specify the GPO that the commands in a Netsh session should modify. The commands you enter are run against the contents of the GPO, and the execution remains in effect until the Netsh session is ended or until another set store command is executed.
-
Here, **domain.contoso.com** is the name of your Active Directory Domain Services (AD DS), and **gpo\_name** is the name of the GPO that you want to modify. Quotation marks are required if there are any spaces in the GPO name.
-**Netsh**
+# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
-``` syntax
+```powershell
+New-NetFirewallRule -DisplayName "Block Outbound Telnet" -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -LocalPort 23 -Action Block -PolicyStore domain.contoso.com\gpo_name
+```
+
+# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+``` cmd
netsh advfirewall set store gpo=domain.contoso.com\gpo_name
netsh advfirewall firewall add rule name="Block Outbound Telnet" dir=out program=%SystemRoot%\System32\telnet.exe protocol=tcp localport=23 action=block
```
-Windows PowerShell
-
-```powershell
-New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe –Protocol TCP –LocalPort 23 -Action Block –PolicyStore domain.contoso.com\gpo_name
-```
+---
### GPO Caching
To reduce the burden on busy domain controllers, Windows PowerShell allows you to load a GPO to your local session, make all your changes in that session, and then save it back at all once.
-
The following command performs the same actions as the previous example (by adding a Telnet rule to a GPO), but we do so by applying GPO caching in PowerShell. Changing the GPO by loading it onto your local session and using the *-GPOSession* parameter aren't supported in Netsh
-Windows PowerShell
-
```powershell
-$gpo = Open-NetGPO –PolicyStore domain.contoso.com\gpo_name
-New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\telnet.exe –Protocol TCP –LocalPort 23 -Action Block –GPOSession $gpo
-Save-NetGPO –GPOSession $gpo
+$gpo = Open-NetGPO -PolicyStore domain.contoso.com\gpo_name
+New-NetFirewallRule -DisplayName "Block Outbound Telnet" -Direction Outbound -Program %SystemRoot%\System32\telnet.exe -Protocol TCP -LocalPort 23 -Action Block -GPOSession $gpo
+Save-NetGPO -GPOSession $gpo
```
This command doesn't batch your individual changes, it loads and saves the entire GPO at once. So if any other changes are made by other administrators, or in a different Windows PowerShell window, saving the GPO overwrites those changes.
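Review bot: The two tabs for the GPO-scoped "Block Outbound Telnet" rule don't describe the same policy: the new PowerShell line blocks `%SystemRoot%\System32\tlntsvr.exe` (the Telnet server) while the netsh line blocks `%SystemRoot%\System32\telnet.exe` (the client), so switching tabs yields a different rule. The GPO caching example just below uses `telnet.exe`, which is the binary that actually originates outbound TCP 23 traffic; change the PowerShell line to `-Program %SystemRoot%\System32\telnet.exe` so all three agree. The netsh line is unchanged context, so only the new PowerShell line needs editing.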
@@ -167,120 +138,105 @@ This command doesn't batch your individual changes, it loads and saves the entir
### Modify an existing firewall rule
When a rule is created, Netsh and Windows PowerShell allow you to change rule properties and influence, but the rule maintains its unique identifier (in Windows PowerShell, this identifier is specified with the *-Name* parameter).
-
For example, you could have a rule **Allow Web 80** that enables TCP port 80 for inbound unsolicited traffic. You can change the rule to match a different remote IP address of a Web server whose traffic will be allowed by specifying the human-readable, localized name of the rule.
-**Netsh**
+# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
-``` syntax
+```powershell
+Set-NetFirewallRule -DisplayName "Allow Web 80" -RemoteAddress 192.168.0.2
+```
+
+# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+``` cmd
netsh advfirewall firewall set rule name="Allow Web 80" new remoteip=192.168.0.2
```
-Windows PowerShell
-
-```powershell
-Set-NetFirewallRule –DisplayName “Allow Web 80” -RemoteAddress 192.168.0.2
-```
+---
Netsh requires you to provide the name of the rule for it to be changed and we don't have an alternate way of getting the firewall rule. In Windows PowerShell, you can query for the rule using its known properties.
-
When you run `Get-NetFirewallRule`, you may notice that common conditions like addresses and ports don't appear. These conditions are represented in separate objects called Filters. As shown before, you can set all the conditions in New-NetFirewallRule and Set-NetFirewallRule. If you want to query for firewall rules based on these fields (ports, addresses, security, interfaces, services), you'll need to get the filter objects themselves.
-
You can change the remote endpoint of the **Allow Web 80** rule (as done previously) using filter objects. Using Windows PowerShell, you query by port using the port filter, then assuming other rules exist affecting the local port, you build with further queries until your desired rule is retrieved.
-
-In the following example, we assume the query returns a single firewall rule, which is then piped to the `Set-NetFirewallRule` cmdlet utilizing Windows PowerShell’s ability to pipeline inputs.
-
-Windows PowerShell
+In the following example, we assume the query returns a single firewall rule, which is then piped to the `Set-NetFirewallRule` cmdlet utilizing Windows PowerShell's ability to pipeline inputs.
```powershell
-Get-NetFirewallPortFilter | ?{$_.LocalPort -eq 80} | Get-NetFirewallRule | ?{ $_.Direction –eq “Inbound” -and $_.Action –eq “Allow”} | Set-NetFirewallRule -RemoteAddress 192.168.0.2
+Get-NetFirewallPortFilter | ?{$_.LocalPort -eq 80} | Get-NetFirewallRule | ?{ $_.Direction -eq "Inbound" -and $_.Action -eq "Allow"} | Set-NetFirewallRule -RemoteAddress 192.168.0.2
```
You can also query for rules using the wildcard character. The following example returns an array of firewall rules associated with a particular program. The elements of the array can be modified in subsequent `Set-NetFirewallRule` cmdlets.
-Windows PowerShell
-
```powershell
Get-NetFirewallApplicationFilter -Program "*svchost*" | Get-NetFirewallRule
```
Multiple rules in a group can be simultaneously modified when the associated group name is specified in a Set command. You can add firewall rules to specified management groups in order to manage multiple rules that share the same influences.
-
In the following example, we add both inbound and outbound Telnet firewall rules to the group **Telnet Management**. In Windows PowerShell, group membership is specified when the rules are first created so we re-create the previous example rules. Adding rules to a custom rule group isn't possible in Netsh.
-Windows PowerShell
-
```powershell
-New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow –Group “Telnet Management”
-New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow –Group “Telnet Management”
+New-NetFirewallRule -DisplayName "Allow Inbound Telnet" -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow -Group "Telnet Management"
+New-NetFirewallRule -DisplayName "Block Outbound Telnet" -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow -Group "Telnet Management"
```
If the group isn't specified at rule creation time, the rule can be added to the rule group using dot notation in Windows PowerShell. You can't specify the group using `Set-NetFirewallRule` since the command allows querying by rule group.
-Windows PowerShell
-
```powershell
-$rule = Get-NetFirewallRule -DisplayName “Allow Inbound Telnet”
-$rule.Group = “Telnet Management”
+$rule = Get-NetFirewallRule -DisplayName "Allow Inbound Telnet"
+$rule.Group = "Telnet Management"
$rule | Set-NetFirewallRule
```
With the help of the `Set` command, if the rule group name is specified, the group membership isn't modified but rather all rules of the group receive the same modifications indicated by the given parameters.
-
The following scriptlet enables all rules in a predefined group containing remote management influencing firewall rules.
-**Netsh**
-
-``` syntax
-netsh advfirewall firewall set rule group="Windows Defender Firewall remote management" new enable=yes
-```
-
-Windows PowerShell
+# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
```powershell
-Set-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” –Enabled True
+Set-NetFirewallRule -DisplayGroup "Windows Firewall Remote Management" -Enabled True
```
+# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+``` cmd
+netsh advfirewall firewall set rule group="Windows Firewall remote management" new enable=yes
+```
+
+---
+
There's also a separate `Enable-NetFirewallRule` cmdlet for enabling rules by group or by other properties of the rule.
-Windows PowerShell
-
```powershell
-Enable-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” -Verbose
+Enable-NetFirewallRule -DisplayGroup "Windows Firewall Remote Management" -Verbose
```
### Delete a firewall rule
Rule objects can be disabled so that they're no longer active. In Windows PowerShell, the **Disable-NetFirewallRule** cmdlet will leave the rule on the system, but put it in a disabled state so the rule no longer is applied and impacts traffic. A disabled firewall rule can be re-enabled by **Enable-NetFirewallRule**. This cmdlet is different from the **Remove-NetFirewallRule**, which permanently removes the rule definition from the device.
-
The following cmdlet deletes the specified existing firewall rule from the local policy store.
-**Netsh**
-
-``` syntax
-netsh advfirewall firewall delete rule name=“Allow Web 80”
-```
-
-Windows PowerShell
+# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
```powershell
-Remove-NetFirewallRule –DisplayName “Allow Web 80”
+Remove-NetFirewallRule -DisplayName "Allow Web 80"
```
+# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+``` cmd
+netsh advfirewall firewall delete rule name="Allow Web 80"
+```
+
+---
+
Like with other cmdlets, you can also query for rules to be removed. Here, all blocking firewall rules are deleted from the device.
-Windows PowerShell
-
```powershell
-Remove-NetFirewallRule –Action Block
+Remove-NetFirewallRule -Action Block
```
It may be safer to query the rules with the **Get** command and save it in a variable, observe the rules to be affected, then pipe them to the **Remove** command, just as we did for the **Set** commands. The following example shows how you can view all the blocking firewall rules, and then delete the first four rules.
-Windows PowerShell
-
```powershell
-$x = Get-NetFirewallRule –Action Block
+$x = Get-NetFirewallRule -Action Block
$x
$x[0-3] | Remove-NetFirewallRule
```
@@ -288,86 +244,76 @@ $x[0-3] | Remove-NetFirewallRule
## Manage remotely
Remote management using WinRM is enabled by default. The cmdlets that support the *CimSession* parameter use WinRM and can be managed remotely by default.
-
The following example returns all firewall rules of the persistent store on a device named **RemoteDevice**.
-Windows PowerShell
-
```powershell
-Get-NetFirewallRule –CimSession RemoteDevice
+Get-NetFirewallRule -CimSession RemoteDevice
```
-We can perform any modifications or view rules on remote devices by using the *–CimSession* parameter. Here we remove a specific firewall rule from a remote device.
-
-Windows PowerShell
+We can perform any modifications or view rules on remote devices by using the *-CimSession* parameter. Here we remove a specific firewall rule from a remote device.
```powershell
-$RemoteSession = New-CimSession –ComputerName RemoteDevice
-Remove-NetFirewallRule –DisplayName “AllowWeb80” –CimSession $RemoteSession -Confirm
+$RemoteSession = New-CimSession -ComputerName RemoteDevice
+Remove-NetFirewallRule -DisplayName "AllowWeb80" -CimSession $RemoteSession -Confirm
```
## Deploy basic IPsec rule settings
An Internet Protocol security (IPsec) policy consists of rules that determine IPsec behavior. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.
-
-Windows PowerShell can create powerful, complex IPsec policies like in Netsh and the Windows Defender Firewall with Advanced Security console. However, because Windows PowerShell is object-based rather than string token-based, configuration in Windows PowerShell offers greater control and flexibility.
-
+Windows PowerShell can create powerful, complex IPsec policies like in Netsh and the Windows Firewall console. However, because Windows PowerShell is object-based rather than string token-based, configuration in Windows PowerShell offers greater control and flexibility.
In Netsh, the authentication and cryptographic sets were specified as a list of comma-separated tokens in a specific format. In Windows PowerShell, rather than using default settings, you first create your desired authentication or cryptographic proposal objects and bundle them into lists in your preferred order. Then, you create one or more IPsec rules that reference these sets. The benefit of this model is that programmatic access to the information in the rules is much easier. See the following sections for clarifying examples.
-

### Create IPsec rules
The following cmdlet creates basic IPsec transport mode rule in a Group Policy Object. An IPsec rule is simple to create; all that is required is the display name, and the remaining properties use default values. Inbound traffic is authenticated and integrity checked using the default quick mode and main mode settings. These default settings can be found in the console under Customize IPsec Defaults.
-**Netsh**
+# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
-``` syntax
+```powershell
+New-NetIPsecRule -DisplayName "Require Inbound Authentication" -PolicyStore domain.contoso.com\gpo_name
+```
+
+# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+``` cmd
netsh advfirewall set store gpo=domain.contoso.com\gpo_name
netsh advfirewall consec add rule name="Require Inbound Authentication" endpoint1=any endpoint2=any action=requireinrequestout
```
-Windows PowerShell
-
-```powershell
-New-NetIPsecRule -DisplayName “Require Inbound Authentication” -PolicyStore domain.contoso.com\gpo_name
-```
+---
### Add custom authentication methods to an IPsec rule
-If you want to create a custom set of quick-mode proposals that includes both AH and ESP in an IPsec rule object, you create the associated objects separately and link their associations. For more information about authentication methods, see [Choosing the IPsec Protocol](/previous-versions/windows/it-pro/windows-server-2003/cc757847(v=ws.10)) .
-
+If you want to create a custom set of quick-mode proposals that includes both AH and ESP in an IPsec rule object, you create the associated objects separately and link their associations. For more information about authentication methods, see [Choosing the IPsec Protocol](/previous-versions/windows/it-pro/windows-server-2003/cc757847(v=ws.10)).
You can then use the newly created custom quick-mode policies when you create IPsec rules. The cryptography set object is linked to an IPsec rule object.
-

-
In this example, we build on the previously created IPsec rule by specifying a custom quick-mode crypto set. The final IPsec rule requires outbound traffic to be authenticated by the specified cryptography method.
-**Netsh**
+# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
-``` syntax
+```powershell
+$AHandESPQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH,ESP -AHHash SHA1 -ESPHash SHA1 -Encryption DES3
+$QMCryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName "ah:sha1+esp:sha1-des3" -Proposal $AHandESPQM -PolicyStore domain.contoso.com\gpo_name
+New-NetIPsecRule -DisplayName "Require Inbound Authentication" -InboundSecurity Require -OutboundSecurity Request -QuickModeCryptoSet $QMCryptoSet.Name -PolicyStore domain.contoso.com\gpo_name
+```
+
+# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+``` cmd
netsh advfirewall set store gpo=domain.contoso.com\gpo_name
netsh advfirewall consec add rule name="Require Outbound Authentication" endpoint1=any endpoint2=any action=requireinrequestout qmsecmethods=ah:sha1+esp:sha1-3des
```
-Windows PowerShell
-
-```powershell
-$AHandESPQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH,ESP –AHHash SHA1 -ESPHash SHA1 -Encryption DES3
-$QMCryptoSet = New-NetIPsecQuickModeCryptoSet –DisplayName “ah:sha1+esp:sha1-des3” -Proposal $AHandESPQM –PolicyStore domain.contoso.com\gpo_name
-New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request -QuickModeCryptoSet $QMCryptoSet.Name –PolicyStore domain.contoso.com\gpo_name
-```
+---
### IKEv2 IPsec transport rules
A corporate network may need to secure communications with another agency. But, you discover the agency runs non-Windows operating systems and requires the use of the Internet Key Exchange Version 2 (IKEv2) standard.
-
You can apply IKEv2 capabilities in Windows Server 2012 by specifying IKEv2 as the key module in an IPsec rule. This capability specification can only be done using computer certificate authentication and can't be used with phase-2 authentication.
-Windows PowerShell
-
```powershell
-New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request –Phase1AuthSet MyCertAuthSet -KeyModule IKEv2 –RemoteAddress $nonWindowsGateway
+New-NetIPsecRule -DisplayName "Require Inbound Authentication" -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet MyCertAuthSet -KeyModule IKEv2 -RemoteAddress $nonWindowsGateway
```
For more info about IKEv2, including scenarios, see [Securing End-to-End IPsec Connections by Using IKEv2](securing-end-to-end-ipsec-connections-by-using-ikev2.md).
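Review bot: The custom quick-mode crypto set example proposes `-AHHash SHA1 -ESPHash SHA1 -Encryption DES3` (and `ah:sha1+esp:sha1-3des` in the netsh tab); 3DES and SHA-1 are deprecated for IPsec, so a how-to dated 11/21/2023 should either show a current suite such as `-ESPHash SHA256 -Encryption AES256` or carry a note that SHA-1/3DES are kept only for parity with the legacy netsh syntax and should not be used in new deployments. The two tabs also disagree: PowerShell creates "Require Inbound Authentication" with `-InboundSecurity Require -OutboundSecurity Request`, netsh creates "Require Outbound Authentication", and the preceding sentence says the final rule requires outbound traffic to be authenticated, which is not what `-OutboundSecurity Request` does. Align the rule name and the prose with the parameters actually shown, since readers copy these into domain isolation GPOs.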
@@ -375,105 +321,90 @@ For more info about IKEv2, including scenarios, see [Securing End-to-End IPsec C
### Copy an IPsec rule from one policy to another
Firewall and IPsec rules with the same rule properties can be duplicated to simplify the task of re-creating them within different policy stores.
-
To copy the previously created rule from one policy store to another, the associated objects must also be copied separately. There's no need to copy associated firewall filters. You can query rules to be copied in the same way as other cmdlets.
-
Copying individual rules is a task that isn't possible through the Netsh interface. Here's how you can accomplish it with Windows PowerShell.
-Windows PowerShell
-
```powershell
-$Rule = Get-NetIPsecRule –DisplayName “Require Inbound Authentication”
-$Rule | Copy-NetIPsecRule –NewPolicyStore domain.costoso.com\new_gpo_name
-$Rule | Copy-NetPhase1AuthSet –NewPolicyStore domain.costoso.com\new_gpo_name
+$Rule = Get-NetIPsecRule -DisplayName "Require Inbound Authentication"
+$Rule | Copy-NetIPsecRule -NewPolicyStore domain.costoso.com\new_gpo_name
+$Rule | Copy-NetPhase1AuthSet -NewPolicyStore domain.costoso.com\new_gpo_name
```
### Handling Windows PowerShell errors
-To handle errors in your Windows PowerShell scripts, you can use the *–ErrorAction* parameter. This parameter is especially useful with the **Remove** cmdlets. If you want to remove a particular rule, you'll notice that it fails if the rule isn't found. When rules are being removed, if the rule isn’t already there, it's acceptable to ignore that error. In this case, you can do the following to suppress any “rule not found” errors during the remove operation.
-
-Windows PowerShell
+To handle errors in your Windows PowerShell scripts, you can use the *-ErrorAction* parameter. This parameter is especially useful with the **Remove** cmdlets. If you want to remove a particular rule, you'll notice that it fails if the rule isn't found. When rules are being removed, if the rule isn't already there, it's acceptable to ignore that error. In this case, you can do the following to suppress any "rule not found" errors during the remove operation.
```powershell
-Remove-NetFirewallRule –DisplayName “Contoso Messenger 98” –ErrorAction SilentlyContinue
+Remove-NetFirewallRule -DisplayName "Contoso Messenger 98" -ErrorAction SilentlyContinue
```
-The use of wildcards can also suppress errors, but they could potentially match rules that you didn't intend to remove. These wildcards can be a useful shortcut, but should only be used if you know there aren’t any extra rules that will be accidentally deleted. So the following cmdlet will also remove the rule, suppressing any “not found” errors.
-
-Windows PowerShell
+The use of wildcards can also suppress errors, but they could potentially match rules that you didn't intend to remove. These wildcards can be a useful shortcut, but should only be used if you know there aren't any extra rules that will be accidentally deleted. So the following cmdlet will also remove the rule, suppressing any "not found" errors.
```powershell
-Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*”
+Remove-NetFirewallRule -DisplayName "Contoso Messenger 98*"
```
-When using wildcards, if you want to double-check the set of rules that is matched, you can use the *–WhatIf* parameter.
-
-Windows PowerShell
+When using wildcards, if you want to double-check the set of rules that is matched, you can use the *-WhatIf* parameter.
```powershell
-Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –WhatIf
+Remove-NetFirewallRule -DisplayName "Contoso Messenger 98*" -WhatIf
```
-If you only want to delete some of the matched rules, you can use the *–Confirm* parameter to get a rule-by-rule confirmation prompt.
-
-Windows PowerShell
+If you only want to delete some of the matched rules, you can use the *-Confirm* parameter to get a rule-by-rule confirmation prompt.
```powershell
-Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –Confirm
+Remove-NetFirewallRule -DisplayName "Contoso Messenger 98*" -Confirm
```
You can also just perform the whole operation, displaying the name of each rule as the operation is performed.
-Windows PowerShell
-
```powershell
-Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –Verbose
+Remove-NetFirewallRule -DisplayName "Contoso Messenger 98*" -Verbose
```
### Monitor
The following Windows PowerShell commands are useful in the update cycle of a deployment phase.
-
To allow you to view all the IPsec rules in a particular store, you can use the following commands. In Netsh, this command doesn't show rules where profile=domain,public or profile=domain,private. It only shows rules that have the single entry domain that is included in the rule. The following command examples will show the IPsec rules in all profiles.
-**Netsh**
+# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
-``` syntax
+```powershell
+Show-NetIPsecRule -PolicyStore ActiveStore
+```
+
+# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+``` cmd
netsh advfirewall consec show rule name=all
```
-Windows PowerShell
-
-```powershell
-Show-NetIPsecRule –PolicyStore ActiveStore
-```
+---
You can monitor main mode security associations for information such as which peers are currently connected to the device and which protection suite is used to form the security associations.
-
Use the following cmdlet to view existing main mode rules and their security associations:
-**Netsh**
-
-``` syntax
-netsh advfirewall monitor show mmsa all
-```
-
-Windows PowerShell
+# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
```powershell
Get-NetIPsecMainModeSA
```
+# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+``` cmd
+netsh advfirewall monitor show mmsa all
+```
+
+---
+
### Find the source GPO of a rule
To view the properties of a particular rule or group of rules, you query for the rule. When a query returns fields that are specified as **NotConfigured**, you can determine which policy store a rule originates from.
-
-For objects that come from a GPO (the *–PolicyStoreSourceType* parameter is specified as **GroupPolicy** in the **Show** command), if *–TracePolicyStore* is passed, the name of the GPO is found and returned in the **PolicyStoreSource** field.
-
-Windows PowerShell
+For objects that come from a GPO (the *-PolicyStoreSourceType* parameter is specified as **GroupPolicy** in the **Show** command), if *-TracePolicyStore* is passed, the name of the GPO is found and returned in the **PolicyStoreSource** field.
```powershell
-Get-NetIPsecRule –DisplayName “Require Inbound Authentication” –TracePolicyStore
+Get-NetIPsecRule -DisplayName "Require Inbound Authentication" -TracePolicyStore
```
It's important to note that the revealed sources don't contain a domain name.
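Review bot: The two `-NewPolicyStore domain.costoso.com\new_gpo_name` arguments in the copy-rule example keep the `costoso` misspelling while the `Get-NetIPsecRule` line just above them and every other policy-store path in the article use `contoso`; since this hunk already rewrites those two lines for the dash and quote clean-up, correct them to `-NewPolicyStore domain.contoso.com\new_gpo_name`. Readers pasting the sample into an environment that really has a domain.contoso.com GPO would otherwise point the copy at a store that does not exist. As a point of ordering, the `-WhatIf` example would serve readers better placed before the bare `Remove-NetFirewallRule -DisplayName "Contoso Messenger 98*"` form, so the dry run precedes the destructive wildcard removal.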
@@ -481,146 +412,140 @@ It's important to note that the revealed sources don't contain a domain name.
### Deploy a basic domain isolation policy
IPsec can be used to isolate domain members from non-domain members. Domain isolation uses IPsec authentication to require that the domain-joined devices positively establish the identities of the communicating devices to improve security of an organization. One or more features of IPsec can be used to secure traffic with an IPsec rule object.
-
To implement domain isolation on your network, the devices in the domain receive IPsec rules that block unsolicited inbound network traffic that isn't protected by IPsec. Here we create an IPsec rule that requires authentication by domain members. Through this authentication, you can isolate domain-joined devices from devices that aren't joined to a domain. In the following examples, Kerberos authentication is required for inbound traffic and requested for outbound traffic.
-**Netsh**
-
-``` syntax
-netsh advfirewall set store gpo=domain.contoso.com\domain_isolation
-netsh advfirewall consec add rule name=“Basic Domain Isolation Policy” profile=domain endpoint1=”any” endpoint2=”any” action=requireinrequestout auth1=”computerkerb”
-```
-
-Windows PowerShell
+# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
```powershell
-$kerbprop = New-NetIPsecAuthProposal –Machine –Kerberos
-$Phase1AuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Kerberos Auth Phase1" -Proposal $kerbprop –PolicyStore domain.contoso.com\domain_isolation
-New-NetIPsecRule –DisplayName “Basic Domain Isolation Policy” –Profile Domain –Phase1AuthSet $Phase1AuthSet.Name –InboundSecurity Require –OutboundSecurity Request –PolicyStore domain.contoso.com\domain_isolation
+$kerbprop = New-NetIPsecAuthProposal -Machine -Kerberos
+$Phase1AuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Kerberos Auth Phase1" -Proposal $kerbprop -PolicyStore domain.contoso.com\domain_isolation
+New-NetIPsecRule -DisplayName "Basic Domain Isolation Policy" -Profile Domain -Phase1AuthSet $Phase1AuthSet.Name -InboundSecurity Require -OutboundSecurity Request -PolicyStore domain.contoso.com\domain_isolation
```
+# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+``` cmd
+netsh advfirewall set store gpo=domain.contoso.com\domain_isolation
+netsh advfirewall consec add rule name="Basic Domain Isolation Policy" profile=domain endpoint1="any" endpoint2="any" action=requireinrequestout auth1="computerkerb"
+```
+
+---
+
### Configure IPsec tunnel mode
The following command creates an IPsec tunnel that routes traffic from a private network (192.168.0.0/16) through an interface on the local device (1.1.1.1) attached to a public network to a second device through its public interface (2.2.2.2) to another private network (192.157.0.0/16). All traffic through the tunnel is checked for integrity by using ESP/SHA1, and it's encrypted by using ESP/DES3.
-**Netsh**
-
-``` syntax
-netsh advfirewall consec add rule name="Tunnel from 192.168.0.0/16 to 192.157.0.0/16" mode=tunnel endpoint1=192.168.0.0/16 endpoint2=192.157.0.0/16 localtunnelendpoint=1.1.1.1 remotetunnelendpoint=2.2.2.2 action=requireinrequireout qmsecmethods=esp:sha1-3des
-```
-
-Windows PowerShell
+# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
```powershell
$QMProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption DES3
-$QMCryptoSet = New-NetIPsecQuickModeCryptoSet –DisplayName “esp:sha1-des3” -Proposal $QMProposal
-New-NetIPSecRule -DisplayName “Tunnel from HQ to Dallas Branch” -Mode Tunnel -LocalAddress 192.168.0.0/16 -RemoteAddress 192.157.0.0/16 -LocalTunnelEndpoint 1.1.1.1 -RemoteTunnelEndpoint 2.2.2.2 -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet $QMCryptoSet.Name
+$QMCryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName "esp:sha1-des3" -Proposal $QMProposal
+New-NetIPSecRule -DisplayName "Tunnel from HQ to Dallas Branch" -Mode Tunnel -LocalAddress 192.168.0.0/16 -RemoteAddress 192.157.0.0/16 -LocalTunnelEndpoint 1.1.1.1 -RemoteTunnelEndpoint 2.2.2.2 -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet $QMCryptoSet.Name
```
+# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+``` cmd
+netsh advfirewall consec add rule name="Tunnel from 192.168.0.0/16 to 192.157.0.0/16" mode=tunnel endpoint1=192.168.0.0/16 endpoint2=192.157.0.0/16 localtunnelendpoint=1.1.1.1 remotetunnelendpoint=2.2.2.2 action=requireinrequireout qmsecmethods=esp:sha1-3des
+```
+
+---
+
## Deploy secure firewall rules with IPsec
-In situations where only secure traffic can be allowed through the Windows Defender Firewall, a combination of manually configured firewall and IPsec rules are necessary. The firewall rules determine the level of security for allowed packets, and the underlying IPsec rules secure the traffic. The scenarios can be accomplished in Windows PowerShell and in Netsh, with many similarities in deployment.
+In situations where only secure traffic can be allowed through the Windows Firewall, a combination of manually configured firewall and IPsec rules are necessary. The firewall rules determine the level of security for allowed packets, and the underlying IPsec rules secure the traffic. The scenarios can be accomplished in Windows PowerShell and in Netsh, with many similarities in deployment.
### Create a secure firewall rule (allow if secure)
Configuring firewalls rule to allow connections if they're secure requires the corresponding traffic to be authenticated and integrity protected, and then optionally encrypted by IPsec.
-
The following example creates a firewall rule that requires traffic to be authenticated. The command permits inbound Telnet network traffic only if the connection from the remote device is authenticated by using a separate IPsec rule.
-**Netsh**
+# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
-``` syntax
+```powershell
+New-NetFirewallRule -DisplayName "Allow Authenticated Telnet" -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -Authentication Required -Action Allow
+```
+
+# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+``` cmd
netsh advfirewall firewall add rule name="Allow Authenticated Telnet" dir=in program=%SystemRoot%\System32\tlntsvr.exe security=authenticate action=allow
```
-Windows PowerShell
-
-```powershell
-New-NetFirewallRule -DisplayName “Allow Authenticated Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -Authentication Required -Action Allow
-```
+---
The following command creates an IPsec rule that requires a first (computer) authentication and then attempts an optional second (user) authentication. Creating this rule secures and allows the traffic through the firewall rule requirements for the messenger program.
-**Netsh**
-
-``` syntax
-netsh advfirewall consec add rule name="Authenticate Both Computer and User" endpoint1=any endpoint2=any action=requireinrequireout auth1=computerkerb,computerntlm auth2=userkerb,userntlm,anonymous
-```
-
-Windows PowerShell
+# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
```powershell
-$mkerbauthprop = New-NetIPsecAuthProposal -Machine –Kerberos
+$mkerbauthprop = New-NetIPsecAuthProposal -Machine -Kerberos
$mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM
-$P1Auth = New-NetIPsecPhase1AuthSet -DisplayName “Machine Auth” –Proposal $mkerbauthprop,$mntlmauthprop
+$P1Auth = New-NetIPsecPhase1AuthSet -DisplayName "Machine Auth" -Proposal $mkerbauthprop,$mntlmauthprop
$ukerbauthprop = New-NetIPsecAuthProposal -User -Kerberos
$unentlmauthprop = New-NetIPsecAuthProposal -User -NTLM
$anonyauthprop = New-NetIPsecAuthProposal -Anonymous
-$P2Auth = New-NetIPsecPhase2AuthSet -DisplayName “User Auth” -Proposal $ukerbauthprop,$unentlmauthprop,$anonyauthprop
-New-NetIPSecRule -DisplayName “Authenticate Both Computer and User” -InboundSecurity Require -OutboundSecurity Require -Phase1AuthSet $P1Auth.Name –Phase2AuthSet $P2Auth.Name
+$P2Auth = New-NetIPsecPhase2AuthSet -DisplayName "User Auth" -Proposal $ukerbauthprop,$unentlmauthprop,$anonyauthprop
+New-NetIPSecRule -DisplayName "Authenticate Both Computer and User" -InboundSecurity Require -OutboundSecurity Require -Phase1AuthSet $P1Auth.Name -Phase2AuthSet $P2Auth.Name
```
+# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+``` cmd
+netsh advfirewall consec add rule name="Authenticate Both Computer and User" endpoint1=any endpoint2=any action=requireinrequireout auth1=computerkerb,computerntlm auth2=userkerb,userntlm,anonymous
+```
+
+---
+
### Isolate a server by requiring encryption and group membership
To improve the security of the devices in an organization, you can deploy domain isolation in which domain-members are restricted. They require authentication when communicating among each other and reject non-authenticated inbound connections. To improve the security of servers with sensitive data, this data must be protected by allowing access only to a subset of devices within the enterprise domain.
-
IPsec can provide this extra layer of protection by isolating the server. In server isolation, sensitive data access is restricted to users and devices with legitimate business need, and the data is additionally encrypted to prevent eavesdropping.
### Create a firewall rule that requires group membership and encryption
To deploy server isolation, we layer a firewall rule that restricts traffic to authorized users or devices on the IPsec rule that enforces authentication.
-
-The following firewall rule allows Telnet traffic from user accounts that are members of a custom group called “Authorized to Access Server.” This access can additionally be restricted based on the device, user, or both by specifying the restriction parameters.
-
-A Security Descriptor Definition Language (SDDL) string is created by extending a user or group’s security identifier (SID). For more information about finding a group’s SID, see: [Finding the SID for a group account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753463(v=ws.10)#bkmk_FINDSID).
-
-Restricting access to a group allows administrations to extend strong authentication support through Windows Defender Firewall and/or IPsec policies.
-
+The following firewall rule allows Telnet traffic from user accounts that are members of a custom group called "Authorized to Access Server." This access can additionally be restricted based on the device, user, or both by specifying the restriction parameters.
+A Security Descriptor Definition Language (SDDL) string is created by extending a user or group's security identifier (SID). For more information about finding a group's SID, see: [Finding the SID for a group account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753463(v=ws.10)#bkmk_FINDSID).
+Restricting access to a group allows administrations to extend strong authentication support through Windows Firewall and/or IPsec policies.
The following example shows you how to create an SDDL string that represents security groups.
-Windows PowerShell
-
```powershell
-$user = new-object System.Security.Principal.NTAccount (“corp.contoso.com\Administrators”)
+$user = new-object System.Security.Principal.NTAccount ("corp.contoso.com\Administrators")
$SIDofSecureUserGroup = $user.Translate([System.Security.Principal.SecurityIdentifier]).Value
$secureUserGroup = "D:(A;;CC;;;$SIDofSecureUserGroup)"
```
By using the previous scriptlet, you can also get the SDDL string for a secure computer group as shown here:
-Windows PowerShell
-
```powershell
$secureMachineGroup = "D:(A;;CC;;;$SIDofSecureMachineGroup)"
```
For more information about how to create security groups or how to determine the SDDL string, see [Working with SIDs](/previous-versions/windows/it-pro/windows-powershell-1.0/ff730940(v=technet.10)).
-
Telnet is an application that doesn't provide encryption. This application can send data, such as names and passwords, over the network. This data can be intercepted by malicious users. If an administrator would like to allow the use of Telnet, but protect the traffic, a firewall rule that requires IPsec encryption can be created. This firewall rule is necessary so that the administrator can be certain that when this application is used, all of the traffic sent or received by this port is encrypted. If IPsec fails to authorize the connection, no traffic is allowed from this application.
-
In this example, we allow only authenticated and encrypted inbound Telnet traffic from a specified secure user group through the creation of the following firewall rule.
-**Netsh**
-
-``` syntax
-netsh advfirewall set store gpo=domain.contoso.com\Server_Isolation
-netsh advfirewall firewall add rule name=“Allow Encrypted Inbound Telnet to Group Members Only” program=%SystemRoot%\System32\tlntsvr.exe protocol=TCP dir=in action=allow localport=23 security=authenc rmtusrgrp ="D:(A;;CC;;; S-1-5-21-2329867823-2610410949-1491576313-1735)"
-```
-
-Windows PowerShell
+# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
```powershell
-New-NetFirewallRule -DisplayName "Allow Encrypted Inbound Telnet to Group Members Only" -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -Direction Inbound -Action Allow -LocalPort 23 -Authentication Required -Encryption Required –RemoteUser $secureUserGroup –PolicyStore domain.contoso.com\Server_Isolation
+New-NetFirewallRule -DisplayName "Allow Encrypted Inbound Telnet to Group Members Only" -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -Direction Inbound -Action Allow -LocalPort 23 -Authentication Required -Encryption Required -RemoteUser $secureUserGroup -PolicyStore domain.contoso.com\Server_Isolation
```
+# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+``` cmd
+netsh advfirewall set store gpo=domain.contoso.com\Server_Isolation
+netsh advfirewall firewall add rule name="Allow Encrypted Inbound Telnet to Group Members Only" program=%SystemRoot%\System32\tlntsvr.exe protocol=TCP dir=in action=allow localport=23 security=authenc rmtusrgrp ="D:(A;;CC;;; S-1-5-21-2329867823-2610410949-1491576313-1735)"
+```
+
+---
+
### Endpoint security enforcement
The previous example showed end to end security for a particular application. In situations where endpoint security is required for many applications, having a firewall rule per application can be cumbersome and difficult to manage. Authorization can override the per-rule basis and be done at the IPsec layer.
-
In this example, we set the global IPsec setting to only allow transport mode traffic to come from an authorized user group with the following cmdlet. Consult the previous examples for working with security groups.
-Windows PowerShell
-
```powershell
Set-NetFirewallSetting -RemoteMachineTransportAuthorizationList $secureMachineGroup
```
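Review bot: The netsh line in the Server_Isolation tab, `rmtusrgrp ="D:(A;;CC;;; S-1-5-21-2329867823-2610410949-1491576313-1735)"`, carries a space before `=` and a space inside the SDDL after `;;;`, which netsh will reject or mis-parse; the same stray space inside the SDDL appears in the authenticated-bypass netsh example in the next hunk. The intended form is `security=authenc rmtusrgrp="D:(A;;CC;;;S-1-5-21-2329867823-2610410949-1491576313-1735)"`. Separately, the tunnel-mode example is rewritten with its legacy algorithms intact (`-ESPHash SHA1 -Encryption DES3` and `qmsecmethods=esp:sha1-3des`); both SHA1 and 3DES are deprecated for IPsec, so either move the sample to `New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256 -Encryption AES256` and update the prose and the netsh tab to match, or add a sentence stating that the weaker algorithms are shown only for parity with the historical netsh example and should not be used in new deployments.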
@@ -628,59 +553,19 @@ Set-NetFirewallSetting -RemoteMachineTransportAuthorizationList $secureMachineGr
### Create firewall rules that allow IPsec-protected network traffic (authenticated bypass)
Authenticated bypass allows traffic from a specified trusted device or user to override firewall block rules. This override is helpful when an administrator wants to use scanning servers to monitor and update devices without the need to use port-level exceptions. For more information, see [How to enable authenticated firewall bypass](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753463(v=ws.10)).
-
In this example, we assume that a blocking firewall rule exists. This example permits any network traffic on any port from any IP address to override the block rule, if the traffic is authenticated as originating from a device or user account that is a member of the specified device or user security group.
-**Netsh**
+# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
-``` syntax
+```powershell
+New-NetFirewallRule -DisplayName "Inbound Secure Bypass Rule" -Direction Inbound -Authentication Required -OverrideBlockRules $true -RemoteMachine $secureMachineGroup -RemoteUser $secureUserGroup -PolicyStore domain.contoso.com\domain_isolation
+```
+
+# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+``` cmd
netsh advfirewall set store gpo=domain.contoso.com\domain_isolation
netsh advfirewall firewall add rule name="Inbound Secure Bypass Rule" dir=in security=authenticate action="bypass" rmtcomputergrp="D:(A;;CC;;;S-1-5-21-2329867823-2610410949-1491576313-1114)" rmtusrgrp="D:(A;;CC;;; S-1-5-21-2329867823-2610410949-1491576313-1735)"
```
-Windows PowerShell
-
-```powershell
-New-NetFirewallRule –DisplayName “Inbound Secure Bypass Rule" –Direction Inbound –Authentication Required –OverrideBlockRules $true -RemoteMachine $secureMachineGroup –RemoteUser $secureUserGroup –PolicyStore domain.contoso.com\domain_isolation
-```
-
-## Other resources
-
-
-For more information about Windows PowerShell concepts, see the following topics.
-
-- [Windows PowerShell Getting Started Guide](/powershell/scripting/overview)
-
-- [Windows PowerShell User Guide](/powershell/scripting/overview)
-
-- [Windows PowerShell About Help Topics](https://go.microsoft.com/fwlink/p/?linkid=113206)
-
-- [about\_Functions](/powershell/module/microsoft.powershell.core/about/about_functions)
-
-- [about\_Functions\_Advanced](/powershell/module/microsoft.powershell.core/about/about_functions_advanced)
-
-- [about\_Execution\_Policies](/powershell/module/microsoft.powershell.core/about/about_execution_policies)
-
-- [about\_Foreach](/powershell/module/microsoft.powershell.core/about/about_foreach)
-
-- [about\_Objects](/powershell/module/microsoft.powershell.core/about/about_objects)
-
-- [about\_Properties](/powershell/module/microsoft.powershell.core/about/about_properties)
-
-- [about\_While](/powershell/module/microsoft.powershell.core/about/about_while)
-
-- [about\_Scripts](/powershell/module/microsoft.powershell.core/about/about_scripts)
-
-- [about\_Signing](/powershell/module/microsoft.powershell.core/about/about_signing)
-
-- [about\_Throw](/powershell/module/microsoft.powershell.core/about/about_throw)
-
-- [about\_PSSessions](/powershell/module/microsoft.powershell.core/about/about_pssessions)
-
-- [about\_Modules](/powershell/module/microsoft.powershell.core/about/about_modules)
-
-- [about\_Command\_Precedence](/powershell/module/microsoft.powershell.core/about/about_command_precedence)
-
-
-
-
\ No newline at end of file
+---
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure.md b/windows/security/operating-system-security/network-security/windows-firewall/configure.md
new file mode 100644
index 0000000000..8d1b33190c
--- /dev/null
+++ b/windows/security/operating-system-security/network-security/windows-firewall/configure.md
@@ -0,0 +1,178 @@
+---
+title: Configure firewall rules with group policy
+description: Learn how to configure firewall rules using group policy with the Windows Firewall with Advanced Security console.
+ms.topic: how-to
+ms.date: 11/21/2023
+---
+
+# Configure rules with group policy
+
+This article contains examples how to configure Windows Firewall rules using the *Windows Firewall with Advanced Security* console.
+
+## Access the Windows Firewall with Advanced Security console
+
+If you're configuring devices joined to an Active Directory domain, to complete these procedures you must be a member of the Domain Administrators group, or otherwise have delegated permissions to modify the GPOs in the domain. To access the *Windows Firewall with Advanced Security* console, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and expand the nodes **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security**.
+
+If you are configuring a single device, you must have administrative rights on the device. In which case, to access the *Windows Firewall with Advanced Security* console, select START, type `wf.msc`, and press ENTER.
+
+## Create an inbound ICMP rule
+
+This type of rule allows ICMP requests and responses to be received by devices on the network. To create an inbound ICMP rule:
+
+1. Open the *Windows Firewall with Advanced Security* console
+1. In the navigation pane, select **Inbound Rules**
+1. Select **Action**, and then select **New rule**
+1. On the **Rule Type** page of the New Inbound Rule Wizard, select **Custom**, and then select **Next**
+1. On the **Program** page, select **All programs**, and then select **Next**
+1. On the **Protocol and Ports** page, select **ICMPv4** or **ICMPv6** from the **Protocol type** list. If you use both IPv4 and IPv6 on your network, you must create a separate ICMP rule for each
+1. Select **Customize**
+1. In the **Customize ICMP Settings** dialog box, do one of the following:
+ - To allow all ICMP network traffic, select **All ICMP types**, and then select **OK**
+ - To select one of the predefined ICMP types, select **Specific ICMP types**, and then select each type in the list that you want to allow. Select **OK**
+ - To select an ICMP type that does not appear in the list, select **Specific ICMP types**, select the **Type** number from the list, select the **Code** number from the list, select **Add**, and then select the newly created entry from the list. Select **OK**
+1. Select **Next**
+1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select **Next**
+1. On the **Action** page, select **Allow the connection**, and then select **Next**
+1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next**
+1. On the **Name** page, type a name and description for your rule, and then select **Finish**
+
+## Create an inbound port rule
+
+This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. To create an inbound port rule:
+
+1. Open the *Windows Firewall with Advanced Security* console
+1. In the navigation pane, select **Inbound Rules**
+1. Select **Action**, and then select **New rule**
+1. On the **Rule Type** page of the New Inbound Rule Wizard, select **Custom**, and then select **Next**
+ > [!NOTE]
+ > Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
+1. On the **Program** page, select **All programs**, and then select **Next**
+ > [!NOTE]
+ > This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](#create-an-inbound-program-or-service-rule) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria.
+1. On the **Protocol and Ports** page, select the protocol type that you want to allow. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an incoming rule, you typically configure only the local port number
+ If you select another protocol, then only packets whose protocol field in the IP header match this rule are permitted through the firewall.\
+ To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box.\
+ When you have configured the protocols and ports, select **Next**.
+1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select **Next**
+1. On the **Action** page, select **Allow the connection**, and then select **Next**
+1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next**
+ > [!NOTE]
+ > If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card's cable. A disconnected network card is automatically assigned to the Public network location type.
+1. On the **Name** page, type a name and description for your rule, and then select **Finish**
+
+## Create an outbound port rule
+
+By default, Windows Firewall allows all outbound network traffic, unless it matches a rule that prohibits the traffic. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. To create an outbound port rule:
+
+1. Open the *Windows Firewall with Advanced Security* console
+1. In the navigation pane, select **Outbound Rules**
+1. Select **Action**, and then select **New rule**
+1. On the **Rule Type** page of the New Outbound Rule wizard, select **Custom**, and then select **Next**
+ > [!NOTE]
+ > Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
+1. On the **Program** page, select **All programs**, and then select **Next**
+1. On the **Protocol and Ports** page, select the protocol type that you want to block. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this rule is an outbound rule, you typically configure only the remote port number
+ If you select another protocol, then only packets whose protocol field in the IP header matches this rule are blocked by Windows Defender Firewall. Network traffic for protocols is allowed as long as other rules that match don't block it. To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box. When you've configured the protocols and ports, select **Next**
+1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select **Next**
+1. On the **Action** page, select **Block the connection**, and then select **Next**
+1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next**
+1. On the **Name** page, type a name and description for your rule, and then select **Finish**
+
+## Create an inbound program or service rule
+
+This type of rule allows the program to listen and receive inbound network traffic on any port.
+
+> [!NOTE]
+> This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule](#create-an-inbound-port-rule) procedure in addition to the steps in this procedure.
+
+To create an inbound firewall rule for a program or service:
+
+1. Open the *Windows Firewall with Advanced Security* console
+1. In the navigation pane, select **Inbound Rules**
+1. Select **Action**, and then select **New rule**
+1. On the **Rule Type** page of the New Inbound Rule Wizard, select **Custom**, and then select **Next**
+ > [!NOTE]
+ > Information the user should notice even if skimmingAlthough you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
+1. On the **Program** page, select **This program path**
+1. Type the path to the program in the text box. Use environment variables, where applicable, to ensure that programs installed in different locations on different computers work correctly.
+1. Do one of the following:
+ - If the executable file contains a single program, select **Next**
+ - If the executable file is a container for multiple services that must all be allowed to receive inbound network traffic, select **Customize**, select **Apply to services only**, select **OK**, and then select **Next**
+ - If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, select **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, select **Apply to service with this service short name**, and then type the short name for the service in the text box. Select **OK**, and then select **Next**
+
+ > [!IMPORTANT]
+ > To use the **Apply to this service** or **Apply to service with this service short name** options, the service must be configured with a security identifier (SID) with a type of **RESTRICTED** or **UNRESTRICTED**. To check the SID type of a service, run the following command: `sc qsidtype
This setting is detailed with the [Set-NetFirewallHyperVVMSetting][PS-2] cmdlet. |
+| `LoopbackEnabled` | Tracks if loopback traffic between the host and the container is allowed, without requiring any Hyper-V Firewall rules. WSL enables it by default, to allow the Windows Host to talk to WSL, and WSL to talk to the Windows Host.|
+| `AllowHostPolicyMerge` | Determines how Windows Host Firewall Enterprise Settings (GPO), Hyper-V Firewall Enterprise Settings (CSP), Windows Host Firewall Enterprise Settings (CSP), local Hyper-V Firewall settings, and local Host Firewall settings interact.
This setting is detailed with the [Set-NetFirewallHyperVVMSetting][PS-2] cmdlet.|
### Configure Hyper-V firewall settings
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/operating-system-security/network-security/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
deleted file mode 100644
index c36d7effdf..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
+++ /dev/null
@@ -1,24 +0,0 @@
----
-title: Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment
-description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) implementation goals
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Identifying Windows Defender Firewall with Advanced Security implementation goals
-
-Correctly identifying your Windows Defender Firewall with Advanced Security implementation goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your implementation goals. Prioritize and, if possible, combine your implementation goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall implementation goals presented in this guide that are relevant to your scenarios.
-
-The following table lists the three main tasks for articulating, refining, and later documenting your Windows Defender Firewall implementation goals:
-
-
-| Deployment goal tasks | Reference links |
-|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Evaluate predefined Windows Defender Firewall with Advanced Security implementation goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives. | Predefined implementation goals:
|
-| Map one goal or a combination of the predefined implementation goals to an existing Windows Defender Firewall with Advanced Security design. |
|
-| Based on the status of your current infrastructure, document your implementation goals for your Windows Defender Firewall with Advanced Security design into a deployment plan. |
|
-
-
-
-**Next:** [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/cmd.svg b/windows/security/operating-system-security/network-security/windows-firewall/images/cmd.svg
new file mode 100644
index 0000000000..0cddf31701
--- /dev/null
+++ b/windows/security/operating-system-security/network-security/windows-firewall/images/cmd.svg
@@ -0,0 +1,9 @@
+
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/control-panel.png b/windows/security/operating-system-security/network-security/windows-firewall/images/control-panel.png
new file mode 100644
index 0000000000..63a4c5b13b
Binary files /dev/null and b/windows/security/operating-system-security/network-security/windows-firewall/images/control-panel.png differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/corpnet.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/corpnet.gif
deleted file mode 100644
index f76182ee25..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/corpnet.gif and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/domain-network.svg b/windows/security/operating-system-security/network-security/windows-firewall/images/domain-network.svg
new file mode 100644
index 0000000000..913bf739dd
--- /dev/null
+++ b/windows/security/operating-system-security/network-security/windows-firewall/images/domain-network.svg
@@ -0,0 +1,3 @@
+
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/feedback.svg b/windows/security/operating-system-security/network-security/windows-firewall/images/feedback.svg
new file mode 100644
index 0000000000..2ecd143695
--- /dev/null
+++ b/windows/security/operating-system-security/network-security/windows-firewall/images/feedback.svg
@@ -0,0 +1,3 @@
+
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/fw01-profiles.png b/windows/security/operating-system-security/network-security/windows-firewall/images/fw01-profiles.png
deleted file mode 100644
index c1aa416fdf..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/fw01-profiles.png and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/fw02-createrule.png b/windows/security/operating-system-security/network-security/windows-firewall/images/fw02-createrule.png
deleted file mode 100644
index 5c8f858f52..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/fw02-createrule.png and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/fw03-defaults.png b/windows/security/operating-system-security/network-security/windows-firewall/images/fw03-defaults.png
deleted file mode 100644
index cfc1daea37..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/fw03-defaults.png and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/fw04-userquery.png b/windows/security/operating-system-security/network-security/windows-firewall/images/fw04-userquery.png
deleted file mode 100644
index 85f7485479..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/fw04-userquery.png and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/fw05-rulemerge.png b/windows/security/operating-system-security/network-security/windows-firewall/images/fw05-rulemerge.png
deleted file mode 100644
index 74c49fab7b..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/fw05-rulemerge.png and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/grouppolicy-paste.png b/windows/security/operating-system-security/network-security/windows-firewall/images/grouppolicy-paste.png
deleted file mode 100644
index ba2de148f1..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/grouppolicy-paste.png and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/powershell.svg b/windows/security/operating-system-security/network-security/windows-firewall/images/powershell.svg
new file mode 100644
index 0000000000..f70257047f
--- /dev/null
+++ b/windows/security/operating-system-security/network-security/windows-firewall/images/powershell.svg
@@ -0,0 +1,9 @@
+
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/powershelllogosmall.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/powershelllogosmall.gif
deleted file mode 100644
index a27d8b9d9e..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/powershelllogosmall.gif and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/private-network.svg b/windows/security/operating-system-security/network-security/windows-firewall/images/private-network.svg
new file mode 100644
index 0000000000..93648081fa
--- /dev/null
+++ b/windows/security/operating-system-security/network-security/windows-firewall/images/private-network.svg
@@ -0,0 +1,3 @@
+
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/public-network.svg b/windows/security/operating-system-security/network-security/windows-firewall/images/public-network.svg
new file mode 100644
index 0000000000..4206f50489
--- /dev/null
+++ b/windows/security/operating-system-security/network-security/windows-firewall/images/public-network.svg
@@ -0,0 +1,3 @@
+
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/quarantine-default-block-filter.png b/windows/security/operating-system-security/network-security/windows-firewall/images/quarantine-default-block-filter.png
deleted file mode 100644
index e57ad13f93..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/quarantine-default-block-filter.png and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/quarantine-interfaceindex1.png b/windows/security/operating-system-security/network-security/windows-firewall/images/quarantine-interfaceindex1.png
deleted file mode 100644
index d6679e1e0e..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/quarantine-interfaceindex1.png and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/query-user-default-block-filters.png b/windows/security/operating-system-security/network-security/windows-firewall/images/query-user-default-block-filters.png
deleted file mode 100644
index ca61aae7e2..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/query-user-default-block-filters.png and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/uac.png b/windows/security/operating-system-security/network-security/windows-firewall/images/uac.png
new file mode 100644
index 0000000000..e32ca05ca8
Binary files /dev/null and b/windows/security/operating-system-security/network-security/windows-firewall/images/uac.png differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-design2example1.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-design2example1.gif
deleted file mode 100644
index 3d44049fa2..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-design2example1.gif and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-design3example1.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-design3example1.gif
deleted file mode 100644
index cd11758ff4..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-design3example1.gif and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-designexample1.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-designexample1.gif
deleted file mode 100644
index f2f730c70f..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-designexample1.gif and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-designflowchart1.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-designflowchart1.gif
deleted file mode 100644
index 369d0de563..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-designflowchart1.gif and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainiso.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainiso.gif
deleted file mode 100644
index dd3040653f..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainiso.gif and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainisoencrypt.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainisoencrypt.gif
deleted file mode 100644
index 3ba2beae45..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainisoencrypt.gif and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainisohighsec.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainisohighsec.gif
deleted file mode 100644
index 49fae4ab6b..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainisohighsec.gif and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainnag.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainnag.gif
deleted file mode 100644
index 9e35fbc193..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainnag.gif and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-implement.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-implement.gif
deleted file mode 100644
index 5a90b2fb97..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-implement.gif and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas.png b/windows/security/operating-system-security/network-security/windows-firewall/images/wfas.png
new file mode 100644
index 0000000000..f1ff86b5ad
Binary files /dev/null and b/windows/security/operating-system-security/network-security/windows-firewall/images/wfas.png differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/wfasdomainisoboundary.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/wfasdomainisoboundary.gif
deleted file mode 100644
index 3c4c855649..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/wfasdomainisoboundary.gif and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/windows-firewall-intune.png b/windows/security/operating-system-security/network-security/windows-firewall/images/windows-firewall-intune.png
deleted file mode 100644
index bda6e08768..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/windows-firewall-intune.png and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/windows-security.png b/windows/security/operating-system-security/network-security/windows-firewall/images/windows-security.png
new file mode 100644
index 0000000000..7270e7e4e7
Binary files /dev/null and b/windows/security/operating-system-security/network-security/windows-firewall/images/windows-security.png differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/operating-system-security/network-security/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
deleted file mode 100644
index 8f0342581b..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan
-description: Implementing Your Windows Defender Firewall with Advanced Security Design Plan
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Implementing Your Windows Defender Firewall with Advanced Security Design Plan
-
-
-The following are important factors in the implementation of your Windows Defender Firewall design plan:
-
-- **Group Policy**. The Windows Defender Firewall with Advanced Security designs make extensive use of Group Policy deployed by Active Directory Domain Services (AD DS). A sound Group Policy infrastructure is required to successfully deploy the firewall and IPsec settings and rules to the devices on your network.
-
-- **Perimeter firewall**. Most organizations use a perimeter firewall to help protect the devices on the network from potentially malicious network traffic from outside of the organization's network boundaries. If you plan a deployment that includes a boundary zone to enable external devices to connect to devices in that zone, then you must allow that traffic through the perimeter firewall to the devices in the boundary zone.
-
-- **Devices running operating systems other than Windows**. If your network includes devices that aren't running the Windows operating system, then you must make sure that required communication with those devices isn't blocked by the restrictions put in place by your design. You must implement one of the following steps:
-
- - Include those devices in the isolated domain or zone by adding certificate-based authentication to your design. Many other operating systems can participate in an isolated domain or isolated server scenario, as long as certificate-based authentication is used.
-
- - Include the device in the authentication exemption list included in your design. You can choose this option if for any reason the device can't participate in the isolated domain design.
-
-## How to implement your Windows Defender Firewall with Advanced Security design using this guide
-
-
-The next step in implementing your design is to determine in what order each of the deployment steps must be performed. This guide uses checklists to help you accomplish the various deployment tasks that are required to implement your design plan. As the following diagram shows, checklists and subchecklists are used as necessary to provide the end-to-end procedure for deploying a design.
-
-
-
-Use the following parent checklists in this section of the guide to become familiar with the deployment tasks for implementing your organization's Windows Defender Firewall with Advanced Security design.
-
-- [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md)
-
-- [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md)
-
-- [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md)
-
-- [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md)
-
-The procedures in these checklists use the Group Policy MMC snap-in interfaces to configure firewall and connection security rules in GPOs, but you can also use Windows PowerShell. For more information, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). This guide recommends using GPOs in a specific way to deploy the rules and settings for your design. For information about deploying your GPOs, see [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) and the checklist [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md).
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/index.md b/windows/security/operating-system-security/network-security/windows-firewall/index.md
new file mode 100644
index 0000000000..856de36d53
--- /dev/null
+++ b/windows/security/operating-system-security/network-security/windows-firewall/index.md
@@ -0,0 +1,91 @@
+---
+title: Windows Firewall overview
+description: Learn overview information about the Windows Firewall security feature.
+ms.topic: overview
+ms.date: 11/21/2023
+---
+
+# Windows Firewall overview
+
+Windows Firewall is a security feature that helps to protect your device by filtering network traffic that enters and exits your device. This traffic can be filtered based on several criteria, including source and destination IP address, IP protocol, or source and destination port number. Windows Firewall can be configured to block or allow network traffic based on the services and applications that are installed on your device. This allows you to restrict network traffic to only those applications and services that are explicitly allowed to communicate on the network.
+
+Windows Firewall is a host-based firewall that is included with the operating system and enabled by default on all Windows editions.
+
+Windows Firewall supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that can't be authenticated as a *trusted device* can't communicate with your device. You can use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user.
+
+:::row:::
+ :::column span="2":::
+ Windows Firewall also works with [Network Location Awareness][NLA] so that it can apply security settings appropriate to the types of networks to which the device is connected. For example, Windows Firewall can apply the *public network* profile when the device is connected a coffee shop wi-fi, and the *private network* profile when the device is connected to the home network. This allows you to apply more restrictive settings to public networks to help keep your device secure.
+
+ :::column-end:::
+ :::column span="2":::
+ :::image type="content" source="images/windows-security.png" alt-text="Screenshot showing the Windows Security app." lightbox="images/windows-security.png" border="false":::
+ :::column-end:::
+:::row-end:::
+
+## Practical applications
+
+Windows Firewall offers several benefits to address your organization's network security challenges:
+
+- Reduced risk of network security threats: By reducing the attack surface of a device, Windows Firewall provides an additional layer of defense to the defense-in-depth model. This increases manageability and decreases the likelihood of a successful attack
+- Protection of sensitive data and intellectual property: Windows Firewall integrates with IPsec to provide a simple way to enforce authenticated, end-to-end network communications. This allows for scalable, tiered access to trusted network resources, helping to enforce data integrity and, if necessary, protect data confidentiality
+- Extended value of existing investments: Windows Firewall is a host-based firewall included with the operating system, so no additional hardware or software is required. It's also designed to complement existing non-Microsoft network security solutions through a documented API
+
+[!INCLUDE [windows-firewall](../../../../../includes/licensing/windows-firewall.md)]
+
+## Concepts
+
+The default behavior of Windows Firewall is to:
+
+- block all incoming traffic, unless solicited or matching a *rule*
+- allow all outgoing traffic, unless matching a *rule*
+
+### Firewall rules
+
+*Firewall rules* identify allowed or blocked network traffic, and the conditions for this to happen. The rules offer an extensive selection of conditions to identify traffic, including:
+
+- Application, service or program name
+- Source and destination IP addresses
+- Can make use dynamic values, like default gateway, DHCP servers, DNS servers and local subnets
+- Protocol name or type. For transport layer protocols, TCP and UDP, you can specify ports or port ranges. For custom protocols, you can use a number between 0 and 255 representing the IP protocol
+- Interface type
+- ICMP/ICMPv6 traffic type and code
+
+### Firewall profiles
+
+Windows Firewall offers three network profiles: domain, private and public. The network profiles are used to assign rules. For example, you can allow a specific application to communicate on a private network, but not on a public network.
+
+#### :::image type="icon" source="images/domain-network.svg" border="false"::: Domain network
+
+The *domain network* profile is automatically applied to a device that is joined to an Active Directory domain, when it detects the availability of a domain controller. This network profile cannot be set manually.
+
+> [!TIP]
+> Another option to detect the *domain network* is to configure the policy settings in the [NetworkListManager Policy CSP][CSP-1], which applies to Microsoft Entra joined devices too.
+
+#### :::image type="icon" source="images/private-network.svg" border="false"::: Private network
+
+The *private network* profile is designed for private networks such as a home network. It can be set manually on a network interface by an administrator.
+
+#### :::image type="icon" source="images/public-network.svg" border="false"::: Public network
+
+The *public network* profile is designed with higher security in mind for public networks, like Wi-Fi hotspots, coffee shops, airports, hotels, etc. It's the default profile for unidentified networks.
+
+> [!TIP]
+> Use the PowerShell cmdlet `Get-NetConnectionProfile` to retrieve the active network category (`NetworkCategory`). Use the PowerShell cmdlet `Set-NetConnectionProfile` to switch the category between *private* and *public*.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> Learn about Windows Firewall rules and design recommendations:
+>
+> [Windows Firewall rules >](rules.md)
+
+## :::image type="icon" source="images/feedback.svg" border="false"::: Provide feedback
+
+To provide feedback for Windows Firewall, open [**Feedback Hub**][FHUB] (WIN+F) and use the category **Security and Privacy** > **Network protection**.
+
+
+
+[FHUB]: feedback-hub:?tabid=2&newFeedback=true
+[NLA]: /windows/win32/winsock/network-location-awareness-service-provider-nla--2
+[CSP-1]: /windows/client-management/mdm/policy-csp-networklistmanager
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/isolated-domain-gpos.md b/windows/security/operating-system-security/network-security/windows-firewall/isolated-domain-gpos.md
deleted file mode 100644
index bc7273b8b5..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/isolated-domain-gpos.md
+++ /dev/null
@@ -1,20 +0,0 @@
----
-title: Isolated Domain GPOs
-description: Learn about GPOs for isolated domains in this example configuration of Windows Defender Firewall with Advanced Security.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Isolated Domain GPOs
-
-
-All of the devices in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section.
-
-Each GPO has a security group filter that prevents the GPO from applying to members of the group GP\_DOMISO\_No\_IPsec. A WMI filter is attached to each GPO to ensure that the GPO is applied to only the specified version of Windows. For more information, see the [Planning GPO Deployment](planning-gpo-deployment.md) section.
-
-The GPOs created for the Woodgrove Bank isolated domain include:
-
-- [GPO\_DOMISO\_IsolatedDomain\_Clients](gpo-domiso-isolateddomain-clients.md)
-
-- [GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/isolated-domain.md b/windows/security/operating-system-security/network-security/windows-firewall/isolated-domain.md
deleted file mode 100644
index 9925b88452..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/isolated-domain.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: Isolated Domain
-description: Learn about the isolated domain, which is the primary zone for trusted devices, which use connection security and firewall rules to control communication.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Isolated Domain
-
-**Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
-The isolated domain is the primary zone for trusted devices. The devices in this zone use connection security and firewall rules to control the communications that can be sent between devices in the zone.
-
-The term *domain* in this context means a boundary of communications trust instead of an Active Directory domain. In this solution, the two constructs are similar because Active Directory domain authentication (Kerberos V5) is required for accepting inbound connections from trusted devices. However, many Active Directory domains (or forests) can be linked with trust relationships to provide a single, logical, isolated domain. In addition, devices that authenticate by using certificates can also be included in an isolated domain without joining the Active Directory domain.
-
-For most implementations, an isolated domain will contain the largest number of devices. Other isolation zones can be created for the solution if their communication requirements differ from those requirements of the isolated domain. Examples of these differences are what result in the boundary and encryption zones described in this guide. Conceptually, the isolated domain is just the largest isolation zone, and a superset to the other zones.
-
-You must create a group in Active Directory to contain members of the isolated domain. You then apply one of several GPOs that contain connection security and firewall rules to the group so that authentication on all inbound network connections is enforced. Creation of the group and how to link the GPOs that apply the rules to its members are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
-
-The GPOs for the isolated domain should contain the following connection security rules and settings.
-
-## GPO settings for isolated domain members running at least Windows Vista and Windows Server 2008
-
-
-GPOs for devices running at least Windows Vista and Windows Server 2008 should include:
-
-- IPsec default settings that specify the following options:
-
- 1. Exempt all ICMP traffic from IPsec.
-
- 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems.
-
- 3. Data protection (quick mode) algorithm combinations. We recommend that you don't include DES, or MD5 in any setting. They're included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.
-
- If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies.
-
- 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers, then also include user-based Kerberos V5 as an optional authentication method. Likewise, if any of your isolated domain members can't use Kerberos V5 authentication, then include certificate-based authentication as an optional authentication method.
-
-- The following connection security rules:
-
- - A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, where possible, instead of discrete addresses, if applicable in your environment.
-
- - A connection security rule, from any IP address to any, that requires inbound and requests outbound authentication by using Kerberos V5 authentication.
-
- >**Important:** Be sure to begin operations by using request in and request out behavior until you are sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the policy to require in, request out.
-
-- A registry policy that includes the following values:
-
- - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**.
-
- >**Note:** For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).
-
-**Next:** [Boundary Zone](boundary-zone.md)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/isolating-apps-on-your-network.md b/windows/security/operating-system-security/network-security/windows-firewall/isolating-apps-on-your-network.md
deleted file mode 100644
index 225ddf3542..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/isolating-apps-on-your-network.md
+++ /dev/null
@@ -1,244 +0,0 @@
----
-title: Isolating Microsoft Store Apps on Your Network
-description: Learn how to customize your firewall configuration to isolate the network access of the new Microsoft Store apps that run on devices added to your network.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Isolating Microsoft Store Apps on Your Network
-
-
-When you add new devices to your network, you may want to customize your Windows Defender Firewall with Advanced Security configuration to isolate the network access of the new Microsoft Store apps that run on them. Developers who build Microsoft Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app.
-
-For example, a developer can decide that their app should only connect to trusted local networks (such as at home or work), and not to the Internet. In this way, developers can define the scope of network access for their app. This network isolation prevents an app from accessing a network and a connection type (inbound or outbound) if the connection has not been configured for the app. Then the network administrator can customize the firewall to further restrict the resources that the app can access.
-
-The ability to set and enforce these network boundaries ensures that apps that get compromised can only access networks where they have been explicitly granted access. This significantly reduces the scope of their impact on other apps, the device, and the network. In addition, apps can be isolated and protected from malicious access from the network.
-
-When creating new Microsoft Store apps, a developer can define the following network capabilities for their app:
-
-- **Home\\Work Networking**
-
- Provides inbound and outbound access to intranet networks that the user has designated as a home or a work network, or if the network has an authenticated domain controller.
-
-- **Internet (Client)**
-
- Provides outbound access to the Internet and untrusted networks, such as airports and coffee shops (for example, intranet networks where the user has designated the network as Public). Most apps that require Internet access should use this capability.
-
-- **Internet (Client and Server)**
-
- Provides inbound and outbound access to the Internet and untrusted networks, such as airports and coffee shops. This capability is a superset of the **Internet (Client)** capability, and **Internet (Client)** does not need to be enabled if this capability is enabled.
-
-- **Proximity**
-
- Provides near-field communication (NFC) with devices that are in close proximity to the device. Proximity may be used to send files or connect with an application on a proximate device.
-
-**In this topic**
-
-To isolate Microsoft Store apps on your network, you need to use Group Policy to define your network isolation settings and create custom Microsoft Store app firewall rules.
-
-- [Prerequisites](#prerequisites)
-
-- [Step 1: Define your network](#step-1-define-your-network)
-
-- [Step 2: Create custom firewall rules](#step-2-create-custom-firewall-rules)
-
-## Prerequisites
-
-- A domain controller is installed on your network, and your devices are joined to the Windows domain.
-
-- Your Microsoft Store app is installed on the client device.
-
-- The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Microsoft Store app when you create Windows Defender Firewall rules.
-
- >**Note:** You can install the RSAT on your device running Windows from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
-
-
-## Step 1: Define your network
-
-The **Home\\Work Networking** capability enables access to intranet resources. Administrators can use Group Policy settings to define the scope of the intranet. This ensures that Microsoft Store apps can access intranet resources appropriately.
-
-A network endpoint is considered part of the **Home\\Work Network** if:
-
-- It is part of the local subnet of a trusted network.
-
- For example, home users generally flag their network as Trusted. Local devices will be designated as such.
-
-- A device is on a network, and it is authenticated to a domain controller.
-
- - Endpoints within the intranet address space are considered private.
-
- - Endpoints within the local subnet are considered private.
-
-- The device is configured for DirectAccess, and the endpoint is part of the intranet address space.
-
-The intranet address space is composed of configured Active Directory sites and subnets, and it is configured for Windows network isolation specifically by using Group Policy. You can disable the usage of Active Directory sites and subnets by using Group Policy by declaring that your subnet definitions are authoritative.
-
-Any proxies that you configure or that are automatically configured with proxy autoconfiguration (by using Web Proxy Auto-Discovery (WPAD) protocol) are exempt from the intranet zone. You can add proxy addresses by using Group Policy.
-
-All other endpoints that do not meet the previously stated criteria are considered endpoints on the Internet.
-
-**To configure a GPO that defines your intranet address space**
-
-1. Open the Group Policy Management snap-in (gpmc.msc), right click on the Group Policy you want to use to define your address space, and select **Edit**.
-
-2. From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Administrative Templates**, expand **Network**, and click **Network Isolation**.
-
-3. In the right pane, double-click **Private network ranges for apps**.
-
-4. In the **Private network ranges for apps** dialog box, click **Enabled**. In the **Private subnets** text box, type the private subnets for your intranet, separated by commas if necessary.
-
- For example, if the Contoso intranet is defined as 10.0.0.0 with a subnet mask of 255.255.255.0, you would type 10.0.0.0/24 in the **Private subnets** text box.
-
-5. Double-click **Subnet definitions are authoritative**.
-
- If you want the subnet definitions that you previously created to be the single source for your subnet definition, click **Enabled**. Otherwise, leave the **Not Configured** default so that you can add additional subnets by using local settings or network isolation heuristics.
-
-**To configure the proxy addresses for the intranet and Internet**
-
-1. Double-click **Internet proxy servers for apps**. Click **Enabled**, and then in the **Domain Proxies** text box, type the IP addresses of your Internet proxy servers, separated by semicolons.
-
-2. Double-click **Intranet proxy servers for apps**. Click **Enabled**, and then in the IP address text box, type the IP addresses of your intranet proxy servers, separated by semicolons.
-
-3. Double-click **Proxy definitions are authoritative**.
-
- If you want the proxy definitions that you previously created to be the single source for your proxy definition, click **Enabled**. Otherwise, leave the **Not Configured** default so that you can add additional proxies by using local settings or network isolation heuristics.
-
-## Step 2: Create custom firewall rules
-
-Microsoft Store apps can declare many capabilities in addition to the network capabilities discussed previously. For example, apps can declare capabilities to access user identity, the local file system, and certain hardware devices.
-
-The following table provides a complete list of the possible app capabilities.
-
-| Capability | Name | Description |
-| - | - | - |
-| **Internet (Client)** | internetClient | Your outgoing Internet connection.|
-| **Internet (Client & Server)** | internetClientServer| Your Internet connection, including incoming unsolicited connections from the Internet The app can send information to or from your device through a firewall. You do not need to declare **internetClient** if this capability is declared.
-| **Home\Work Networking** |privateNetworkClientServer| A home or work network. The app can send information to or from your device and other devices on the same network.|
-| **Document Library Access**| documentsLibrary| Your Documents library, including the capability to add, change, or delete files. The package can only access file types that are declared in the manifest.|
-| **Picture Library Access**| picturesLibrary| Your Pictures library, including the capability to add, change, or delete files.|
-| **Video Library Access**| videosLibrary| Your Videos library, including the capability to add, change, or delete files.|
-| **Music Library Access**| musicLibrary|Your Music library, including the capability to add, change, or delete files.|
-| **Default Windows Credentials**| defaultWindowsCredentials| Your Windows credentials for access to a corporate intranet. This application can impersonate you on the network.|
-| **Removable Storage** | removableStorage| A removable storage device, such as an external hard disk, USB flash drive, or MTP portable device, including the capability to add, change, or delete specific files. This package can only access file types that are declared in the manifest.|
-| **Shared User Certificates**| sharedUserCertificates| Software and hardware certificates or a smart card, which the app uses to identify you. This capability can be used by an employer, a bank, or government services to identify you.|
-| **Location**| location| Provides access to the user's current location.|
-| **Microphone** | microphone| Provides access to the microphone's audio feed.|
-| **Near-field Proximity** | proximity| Required for near-field communication (NFC) between devices in close proximity. NFC can be used to send files or connect with an app on a proximate device.|
-| **Text Messaging** | sms| Provides access to text messaging functionality.|
-| **Webcam** | webcam| Provides access to the webcam's video feed.|
-| **Other devices (represented by GUIDs)** | <GUID>| Includes specialized devices and Windows Portable Devices.|
-
-You can create a Windows Defender Firewall policy that is scoped to a set of apps that use a specified capability or scoped to a specific Microsoft Store app.
-
-For example, you could create a Windows Defender Firewall policy to block Internet access for any apps on your network that have the Documents Library capability.
-
-**To block Internet access for any apps on your network that have the Documents Library capability**
-
-1. Open the Group Policy Management snap-in (gpmc.msc).
-
-2. In the left pane, right-click your domain name and click **Create a GPO in this domain, and link it here**.
-
-3. Type a name for the GPO in the **Name** text box, and then click **OK**.
-
-4. Right-click the new GPO, and then click **Edit**.
-
-5. In the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Defender Firewall with Advanced Security**, and click **Windows Defender Firewall – LDAP://…**
-
-6. Right-click **Outbound Rules**, and then click **New Rule**.
-
-7. Click **Custom**, and then click **Next**.
-
-8. Click **Next** on the **Program** page, the **Protocols and Ports** page, and the **Scope** page.
-
-9. On the **Action** page, ensure that **Block the Connection** is selected, and then click **Next**.
-
-10. On the **Profile** page, click **Next**.
-
-11. On the **Name** page, type a name for your rule, and then click **Finish**.
-
-12. In the right pane, right-click your new rule and click **Properties**.
-
-13. Click the **Local Principals** tab, select the **Only allow connections from these users** check box, and then click **Add**.
-
-14. Click **Application Package Properties**, and then click **OK**.
-
-15. In the **Choose Capabilities** dialog box, click **APPLICATION PACKAGE AUTHORITY\\Your documents library**, and then click **OK**.
-
-16. Click the **Scope** tab under **Remote IP addresses**, and then click **Add**.
-
-17. Click **Predefined set of computers**, select **Internet**, and click **OK**.
-
- This scopes the rule to block traffic to Internet devices.
-
-18. Click the **Programs and Services** tab, and in the **Application Packages** area, click **Settings**.
-
-19. Click **Apply to application packages only**, and then click **OK**.
-
- >**Important:** You must do this to ensure that the rule applies only to Microsoft Store apps and not to other apps. Desktop apps declare all capabilities by default, and this rule would apply to them if you do not configure it this way.
-
-20. Click **OK** to close the **Properties** dialog box.
-
-21. Close the Group Policy Management Editor.
-
-22. In the Group Policy Management snap-in, ensure that your new GPO is selected, and in the right pane under **Security Filtering**, select **Authenticated Users**. Click **Remove**, and then click **OK**.
-
-23. Under **Security Filtering**, click **Add**.
-
-24. Type **domain computers** in the text box, and then click **OK**.
-
-25. Close the Group Policy Management snap-in.
-
-Use the following procedure if you want to block intranet access for a specific media sharing app on your network.
-
-**To block intranet access for a specific media sharing app on your network**
-
-1. Open the Group Policy Management snap-in (gpmc.msc).
-
-2. In the left pane, right-click your domain name, and then click **Create a GPO in this domain, and link it here**.
-
-3. Type a name for your GPO in the **Name** text box, and then click **OK**.
-
-4. Right-click your new GPO, and then click **Edit**.
-
-5. From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Defender Firewall**, and then click **Windows Defender Firewall – LDAP://**…
-
-6. Right-click **Outbound Rules**, and then click **New Rule**.
-
-7. Click **Custom**, and then click **Next**.
-
-8. Click **Next** on the **Program** page, the **Protocols and Ports** page, and the **Scope** page.
-
-9. On the **Action** page, ensure **Block the Connection** is selected, and then click **Next**.
-
-10. On the **Profile** page, click **Next**.
-
-11. On the **Name** page, type a name for your rule, and then click **Finish**.
-
-12. In the right pane, right-click your new rule, and then click **Properties**.
-
-13. Click the **Local Principals** tab, select the **Only allow connections from these users** check box, and then click **Add**.
-
-14. Click **Application Package Properties**, and then click **OK**.
-
-15. In the **Choose Capabilities** dialog box, click **APPLICATION PACKAGE AUTHORITY\\A home or work network**, and then click **OK**.
-
-16. Click the **Programs and Services** tab under **Application Packages**, and then click **Settings**.
-
-17. Click **Apply to this application package**, select the app in the text box, and then click **OK**.
-
-18. Click **OK** to close the **Properties** dialog box.
-
-19. Close the Group Policy Management Editor.
-
-20. In Group Policy Management, ensure that your new GPO is selected, and in the right pane under **Security Filtering**, select **Authenticated Users**, click **Remove**, and then click **OK**.
-
-21. Under **Security Filtering**, click **Add**.
-
-22. Type **domain computers** in the text box and click **OK**.
-
-23. Close Group Policy Management.
-
-## See also
-
-- [Windows Defender Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/link-the-gpo-to-the-domain.md b/windows/security/operating-system-security/network-security/windows-firewall/link-the-gpo-to-the-domain.md
deleted file mode 100644
index ca38900f59..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/link-the-gpo-to-the-domain.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: Link the GPO to the Domain
-description: Learn how to link a GPO to the Active Directory container for the target devices, after you configure it in Windows Defender Firewall with Advanced Security.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Link the GPO to the Domain
-
-
-After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target devices.
-
-If the filters comprehensively control the application of the GPO to only the correct devices, then you can link the GPO to the domain container. Alternatively, you can link the GPO to a site container or organizational unit if you want to limit application of the GPO to that subset of devices.
-
-**Administrative credentials**
-
-To complete this procedure, you must be a member of the Domain Admins group, or otherwise be delegated permissions to modify the GPOs.
-
-To link the GPO to the domain container in Active Directory
-
-1. Open the Group Policy Management console.
-
-2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, and then expand *YourDomainName*.
-
-3. Right-click *YourDomainName*, and then click **Link an Existing GPO**.
-
-4. In the **Select GPO** dialog box, select the GPO that you want to deploy, and then click **OK**.
-
-5. The GPO appears in the **Linked Group Policy Objects** tab in the details pane and as a linked item under the domain container in the navigation pane.
-
-6. You can adjust the order of the linked GPOs to ensure that the higher priority GPOs are processed last. Select a GPO and click the up or down arrows to move it. The GPOs are processed by the client device from the highest link order number to the lowest.
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/operating-system-security/network-security/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
deleted file mode 100644
index 438921b4cf..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
+++ /dev/null
@@ -1,27 +0,0 @@
----
-title: Mapping your implementation goals to a Windows Firewall with Advanced Security design
-description: Mapping your implementation goals to a Windows Firewall with Advanced Security design
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Mapping your implementation goals to a Windows Firewall with Advanced Security design
-
-
-After you finish reviewing the existing Windows Firewall with Advanced Security implementation goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design.
-> [!IMPORTANT]
-> The first three designs presented in this guide build on each other to progress from simpler to more complex. Therefore during deployment, consider implementing them in the order presented. Each deployed design also provides a stable position from which to evaluate your progress, and to make sure that your goals are being met before you continue to the next design.
-
-Use the following table to determine which Windows Firewall with Advanced Security design maps to the appropriate combination of Windows Firewall with Advanced Security implementation goals for your organization. This table refers only to the Windows Firewall with Advanced Security designs as described in this guide. However, you can create a hybrid or custom Windows Firewall with Advanced Security design by using any combination of the Windows Firewall with Advanced Security implementation goals to meet the needs of your organization.
-
-| Deployment Goals | Basic Firewall Policy Design | Domain Isolation Policy Design | Server Isolation Policy Design | Certificate-based Isolation Policy Design |
-| - |- | - | - | - |
-| [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)| Yes| Yes| Yes| Yes|
-| [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md) | -| Yes| Yes| Yes|
-| [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)| -| -| Yes| Yes|
-| [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)| -| Optional| Optional| Optional|
-
-To examine details for a specific design, click the design title at the top of the column in the preceding table.
-
-**Next:** [Basic Firewall Policy Design](basic-firewall-policy-design.md)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/operating-system-security/network-security/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
deleted file mode 100644
index 90d89139a8..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: Modify GPO Filters
-description: Learn how to modify GPO filters to apply to a different zone or version of windows in Windows Defender Firewall with Advanced Security.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Modify GPO Filters to Apply to a Different Zone or Version of Windows
-
-
-You must reconfigure your copied GPO so that it contains the correct security group and WMI filters for its new role. If you are creating the GPO for the isolated domain, use the [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo) procedure to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain.
-
-**Administrative credentials**
-
-To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
-
-In this topic:
-
-- [Change the security group filter for a GPO](#to-change-the-security-group-filter-for-a-gpo)
-
-- [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo)
-
-- [Remove a block for members of a group from applying a GPO](#to-remove-a-block-for-members-of-group-from-applying-a-gpo)
-
-## To change the security group filter for a GPO
-
-1. Open the Group Policy Management console.
-
-2. In the navigation pane, find and then click the GPO that you want to modify.
-
-3. In the details pane, under **Security Filtering**, click the currently assigned security group, and then click **Remove**.
-
-4. Now you can add the appropriate security group to this GPO. Under **Security Filtering**, click **Add**.
-
-5. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain.
-
-## To block members of a group from applying a GPO
-
-1. Open the Group Policy Management console.
-
-2. In the navigation pane, find and then click the GPO that you want to modify.
-
-3. In the details pane, click the **Delegation** tab.
-
-4. Click **Advanced**.
-
-5. Under the **Group or user names** list, click **Add**.
-
-6. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to be prevented from applying the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain.
-
-7. Select the group in the **Group or user names** list, and then select the boxes in the **Deny** column for both **Read** and **Apply group policy**.
-
-8. Click **OK**, and then in the **Windows Security** dialog box, click **Yes**.
-
-9. The group appears in the list with custom permissions.
-
-## To remove a block for members of group from applying a GPO
-
-1. Open the Group Policy Management console.
-
-2. In the navigation pane, find and then click the GPO that you want to modify.
-
-3. In the details pane, click the **Delegation** tab.
-
-4. In the **Groups and users** list, select the group that should no longer be blocked, and then click **Remove**.
-
-5. In the message box, click **OK**.
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
deleted file mode 100644
index a9137e37d3..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
+++ /dev/null
@@ -1,20 +0,0 @@
----
-title: Open the Group Policy Management Console to IP Security Policies
-description: Learn how to open the Group Policy Management Console to IP Security Policies to configure GPOs for earlier versions of the Windows operating system.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Open the Group Policy Management Console to IP Security Policies
-
-
-Procedures in this guide that refer to GPOs for earlier versions of the Windows operating system instruct you to work with the IP Security Policy section in the Group Policy Management Console (GPMC).
-
-**To open a GPO to the IP Security Policies section**
-
-1. Open the Group Policy Management console.
-
-2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**.
-
-3. In the navigation pane of the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, and then click **IP Security Policies on Active Directory (**YourDomainName**)**.
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
deleted file mode 100644
index 49aee564d3..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
+++ /dev/null
@@ -1,24 +0,0 @@
----
-title: Group Policy Management of Windows Firewall with Advanced Security
-description: Group Policy Management of Windows Firewall with Advanced Security
-ms.prod: windows-client
-ms.collection:
- - highpri
- - tier3
- - must-keep
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Group Policy Management of Windows Firewall with Advanced Security
-
-
-Most of the procedures in this guide instruct you to use Group Policy settings for Windows Firewall with Advanced Security.
-
-To open a GPO to Windows Firewall with Advanced Security
-
-1. Open the Group Policy Management console.
-
-2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**.
-
-3. In the navigation pane of the Group Policy Management Editor, navigate to **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - LDAP://cn={**GUID**},cn=…**.
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
deleted file mode 100644
index 9ba7d78ace..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-title: Group Policy Management of Windows Defender Firewall
-description: Group Policy Management of Windows Defender Firewall with Advanced Security
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Group Policy Management of Windows Defender Firewall
-
-
-To open a GPO to Windows Defender Firewall:
-
-1. Open the Group Policy Management console.
-
-2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**.
-
-3. In the navigation pane of the Group Policy Object Editor, navigate to **Computer Configuration** > **Administrative Templates** > **Network** > **Network Connections** > **Windows Defender Firewall**.
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/operating-system-security/network-security/windows-firewall/open-windows-firewall-with-advanced-security.md
deleted file mode 100644
index 8440460338..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/open-windows-firewall-with-advanced-security.md
+++ /dev/null
@@ -1,34 +0,0 @@
----
-title: Open Windows Defender Firewall with Advanced Security
-description: Learn how to open the Windows Defender Firewall with Advanced Security console. You must be a member of the Administrators group.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Open Windows Defender Firewall with Advanced Security
-
-
-This procedure shows you how to open the Windows Defender Firewall with Advanced Security console.
-
-**Administrative credentials**
-
-To complete this procedure, you must be a member of the Administrators group. For more information, see Additional considerations.
-
-## To open Windows Defender Firewall using the UI
-
-Click Start, type **Windows Defender Firewall**, and then press ENTER.
-
-## To open Windows Defender Firewall from a command prompt
-
-1. Open a command prompt window.
-
-2. At the command prompt, type:
-
- ``` syntax
- wf.msc
- ```
-
-**Additional considerations**
-
-Although standard users can start the Windows Defender Firewall MMC snap-in, to change most settings the user must be a member of a group with the permissions to modify those settings, such as Administrators.
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/planning-certificate-based-authentication.md b/windows/security/operating-system-security/network-security/windows-firewall/planning-certificate-based-authentication.md
deleted file mode 100644
index da42f627c0..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/planning-certificate-based-authentication.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-title: Planning Certificate-based Authentication
-description: Learn how a device unable to join an Active Directory domain can still participate in an isolated domain by using certificate-based authentication.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Planning Certificate-based Authentication
-
-
-Sometimes a device can't join an Active Directory domain, and therefore can't use Kerberos V5 authentication with domain credentials. However, the device can still participate in the isolated domain by using certificate-based authentication.
-
-The non-domain member server, and the clients that must be able to communicate with it, must be configured to use cryptographic certificates based on the X.509 standard. These certificates can be used as an alternate set of credentials. During IKE negotiation, each device sends a copy of its certificate to the other device. Each device examines the received certificate, and then validates its authenticity. To be considered authentic, the received certificate must be validated by a certification authority certificate in the recipient's Trusted Root Certification Authorities store on the local device.
-
-Certificates can be acquired from commercial firms, or by an internal certificate server set up as part of the organization's public key infrastructure (PKI). Microsoft provides a complete PKI and certification authority solution with Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 Active Directory Certificate Services (AD CS).
-
-## Deploying certificates
-
-No matter how you acquire your certificates, you must deploy them to clients and servers that require them in order to communicate.
-
-### Using Active Directory Certificate Services
-
-If you use AD CS to create your own user and device certificates in-house, then the servers designated as certification authorities (CAs) create the certificates based on administrator-designed templates. AD CS then uses Group Policy to deploy the certificates to domain member devices. Device certificates are deployed when a domain member device starts. User certificates are deployed when a user logs on.
-
-If you want non-domain member devices to be part of a server isolation zone that requires access by only authorized users, make sure to include certificate mapping to associate the certificates with specific user accounts. When certificate mapping is enabled, the certificate issued to each device or user includes enough identification information to enable IPsec to match the certificate to both user and device accounts.
-
-AD CS automatically ensures that certificates issued by the CAs are trusted by the client devices by putting the CA certificates in the correct store on each domain member device.
-
-### Using a commercially purchased certificate for devices running Windows
-
-You can import the certificates manually onto each device if the number of devices is relatively small. For a deployment to more than a handful of devices, use Group Policy.
-
-You must first download the vendor's root CA certificate, and then import it to a GPO that deploys it to the Local Computer\\Trusted Root Certification Authorities store on each device that applies the GPO.
-
-You must also import the purchased certificate into a GPO that deploys it to the Local Computer\\Personal store on each device that applies the GPO.
-
-### Using a commercially purchased certificate for devices running a non-Windows operating system
-
-If you're installing the certificates on an operating system other than Windows, see the documentation for that operating system.
-
-## Configuring IPsec to use the certificates
-
-When the clients and servers have the certificates available, you can configure the IPsec and connection security rules to include those certificates as a valid authentication method. The authentication method requires the subject name of the certificate, for example: **DC=com,DC=woodgrovebank,CN=CorporateCertServer**. Optionally, select **Enable certificate to account mapping** to support using these credentials for restricting access to users or devices that are members of authorized groups in a server isolation solution.
-
-Starting in Windows Server 2012, you can configure certificate selection criteria so the desired certificate is selected and/or validated. extended key usage (EKU) criteria can be configured, and name restrictions and certificate thumbprints. This EKU is configured using the **Advanced** button when choosing certificates for the authentication method in the user interface, or through Windows PowerShell.
-
-**Next:** [Documenting the Zones](documenting-the-zones.md)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/planning-domain-isolation-zones.md b/windows/security/operating-system-security/network-security/windows-firewall/planning-domain-isolation-zones.md
deleted file mode 100644
index 70214d68c5..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/planning-domain-isolation-zones.md
+++ /dev/null
@@ -1,24 +0,0 @@
----
-title: Planning Domain Isolation Zones
-description: Learn how to use information you've gathered to make decisions about isolation zones for your environment in Windows Defender Firewall with Advanced Security.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Planning Domain Isolation Zones
-
-
-After you have the required information about your network, Active Directory, and client and server devices, you can use that information to make decisions about the isolation zones you want to use in your environment.
-
-The bulk of the work in planning server and domain isolation is determining which devices to assign to each isolation zone. Correctly choosing the zone for each device is important to providing the correct level of security without compromising performance or the ability for a device to send or receive required network traffic.
-
-The zones described in this guide include:
-
-- [Exemption List](exemption-list.md)
-
-- [Isolated Domain](isolated-domain.md)
-
-- [Boundary Zone](boundary-zone.md)
-
-- [Encryption Zone](encryption-zone.md)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/planning-gpo-deployment.md b/windows/security/operating-system-security/network-security/windows-firewall/planning-gpo-deployment.md
deleted file mode 100644
index 0370e8cb08..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/planning-gpo-deployment.md
+++ /dev/null
@@ -1,110 +0,0 @@
----
-title: Planning GPO Deployment
-description: Learn how to use security group filtering and WMI filtering to provide the most flexible options for applying GPOs to devices in Active Directory.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Planning GPO Deployment
-
-
-You can control which GPOs are applied to devices in Active Directory in a combination of three ways:
-
-- **Active Directory organizational unit hierarchy**. This method involves linking the GPO to a specific OU in the Active Directory OU hierarchy. All devices in the OU and its subordinate containers receive and apply the GPO.
-
- Controlling GPO application through linking to OUs is typically used when you can organize the OU hierarchy according to your domain isolation zone requirements. GPOs can apply settings to devices based on their location within Active Directory. If a device is moved from one OU to another, the policy linked to the second OU will eventually take effect when Group Policy detects the change during polling.
-
-- **Security group filtering**. This method involves linking the GPOs to the domain level (or other parent OU) in the OU hierarchy, and then selecting which devices receive the GPO by using permissions that only allow correct group members to apply the GPO.
-
- The security group filters are attached to the GPOs themselves. A group is added to the security group filter of the GPO in Active Directory, and then assigned Read and Apply Group Policy permissions. Other groups can be explicitly denied Read and Apply Group Policy permissions. Only those devices whose group membership are granted Read and Apply Group Policy permissions without any explicit deny permissions can apply the GPO.
-
-- **WMI filtering**. A WMI filter is a query that is run dynamically when the GPO is evaluated. If a device is a member of the result set when the WMI filter query runs, the GPO is applied to the device.
-
- A WMI filter consists of one or more conditions that are evaluated against the local device. You can check almost any characteristic of the device, its operating system, and its installed programs. If all of the specified conditions are true for the device, the GPO is applied; otherwise the GPO is ignored.
-
-This guide uses a combination of security group filtering and WMI filtering to provide the most flexible options. If you follow this guidance, even though there might be five different GPOs linked to a specific group because of operating system version differences, only the correct GPO is applied.
-
-## General considerations
-
-- Deploy your GPOs before you add any device accounts to the groups that receive the GPOs. That way you can add your devices to the groups in a controlled manner. Be sure to add only a few test devices at first. Before adding many group members, examine the results on the test devices and verify that the configured firewall and connection security rules have the effect that you want. See the following sections for some suggestions on what to test before you continue.
-
-## Test your deployed groups and GPOs
-
-After you've deployed your GPOs and added some test devices to the groups, confirm the following before you continue with more group members:
-
-- Examine the GPOs that are both assigned to and filtered from the device. Run the **gpresult** tool at a command prompt.
-
-- Examine the rules deployed to the device. Open the Windows Defender Firewall MMC snap-in, expand the **Monitoring** node, and then expand the **Firewall** and **Connection Security** nodes.
-
-- Verify that communications are authenticated. Open the Windows Defender Firewall MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then click **Main Mode**.
-
-- Verify that communications are encrypted when the devices require it. Open the Windows Defender Firewall MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then select **Quick Mode**. Encrypted connections display a value other than **None** in the **ESP Confidentiality** column.
-
-- Verify that your programs are unaffected. Run them and confirm that they still work as expected.
-
-After you've confirmed that the GPOs have been correctly applied, and that the devices are now communicating by using IPsec network traffic in request mode, you can begin to add more devices to the group accounts, in manageable numbers at a time. Continue to monitor and confirm the correct application of the GPOs to the devices.
-
-## Don't enable require mode until deployment is complete
-
-If you deploy a GPO that requires authentication to a device before the other devices have a GPO deployed, communication between them might not be possible. Wait until you have all the zones and their GPOs deployed in request mode and confirm (as described in the previous section) that the devices are successfully communicating by using IPsec.
-
-If there are problems with GPO deployment, or errors in configuration of one or more of the IPsec GPOs, devices can continue to operate, because request mode enables any device to fall back to clear communications.
-
-Only after you've added all of the devices to their zones, and you've confirmed that communications are working as expected, you can start changing the request mode rules to require mode rules where it's required in the zones. We recommend that you enable require mode in the zones one zone at a time, pausing to confirm that they're functioning properly before you continue. Turn the required mode setting on for the server isolation zones first, then the encryption zone, and then the isolated domain.
-
-Don't change the boundary zone GPO, because it must stay in request mode for both inbound and outbound connections.
-
-If you create other zones that require either inbound or outbound require mode, make the setting change in a manner that applies the setting in stages from the smaller groups of devices to the larger groups.
-
-## Example Woodgrove Bank deployment plans
-
-Woodgrove Bank links all its GPOs to the domain level container in the Active Directory OU hierarchy. It then uses the following WMI filters and security group filters to control the application of the GPOs to the correct subset of devices. All of the GPOs have the User Configuration section disabled to improve performance.
-
-### GPO\_DOMISO\_Firewall
-
-- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query:
-
- `select * from Win32_OperatingSystem where Version like "6.%" and ProductType <> "2"`
-
- >**Note:** This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices running versions of Windows earlier than Windows Vista and Windows Server 2008.
-
-- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the CG\_DOMISO\_NO\_IPSEC.
-
-### GPO\_DOMISO\_IsolatedDomain\_Clients
-
-- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query:
-
- `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "1"`
-
-- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC.
-
-### GPO\_DOMISO\_IsolatedDomain\_Servers
-
-- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query:
-
- `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "3"`
-
- >**Note:** This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices that are running versions of Windows earlier than Windows Vista and Windows Server 2008.
-
-- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC.
-
-### GPO\_DOMISO\_Boundary
-
-- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query:
-
- `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "3"`
-
- >**Note:** This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices that are running versions of Windows earlier than Windows Vista and Windows Server 2008.
-
-- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_Boundary. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC.
-
-### GPO\_DOMISO\_Encryption
-
-- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query:
-
- `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "3"`
-
- >**Note:** This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices that are running versions of Windows earlier than Windows Vista and Windows Server 2008.
-
-- **Security filter**. This GPO grants Read and Apply permissions in Group Policy only to devices that are members of the group CG\_DOMISO\_Encryption. The GPO also explicitly denies Read and Apply permissions in Group Policy to members of the group CG\_DOMISO\_NO\_IPSEC.
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/security/operating-system-security/network-security/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
deleted file mode 100644
index 2dc15edfc9..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-title: Planning Group Policy Deployment for Your Isolation Zones
-description: Learn how to plan a group policy deployment for your isolation zones after you determine the best logical design for your isolation environment.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Planning Group Policy Deployment for Your Isolation Zones
-
-
-After you've decided on the best logical design of your isolation environment for the network and device security requirements, you can start the implementation plan.
-
-You have a list of isolation zones with the security requirements of each. For implementation, you must plan the groups that will hold the device accounts in each zone, the network access groups that will be used to determine who can access an isolated server, and the GPOs with the connection security and firewall rules to apply to corresponding groups. Finally you must determine how you'll ensure that the policies will only apply to the correct devices within each group.
-
-- [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
-
-- [Planning Network Access Groups](planning-network-access-groups.md)
-
-- [Planning the GPOs](planning-the-gpos.md)
-
-- [Planning GPO Deployment](planning-gpo-deployment.md)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/operating-system-security/network-security/windows-firewall/planning-isolation-groups-for-the-zones.md
deleted file mode 100644
index b58bf3b769..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/planning-isolation-groups-for-the-zones.md
+++ /dev/null
@@ -1,34 +0,0 @@
----
-title: Planning Isolation Groups for the Zones
-description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Planning Isolation Groups for the Zones
-
-
-Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group that represents that zone.
-
-> [!CAUTION]
-> Do not add devices to your groups yet. If a device is in a group when the GPO is activated then that GPO is applied to the device. If the GPO is one that requires authentication, and the other devices have not yet received their GPOs, the device that uses the new GPO might not be able to communicate with the others.
-
-Universal groups are the best option to use for GPO assignment because they apply to the whole forest and reduce the number of groups that must be managed. However, if universal groups are unavailable, you can use domain global groups instead.
-
-The following table lists typical groups that can be used to manage the domain isolation zones discussed in the Woodgrove Bank example in this guide:
-
-| Group name | Description |
-| - | - |
-| CG_DOMISO_No_IPsec | A universal group of device accounts that don't participate in the IPsec environment. Typically consists of infrastructure device accounts that will also be included in exemption lists.
This group is used in security group filters to ensure that GPOs with IPsec rules aren't applied to group members.|
-| CG_DOMISO_IsolatedDomain | A universal group of device accounts that contains the members of the isolated domain.
During the early days of testing, this group might contain only a small number of devices. During production, it might contain the built-in **Domain Computers** group to ensure that every device in the domain participates.
Members of this group receive the domain isolation GPO that requires authentication for inbound connections.|
-| CG_DOMISO_Boundary | A universal group of device accounts that contains the members of the boundary zone.
Members of this group receive a GPO that specifies that both authentication and encryption are required for all inbound connections.
-| CG_SRVISO_*ServerRole* | A universal group of device accounts that contains the members of the server isolation group.
Members of this group receive the server isolation GPO that requires membership in a network access group in order to connect.
There will be one group for each set of servers that have different user and device restriction requirements. |
-
-Multiple GPOs might be delivered to each group. Which one actually becomes applied depends on the security group filters assigned to the GPOs in addition to the results of any WMI filtering assigned to the GPOs. Details of the GPO layout are discussed in the section [Planning the GPOs](planning-the-gpos.md).
-
-If multiple GPOs are assigned to a group, and similar rules are applied, the rule that most specifically matches the network traffic is the one that is used by the device. For example, if one IPsec rule says to request authentication for all IP traffic, and a second rule from a different GPO says to require authentication for IP traffic to and from a specific IP address, then the second rule takes precedence because it's more specific.
-
-**Next:** [Planning Network Access Groups](planning-network-access-groups.md)
-
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/planning-network-access-groups.md b/windows/security/operating-system-security/network-security/windows-firewall/planning-network-access-groups.md
deleted file mode 100644
index 436bc55bbd..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/planning-network-access-groups.md
+++ /dev/null
@@ -1,27 +0,0 @@
----
-title: Planning Network Access Groups
-description: Learn how to implement a network access group for users and devices that can access an isolated server in Windows Defender Firewall with Advanced Security.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Planning Network Access Groups
-
-
-A network access group (NAG) is used to identify users and devices that have permission to access an isolated server. The server is configured with firewall rules that allow only network connections that are authenticated as originating from a device, and optionally a user, whose accounts are members of its NAG. A member of the isolated domain can belong to as many NAGs as required.
-
-Minimize the number of NAGs to limit the complexity of the solution. You need one NAG for each server isolation group to restrict the devices or users that are granted access. You can optionally split the NAG into two different groups: one for authorized devices and one for authorized users.
-
-The NAGs that you create and populate become active by referencing them in the **Users and Computers** tab of the firewall rules in the GPO assigned to the isolated servers. The GPO must also contain connection security rules that require authentication to supply the credentials checked for NAG membership.
-
-For the Woodgrove Bank scenario, access to the devices running SQL Server which support the WGBank application are restricted to the WGBank front-end servers and to approved administrative users logged on to specific authorized administrative devices. They're also only accessed by the approved admin users and the service account that is used to the run the WGBank front end service.
-
-| NAG Name | NAG Member Users, Computers, or Groups | Description |
-| - | - | - |
-| CG_NAG_*ServerRole*_Users| Svr1AdminA
Svr1AdminB
Group_AppUsers
AppSvcAccount| This group is for all users who are authorized to make inbound IPsec connections to the isolated servers in this zone.|
-| CG_NAG_*ServerRole*_Computers| Desktop1
Desktop2
AdminDT1
AppAdminDT1| This group contains all devices that are authorized to make inbound IPsec connections to the isolated servers in this zone.|
-
->**Note:** Membership in a NAG does not control the level of IPsec traffic protection. The IKE negotiation is only aware of whether the device or user passed or failed the Kerberos V5 authentication process. The connection security rules in the applied GPO control the security methods that are used for protecting traffic and are independent of the identity being authenticated by Kerberos V5.
-
-**Next:** [Planning the GPOs](planning-the-gpos.md)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/planning-server-isolation-zones.md b/windows/security/operating-system-security/network-security/windows-firewall/planning-server-isolation-zones.md
deleted file mode 100644
index c729611dac..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/planning-server-isolation-zones.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: Planning Server Isolation Zones
-description: Learn how to restrict access to a server to approved users by using a server isolation zone in Windows Defender Firewall with Advanced Security.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Planning Server Isolation Zones
-
-
-Sometimes a server hosts data that is sensitive. If your servers host data that must not be compromised, you have several options to help protect that data. One was already addressed: adding the server to the encryption zone. Membership in that zone prevents the server from being accessed by any devices that are outside the isolated domain, and encrypts all network connections to server.
-
-The second option is to additionally restrict access to the server, not just to members of the isolated domain, but to only those users or devices who have business reasons to access the resources on the server. You can specify only approved users, or you can additionally specify that the approved users can only access the server from approved devices.
-
-To grant access, you add the approved user and device accounts to network access groups (NAGs) that are referenced in a firewall rule on this server. When the user sends a request to the server, the standard domain isolation rules are invoked. This invocation causes IKE to use Kerberos V5 to exchange credentials with the server. The other firewall rule on the server causes Windows to check the provided device and user accounts for group membership in the NAGs. If either the user or device isn't a member of a required NAG, then the network connection is refused.
-
-## Isolated domains and isolated servers
-
-If you're using an isolated domain, the client devices already have the IPsec rules to enable them to authenticate traffic when the server requires it. If you add an isolated server, it must have a GPO applied to its group with the appropriate connection security and firewall rules. The rules enforce authentication and restrict access to only connections that are authenticated as coming from an authorized device or user.
-
-If you aren't using an isolated domain, but still want to isolate a server that uses IPsec, you must configure the client devices that you want to access the server to use the appropriate IPsec rules. If the client devices are members of an Active Directory domain, you can still use Group Policy to configure the clients. Instead of applying the GPO to the whole domain, you apply the GPO to only members of the NAG.
-
-## Creating multiple isolated server zones
-
-Each set of servers that must be accessed by different sets of users should be set up in its own isolated server zone. After one set of GPOs for one isolated server zone has been successfully created and verified, you can copy the GPOs to a new set. You must change the GPO names to reflect the new zone, the name and membership of the isolated server zone group to which the GPOs are applied, and the names and membership of the NAG groups that determine which clients can access the servers in the isolated server zone.
-
-## Creating the GPOs
-
-Creation of the groups and how to link them to the GPOs that apply the rules to members of the groups are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
-
-An isolated server is often a member of the encryption zone. Therefore, copying that GPO set serves as a good starting point. You then modify the rules to additionally restrict access to only NAG members.
-
-### GPO settings for isolated servers running at least Windows Server 2008
-
-GPOs for devices running at least Windows Server 2008 should include:
-
->**Note:** The connection security rules described here are identical to the ones for the encryption zone. If you do not want to encrypt access and also restrict access to NAG members, you can use connection security rules identical to the main isolated domain. You must still add the firewall rule described at the end of this list to change it into an isolated server zone.
-
-- IPsec default settings that specify the following options:
-
- 1. Exempt all ICMP traffic from IPsec.
-
- 2. Key exchange (main mode) security methods and algorithm. We recommend that you don't include Diffie-Hellman Group 1, DES, or MD5 in any setting. They're included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.
-
- 3. Data protection (quick mode) algorithm combinations. Check **Require encryption for all connection security rules that use these settings**, and then specify one or more integrity and encryption combinations. We recommend that you don't include DES or MD5 in any setting. They're included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.
-
- If any NAT devices are present on your networks, don't use AH because it can't traverse NAT devices. If isolated servers must communicate with hosts in the encryption zone, include an algorithm that is compatible with the requirements of the encryption zone GPOs.
-
- 4. Authentication methods. Include at least device-based Kerberos V5 authentication for compatibility with the rest of the isolated domain. If you want to restrict access to specific user accounts, also include user-based Kerberos V5 authentication as an optional authentication method. Don't make the user-based authentication method mandatory, or else devices that can't use AuthIP instead of IKE, including Windows XP and Windows Server 2003, can't communicate. Likewise, if any of your domain isolation members can't use Kerberos V5, include certificate-based authentication as an optional authentication method.
-
-- The following connection security and firewall rules:
-s
- - A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment.
-
- - A connection security rule, from **Any IP address** to **Any IP address**, that requires inbound and requests outbound authentication by using Kerberos V5 authentication.
-
- >**Important:** Be sure to begin operations by using request in and request out behavior until you are sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out.
-
- - A firewall rule that specifies **Allow only secure connections**, **Require encryption**, and on the **Users and Computers** tab includes references to both device and user network access groups.
-
-- A registry policy that includes the following values:
-
- - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**.
-
- >**Note:** For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).
-
-**Next:** [Planning Certificate-based Authentication](planning-certificate-based-authentication.md)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/operating-system-security/network-security/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
deleted file mode 100644
index 98e6a224a8..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: Planning Settings for a Basic Firewall Policy
-description: Learn how to design a basic policy for Windows Defender Firewall with Advanced Security, the settings and rules that enforce your requirements on devices.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Planning Settings for a Basic Firewall Policy
-
-
-After you've identified your requirements, and have the information about the network layout and devices available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the devices.
-
-The following list is that of the firewall settings that you might consider for inclusion in a basic firewall design, together with recommendations to serve as a starting point for your analysis:
-
-- **Profile selection**. The firewall rules can be configured for any of the network location profiles that you see in the Network and Sharing Center: **Domain**, **Public**, and **Private**. Most settings are enforced in the Domain profile, without an option for the user to change them. However, you might want to leave the profile settings configurable by the user on devices that can be taken from the organization's physical network and joined to a public or home network. If you lock down the public and private profiles, you might prevent a user from accessing a required network program or service. Because they aren't on the organization's network, you can't fix a connectivity problem by deploying rule changes in a GPO. For each section that follows, consider each profile and apply the rules to those profiles that make sense for your organization.
-
- >**Important:** We recommend that on server devices that you set all rules for all profiles to prevent any unexpected profile switch from disrupting network connectivity. You might consider a similar practice for your desktop devices, and only support different profiles on portable devices.
-
-- **Firewall state: On**. We recommend that you prevent the user from turning it off.
-
-- **Default behavior for Inbound connections: Block**. We recommend that you enforce the default behavior of blocking unsolicited inbound connections. To allow network traffic for a specific program, create an inbound rule that serves as an exception to this default behavior.
-
-- **Default behavior for Outbound connections: Allow**. We recommend that you enforce the default behavior of allowing outbound connections.
-
-- **Allow unicast response: Yes**. We recommend that you use the default setting of **Yes** unless you have specific requirements to do otherwise.
-
-- **Apply local firewall rules: Yes**. We recommend that you allow users to create and use local firewall rules. If you set this setting to **No**, then when a user clicks **Allow** on the notification message to allow traffic for a new program, Windows doesn't create a new firewall rule and the traffic remains blocked.
-
- If you and the IT staff can create and maintain the list of firewall rules for all permitted applications and deploy them by using GPOs, then you can set this value to **No**.
-
-- **Apply local connection security rules: No**. We recommend that you prevent users from creating and using their own connection security rules. Connection failures caused by conflicting rules can be difficult to troubleshoot.
-
-- **Logging**. We recommend that you enable logging to a file on the local hard disk. Be sure to limit the size, such as 4096 KB, to avoid causing performance problems by filling the user's hard disk. Be sure to specify a folder to which the Windows Defender Firewall with Advanced Security service account has write permissions.
-
-- **Inbound rules**. Create inbound rules for programs that must be able to receive unsolicited inbound network packets from another device on the network. Make the rules as specific as possible to reduce the risk of malicious programs exploiting the rules. For example, specify both program and port numbers. Specifying a program ensures that the rule is only active when the program is actually running, and specifying the port number ensures that the program can't receive unexpected traffic on a different port.
-
- Inbound rules are common on servers, because they host services to which client devices connect. When you install programs and services on a server, the installation program typically creates and enables the rules for you. Examine the rules to ensure that they don't open up more ports than are required.
-
- >**Important:** If you create inbound rules that permit RPC network traffic by using the **RPC Endpoint Mapper** and **Dynamic RPC** rule options, then all inbound RPC network traffic is permitted because the firewall cannot filter network traffic based on the UUID of the destination application.
-
-- **Outbound rules**. Only create outbound rules to block network traffic that must be prevented in all cases. If your organization prohibits the use of certain network programs, you can support that policy by blocking the known network traffic used by the program. Be sure to test the restrictions before you deploy them to avoid interfering with traffic for needed and authorized programs.
-
-**Next:** [Planning Domain Isolation Zones](planning-domain-isolation-zones.md)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/planning-the-gpos.md b/windows/security/operating-system-security/network-security/windows-firewall/planning-the-gpos.md
deleted file mode 100644
index 88716eaf2a..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/planning-the-gpos.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-title: Planning the GPOs
-description: Learn about planning Group Policy Objects for your isolation zones in Windows Defender Firewall with Advanced Security, after you design the zone layout.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Planning the GPOs
-
-
-When you plan the GPOs for your different isolation zones, you must complete the layout of the required zones and their mappings to the groups that link the devices to the zones.
-
-## General considerations
-
-A few things to consider as you plan the GPOs:
-
-- Don't allow a device to be a member of more than one isolation zone. A device in more than one zone receives multiple and possibly contradictory GPOs. This receipt of multiple GPOs can result in unexpected, and difficult to troubleshoot behavior.
-
- The examples in this guide show GPOs that are designed to prevent the requirement to belong to multiple zones.
-
-- Ensure that the IPsec algorithms you specify in your GPOs are compatible across all the versions of Windows. The same principle applies to the data integrity and encryption algorithms. We recommend that you include the more advanced algorithms when you have the option of selecting several in an ordered list. The devices will negotiate down from the top of their lists, selecting one that is configured on both devices.
-
-- The primary difference in your domain isolation GPOs is whether the rules request or require authentication.
-
- >**Caution:** It is **critical** that you begin with all your GPOs set to request authentication instead of requiring it. Since the GPOs are delivered to the devices over time, applying a require policy to one device breaks its ability to communicate with another device that has not yet received its policy. Using request mode at the beginning enables devices to continue communicating by using plaintext connections if required. After you confirm that your devices are using IPsec where expected, you can schedule a conversion of the rules in the GPOs from requesting to requiring authentication, as required by each zone.
-
-- Windows Defender Firewall* in Windows Vista and Windows Server 2008 only support one network location profile at a time. If you add a second network adapter that is connected to a different network, or not connected at all, you could unintentionally change the profile that is currently active on the device. If your GPO specifies different firewall and connection security rules based on the current network location profile, the behavior of how the device handles network traffic will change accordingly. We recommend for stationary devices, such as desktops and servers, that you assign any rule for the device to all profiles. Apply GPOs that change rules per network location to devices that must move between networks, such as your portable devices. Consider creating a separate domain isolation GPO for your servers that uses the same settings as the GPO for the clients, except that the server GPO specifies the same rules for all network location profiles.
-
-*Windows Defender Firewall is now called Windows Defender Firewall with Advanced Security in Windows 10 and Windows 11.
-
- > [!NOTE]
- > Devices running Windows 7, Windows Server 2008 R2, and later support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Defender Firewall then enforces only those rules that apply to that network type’s profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network.
-
-After you consider these issues, document each GPO that you require, and the details about the connection security and firewall rules that it needs.
-
-## Woodgrove Bank example GPOs
-
-The Woodgrove Bank example uses the following set of GPOs to support its domain isolation requirements. This section only discusses the rules and settings for server and domain isolation. GPO settings that affect which devices receive the GPO, such as security group filtering and WMI filtering, are discussed in the [Planning GPO Deployment](planning-gpo-deployment.md) section.
-
-In this section you can find information about:
-
-- [Firewall GPOs](firewall-gpos.md)
-
-- [Isolated Domain GPOs](isolated-domain-gpos.md)
-
-- [Boundary Zone GPOs](boundary-zone-gpos.md)
-
-- [Encryption Zone GPOs](encryption-zone-gpos.md)
-
-- [Server Isolation GPOs](server-isolation-gpos.md)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/operating-system-security/network-security/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
deleted file mode 100644
index 7e7bff476d..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: Plan to Deploy Windows Defender Firewall with Advanced Security
-description: Use the design information in this article to plan for the deployment of Windows Defender Firewall with Advanced Security in your organization.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Planning to Deploy Windows Defender Firewall with Advanced Security
-
-
-After you collect information about your environment and decide on a design by following the guidance in the [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Defender Firewall with Advanced Security in your organization.
-
-## Reviewing your Windows Defender Firewall with Advanced Security Design
-
-If the design team that created the Windows Defender Firewall design for your organization is different from the deployment team that will implement it, make sure the deployment team reviews the final design with the design team. Review the following information before starting your deployment.
-
-### Decide which devices apply to which GPO
-
-The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Defender Firewall with Advanced Security Design Guide:
-
-- [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
-
-- [Planning the GPOs](planning-the-gpos.md)
-
-- [Planning GPO Deployment](planning-gpo-deployment.md)
-
-### Configure communication between members and devices
-
-Decide what communication is to be allowed between members of each of the zones in the isolated domain and devices that aren't part of the isolated domain or members of the isolated domain's exemption list.
-
-### Exempt domain controllers from IPsec authentication requirements
-
-It's recommended that domain controllers are exempt from IPsec authentication requirements. If they aren't exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers.
-
-### Configure IPsec authentication rules
-
-The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed. If the rules are set to require authentication before confirming that authentication is working correctly, then communications between devices might fail. If the rules are set to request authentication only, then an IPsec authentication failure results in fall-back-to-clear behavior. Communications can continue while the authentication failures are investigated.
-
-### Make sure all devices can communicate with each other
-
-For all devices to communicate with each other, they must share a common set of:
-
-- Authentication methods
-
-- Main mode key exchange algorithms
-
-- Quick mode data integrity algorithms
-
-If at least one set of each doesn't match between two devices, then the devices can't successfully communicate.
-
-## Deploy your Windows Firewall Design Plan
-
-After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Defender Firewall design. For more information, see [Implementing Your Windows Defender Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md).
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/operating-system-security/network-security/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
deleted file mode 100644
index e048764374..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
+++ /dev/null
@@ -1,84 +0,0 @@
----
-title: Planning Your Windows Defender Firewall with Advanced Security Design
-description: After you gather the relevant information, select the design or combination of designs for Windows Defender Firewall with Advanced Security in your environment.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Planning Your Windows Defender Firewall with Advanced Security Design
-
-
-After you've gathered the relevant information in the previous sections, and understood the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs.
-
-## Basic firewall design
-
-We recommend that you deploy at least the basic firewall design. As discussed in the [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) section, host-based firewalls are an important element in a defense-in-depth strategy and complement most other security measures you put in place in your organization.
-
-When you're ready to examine the options for firewall policy settings, see the [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) section.
-
-## Algorithm and method support and selection
-
-To create a domain isolation or server isolation design, you must understand the algorithms available in each version of Windows, and their relative strengths.
-
-## IPsec performance considerations
-
-Although IPsec is critically important in securing network traffic going to and from your devices, there are costs associated with its use. The mathematically intensive cryptographic algorithms require a significant amount of computing power, which can prevent your device from making use of all of the available bandwidth. For example, an IPsec-enabled device using the AES encryption protocols on a 10 gigabits per second (Gbps) network link might see a throughput of 4.5 Gbps. This reduction is due to the demands placed on the CPU to perform the cryptographic functions required by the IPsec integrity and encryption algorithms.
-
-IPsec task offload is a Windows technology that supports network adapters equipped with dedicated cryptographic processors to perform the computationally intensive work required by IPsec. This configuration frees up a device’s CPU and can dramatically increase network throughput. For the same network link as above, the throughput with IPsec task offload enabled improves to about 9.2 Gbps.
-
-## Domain isolation design
-
-
-Include this design in your plans:
-
-- If you have an Active Directory domain of which most of the devices are members.
-
-- If you want to prevent the devices in your organization from accepting any unsolicited network traffic from devices that aren't part of the domain.
-
-If you plan on including the basic firewall design as part of your deployment, we recommend that you deploy the firewall policies first to confirm that they work properly. Also plan to enable your connection security rules in request mode at first, instead of the more restrictive require mode, until you're sure that the devices are all correctly protecting network traffic with IPsec. If something is wrong, request mode still allows communications to continue while you're troubleshooting.
-
-When you're ready to examine the options for creating an isolated domain, see the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section.
-
-## Server isolation design
-
-
-Include this design in your plans:
-
-- If you have an isolated domain and you want to additionally restrict access to specific servers to only authorized users and devices.
-
-- You aren't deploying an isolated domain, but want to take advantage of similar benefits for a few specific servers. You can restrict access to the isolated servers to only authorized users and devices.
-
-If you plan to include domain isolation in your deployment, we recommend that you complete that layer and confirm its correct operation before you implement the other server isolation elements.
-
-When you're ready to examine the options for isolating servers, see the [Planning Server Isolation Zones](planning-server-isolation-zones.md) section.
-
-## Certificate-based authentication design
-
-
-Include this design in your plans:
-
-- If you want to implement some of the elements of domain or server isolation on devices that aren't joined to an Active Directory domain, or don't want to use domain membership as an authentication mechanism.
-
-- You have an isolated domain and want to include a server that isn't a member of the Active Directory domain because the device isn't running Windows, or for any other reason.
-
-- You must enable external devices that aren't managed by your organization to access information on one of your servers in a secure way.
-
-If you plan to include domain or server isolation in your deployment, we recommend that you complete those elements and confirm their correct operation before you add certificate-based authentication to the devices that require it.
-
-When you're ready to examine the options for using certificate-based authentication, see the [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) section.
-
-## Documenting your design
-
-After you finish selecting the designs that you'll use, you must assign each of your devices to the appropriate isolation zone and document the assignment for use by the deployment team.
-
-- [Documenting the Zones](documenting-the-zones.md)
-
-## Designing groups and GPOs
-
-
-After you've selected a design and assigned your devices to zones, you can begin laying out the isolation groups for each zone, the network access groups for isolated server access, and the GPOs that you'll use to apply the settings and rules to your devices.
-
-When you're ready to examine the options for the groups, filters, and GPOs, see the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
-
-**Next:** [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/operating-system-security/network-security/windows-firewall/protect-devices-from-unwanted-network-traffic.md
deleted file mode 100644
index ee0412021e..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/protect-devices-from-unwanted-network-traffic.md
+++ /dev/null
@@ -1,36 +0,0 @@
----
-title: Protect devices from unwanted network traffic
-description: Learn how running a host-based firewall on every device in your organization can help protect against attacks as part of a defense-in-depth security strategy.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 01/18/2022
----
-
-# Protect devices from unwanted network traffic
-
-
-Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall can't protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable devices are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats.
-
-Reports of targeted attacks against organizations, governments, and individuals have become more widespread in recent years. For a general overview of these threats, also known as advanced persistent threats (APT), see the [Microsoft Security Intelligence Report](https://www.microsoft.com/security/business/security-intelligence-report).
-
-Running a host-based firewall on every device that your organization manages is an important layer in a "defense-in-depth" security strategy. A host-based firewall can help protect against attacks that originate from inside the network and also provide extra protection against attacks from outside the network that manage to penetrate the perimeter firewall. It also travels with a portable device to provide protection when it's away from the organization's network.
-
-A host-based firewall helps secure a device by dropping all network traffic that doesn't match the administrator-designed rule set for permitted network traffic. This design, which corresponds to [Basic Firewall Policy Design](basic-firewall-policy-design.md), provides the following benefits:
-
-- Network traffic that is a reply to a request from the local device is permitted into the device from the network.
-
-- Network traffic that is unsolicited, but that matches a rule for allowed network traffic, is permitted into the device from the network.
-
- For example, Woodgrove Bank wants a device that is running SQL Server to be able to receive the SQL queries sent to it by client devices. The firewall policy deployed to the device that is running SQL Server includes firewall rules that specifically allow inbound network traffic for the SQL Server program.
-
-- Outbound network traffic that isn't blocked is allowed on the network.
-
- For example, Woodgrove Bank has a corporate policy that prohibits the use of certain peer-to-peer file sharing programs. The firewall policy deployed to the computers on the network includes firewall rules that block both inbound and outbound network traffic for the prohibited programs. All other outbound traffic is permitted.
-
-The following component is recommended for this deployment goal:
-
-- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more Group Policy objects (GPOs) that can be automatically applied to all relevant computers in the domain.
-
-Other means of deploying a firewall policy are available, such as creating scripts that use the netsh command-line tool, and then running those scripts on each computer in the organization. This guide uses Active Directory as a recommended means of deployment because of its ability to scale to large organizations.
-
-**Next:** [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/quarantine.md b/windows/security/operating-system-security/network-security/windows-firewall/quarantine.md
index 093f4274fb..83f92a658f 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/quarantine.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/quarantine.md
@@ -1,22 +1,19 @@
---
title: Quarantine behavior
-description: Quarantine behavior is explained in detail.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
+description: Learn about Windows Firewall and the quarantine feature behavior.
+ms.topic: concept-article
+ms.date: 11/21/2023
---
# Quarantine behavior
-One of the security challenges that network admins face is configuring a machine properly after a network change.
+One of the security challenges that network admins face is configuring a device properly after a network change.
-Network changes can happen frequently. Additionally, the operations required to recategorize the network after a change and apply the correct security policies on a machine are non-trivial and may require considerable CPU time. This requirement by operations is especially true for machines that are part of the domain. In the past, the delay in applying security policies during network recategorization has been successfully exploited for vulnerabilities.
+Network changes can happen frequently. The operations required to recategorize the network after a change, and apply the correct security policies on a device, are nontrivial and might require considerable CPU time. This requirement by operations is especially true for devices that are part of a domain. The delay in applying security policies during network recategorization can be exploited for vulnerabilities.
-To counter this potential exploitation, Windows Firewall will quarantine an interface until the system has successfully recategorized the network, and Windows Filtering Platform (WFP) has the correct filters applied for the updated interface configuration. During quarantine, all new inbound connections without exceptions are blocked to the machine.
+To counter the potential exploitation, Windows Firewall quarantines an interface until the system successfully recategorizes the network, and Windows Filtering Platform (WFP) has the correct filters applied for the updated interface configuration. During quarantine, all new inbound connections without exceptions are blocked.
-While the quarantine feature has long been a part of Windows Firewall, the feature behavior has often caused confusion for customers unaware of quarantine and its motivations.
-
-Ultimately, the goal of this document is to describe the quarantine feature at a high level and help network admins understand why the application traffic is sometimes blocked by quarantine.
+This document describes the quarantine feature and explains why the application traffic could be blocked by quarantine.
## Quarantine filters
@@ -24,58 +21,50 @@ The quarantine feature creates filters that can be split into three categories:
- Quarantine default inbound block filter
- Quarantine default exception filters
-- Interface un-quarantine filters
+- Interface unquarantine filters
-These filters are added in the FWPM_SUBLAYER_MPSSVC_QUARANTINE sublayer and these layers are:
+These filters are added in the `FWPM_SUBLAYER_MPSSVC_QUARANTINE` sublayer and these layers are:
-1. FWPM_LAYER_ALE_AUTH_CONNECT_V4
-
-2. FWPM_LAYER_ALE_AUTH_CONNECT_V6
-
-3. FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
-
-4. FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6
+1. `FWPM_LAYER_ALE_AUTH_CONNECT_V4`
+1. `FWPM_LAYER_ALE_AUTH_CONNECT_V6`
+1. `FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4`
+1. `FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6`
>[!NOTE]
-> Any firewall rules added by the customers will not affect the filters in the quarantine sublayer as filters from Firewall rules are added in the FWPM_SUBLAYER_MPSSVC_WF sublayer. In other words, customers cannot add their own exception filters to prevent packets from being evaluated by quarantine filters.
+> Any firewall rules added by policy settings don't affect the filters in the quarantine sublayer. Filters from firewall rules are added in the `FWPM_SUBLAYER_MPSSVC_WF` sublayer. In other words, you can't add your own exception filters to prevent packets from being evaluated by quarantine filters.
For more information about WFP layers and sublayers, see [WFP Operation](/windows/win32/fwp/basic-operation).
### Quarantine default inbound block filter
-The quarantine default inbound block filter effectively blocks any new non-loopback inbound connections if the packet isn't explicitly permitted by another filter in the quarantine sublayer.
+The *quarantine default inbound block filter* blocks any new nonloopback inbound connections, unless the packet isn't explicitly permitted by another filter in the quarantine sublayer.
### Quarantine default exception filters
-When the interface is in quarantine state, the quarantine default exception filters will permit new inbound connections given that they meet the conditions of an exception filter. One example of the exception filters is the quarantine default inbound loopback exception filter. This exception filter allows all loopback packets when the interface is in quarantine state.
+When the interface is in quarantine state, the quarantine default exception filters permit new inbound connections given that they meet the conditions of an exception filter. One example of the exception filters is the quarantine default inbound loopback exception filter. This exception filter allows all loopback packets when the interface is in quarantine state.
-### Interface un-quarantine filter
+### Interface unquarantine filter
-The interface un-quarantine filters allow all non-loopback packets if the interface is successfully categorized.
+The interface unquarantine filters allow all nonloopback packets if the interface is successfully categorized.
## Quarantine flow
-The following events describe the general flow of quarantine:
+The following events describe the general flow of quarantine:
-1. There's some change on the current network interface.
-
-2. The interface un-quarantine filters will no longer permit new inbound connections. The interface is now in quarantine state.
-
-3. All non-loopback inbound connections are either permitted by quarantine default exception filters or dropped by the quarantine default inbound block filter.
-
-4. The WFP filters applicable to the old interface state are removed.
-
-5. The WFP filters applicable to the new interface state are added, which include the un-quarantine filters for this interface. These filters are updated to match the interface's current state.
-
-6. The interface has now exited quarantine state as the interface un-quarantine filters permit any new non-loopback packets.
+1. There's some change on the current network interface
+1. The interface unquarantine filters don't permit new inbound connections. The interface is now in quarantine state
+1. All nonloopback inbound connections are either permitted by quarantine default exception filters or dropped by the quarantine default inbound block filter
+1. The WFP filters applicable to the old interface state are removed
+1. The WFP filters applicable to the new interface state are added, which include the unquarantine filters for this interface. These filters are updated to match the interface's current state
+1. The interface has now exited quarantine state as the interface unquarantine filters permit any new nonloopback packets
## Quarantine diagnostics
There are two methods of identifying packet drops from the quarantine default inbound block filter.
-Given that the network connectivity issue is reproducible, diagnostic traces can be collected by running the following in an administrative command prompt:
+Given that the network connectivity issue is reproducible, diagnostic traces can be collected by running the following in an administrative command prompt:
-```console
+```cmd
Netsh wfp cap start
Private Profile`./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/`[AllowLocalPolicyMerge](/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofileallowlocalpolicymerge)
Public Profile `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/`[AllowLocalPolicyMerge](/windows/client-management/mdm/firewall-csp#mdmstorepublicprofileallowlocalipsecpolicymerge) |
+| **GPO** | **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security**|
+
+Administrators may disable *LocalPolicyMerge* in high-security environments to maintain tighter control over endpoints. This setting can impact some applications and services that automatically generate a local firewall policy upon installation.
+
+> [!IMPORTANT]
+> If merging of local policies is disabled, centralized deployment of rules is required for any app that needs inbound connectivity.
+
+It's important to create and maintain a list of such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex deployments, a thorough analysis might be needed using network packet capture tools.
+
+In general, to maintain maximum security, admins should only deploy firewall exceptions for apps and services determined to serve legitimate purposes.
+
+> [!NOTE]
+> The use of wildcard patterns, such as `C:\*\teams.exe` isn't supported in application rules. You can only create rules using the full path to the application(s).
+
+## Firewall rules recommendations
+
+Here's a list of recommendations when designing your firewall rules:
+
+- Maintain the default Windows Firewall settings whenever possible. The settings are designed to secure your device for use in most network scenarios. One key example is the default *block behavior* for inbound connections.
+- Create your rules in all three profiles, but only enable the firewall rule group on the profiles that suit your scenarios. For example, if you are installing a sharing application that is only used on a private network, then it would be best to create firewall rules in all three profiles, but only enable the firewall rule group containing your rules on the private profile.
+- Configure restrictions on your firewall rules depending on which profile the rules are applied to. For applications and services that are designed to only be accessed by devices within a home or small business network, it's best to modify the remote address restriction to specify *Local Subnet* only. The same application or service wouldn't have this restriction when used in an enterprise environment. This can be done by adding the remote address restriction to rules that are added to the private and public profiles, while leaving them unrestricted in the domain profile. This remote address restriction shouldn't apply to applications or services that require global Internet connectivity.
+- A general security recommended practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This approach avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation.
+- When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins.
+- To maintain maximum security, admins should only deploy firewall exceptions for apps and services determined to serve legitimate purposes.
+
+### Known issues with automatic rule creation
+
+When designing a set of firewall policies for your network, it's a recommended practice to configure *allow rules* for any networked applications deployed on the host. Having the rules in place before the user first launches the application helps to ensure a seamless experience.
+
+The absence of these staged rules doesn't necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime require user interaction and administrative privilege. If the device is expected to be used by non-administrative users, you should follow best practices and provide these rules before the application's first launch to avoid unexpected networking issues.
+
+To determine why some applications are blocked from communicating in the network, check for the following instances:
+
+1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt
+1. A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes
+1. [Local policy merge](#local-policy-merge-and-application-rules) is disabled, preventing the application or network service from creating local rules
+
+Creation of application rules at runtime can also be prohibited by administrators using the Settings app or policy settings.
+
+### Outbound rules considerations
+
+What follows are a few general guidelines for configuring outbound rules.
+
+- Changing the outbound rules to *blocked* can be considered for certain highly secure environments. However, the inbound rule configuration should never be changed in a way that allows all traffic by default
+- It's recommended to *allow outbound* by default for most deployments for the sake of simplification with app deployments, unless the organization prefers tight security controls over ease-of-use
+- In high security environments, an inventory of all apps should be logged and maintained. Records must include whether an app used requires network connectivity. Administrators need to create new rules specific to each app that needs network connectivity and push those rules centrally, via GPO or CSP
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> Learn about the tools to configure Windows Firewall and firewall rules:
+>
+> [Configuration tools >](tools.md)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/operating-system-security/network-security/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
deleted file mode 100644
index 43e2f9523d..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
+++ /dev/null
@@ -1,178 +0,0 @@
----
-title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012
-description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Securing End-to-End IPsec connections by using IKEv2
-
-
-IKEv2 offers the following:
-
-- Supports IPsec end-to-end transport mode connections
-
-- Provides interoperability for Windows with other operating systems that use IKEv2 for end-to-end security
-
-- Supports Suite B (RFC 4869) requirements
-
-- Coexists with existing policies that deploy AuthIP/IKEv1
-
-- Uses the Windows PowerShell interface exclusively for configuration. You cannot configure IKEv2 through the user interface.
-
-- Uses certificates for the authentication mechanism
-
-You can use IKEv2 as a virtual private network (VPN) tunneling protocol that supports automatic VPN reconnection. IKEv2 allows the security association to remain unchanged despite changes in the underlying connection.
-
-**In this document**
-
-- [Prerequisites](#prerequisites)
-
-- [Devices joined to a domain](#devices-joined-to-a-domain)
-
-- [Device not joined to a domain](#devices-not-joined-to-a-domain)
-
-- [Troubleshooting](#troubleshooting)
-
->**Note:** This topic includes sample Windows PowerShell cmdlets. For more info, see [How to Run a Windows PowerShell Cmdlet](/previous-versions//bb648607(v=vs.85)).
-
-## Prerequisites
-
-These procedures assume that you already have a public key infrastructure (PKI) in place for device authentication.
-
-## Devices joined to a domain
-
-The following Windows PowerShell script establishes a connection security rule that uses IKEv2 for communication between two computers (CLIENT1 and SERVER1) that are joined to the corp.contoso.com domain as shown in Figure 1.
-
-
-
-**Figure 1** The Contoso corporate network
-
-This script does the following:
-
-- Creates a security group called **IPsec client and servers** and adds CLIENT1 and SERVER1 as members.
-
-- Creates a Group Policy Object (GPO) called **IPsecRequireInRequestOut** and links it to the corp.contoso.com domain.
-
-- Sets the permissions to the GPO so that they apply only to the computers in **IPsec client and servers** and not to **Authenticated Users**.
-
-- Indicates the certificate to use for authentication.
-
- >**Important:** The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors.
-
-- Creates the IKEv2 connection security rule called **My IKEv2 Rule**.
-
-**Windows PowerShell commands**
-
-Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints.
-
-```powershell
-# Create a Security Group for the computers that will get the policy
-$pathname = (Get-ADDomain).distinguishedname
-New-ADGroup -name "IPsec client and servers" -SamAccountName "IPsec client and servers" `
--GroupCategory security -GroupScope Global -path $pathname
-
-# Add test computers to the Security Group
-$computer = Get-ADComputer -LDAPFilter "(name=client1)"
-Add-ADGroupMember -Identity "IPsec client and servers" -Members $computer
-$computer = Get-ADComputer -LDAPFilter "(name=server1)"
-Add-ADGroupMember -Identity "IPsec client and servers" -Members $computer
-
-# Create and link the GPO to the domain
-$gpo = New-gpo IPsecRequireInRequestOut
-$gpo | new-gplink -target "dc=corp,dc=contoso,dc=com" -LinkEnabled Yes
-
-# Set permissions to security group for the GPO
-$gpo | Set-GPPermissions -TargetName "IPsec client and servers" -TargetType Group -PermissionLevel GpoApply -Replace
-$gpo | Set-GPPermissions -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None -Replace
-
-#Set up the certificate for authentication
-$gponame = "corp.contoso.com\IPsecRequireInRequestOut"
-$certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA"
-$myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop –PolicyStore GPO:$gponame
-
-#Create the IKEv2 Connection Security rule
-New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet $myauth.InstanceID `
--InboundSecurity Require -OutboundSecurity Request -KeyModule IKEv2 -PolicyStore GPO:$gponame
-```
-
-## Devices not joined to a domain
-
-Use a Windows PowerShell script similar to the following to create a local IPsec policy on the devices that you want to include in the secure connection.
-
->**Important:** The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors.
-
-**Windows PowerShell commands**
-
-Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints.
-
-```powershell
-#Set up the certificate
-$certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA"
-$myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop
-
-#Create the IKEv2 Connection Security rule
-New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet $myauth.InstanceID `
--InboundSecurity Require -OutboundSecurity Request -KeyModule IKEv2
-```
-
-Make sure that you install the required certificates on the participating computers.
-
-> **Note:**
-> - For local devices, you can import the certificates manually if you have administrator access to the computer. For more info, see [Import or export certificates and private keys](https://windows.microsoft.com/windows-vista/Import-or-export-certificates-and-private-keys).
-> - You need a root certificate and a computer certificate on all devices that participate in the secure connection. Save the computer certificate in the **Personal/Certificates** folder.
-> - For remote devices, you can create a secure website to facilitate access to the script and certificates.
-
-## Troubleshooting
-
-Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections:
-
-**Use the Windows Defender Firewall with Advanced Security snap-in to verify that a connection security rule is enabled.**
-
-1. Open the Windows Defender Firewall with Advanced Security console.
-
-2. In the left pane of the Windows Defender Firewall with Advanced Security snap-in, click **Connection Security Rules**, and then verify that there is an enabled connection security rule.
-
-3. Expand **Monitoring**, and then click **Connection Security Rules** to verify that your IKEv2 rule is active for your currently active profile.
-
-**Use Windows PowerShell cmdlets to display the security associations.**
-
-1. Open a Windows PowerShell command prompt.
-
-2. Type **get-NetIPsecQuickModeSA** to display the Quick Mode security associations.
-
-3. Type **get-NetIPsecMainModeSA** to display the Main Mode security associations.
-
-**Use netsh to capture IPsec events.**
-
-1. Open an elevated command prompt.
-
-2. At the command prompt, type **netsh wfp capture start**.
-
-3. Reproduce the error event so that it can be captured.
-
-4. At the command prompt, type **netsh wfp capture stop**.
-
- A wfpdiag.cab file is created in the current folder.
-
-5. Open the cab file, and then extract the wfpdiag.xml file.
-
-6. Open the wfpdiag.xml file with your an XML viewer program or Notepad, and then examine the contents. There will be a lot of data in this file. One way to narrow down where to start looking is to search the last “errorFrequencyTable” at the end of the file. There might be many instances of this table, so make sure that you look at the last table in the file. For example, if you have a certificate problem, you might see the following entry in the last table at the end of the file:
-
- ```xml
-
By default, the firewall rules in Windows Server 2016. Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 11, Windows 10, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. |
-| Internet Protocol security (IPsec) | A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).|
-| IPsec policy | A collection of connection security rules that provide the required protection to network traffic entering and leaving the device. The protection includes authentication of both the sending and receiving device, integrity protection of the network traffic exchanged between them, and can include encryption.|
-| Isolated domain | An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member devices by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones).
In this guide, the term *isolated domain* refers to the IPsec concept of a group of devices that can share authentication. The term *Active Directory domain* refers to the group of devices that share a security database by using Active Directory.|
-| Server isolation | A technique for using group membership to restrict access to a server that is typically already a member of an isolated domain. The extra protection comes from using the authentication credentials of the requesting device to determine its group membership, and then only allowing access if the computer account (and optionally the user account) is a member of an authorized group.|
-| Solicited network traffic | Network traffic that is sent in response to a request. By default, Windows Defender Firewall allows all solicited network traffic through.|
-| Unsolicited network traffic | Network traffic that isn't a response to an earlier request, and that the receiving device can't necessarily anticipate. By default, Windows Defender Firewall blocks all unsolicited network traffic. |
-| Zone | A zone is a logical grouping of devices that share common IPsec policies because of their communications requirements. For example, the boundary zone permits inbound connections from non-trusted devices. The encryption zone requires that all connections be encrypted.
This term zone isn't related to the one used by Domain Name System (DNS). |
-
-**Next:** [Understanding the Windows Defender Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md)
-
-
-
-
-
-
-
-
-
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md
deleted file mode 100644
index af1b573655..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: Windows Defender Firewall with Advanced Security
-description: Learn overview information about the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
-ms.prod: windows-client
-ms.collection:
- - highpri
- - tier3
- - must-keep
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Windows Defender Firewall with Advanced Security
-
-
-This topic is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
-
-## Overview of Windows Defender Firewall with Advanced Security
-
-Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that can't be authenticated as a trusted device can't communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user.
-
-The Windows Defender Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Defender Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel program can protect a single device in a home environment, it doesn't provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment.
-
-[!INCLUDE [windows-firewall](../../../../../includes/licensing/windows-firewall.md)]
-
-## Feature description
-
-Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network's isolation strategy.
-
-## Practical applications
-
-
-To help address your organizational network security challenges, Windows Defender Firewall offers the following benefits:
-
-- **Reduces the risk of network security threats.** Windows Defender Firewall reduces the attack surface of a device, providing an extra layer to the defense-in-depth model. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
-
-- **Safeguards sensitive data and intellectual property.** With its integration with IPsec, Windows Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data.
-
-- **Extends the value of existing investments.** Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there's no other hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API).
-
diff --git a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
index b1bfa3ebb1..3daa0cbf86 100644
--- a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
+++ b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
@@ -4,7 +4,6 @@ description: This article describes how Windows security features help protect y
ms.topic: conceptual
ms.date: 08/11/2023
ms.collection:
- - highpri
- tier1
---
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
index 0282a7bcb2..6f077f8f37 100644
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
@@ -11,7 +11,7 @@ ms.topic: article
The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list:
- [Microsoft Account](https://account.microsoft.com/account/faq)
-- [Windows Hello for Business](../../../identity-protection/hello-for-business/hello-identity-verification.md)
+- [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md)
- [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from)
You can also choose to hide the section from users of the device, if you don't want your employees to access or view user-configured options for these features.
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
index 713b98447c..310a26dc87 100644
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
@@ -7,7 +7,7 @@ ms.topic: article
# Firewall and network protection
-The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).
+The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../../network-security/windows-firewall/index.md).
This section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
index 1970d566b4..a316bca4b5 100644
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
@@ -3,9 +3,6 @@ title: Windows Security
description: Windows Security brings together common Windows security features into one place.
ms.date: 08/11/2023
ms.topic: article
-ms.collection:
- - highpri
- - tier2
---
# Windows Security
@@ -73,7 +70,7 @@ For more information about each section, options for configuring the sections, a
>
> Microsoft Defender Antivirus will be [disabled automatically when a third-party antivirus product is installed and kept up to date](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility).
>
-> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).
+> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../../network-security/windows-firewall/index.md).
> [!WARNING]
> If you disable the Windows Security Center Service, or configure its associated group policy settings to prevent it from starting or running, **Windows Security** may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
index 38961897cb..ff13a406b5 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
@@ -1,7 +1,7 @@
---
title: Enhanced Phishing Protection in Microsoft Defender SmartScreen
description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
-ms.date: 09/25/2023
+ms.date: 11/02/2023
ms.topic: conceptual
appliesto:
- ✅ Windows 11, version 22H2
@@ -19,7 +19,7 @@ If a user signs into Windows using a password, Enhanced Phishing Protection work
- If users type their work or school password into a website or app that SmartScreen finds suspicious, Enhanced Phishing Protection can automatically collect information from that website or app to help identify security threats. For example, the content displayed, sounds played, and application memory.
> [!NOTE]
-> When a user signs-in to a device using a Windows Hello for Business PIN or biometric, Enhanced Phishing Protection does not alert the user or send events to Microsoft Defender for Endpoint.
+> When a user signs-in to a device using a Windows Hello for Business PIN or biometric, Enhanced Phishing Protection does not alert the user or send events to [Microsoft Defender for Endpoint (MDE)](/microsoft-365/security/defender-endpoint/).
## Benefits of Enhanced Phishing Protection in Microsoft Defender SmartScreen
@@ -37,43 +37,51 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc
## Configure Enhanced Phishing Protection for your organization
-Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. Follow these instructions to configure your devices using either Microsoft Intune, GPO or CSP.
+Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. These settings are available to configure your devices using either Microsoft Intune, GPO or CSP.
+
+| Setting | Description |
+|--|--|
+| Automatic Data Collection | This policy setting determines whether Enhanced Phishing Protection can collect additional information-such as content displayed, sounds played, and application memory-when your users enter their work or school password into a suspicious website or app. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious.
**Disabled** for all other devices. | **Enabled**: Turns on collection of additional content for security analysis from a suspicious website or app to improve Microsoft's threat intelligence |
+| Service Enabled | **Enabled** | **Enabled**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users. |
+| Notify Malicious | **Disabled** for devices onboarded to MDE.
**Enabled** for all other devices. | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password. |
+| Notify Password Reuse | **Disabled** | **Enabled**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password. |
+| Notify Unsafe App | **Disabled** | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps. |
+
To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings.
+
+| Setting | Default Value | Recommendation |
+|---------------------------|------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Automatic Data Collection | **Disabled** for domain joined devices or devices enrolled with MDM.
**Enabled** for all other devices. | **Enabled**: Turns on collection of additional content when users enter their work or school password into a suspicious website or app. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious. |
+| Service Enabled | **Enabled** | **Enabled**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users. |
+| Notify Malicious | **Disabled** for devices onboarded to MDE.
**Enabled** for all other devices. | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password. |
+| Notify Password Reuse | **Disabled** | **Enabled**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password. |
+| Notify Unsafe App | **Disabled** | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps. |
+
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
-|Settings catalog element|Recommendation|
-|---------|---------|
-|Service Enabled|**Enable**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.|
-|Notify Malicious|**Enable**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.|
-|Notify Password Reuse|**Enable**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.|
-|Notify Unsafe App|**Enable**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.|
+| Settings catalog element | Recommended value |
+|---------------------------|-------------------|
+| Automatic Data Collection | **Enabled** |
+| Service Enabled | **Enabled** |
+| Notify Malicious | **Enabled** |
+| Notify Password Reuse | **Enabled** |
+| Notify Unsafe App | **Enabled** |
#### [:::image type="icon" source="images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
-|Group Policy setting|Recommendation|
-|---------|---------|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled| **Enable**: Enhanced Phishing Protection is enabled in audit mode and your users are unable to turn it off.|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|**Enable**: Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate. It encourages users to change their password.|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse|**Enable**: Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|**Enable**: Enhanced Phishing Protection warns users if they store their password in Notepad and Microsoft 365 Office Apps.|
+| Group Policy setting | Recommended value |
+|---------------------------|-------------------|
+| Automatic Data Collection | **Enabled** |
+| Service Enabled | **Enabled** |
+| Notify Malicious | **Enabled** |
+| Notify Password Reuse | **Enabled** |
+| Notify Unsafe App | **Enabled** |
#### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp)
-|MDM setting|Recommendation|
-|---------|---------|
-|ServiceEnabled|**1**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.|
-|NotifyMalicious|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.|
-|NotifyPasswordReuse|**1**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.|
-|NotifyUnsafeApp|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.|
-
+| MDM setting | Recommended value |
+|-------------------------|-------------------|
+| AutomaticDataCollection | **1** |
+| ServiceEnabled | **1** |
+| NotifyMalicious | **1** |
+| NotifyPasswordReuse | **1** |
+| NotifyUnsafeApp | **1** |
---
@@ -121,7 +148,4 @@ To better help you protect your organization, we recommend turning on and using
[WIN-1]: /windows/client-management/mdm/policy-csp-webthreatdefense
-
[MEM-2]: /mem/intune/configuration/settings-catalog
-
-
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
index 9b52d9fb84..b5af241045 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
@@ -2,11 +2,7 @@
title: Microsoft Defender SmartScreen overview
description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
ms.date: 08/11/2023
-ms.topic: article
-ms.localizationpriority: high
-ms.collection:
- - tier2
- - highpri
+ms.topic: conceptual
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/security/security-foundations/certification/fips-140-validation.md b/windows/security/security-foundations/certification/fips-140-validation.md
index 1cb3c7c91f..295dd13ce0 100644
--- a/windows/security/security-foundations/certification/fips-140-validation.md
+++ b/windows/security/security-foundations/certification/fips-140-validation.md
@@ -1,18 +1,10 @@
---
title: Federal Information Processing Standard (FIPS) 140 Validation
description: Learn how Microsoft products and cryptographic modules follow the U.S. Federal government standard FIPS 140.
-ms.prod: windows-client
-ms.date: 08/18/2023
-manager: aaroncz
+ms.date: 11/13/2023
+ms.topic: reference
ms.author: paoloma
author: paolomatarazzo
-ms.collection:
- - highpri
- - tier3
-ms.topic: reference
-ms.localizationpriority: medium
-ms.reviewer:
-ms.technology: itpro-security
---
# FIPS 140-2 Validation
@@ -21,7 +13,7 @@ ms.technology: itpro-security
The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products.
-The [Cryptographic Module Validation Program (CMVP)][HTTP-1]) is a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). It validates cryptographic modules against the Security Requirements for Cryptographic Modules (part of FIPS 140-2) and related FIPS cryptography standards. The FIPS 140-2 security requirements cover 11 areas related to the design and implementation of a cryptographic module. The NIST Information Technology Laboratory operates a related program that validates the FIPS approved cryptographic algorithms in the module.
+The [Cryptographic Module Validation Program (CMVP)][HTTP-1] is a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). It validates cryptographic modules against the Security Requirements for Cryptographic Modules (part of FIPS 140-2) and related FIPS cryptography standards. The FIPS 140-2 security requirements cover 11 areas related to the design and implementation of a cryptographic module. The NIST Information Technology Laboratory operates a related program that validates the FIPS approved cryptographic algorithms in the module.
## Microsoft's approach to FIPS 140-2 validation
diff --git a/windows/security/security-foundations/certification/windows-platform-common-criteria.md b/windows/security/security-foundations/certification/windows-platform-common-criteria.md
index 0f426874c2..adfc44645c 100644
--- a/windows/security/security-foundations/certification/windows-platform-common-criteria.md
+++ b/windows/security/security-foundations/certification/windows-platform-common-criteria.md
@@ -1,17 +1,13 @@
---
title: Common Criteria Certifications
description: This topic details how Microsoft supports the Common Criteria certification program.
-ms.prod: windows-client
ms.author: sushmanemali
author: s4sush
-manager: aaroncz
ms.topic: reference
-ms.localizationpriority: medium
-ms.date: 11/4/2022
+ms.date: 11/22/2023
ms.reviewer: paoloma
-ms.technology: itpro-security
ms.collection:
- - tier3
+- tier3
---
# Common Criteria certifications
@@ -34,7 +30,7 @@ Certified against the Protection Profile for General Purpose Operating Systems,
- [Administrative Guide](https://download.microsoft.com/download/9/1/7/9178ce6a-8117-42e7-be0d-186fc4a89ca6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Administrative%20Guide%20(21H2%20et%20al).pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/4/1/6/416151fe-63e7-48c0-a485-1d87148c71fe/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Assurance%20Activity%20Report%20(21H2%20et%20al).pdf)
- [Validation Report](https://download.microsoft.com/download/e/3/7/e374af1a-3c5d-42ee-8e19-df47d2c0e3d6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Validation%20Report%20(21H2%20et%20al).pdf)
-
+
### Windows 10, version 2004, Windows Server, version 2004, Windows Server Core Datacenter (Azure Fabric Controller), Windows Server Core Datacenter (Azure Stack)
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients
@@ -105,7 +101,7 @@ Certified against the Protection Profile for General Purpose Operating Systems.
- [Security Target](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf)
- [Administrative Guide](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf)
- [Certification Report](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
-- [Assurance Activity Report](https://download.microsoft.com/download/a/e/9/ae9a2235-e1cd-4869-964d-c8260f604367/Windows%2010%201703%20GP%20OS%20Assurance%20Activity%20Report.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/a/e/9/ae9a2235-e1cd-4869-964d-c8260f604367/Windows%2010%201703%20GP%20OS%20Assurance%20Activity%20Report.pdf)
### Windows 10, version 1607, Windows Server 2016
@@ -149,9 +145,9 @@ Certified against the Protection Profile for Mobile Device Fundamentals.
- [Security Target](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx)
- [Administrative Guide](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx)
- [Validation Report](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
-- [Assurance Activity Report](https://download.microsoft.com/download/9/3/9/939b44a8-5755-4d4c-b020-d5e8b89690ab/Windows%2010%20and%20Windows%2010%20Mobile%201607%20MDF%20Assurance%20Activity%20Report.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/9/3/9/939b44a8-5755-4d4c-b020-d5e8b89690ab/Windows%2010%20and%20Windows%2010%20Mobile%201607%20MDF%20Assurance%20Activity%20Report.pdf)
-### Windows 10, version 1607, Windows Server 2016
+### Windows 10, version 1607, Windows Server 2016 (VPN)
Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients.
@@ -273,7 +269,7 @@ Certified against the Protection Profile for General Purpose Operating Systems.
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf)
- [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08)
-- [Certification Report](http://www.commoncriteriaportal.org:80/files/epfiles/0570a_pdf.pdf)
+- [Certification Report](http://www.commoncriteriaportal.org:80/files/epfiles/0570a_pdf.pdf)
### Windows Server 2003 Certificate Server
diff --git a/windows/security/security-foundations/msft-security-dev-lifecycle.md b/windows/security/security-foundations/msft-security-dev-lifecycle.md
deleted file mode 100644
index 99fc260eb9..0000000000
--- a/windows/security/security-foundations/msft-security-dev-lifecycle.md
+++ /dev/null
@@ -1,27 +0,0 @@
----
-title: Microsoft Security Development Lifecycle
-description: Download the Microsoft Security Development Lifecycle white paper that covers a security assurance process focused on software development.
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 07/31/2023
----
-
-# Microsoft Security Development Lifecycle
-
-The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. As a Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.
-
-[:::image type="content" source="images/simplified-sdl.png" alt-text="Simplified secure development lifecycle":::](https://www.microsoft.com/en-us/securityengineering/sdl)
-
-With the help of the combination of a holistic and practical approach, the SDL aims to reduce the number and severity of vulnerabilities in software. The SDL introduces security and privacy throughout all phases of the development process.
-
-The Microsoft SDL is based on three core concepts:
-
-- Education
-- Continuous process improvement
-- Accountability
-
-To learn more about the SDL, visit the [Security Engineering site](https://www.microsoft.com/en-us/securityengineering/sdl).
-
-And, download the [Simplified Implementation of the Microsoft SDL whitepaper](https://www.microsoft.com/download/details.aspx?id=12379).
diff --git a/windows/security/security-foundations/toc.yml b/windows/security/security-foundations/toc.yml
index 0741c7a555..7fc4c3adff 100644
--- a/windows/security/security-foundations/toc.yml
+++ b/windows/security/security-foundations/toc.yml
@@ -5,11 +5,11 @@ items:
href: zero-trust-windows-device-health.md
- name: Offensive research
items:
- - name: Microsoft Security Development Lifecycle
- href: msft-security-dev-lifecycle.md
+ - name: Microsoft Security Development Lifecycle 🔗
+ href: /compliance/assurance/assurance-microsoft-security-development-lifecycle
- name: OneFuzz service
href: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/
- - name: Microsoft Windows Insider Preview bounty program 🔗
+ - name: Microsoft Windows Insider Preview bounty program
href: https://www.microsoft.com/msrc/bounty-windows-insider-preview
- name: Certification
href: certification/toc.yml
\ No newline at end of file
diff --git a/windows/security/security-foundations/zero-trust-windows-device-health.md b/windows/security/security-foundations/zero-trust-windows-device-health.md
index f80e2bf591..2f5a418bc1 100644
--- a/windows/security/security-foundations/zero-trust-windows-device-health.md
+++ b/windows/security/security-foundations/zero-trust-windows-device-health.md
@@ -1,7 +1,7 @@
---
title: Zero Trust and Windows device health
description: Describes the process of Windows device health attestation
-ms.topic: conceptual
+ms.topic: concept-article
manager: aaroncz
ms.author: paoloma
author: paolomatarazzo
diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
index 3648c69063..eaa7ed73d3 100644
--- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
@@ -1,5 +1,5 @@
---
-title: Advanced security audit policy settings
+title: Advanced security audit policy settings
description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171
ms.author: vinpa
@@ -10,7 +10,7 @@ ms.pagetype: security
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -26,7 +26,7 @@ The security audit policy settings under **Security Settings\\Advanced Audit Pol
- A group administrator has modified settings or data on servers that contain finance information.
- An employee within a defined group has accessed an important file.
- The correct system access control list (SACL) - as a verifiable safeguard against undetected access - is applied to either of the following:
- - every file and folder
+ - every file and folder
- registry key on a computer
- file share.
@@ -34,7 +34,7 @@ You can access these audit policy settings through the Local Security Policy sna
These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for the following types of behaviors:
- That are of little or no concern to you
-- That create an excessive number of log entries.
+- That create an excessive number of log entries.
In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories:
@@ -63,7 +63,7 @@ The security audit policy settings in this category can be used to monitor chang
Detailed Tracking security policy settings and audit events can be used for the following purposes:
- To monitor the activities of individual applications and users on that computer
-- To understand how a computer is being used.
+- To understand how a computer is being used.
This category includes the following subcategories:
@@ -161,12 +161,12 @@ Global Object Access Auditing policy settings allow administrators to define com
Auditors can prove that every resource in the system is protected by an audit policy. They can do this task by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect.
Resource SACLs are also useful for diagnostic scenarios. For example, administrators quickly identify which object in a system is denying a user access by:
-- Setting the Global Object Access Auditing policy to log all the activities for a specific user
+- Setting the Global Object Access Auditing policy to log all the activities for a specific user
- Enabling the policy to track "Access denied" events for the file system or registry can help
> [!NOTE]
> If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.
-
+
This category includes the following subcategories:
- [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md)
- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md
index b6bf8dec61..1aed416fd1 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing.md
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing.md
@@ -1,8 +1,8 @@
---
-title: Advanced security audit policies
-description: Advanced security audit policy settings may appear to overlap with basic policies, but they are recorded and applied differently. Learn more about them here.
+title: Advanced security audit policies
+description: Advanced security audit policy settings might appear to overlap with basic policies, but they're recorded and applied differently. Learn more about them here.
ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,21 +12,21 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/6/2021
ms.technology: itpro-security
---
# Advanced security audit policies
-Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently.
-When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy.
+Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they're recorded and applied differently.
+When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you're editing the effective audit policy, so changes made to basic audit policy settings appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy.
## In this section
-| Topic | Description |
+| Article | Description |
| - | - |
-| [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) | This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies |
-| [Advanced security auditing FAQ](advanced-security-auditing-faq.yml) | This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
+| [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) | This article for IT professionals explains the options that security policy planners must consider, and the tasks that they must complete, to deploy an effective security audit policy in a network that includes advanced security audit policies |
+| [Advanced security auditing FAQ](advanced-security-auditing-faq.yml) | This article for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
| [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) | This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.
-| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
+| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings in Windows and the audit events that they generate.
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
index c613a28ed2..d8dcb28e30 100644
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
+++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
@@ -1,8 +1,8 @@
---
-title: Apply a basic audit policy on a file or folder
+title: Apply a basic audit policy on a file or folder
description: Apply audit policies to individual files and folders on your computer by setting the permission type to record access attempts in the security log.
ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -40,18 +40,18 @@ To complete this procedure, you must be signed in as a member of the built-in Ad
- To audit failure events, select **Fail.**
- To audit all events, select **All.**
-
+
6. In the **Applies to** box, select the object(s) to which the audit of events will apply. These objects include:
-
+
- **This folder only**
- **This folder, subfolders and files**
- **This folder and subfolders**
- **This folder and files**
- **Subfolders and files only**
- - **Subfolders only**
+ - **Subfolders only**
- **Files only**
-
+
7. By default, the selected **Basic Permissions** to audit are the following:
- **Read and execute**
- **List folder contents**
@@ -60,8 +60,8 @@ To complete this procedure, you must be signed in as a member of the built-in Ad
- **Full control**
- **Modify**
- **Write**
-
-> [!IMPORTANT]
+
+> [!IMPORTANT]
> Before you set up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md). To do this, define auditing policy settings for the object access event category. If you don't enable object access auditing, you'll receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
## More considerations
diff --git a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
index fd97b2de5e..1b9208a8d5 100644
--- a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
+++ b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
@@ -1,5 +1,5 @@
---
-title: Audit Token Right Adjusted
+title: Audit Token Right Adjusted
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Token Right Adjusted, which determines whether the operating system generates audit events when specific changes are made to the privileges of a token.
manager: aaroncz
author: vinaypamnani-msft
@@ -8,13 +8,13 @@ ms.pagetype: security
ms.prod: windows-client
ms.technology: itpro-security
ms.date: 12/31/2017
-ms.topic: article
+ms.topic: reference
---
# Audit Token Right Adjusted
-Audit Token Right Adjusted allows you to audit events generated by adjusting the privileges of a token.
+Audit Token Right Adjusted allows you to audit events generated by adjusting the privileges of a token.
For more information, see [Security Monitoring: A Possible New Way to Detect Privilege Escalation](/archive/blogs/nathangau/security-monitoring-a-possible-new-way-to-detect-privilege-escalation).
diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
index 7773933079..017fb5ec82 100644
--- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
@@ -1,8 +1,8 @@
---
-title: Audit account logon events
+title: Audit account logon events
description: Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.
ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -45,9 +45,9 @@ You can configure this security setting by opening the appropriate policy under
| 681 | Logon failure. A domain account logon was attempted. This event is not generated in Windows XP or in the Windows Server 2003 family. |
| 682 | A user has reconnected to a disconnected terminal server session. |
| 683 | A user disconnected a terminal server session without logging off. |
-
+
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
+
+
diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md
index 9a6340c3a8..e3e8fa199c 100644
--- a/windows/security/threat-protection/auditing/basic-audit-account-management.md
+++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md
@@ -1,8 +1,8 @@
---
-title: Audit account management
+title: Audit account management
description: Determines whether to audit each event of account management on a device.
ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -28,7 +28,7 @@ Examples of account management events include:
- A user account is renamed, disabled, or enabled.
- A password is set or changed.
-If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To
+If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To
set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
**Default:**
diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
index 6da1a9c54e..82647ef71b 100644
--- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
+++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
@@ -1,8 +1,8 @@
---
-title: Basic audit directory service access
+title: Basic audit directory service access
description: Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -26,7 +26,7 @@ By default, this value is set to no auditing in the Default Domain Controller Gr
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an Active Directory object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an Active Directory object that has a SACL specified. To set this value to **No auditing,** in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
> **Note:** You can set a SACL on an Active Directory object by using the **Security** tab in that object's **Properties** dialog box. This is the same as Audit object access, except that it applies only to Active Directory objects and not to file system and registry objects.
-
+
**Default:**
- Success on domain controllers.
@@ -41,9 +41,9 @@ There is only one directory service access event, which is identical to the Obje
| Directory service access events | Description |
|---------------------------------|----------------------------------------|
| 566 | A generic object operation took place. |
-
+
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
+
+
diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
index 523fee4769..4b5e68258f 100644
--- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
@@ -1,8 +1,8 @@
---
-title: Audit logon events
+title: Audit logon events
description: Determines whether to audit each instance of a user logging on to or logging off from a device.
ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -41,11 +41,11 @@ You can configure this security setting by opening the appropriate policy under
| - | - |
| 4624 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. |
| 4625 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. |
-| 4634 | The logoff process was completed for a user. |
+| 4634 | The logoff process was completed for a user. |
| 4647 | A user initiated the logoff process. |
| 4648 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. |
| 4779 | A user disconnected a terminal server session without logging off. |
-
+
When event 4624 (Legacy Windows Event ID 528) is logged, a logon type is also listed in the event log. The following table describes each logon type.
@@ -60,9 +60,9 @@ When event 4624 (Legacy Windows Event ID 528) is logged, a logon type is also li
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.|
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop.|
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.|
-
+
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
+
+
diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md
index c9e7094492..66a2833e20 100644
--- a/windows/security/threat-protection/auditing/basic-audit-object-access.md
+++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md
@@ -1,8 +1,8 @@
---
-title: Audit object access
+title: Audit object access
description: The policy setting, Audit object access, determines whether to audit the event generated when a user accesses an object that has its own SACL specified.
ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md
index bd7e9a9b7e..4db162688d 100644
--- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md
+++ b/windows/security/threat-protection/auditing/basic-audit-policy-change.md
@@ -1,8 +1,8 @@
---
-title: Audit policy change
+title: Audit policy change
description: Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
ms.assetid: 1025A648-6B22-4C85-9F47-FE0897F1FA31
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -37,30 +37,30 @@ You can configure this security setting under Computer Configuration\\Windows Se
| Policy change events | Description |
| - | - |
-| 608 | A user right was assigned.|
+| 608 | A user right was assigned.|
| 609 | A user right was removed. |
-| 610 | A trust relationship with another domain was created.|
-| 611 | A trust relationship with another domain was removed.|
-| 612 | An audit policy was changed.|
-| 613 | An Internet Protocol security (IPSec) policy agent started.|
+| 610 | A trust relationship with another domain was created.|
+| 611 | A trust relationship with another domain was removed.|
+| 612 | An audit policy was changed.|
+| 613 | An Internet Protocol security (IPSec) policy agent started.|
| 614 | An IPSec policy agent was disabled. |
| 615 | An IPSec policy agent changed. |
-| 616 | An IPSec policy agent encountered a potentially serious failure.|
+| 616 | An IPSec policy agent encountered a potentially serious failure.|
| 617 | A Kerberos policy changed. |
-| 618 | Encrypted Data Recovery policy changed.|
-| 620 | A trust relationship with another domain was modified.|
+| 618 | Encrypted Data Recovery policy changed.|
+| 620 | A trust relationship with another domain was modified.|
| 621 | System access was granted to an account. |
-| 622 | System access was removed from an account.|
-| 623 | Per user auditing policy was set for a user.|
+| 622 | System access was removed from an account.|
+| 623 | Per user auditing policy was set for a user.|
| 625 | Per user audit policy was refreshed. |
| 768 | A collision was detected between a namespace element in one forest and a namespace element in another forest.
**Note** When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each entry type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for an entry of type 'TopLevelName'.|
| 769 | Trusted forest information was added.
**Note:** This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName".|
| 770 | Trusted forest information was deleted.
**Note:** This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName".|
| 771 | Trusted forest information was modified.
**Note:** This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName".|
-| 805 | The event log service read the security log configuration for a session.
-
+| 805 | The event log service read the security log configuration for a session.
+
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
+
+
diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
index 1382bf0fcb..11a05ab720 100644
--- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
+++ b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
@@ -1,8 +1,8 @@
---
-title: Audit privilege use
+title: Audit privilege use
description: Determines whether to audit each instance of a user exercising a user right.
ms.assetid: C5C6DAAF-8B58-4DFB-B1CE-F0675AE0E9F8
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -46,10 +46,10 @@ You can configure this security setting under Computer Configuration\\Windows Se
| - | - |
| 576 | Specified privileges were added to a user's access token.
**Note:** This event is generated when the user logs on.|
| 577 | A user attempted to perform a privileged system service operation. |
-| 578 | Privileges were used on an already open handle to a protected object. |
-
+| 578 | Privileges were used on an already open handle to a protected object. |
+
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
+
+
diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
index b7eb7ea1fd..796e7f323f 100644
--- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
+++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
@@ -1,8 +1,8 @@
---
-title: Audit process tracking
+title: Audit process tracking
description: Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
ms.assetid: 91AC5C1E-F4DA-4B16-BEE2-C92D66E4CEEA
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -34,20 +34,20 @@ You can configure this security setting under Computer Configuration\\Windows Se
| Process tracking events | Description |
| - | - |
-| 592 | A new process was created.|
+| 592 | A new process was created.|
| 593 | A process exited. |
-| 594 | A handle to an object was duplicated.|
-| 595 | Indirect access to an object was obtained.|
+| 594 | A handle to an object was duplicated.|
+| 595 | Indirect access to an object was obtained.|
| 596 | A data protection master key was backed up.
**Note:** The master key is used by the CryptProtectData and CryptUnprotectData routines, and Encrypting File System (EFS). The master key is backed up each time a new one is created. (The default setting is 90 days.) The key is usually backed up to a domain controller.|
-| 597 | A data protection master key was recovered from a recovery server.|
+| 597 | A data protection master key was recovered from a recovery server.|
| 598 | Auditable data was protected. |
-| 599 | Auditable data was unprotected.|
-| 600 | A process was assigned a primary token.|
+| 599 | Auditable data was unprotected.|
+| 600 | A process was assigned a primary token.|
| 601 | A user attempted to install a service. |
| 602 | A scheduler job was created. |
-
+
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
+
+
diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md
index 0af90ae965..c3a231e65c 100644
--- a/windows/security/threat-protection/auditing/basic-audit-system-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-system-events.md
@@ -1,8 +1,8 @@
---
-title: Audit system events
+title: Audit system events
description: Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
ms.assetid: BF27588C-2AA7-4365-A4BF-3BB377916447
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -37,14 +37,14 @@ You can configure this security setting by opening the appropriate policy under
| Logon events | Description |
| - | - |
-| 512 | Windows is starting up. |
+| 512 | Windows is starting up. |
| 513 | Windows is shutting down. |
-| 514 | An authentication package was loaded by the Local Security Authority.|
-| 515 | A trusted logon process has registered with the Local Security Authority.|
-| 516 | Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.|
+| 514 | An authentication package was loaded by the Local Security Authority.|
+| 515 | A trusted logon process has registered with the Local Security Authority.|
+| 516 | Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.|
| 517 | The audit log was cleared. |
-| 518 | A notification package was loaded by the Security Accounts Manager.|
-| 519 | A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space.|
+| 518 | A notification package was loaded by the Security Accounts Manager.|
+| 519 | A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space.|
| 520 | The system time was changed.
**Note:** This audit normally appears twice.|
## Related topics
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
index 95d4e51fe0..93ea3850e5 100644
--- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
@@ -1,8 +1,8 @@
---
-title: Basic security audit policies
+title: Basic security audit policies
description: Learn about basic security audit policies that specify the categories of security-related events that you want to audit for the needs of your organization.
ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -34,15 +34,15 @@ The event categories that you can choose to audit are:
- Audit process tracking
- Audit system events
-If you choose to audit access to objects as part of your audit policy, you must enable either the audit directory service access category (for auditing objects on a domain controller), or the audit object access category (for auditing objects on a member server or workstation). Once you have enabled the object access category, you can specify the types of access you want to audit for each group or user.
+If you choose to audit access to objects as part of your audit policy, you must enable either the audit directory service access category, for auditing objects on a domain controller, or the audit object access category, for auditing objects on a member server or workstation. After you enable the object access category, you can specify the types of access you want to audit for each group or user.
## In this section
-| Topic | Description |
+| Article | Description |
| - | - |
| [Create a basic audit policy for an event category](create-a-basic-audit-policy-settings-for-an-event-category.md) | By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default. |
-| [Apply a basic audit policy on a file or folder](apply-a-basic-audit-policy-on-a-file-or-folder.md) | You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log. |
-| [View the security event log](view-the-security-event-log.md) | The security log records each event as defined by the audit policies you set on each object.|
+| [Apply a basic audit policy on a file or folder](apply-a-basic-audit-policy-on-a-file-or-folder.md) | You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful or failed access attempts in the security log. |
+| [View the security event log](view-the-security-event-log.md) | The security log records each event as defined by the audit policies you set on each object.|
| [Basic security audit policy settings](basic-security-audit-policy-settings.md) | Basic security audit policy settings are found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.|
-
-
+
+
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
index 9c9d050b55..70b4c9c798 100644
--- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
@@ -1,8 +1,8 @@
---
-title: Basic security audit policy settings
+title: Basic security audit policy settings
description: Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
ms.assetid: 31C2C453-2CFC-4D9E-BC88-8CE1C1A8F900
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -26,18 +26,18 @@ Basic security audit policy settings are found under Computer Configuration\\Win
| Topic | Description |
| - | - |
-| [Audit account logon events](basic-audit-account-logon-events.md) | Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.|
-| [Audit account management](basic-audit-account-management.md) | Determines whether to audit each event of account management on a device.|
-| [Audit directory service access](basic-audit-directory-service-access.md) | Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.|
+| [Audit account logon events](basic-audit-account-logon-events.md) | Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.|
+| [Audit account management](basic-audit-account-management.md) | Determines whether to audit each event of account management on a device.|
+| [Audit directory service access](basic-audit-directory-service-access.md) | Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.|
| [Audit logon events](basic-audit-logon-events.md) | Determines whether to audit each instance of a user logging on to or logging off from a device. |
-| [Audit object access](basic-audit-object-access.md) | Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.|
+| [Audit object access](basic-audit-object-access.md) | Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.|
| [Audit policy change](basic-audit-policy-change.md) | Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. |
| [Audit privilege use](basic-audit-privilege-use.md) | Determines whether to audit each instance of a user exercising a user right. |
-| [Audit process tracking](basic-audit-process-tracking.md) | Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.|
+| [Audit process tracking](basic-audit-process-tracking.md) | Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.|
| [Audit system events](basic-audit-system-events.md) | Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. |
-
+
## Related topics
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
-
-
+
+
diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
index 9a49d95bbe..90f66f7720 100644
--- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
+++ b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
@@ -1,8 +1,8 @@
---
-title: Create a basic audit policy for an event category
+title: Create a basic audit policy for an event category
description: By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization.
ms.assetid: C9F52751-B40D-482E-BE9D-2C61098249D3
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/07/2021
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md
index 726f71bbbd..5ca11d5d60 100644
--- a/windows/security/threat-protection/auditing/event-4720.md
+++ b/windows/security/threat-protection/auditing/event-4720.md
@@ -166,83 +166,9 @@ Typically, **Primary Group** field for new user accounts has the following value
> **Note** **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
-- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. **Old UAC value** always **“0x0”** for new user accounts. This parameter contains the previous value of **userAccountControl** attribute of user object.
+- **Old UAC Value** [Type = UnicodeString]: is always “0x0” for new accounts.
-- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. This parameter contains the value of **userAccountControl** attribute of new user object.
-
-To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag.
-
-Here's an example: Flags value from event: 0x15
-
-Decoding:
-
-• PASSWD\_NOTREQD 0x0020
-
-• LOCKOUT 0x0010
-
-• HOMEDIR\_REQUIRED 0x0008
-
-• (undeclared) 0x0004
-
-• ACCOUNTDISABLE 0x0002
-
-• SCRIPT 0x0001
-
-0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event
-
-0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
-
-0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
-
-0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
-
-0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
-
-So this UAC flags value decodes to: LOCKOUT and SCRIPT
-
-- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. For new user accounts, when the object for this account was created, the **userAccountControl** value was considered to be **“0x0”**, and then it was changed from **“0x0”** to the real value for the account's **userAccountControl** attribute. See possible values in the table below. In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4720 event.
-
-| Flag Name | userAccountControl in hexadecimal | userAccountControl in decimal | Description | User Account Control field text |
-|------------------------------------|-----------------------------------|-------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------|
-| SCRIPT | 0x0001 | 1 | The logon script will be run. | Changes of this flag do not show in 4720 events. |
-| ACCOUNTDISABLE | 0x0002 | 2 | The user account is disabled. | Account Disabled
Account Enabled |
-| Undeclared | 0x0004 | 4 | This flag is undeclared. | Changes of this flag do not show in 4720 events. |
-| HOMEDIR\_REQUIRED | 0x0008 | 8 | The home folder is required. | 'Home Directory Required' - Enabled
'Home Directory Required' - Disabled |
-| LOCKOUT | 0x0010 | 16 | | Changes of this flag do not show in 4720 events. |
-| PASSWD\_NOTREQD | 0x0020 | 32 | No password is required. | 'Password Not Required' - Enabled
'Password Not Required' - Disabled |
-| PASSWD\_CANT\_CHANGE | 0x0040 | 64 | The user cannot change the password. This is a permission on the user's object. | Changes of this flag do not show in 4720 events. |
-| ENCRYPTED\_TEXT\_PWD\_ALLOWED | 0x0080 | 128 | The user can send an encrypted password.
Can be set using “Store password using reversible encryption” checkbox. | 'Encrypted Text Password Allowed' - Disabled
'Encrypted Text Password Allowed' - Enabled |
-| TEMP\_DUPLICATE\_ACCOUNT | 0x0100 | 256 | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. | Cannot be set for computer account. |
-| NORMAL\_ACCOUNT | 0x0200 | 512 | This is a default account type that represents a typical user. | 'Normal Account' - Disabled
'Normal Account' - Enabled |
-| INTERDOMAIN\_TRUST\_ACCOUNT | 0x0800 | 2048 | This is a permit to trust an account for a system domain that trusts other domains. | Cannot be set for computer account. |
-| WORKSTATION\_TRUST\_ACCOUNT | 0x1000 | 4096 | This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. | 'Workstation Trust Account' - Disabled
'Workstation Trust Account' - Enabled |
-| SERVER\_TRUST\_ACCOUNT | 0x2000 | 8192 | This is a computer account for a domain controller that is a member of this domain. | 'Server Trust Account' - Enabled
'Server Trust Account' - Disabled |
-| DONT\_EXPIRE\_PASSWORD | 0x10000 | 65536 | Represents the password, which should never expire on the account.
Can be set using “Password never expires” checkbox. | 'Don't Expire Password' - Disabled
'Don't Expire Password' - Enabled |
-| MNS\_LOGON\_ACCOUNT | 0x20000 | 131072 | This is an MNS logon account. | 'MNS Logon Account' - Disabled
'MNS Logon Account' - Enabled |
-| SMARTCARD\_REQUIRED | 0x40000 | 262144 | When this flag is set, it forces the user to log on by using a smart card. | 'Smartcard Required' - Disabled
'Smartcard Required' - Enabled |
-| TRUSTED\_FOR\_DELEGATION | 0x80000 | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
If you enable Kerberos constraint or unconstraint delegation or disable these types of delegation in Delegation tab you will get this flag changed. | 'Trusted For Delegation' - Enabled
'Trusted For Delegation' - Disabled |
-| NOT\_DELEGATED | 0x100000 | 1048576 | When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
Can be set using “Account is sensitive and cannot be delegated” checkbox. | 'Not Delegated' - Disabled
'Not Delegated' - Enabled |
-| USE\_DES\_KEY\_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
Can be set using “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled
'Use DES Key Only' - Enabled |
-| DONT\_REQ\_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on.
Can be set using “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled
'Don't Require Preauth' - Enabled |
-| PASSWORD\_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4720 events. |
-| TRUSTED\_TO\_AUTH\_FOR\_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
If you enable Kerberos protocol transition delegation or disable this type of delegation in Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled
'Trusted To Authenticate For Delegation' - Enabled |
-| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000 | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. |
-
-For new, manually created, domain or local user accounts typical flags are:
-
-- Account Disabled
-
-- 'Password Not Required' - Enabled
-
-- 'Normal Account' – Enabled
-
- After new user creation event you will typically see couple of “[4738](event-4738.md): A user account was changed.” events with new flags:
-
-- 'Password Not Required' – Disabled
-
-- Account Enabled
-
-
+- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec).
- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of user’s account properties, then you will see **<value changed, but not displayed>** in this field in “[4738](event-4738.md): A user account was changed.” This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**<value not set>**”.
diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md
index 61cd4e80e6..be3bf1a1e5 100644
--- a/windows/security/threat-protection/auditing/event-4738.md
+++ b/windows/security/threat-protection/auditing/event-4738.md
@@ -192,39 +192,9 @@ Typical **Primary Group** values for user accounts:
> [!NOTE]
> **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
-- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. This parameter contains the previous value of **userAccountControl** attribute of user object.
+- **Old UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of the SAM implementation of account flags (definition differs from userAccountControl in AD).
-- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. If the value of **userAccountControl** attribute of user object was changed, you will see the new value here.
-
-To decode this value, you can go through the property value definitions in the [User’s or Computer’s account UAC flags.](/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties) from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag.
-
-Here's an example: Flags value from event: 0x15
-
-Decoding:
-
-• PASSWD\_NOTREQD 0x0020
-
-• LOCKOUT 0x0010
-
-• HOMEDIR\_REQUIRED 0x0008
-
-• (undeclared) 0x0004
-
-• ACCOUNTDISABLE 0x0002
-
-• SCRIPT 0x0001
-
-0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event
-
-0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
-
-0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
-
-0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
-
-0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
-
-So this UAC flags value decodes to: LOCKOUT and SCRIPT
+- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). If the value was changed, you will see the new value here. For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec).
- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. See possible values in here: [User’s or Computer’s account UAC flags](/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties). In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4738 event.
diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md
index a245d7e5ce..e26b0c96b3 100644
--- a/windows/security/threat-protection/auditing/event-4741.md
+++ b/windows/security/threat-protection/auditing/event-4741.md
@@ -170,69 +170,9 @@ Typically, **Primary Group** field for new computer accounts has the following v
> [!NOTE]
> **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
-- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. **Old UAC value** always `0x0` for new computer accounts. This parameter contains the previous value of **userAccountControl** attribute of computer object.
+- **Old UAC Value** [Type = UnicodeString]: is always “0x0” for new accounts.
-- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of **userAccountControl** attribute of new computer object.
-
-To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag.
-
-Here's an example: Flags value from event: 0x15
-
-Decoding:
-
-• PASSWD\_NOTREQD 0x0020
-
-• LOCKOUT 0x0010
-
-• HOMEDIR\_REQUIRED 0x0008
-
-• (undeclared) 0x0004
-
-• ACCOUNTDISABLE 0x0002
-
-• SCRIPT 0x0001
-
-0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event
-
-0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
-
-0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
-
-0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
-
-0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
-
-So this UAC flags value decodes to: LOCKOUT and SCRIPT
-
-- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. For new computer accounts, when the object for this account was created, the **userAccountControl** value was considered to be `0x0`, and then it was changed from `0x0` to the real value for the account's **userAccountControl** attribute. See possible values in the table below. In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4741 event.
-
-| Flag Name | userAccountControl in hexadecimal | userAccountControl in decimal | Description | User Account Control field text |
-|---|---|---|---|---|
-| SCRIPT | 0x0001 | 1 | The logon script will be run. | Changes of this flag do not show in 4741 events. |
-| ACCOUNTDISABLE | 0x0002 | 2 | The user account is disabled. | Account Disabled
Account Enabled |
-| Undeclared | 0x0004 | 4 | This flag is undeclared. | Changes of this flag do not show in 4741 events. |
-| HOMEDIR\_REQUIRED | 0x0008 | 8 | The home folder is required. | 'Home Directory Required' - Enabled
'Home Directory Required' - Disabled |
-| LOCKOUT | 0x0010 | 16 | | Changes of this flag do not show in 4741 events. |
-| PASSWD\_NOTREQD | 0x0020 | 32 | No password is required. | 'Password Not Required' - Enabled
'Password Not Required' - Disabled |
-| PASSWD\_CANT\_CHANGE | 0x0040 | 64 | The user cannot change the password. This is a permission on the user's object. | Changes of this flag do not show in 4741 events. |
-| ENCRYPTED\_TEXT\_PWD\_ALLOWED | 0x0080 | 128 | The user can send an encrypted password.
Can be set using “Store password using reversible encryption” checkbox. | 'Encrypted Text Password Allowed' - Disabled
'Encrypted Text Password Allowed' - Enabled |
-| TEMP\_DUPLICATE\_ACCOUNT | 0x0100 | 256 | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. | Cannot be set for computer account. |
-| NORMAL\_ACCOUNT | 0x0200 | 512 | This is a default account type that represents a typical user. | 'Normal Account' - Disabled
'Normal Account' - Enabled |
-| INTERDOMAIN\_TRUST\_ACCOUNT | 0x0800 | 2048 | This is a permit to trust an account for a system domain that trusts other domains. | Cannot be set for computer account. |
-| WORKSTATION\_TRUST\_ACCOUNT | 0x1000 | 4096 | This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. | 'Workstation Trust Account' - Disabled
'Workstation Trust Account' - Enabled |
-| SERVER\_TRUST\_ACCOUNT | 0x2000 | 8192 | This is a computer account for a domain controller that is a member of this domain. | 'Server Trust Account' - Enabled
'Server Trust Account' - Disabled |
-| DONT\_EXPIRE\_PASSWORD | 0x10000 | 65536 | Represents the password, which should never expire on the account.
Can be set using “Password never expires” checkbox. | 'Don't Expire Password' - Disabled
'Don't Expire Password' - Enabled |
-| MNS\_LOGON\_ACCOUNT | 0x20000 | 131072 | This is an MNS logon account. | 'MNS Logon Account' - Disabled
'MNS Logon Account' - Enabled |
-| SMARTCARD\_REQUIRED | 0x40000 | 262144 | When this flag is set, it forces the user to log on by using a smart card. | 'Smartcard Required' - Disabled
'Smartcard Required' - Enabled |
-| TRUSTED\_FOR\_DELEGATION | 0x80000 | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
If you enable Kerberos constraint or unconstraint delegation or disable these types of delegation in Delegation tab you will get this flag changed. | 'Trusted For Delegation' - Enabled
'Trusted For Delegation' - Disabled |
-| NOT\_DELEGATED | 0x100000 | 1048576 | When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
Can be set using “Account is sensitive and cannot be delegated” checkbox. | 'Not Delegated' - Disabled
'Not Delegated' - Enabled |
-| USE\_DES\_KEY\_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
Can be set using “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled
'Use DES Key Only' - Enabled |
-| DONT\_REQ\_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on.
Can be set using “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled
'Don't Require Preauth' - Enabled |
-| PASSWORD\_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4741 events. |
-| TRUSTED\_TO\_AUTH\_FOR\_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
If you enable Kerberos protocol transition delegation or disable this type of delegation in Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled
'Trusted To Authenticate For Delegation' - Enabled |
-| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000 | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. |
-
-> Table 7. User’s or Computer’s account UAC flags.
+- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec).
- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see `
Departmental Payroll Managers: Write only on Corp-Finance-1| High| Financial integrity and employee privacy|
| Patient medical records| MedRec-2| Doctors and Nurses: Read/write on Med/Rec-2
Lab Assistants: Write only on MedRec-2
Accounting: Read only on MedRec-2| High| Strict legal and regulatory standards|
| Consumer health information| Web-Ext-1| Public Relations Web Content Creators: Read/write on Web-Ext-1
Public: Read only on Web-Ext-1| Low| Public education and corporate image|
-
+
### Users
Many organizations find it useful to classify the types of users they have and then base permissions on this classification. This classification can help you identify which user activities should be the subject of security auditing and the amount of audit data that they'll generate.
@@ -140,7 +140,7 @@ The following table illustrates an analysis of users on a network. Our example c
| Account administrators| User accounts and security groups| Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. We need a mechanism to monitor these changes. |
| Members of the Finance OU| Financial records| Users in Finance have read/write access to critical financial records but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements. |
| External partners | Project Z| Employees of partner organizations have read/write access to certain project data and servers relating to Project Z but not to other servers or data on the network.|
-
+
### Computers
Security and auditing requirements and audit event volume can vary considerably for different types of computers in an organization. These requirements can be based on:
@@ -151,14 +151,14 @@ Security and auditing requirements and audit event volume can vary considerably
> [!NOTE]
> For more information about auditing:
> - In Exchange Server, see [Exchange 2010 Security Guide](/previous-versions/office/exchange-server-2010/bb691338(v=exchg.141)).
- > - In SQL Server 2008, see [Auditing (Database Engine)](/previous-versions/sql/sql-server-2008-r2/cc280526(v=sql.105)).
+ > - In SQL Server 2008, see [Auditing (Database Engine)](/previous-versions/sql/sql-server-2008-r2/cc280526(v=sql.105)).
> - In SQL Server 2012, see [SQL Server Audit (Database Engine)](/sql/relational-databases/security/auditing/sql-server-audit-database-engine).
-
+
- The operating system versions
> [!NOTE]
> The operating system version determines which auditing options are available and the volume of audit event data.
-
+
- The business value of the data
For example, a web server that's accessed by external users requires different audit settings than a root certification authority (CA) that's never exposed to the public internet or even to regular users on the organization's network.
@@ -171,7 +171,7 @@ The following table illustrates an analysis of computers in an organization.
| File servers | Windows Server 2012| Separate resource OUs by department and (in some cases) by location|
| Portable computers | Windows Vista and Windows 7| Separate portable computer OUs by department and (in some cases) by location|
| Web servers | Windows Server 2008 R2 | WebSrv OU|
-
+
### Regulatory requirements
Many industries and locales have specific requirements for network operations and how resources are protected. In the health care and financial industries, for example, strict guidelines control who can access records and how the records are used. Many countries/regions have strict privacy rules. To identify regulatory requirements, work with your organization's legal department and other departments responsible for these requirements. Then consider the security configuration and auditing options that you can use to comply with these regulations and verify compliance.
@@ -199,7 +199,7 @@ By using Group Policy, you can apply your security audit policy to defined group
> Whether you apply advanced audit policies by using Group Policy or logon scripts, don't use both the basic audit policy settings under **Local Policies\Audit Policy** and the advanced settings under **Security Settings\Advanced Audit Policy Configuration**. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting.
If you use **Advanced Audit Policy Configuration** settings or logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This configuration will prevent conflicts between similar settings by forcing basic security auditing to be ignored.
-
+
The following examples show how you can apply audit policies to an organization's OU structure:
@@ -210,8 +210,8 @@ The following examples show how you can apply audit policies to an organization'
## Map your security auditing goals to a security audit policy configuration
After you identify your security auditing goals, you can map them to a security audit policy configuration. This audit policy configuration must address your security auditing goals. But it also must reflect your organization's constraints, such as the numbers of:
-- Computers that need to be monitored
-- Activities that you want to audit
+- Computers that need to be monitored
+- Activities that you want to audit
- Audit events that your audit configuration will generate
- Administrators available to analyze and act upon audit data
@@ -230,7 +230,7 @@ You can view and configure security audit policy settings in the supported versi
- *Security Settings\\Local Policies\\Audit Policy*
- *Security Settings\\Local Policies\\Security Options*
- *Security Settings\\Advanced Audit Policy Configuration*
-
+
For more information, see [Advanced security audit policy settings](advanced-security-audit-policy-settings.md).
### Choose audit settings to use
@@ -255,16 +255,16 @@ Compromise to an organization's data resources can cause tremendous financial lo
> [!NOTE]
> To audit user attempts to access all file system objects on a computer, use the *Global Object Access Auditing* settings [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) or [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md).
-
+
- **Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md)**: This policy setting determines whether the operating system generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs generate these events and only if the attempted handle operation matches the SACL.
Event volume can be high, depending on how the SACLs are configured. When used together with the **Audit File System** or **Audit Registry** policy setting, the **Audit Handle Manipulation** policy setting can provide useful "reason for access" audit data that details the precise permissions on which the audit event is based. For example, if a file is configured as a *read-only* resource but a user tries to save changes to the file, the audit event will log the event *and* the permissions that were used (or attempted to be used) to save the file changes.
-
+
- **Global Object Access Auditing**: Many organizations use security auditing to comply with regulatory requirements that govern data security and privacy. But demonstrating that strict controls are being enforced can be difficult. To address this issue, the supported versions of Windows include two **Global Object Access Auditing** policy settings, one for the registry and one for the file system. When you configure these settings, they apply a global system access control SACL on all objects of that class on a system. These settings can't be overridden or circumvented.
> [!IMPORTANT]
> The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category.
-
+
### User activity
The settings in the previous section relate to activity involving the files, folders, and network shares that are stored on a network. The settings in this section focus on the users who may try to access those resources, including employees, partners, and customers.
@@ -279,7 +279,7 @@ In most cases, these attempts are legitimate, and the network needs to make data
> [!NOTE]
> There's no failure event for logoff activity, because failed logoffs (such as when a system abruptly shuts down) don't generate an audit record. Logoff events aren't 100-percent reliable. For example, a computer can be turned off without a proper logoff and shut down, so a logoff event isn't generated.
-
+
- **Logon/Logoff\\[Audit Special Logon](audit-special-logon.md)**: A special logon has administrator-equivalent rights and can be used to elevate a process to a higher level. It's recommended to track these types of logons.
- **Object Access\\[Audit Certification Services](audit-certification-services.md)**: This policy setting enables you to monitor activities on a computer that hosts Active Directory Certificate Services (AD CS) role services to ensure that only authorized users do these tasks and only authorized or desirable tasks are done.
- **Object Access\\[Audit File System](audit-file-system.md) and Object Access\\[Audit File Share](audit-file-share.md)**: These policy settings are described in the previous section.
@@ -288,7 +288,7 @@ In most cases, these attempts are legitimate, and the network needs to make data
> [!IMPORTANT]
> On critical systems where all attempts to change registry settings should be tracked, you can combine the **Audit Registry** and **Global Object Access Auditing** policy settings to track all attempts to modify registry settings on a computer.
-
+
- **Object Access\\[Audit SAM](audit-sam.md)**: The Security Accounts Manager (SAM) is a database on computers running Windows that stores user accounts and security descriptors for users on the local computer. Changes to user and group objects are tracked by the **Account Management** audit category. However, user accounts with the proper user rights could potentially alter the files where the account and password information is stored in the system, bypassing any **Account Management** events.
- **Privilege Use\\[Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)**: These policy settings and audit events enable you to track the use of certain rights on one or more systems. If you configure this policy setting, an audit event is generated when sensitive rights requests are made.
@@ -301,7 +301,7 @@ The following network activity policy settings enable you to monitor security-re
>[!NOTE]
>**Account Logon** policy settings apply only to specific domain account activities, regardless of which computer is accessed. **Logon/Logoff** policy settings apply to the computer that hosts the resources that are accessed.
-
+
- **Account Logon\\[Audit Other Account Logon Events](audit-other-account-logon-events.md)**: This policy setting can be used to track various network activities, including attempts to create Remote Desktop connections, wired network connections, and wireless connections.
- **DS Access**: Policy settings in this category enable you to monitor AD DS role services. These services provide account data, validate logons, maintain network access permissions, and provide other functionality that's critical to secure and proper functioning of a network. Therefore, auditing the rights to access and modify the configuration of a domain controller can help an organization maintain a secure and reliable network. One of the key tasks that AD DS performs is replication of data between domain controllers.
- **Logon/Logoff\\[Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)**, **Logon/Logoff\\[Audit IPsec Main Mode](audit-ipsec-main-mode.md)**, and **Logon/Logoff\\[Audit IPsec Quick Mode](audit-ipsec-quick-mode.md)**: Networks often support many external users, including remote employees and partners. Because these users are outside the organization's network boundaries, IPsec is often used to help protect communications over the internet. It enables network-level peer authentication, data origin authentication, data integrity checks, data confidentiality (encryption), and protection against replay attacks. You can use these settings to ensure that IPsec services are functioning properly.
diff --git a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md
index ac19f5355d..b82b7aa8de 100644
--- a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md
+++ b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md
@@ -1,8 +1,8 @@
---
-title: Registry (Global Object Access Auditing)
+title: Registry (Global Object Access Auditing)
description: The Advanced Security Audit policy setting, Registry (Global Object Access Auditing), enables you to configure a global system access control list (SACL).
ms.assetid: 953bb1c1-3f76-43be-ba17-4aed2304f578
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/auditing/security-auditing-overview.md b/windows/security/threat-protection/auditing/security-auditing-overview.md
index da20ec1bb0..a4e0800569 100644
--- a/windows/security/threat-protection/auditing/security-auditing-overview.md
+++ b/windows/security/threat-protection/auditing/security-auditing-overview.md
@@ -1,8 +1,8 @@
---
-title: Security auditing
+title: Security auditing
description: Learn about security auditing features in Windows, and how your organization can benefit from using them to make your network more secure and easily managed.
ms.assetid: 2d9b8142-49bd-4a33-b246-3f0c2a5f32d4
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
index 0d0c6e1fb7..076763b3d8 100644
--- a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
+++ b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
@@ -1,8 +1,8 @@
---
-title: Using advanced security auditing options to monitor dynamic access control objects
+title: Using advanced security auditing options to monitor dynamic access control objects
description: Domain admins can set up advanced security audit options in Windows 10 to target specific users, or monitor potentially significant activity on multiple devices
ms.assetid: 0d2c28ea-bdaf-47fd-bca2-a07dce5fed37
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
@@ -40,9 +40,9 @@ Domain administrators can create and deploy expression-based security audit poli
| [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md)| This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you're using advanced security auditing options to monitor dynamic access control objects. |
| [Monitor the central access policies associated with files and folders](monitor-the-central-access-policies-associated-with-files-and-folders.md)| This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you're using advanced security auditing options to monitor dynamic access control objects. |
| [Monitor claim types](monitor-claim-types.md) | This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you're using advanced security auditing options.|
-
+
>**Important:** This procedure can be configured on computers running any of the supported Windows operating systems. The other monitoring procedures can be configured only as part of a functioning dynamic access control deployment.
-
+
## Related topics
- [Security auditing](security-auditing-overview.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/view-the-security-event-log.md b/windows/security/threat-protection/auditing/view-the-security-event-log.md
index 25265ee877..88b1438852 100644
--- a/windows/security/threat-protection/auditing/view-the-security-event-log.md
+++ b/windows/security/threat-protection/auditing/view-the-security-event-log.md
@@ -1,8 +1,8 @@
---
-title: View the security event log
+title: View the security event log
description: The security log records each event as defined by the audit policies you set on each object.
ms.assetid: 20DD2ACD-241A-45C5-A92F-4BE0D9F198B9
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
index ef99d2c066..2ede0f5748 100644
--- a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
+++ b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
@@ -1,8 +1,8 @@
---
-title: Which editions of Windows support advanced audit policy configuration
+title: Which editions of Windows support advanced audit policy configuration
description: This reference topic for the IT professional describes which versions of the Windows operating systems support advanced security auditing policies.
ms.assetid: 87c71cc5-522d-4771-ac78-34a2a0825f31
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
@@ -20,7 +20,7 @@ ms.technology: itpro-security
# Which editions of Windows support advanced audit policy configuration
-Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows Vista.
-There's no difference in security auditing support between 32-bit and 64-bit versions.
-Windows editions that can't join a domain, such as Windows 10 Home edition, don't have access to these features.
+Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows Vista.
+There's no difference in security auditing support between 32-bit and 64-bit versions.
+Windows editions that can't join a domain, such as Windows 10 Home edition, don't have access to these features.
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index ffc754aaf6..aafae23e17 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -26,7 +26,7 @@ See the following articles to learn more about the different areas of Windows th
- [Network Protection](/microsoft-365/security/defender-endpoint/network-protection)
- [Virtualization-Based Protection of Code Integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
- [Web Protection](/microsoft-365/security/defender-endpoint/web-protection-overview)
-- [Windows Firewall](../operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md)
+- [Windows Firewall](../operating-system-security/network-security/windows-firewall/index.md)
- [Windows Sandbox](../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)
## Next-generation protection
diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
deleted file mode 100644
index 682b246cfa..0000000000
--- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: Override Process Mitigation Options
-description: How to use Group Policy to override individual Process Mitigation Options settings and to help enforce specific app-related security policies.
-ms.prod: windows-client
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.localizationpriority: medium
-ms.technology: itpro-security
-ms.date: 12/31/2017
-ms.topic: article
----
-
-
-# Override Process Mitigation Options to help enforce app-related security policies
-
-**Applies to:**
-
-- Windows 10, version 1607
-- Windows Server 2016
-
-Windows 10 includes Group Policy-configurable "Process Mitigation Options" that add advanced protections against memory-based attacks, that is, attacks where malware manipulates memory to gain control of a system. For example, malware might attempt to use buffer overruns to inject malicious executable code into memory, but Process Mitigation Options can prevent the running of the malicious code.
-
-> [!IMPORTANT]
-> We recommend trying these mitigations in a test lab before deploying to your organization, to determine if they interfere with your organization's required apps.
-
-The Group Policy settings in this topic are related to three types of process mitigations. In Windows 10, all three types are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can configure more protections. The types of process mitigations are:
-
-- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](overview-of-threat-mitigations-in-windows-10.md#data-execution-prevention).
-
-- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they've been compiled with the latest improvements. For more information, see [Structured Exception Handling Overwrite Protection](overview-of-threat-mitigations-in-windows-10.md#structured-exception-handling-overwrite-protection).
-
-- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that's designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](overview-of-threat-mitigations-in-windows-10.md#address-space-layout-randomization).
- To find more ASLR protections in the table below, look for `IMAGES` or `ASLR`.
-
-The following procedure describes how to use Group Policy to override individual **Process Mitigation Options** settings.
-
-**To modify Process Mitigation Options**
-
-1. Open your Group Policy editor and go to the **Administrative Templates\System\Mitigation Options\Process Mitigation Options** setting.
-
- 
-
-2. Click **Enabled**, and then in the **Options** area, click **Show** to open the **Show Contents** box, where you'll be able to add your apps and the appropriate bit flag values, as shown in the [Setting the bit field](#setting-the-bit-field) and [Example](#example) sections of this topic.
-
- **Important**
For each app you want to include, you must include:
-
- - **Value name.** The app file name, including the extension. For example, iexplore.exe.
- - **Value.** A bit field with a series of bit flags in particular positions. Bits can be set to 0 (where the setting is forced off), 1 (where the setting is forced on), or ? (where the setting retains the previous, existing value).
-
- **Note**
Setting bit flags in positions not specified here to anything other than ? might cause undefined behavior.
-
- 
-
-## Setting the bit field
-Here's a visual representation of the bit flag locations for the various Process Mitigation Options settings:
-
-
-
-Where the bit flags are read from right to left and are defined as:
-
-|Flag |Bit location |Setting |Details |
-|-----|--------------|--------|--------|
-|A |0 |`PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001)` |Turns on Data Execution Prevention (DEP) for child processes. |
-|B |1 |`PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002)` |Turns on DEP-ATL thunk emulation for child processes. DEP-ATL thunk emulation lets the system intercept non-executable (NX) faults that originate from the Active Template Library (ATL) thunk layer, and then emulate and handle the instructions so the process can continue to run. |
-|C |2 |`PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004)` |Turns on Structured Exception Handler Overwrite Protection (SEHOP) for child processes. SEHOP helps to block exploits that use the Structured Exception Handler (SEH) overwrite technique. |
-|D |8 |`PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100)` |Uses the force Address Space Layout Randomization (ASLR) setting to act as though an image base collision happened at load time, forcibly rebasing images that aren't dynamic base compatible. Images without the base relocation section won't be loaded if relocations are required. |
-|E |15 |`PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000)` |Turns on the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. |
-|F |16 |`PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000)` |Turns off the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. |
-
-## Example
-If you want to turn on the **PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE** and **PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON** settings, turn off the **PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF** setting, and leave everything else as the default values, you'd want to type a value of `???????????????0???????1???????1`.
-
-
diff --git a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md
index dc6bf37ae5..81f50b4fda 100644
--- a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md
+++ b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md
@@ -1,8 +1,8 @@
---
-title: Access Credential Manager as a trusted caller
+title: Access Credential Manager as a trusted caller
description: Describes best practices, security considerations, and more for the security policy setting, Access Credential Manager as a trusted caller.
ms.assetid: a51820d2-ca5b-47dd-8e9b-d7008603db88
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,7 +56,7 @@ The following table shows the default value for the server type or Group Policy
| Domain controller effective default settings | Not defined |
| Member server effective default settings | Not defined |
| Client computer effective default settings | Not defined |
-
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -93,4 +93,4 @@ None. Not defined is the default configuration.
## Related topics
[User Rights Assignment](user-rights-assignment.md)
-
+
diff --git a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
index b5ace4fc62..f8a0e483fd 100644
--- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
+++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
@@ -1,8 +1,8 @@
---
-title: Access this computer from the network - security policy setting
+title: Access this computer from the network - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Access this computer from the network security policy setting.
ms.assetid: f6767bc2-83d1-45f1-847c-54f5362db022
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 06/11/2021
ms.technology: itpro-security
---
@@ -69,7 +69,7 @@ The following table lists the actual and effective default policy values for the
| Domain controller effective default settings | Everyone, Administrators, Authenticated Users, Enterprise Domain Controllers, Pre-Windows 2000 Compatible Access |
| Member server effective default settings | Everyone, Administrators, Users, Backup Operators |
| Client computer effective default settings |Everyone, Administrators, Users, Backup Operators |
-
+
## Policy management
When you modify this user right, the following actions might cause users and services to experience network access issues:
@@ -103,11 +103,11 @@ Users who can connect from their device to the network can access resources on t
### Countermeasure
-Restrict the **Access this computer from the network** user right to only those users and groups who require access to the computer. For example, if you configure this policy setting to the **Administrators** and **Users** groups, users who sign in to the domain can access resources that are shared
+Restrict the **Access this computer from the network** user right to only those users and groups who require access to the computer. For example, if you configure this policy setting to the **Administrators** and **Users** groups, users who sign in to the domain can access resources that are shared
from servers in the domain if members of the **Domain Users** group are included in the local **Users** group.
> **Note** If you are using IPsec to help secure network communications in your organization, ensure that a group that includes machine accounts is given this right. This right is required for successful computer authentication. Assigning this right to **Authenticated Users** or **Domain Computers** meets this requirement.
-
+
### Potential impact
If you remove the **Access this computer from the network** user right on domain controllers for all users, no one can sign in to the domain or use network resources. If you remove this user right on member servers, users can't connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to other accounts that are required by those components. It's important to verify that authorized users are assigned this user right for the devices that they need to access the network.
@@ -116,5 +116,5 @@ If running Windows Server or Azure Stack HCI Failover Clustering, don't remove A
## Related topics
[User Rights Assignment](user-rights-assignment.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
index 89634c3e27..ab6ba1901c 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
@@ -1,8 +1,8 @@
---
-title: Account lockout duration
+title: Account lockout duration
description: Describes the best practices, location, values, and security considerations for the Account lockout duration security policy setting.
ms.assetid: a4167bf4-27c3-4a9b-8ef0-04e3c6ec3aa4
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 08/16/2021
ms.technology: itpro-security
---
@@ -40,7 +40,7 @@ This policy setting is dependent on the **Account lockout threshold** policy set
If [Account lockout threshold](account-lockout-threshold.md) is configured, after the specified number of failed attempts, the account will be locked out. If the **Account lockout duration** is set to 0, the account will remain locked until an administrator unlocks it manually.
-It's advisable to set **Account lockout duration** to approximately 15 minutes. To specify that the account will never be locked out, set the **Account lockout threshold** value to 0.
+It's advisable to set **Account lockout duration** to approximately 15 minutes. To specify that the account will never be locked out, set the **Account lockout threshold** value to 0.
### Location
@@ -58,7 +58,7 @@ The following table lists the actual and effective default policy values. Defaul
| Domain controller effective default settings | Not defined |
| Member server effective default settings | Not defined |
| Client computer effective default settings | Not applicable |
-
+
## Security considerations
More than a few unsuccessful password submissions during an attempt to sign in to a computer might represent an attacker's attempts to determine an account password by trial and error. The Windows and Windows Server operating systems can track sign-in attempts, and you can configure the operating system to disable the account for a preset period of time after a specified number of failed attempts. Account lockout policy settings control the threshold for this response and what action to take after the threshold is reached.
@@ -78,5 +78,5 @@ Configuring the **Account lockout duration** policy setting to 0 so that account
## Related topics
[Account Lockout Policy](account-lockout-policy.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
index fe39bbcede..1872b25b41 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
@@ -1,8 +1,8 @@
---
-title: Account Lockout Policy
+title: Account Lockout Policy
description: Describes the Account Lockout Policy settings and links to information about each policy setting.
ms.assetid: eb968c28-17c5-405f-b413-50728cb7b724
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 10/11/2018
ms.technology: itpro-security
---
@@ -41,9 +41,9 @@ The following topics provide a discussion of each policy setting's implementatio
| [Account lockout threshold](account-lockout-threshold.md) | Describes the best practices, location, values, and security considerations for the **Account lockout threshold** security policy setting. |
| [Account lockout duration](account-lockout-duration.md) | Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting. |
| [Reset account lockout counter after](reset-account-lockout-counter-after.md) | Describes the best practices, location, values, and security considerations for the **Reset account lockout counter after** security policy setting. |
-
+
## Related topics
[Configure security policy settings](how-to-configure-security-policy-settings.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
index a735631952..2bae54f4e2 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
@@ -1,8 +1,8 @@
---
-title: Account lockout threshold
+title: Account lockout threshold
description: Describes the best practices, location, values, and security considerations for the Account lockout threshold security policy setting.
ms.assetid: 4904bb40-a2bd-4fef-a102-260ba8d74e30
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 11/02/2018
ms.technology: itpro-security
---
@@ -52,7 +52,7 @@ The threshold that you select is a balance between operational efficiency and se
As with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see [Implementation considerations](#bkmk-impleconsiderations) in this article.
-
+
### Location
**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy**
@@ -69,7 +69,7 @@ The following table lists the actual and effective default policy values. Defaul
| Domain controller effective default settings | 0 invalid sign-in attempts |
| Member server effective default settings |0 invalid sign-in attempts |
| Effective GPO default settings on client computers |0 invalid sign-in attempts |
-
+
### Policy management
This section describes features and tools that are available to help you manage this policy setting.
@@ -88,7 +88,7 @@ Implementation of this policy setting depends on your operational environment. C
- Not all apps that are used in your environment effectively manage how many times a user can attempt to sign in. For instance, if a connection drops repeatedly when a user is running the app, all subsequent failed sign-in attempts count toward the account lockout threshold.
-For more information about Windows security baseline recommendations for account lockout, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
+For more information about Windows security baseline recommendations for account lockout, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
## Security considerations
@@ -105,7 +105,7 @@ However, a DoS attack could be performed on a domain that has an account lockout
> [!NOTE]
> Offline password attacks are not countered by this policy setting.
-
+
### Countermeasure
Because vulnerabilities can exist when this value is configured and when it's not configured, two distinct countermeasures are defined. Organizations should weigh the choice between the two, based on their identified threats and the risks that they want to mitigate. The two countermeasure options are:
@@ -114,11 +114,11 @@ Because vulnerabilities can exist when this value is configured and when it's no
- The password policy setting requires all users to have complex passwords of eight or more characters.
- A robust audit mechanism is in place to alert administrators when a series of failed sign-ins occurs in the environment.
-
+
- Configure the **Account lockout threshold** policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account.
[Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but doesn't prevent a DoS attack.
-
+
Using this type of policy must be accompanied by a process to unlock locked accounts. It must be possible to implement this policy whenever it's needed to help mitigate massive lockouts caused by an attack on your systems.
### Potential impact
diff --git a/windows/security/threat-protection/security-policy-settings/account-policies.md b/windows/security/threat-protection/security-policy-settings/account-policies.md
index a3fdbe5a3f..4504d333df 100644
--- a/windows/security/threat-protection/security-policy-settings/account-policies.md
+++ b/windows/security/threat-protection/security-policy-settings/account-policies.md
@@ -1,8 +1,8 @@
---
-title: Account Policies
+title: Account Policies
description: An overview of account policies in Windows and provides links to policy descriptions.
ms.assetid: 711b3797-b87a-4cd9-a2e3-1f8ef18688fb
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -28,7 +28,7 @@ An overview of account policies in Windows and provides links to policy descript
All account policies settings applied by using Group Policy are applied at the domain level. Default values are present in the built-in default domain controller policy for Password Policy settings, Account Lockout Policy settings, and Kerberos Policy settings. The domain account policy becomes the default local account policy of any device that is a member of the domain. If these policies are set at any level below the domain level in Active Directory Domain Services (AD DS), they affect only local accounts on member servers.
> [!NOTE]
> Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain. These domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain; therefore, domain controllers always retrieve the values of these account policy settings from the default domain policy Group Policy Object (GPO).
-
+
The only exception is when another account policy is defined for an organizational unit (OU). The account policy settings for the OU affect the local policy on any computers that are contained in the OU. For example, if an OU policy defines a maximum password age that differs from the domain-level account policy, the OU policy will be applied and enforced only when users sign in to the local computer. The default local computer policies apply only to computers that are in a workgroup or in a domain where both an OU account policy and a domain policy don't apply.
## In this section
@@ -38,7 +38,7 @@ The only exception is when another account policy is defined for an organization
| [Password Policy](password-policy.md) | An overview of password policies for Windows and links to information for each policy setting. |
| [Account Lockout Policy](account-lockout-policy.md) | Describes the Account Lockout Policy settings and links to information about each policy setting. |
| [Kerberos Policy](kerberos-policy.md) | Describes the Kerberos Policy settings and provides links to policy setting descriptions. |
-
+
## Related topics
[Configure security policy settings](how-to-configure-security-policy-settings.md)
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
index 23e43f6d45..179f5ba556 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
@@ -1,8 +1,8 @@
---
-title: Accounts Administrator account status
+title: Accounts Administrator account status
description: Describes the best practices, location, values, and security considerations for the Accounts Administrator account status security policy setting.
ms.assetid: 71a3bd48-1014-49e0-a936-bfe9433af23e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 08/01/2017
ms.technology: itpro-security
---
@@ -87,7 +87,7 @@ When you start a device in safe mode, the disabled administrator account is enab
### How to access a disabled Administrator account
You can use the following methods to access a disabled Administrator account:
-- For non-domain joined computers: when all the local administrator accounts are disabled, start the device in safe mode (locally or over a network), and sign in by using the credentials for the default local administrator account on that computer.
+- For non-domain joined computers: when all the local administrator accounts are disabled, start the device in safe mode (locally or over a network), and sign in by using the credentials for the default local administrator account on that computer.
- For domain-joined computers: remotely run the command **net user administrator /active: yes** by using psexec to enable the default local administrator account.
## Security considerations
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
index ab6175a99f..1ac6245b9b 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
@@ -1,8 +1,8 @@
---
-title: Accounts Block Microsoft accounts
+title: Accounts Block Microsoft accounts
description: Describes the best practices, location, values, management, and security considerations for the Accounts Block Microsoft accounts security policy setting.
ms.assetid: 94c76f45-057c-4d80-8d01-033cf28ef2f7
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 08/10/2017
ms.technology: itpro-security
---
@@ -67,7 +67,7 @@ The following table lists the actual and effective default values for this polic
| DC Effective Default Settings | Disabled |
| Member Server Effective Default Settings | Disabled |
| Client Computer Effective Default Settings | Disabled |
-
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -95,4 +95,4 @@ Establishing greater control over accounts in your organization can give you mor
## Related topics
[Security Options](security-options.md)
-
+
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
index ca1a50819a..6c768ad6d6 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
@@ -1,8 +1,8 @@
---
-title: Accounts Guest account status - security policy setting
+title: Accounts Guest account status - security policy setting
description: Describes the best practices, location, values, and security considerations for the Accounts Guest account status security policy setting.
ms.assetid: 07e53fc5-b495-4d02-ab42-5b245d10d0ce
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,7 +56,7 @@ The following table lists the actual and effective default values for this polic
| DC Effective Default Settings | Disabled |
| Member Server Effective Default Settings | Disabled |
| Client Computer Effective Default Settings | Disabled |
-
+
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
@@ -76,5 +76,5 @@ All network users must be authenticated before they can access shared resources.
## Related topics
[Security Options](security-options.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
index 05b4e8f3ea..947a4c0f6f 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
@@ -1,8 +1,8 @@
---
-title: Accounts Limit local account use of blank passwords
+title: Accounts Limit local account use of blank passwords
description: Learn best practices, security considerations, and more for the policy setting, Accounts Limit local account use of blank passwords to console logon only.
ms.assetid: a1bfb58b-1ae8-4de9-832b-aa889a6e64bd
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -62,7 +62,7 @@ The following table lists the actual and effective default values for this polic
| DC Effective Default Settings | Enabled |
| Member Server Effective Default Settings | Enabled |
| Client Computer Effective Default Settings | Enabled |
-
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
index 0e9b3c3257..44905ab096 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
@@ -1,8 +1,8 @@
---
-title: Accounts Rename administrator account
+title: Accounts Rename administrator account
description: This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting.
ms.assetid: d21308eb-7c60-4e48-8747-62b8109844f9
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,7 +55,7 @@ The following table lists the actual and effective default values for this polic
| DC Effective Default Settings | Administrator |
| Member Server Effective Default Settings | Administrator |
| Client Computer Effective Default Settings | Administrator |
-
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -93,5 +93,5 @@ You must provide users who are authorized to use this account with the new accou
## Related topics
[Security Options](security-options.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
index da35071790..d034cdf835 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
@@ -1,8 +1,8 @@
---
-title: Accounts Rename guest account - security policy setting
+title: Accounts Rename guest account - security policy setting
description: Describes the best practices, location, values, and security considerations for the Accounts Rename guest account security policy setting.
ms.assetid: 9b8052b4-bbb9-4cc1-bfee-ce25390db707
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,7 +55,7 @@ The following table lists the actual and effective default values for this polic
| DC Effective Default Settings | Guest |
| Member Server Effective Default Settings | Guest |
| Client Computer Effective Default Settings | *User-defined text* |
-
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -78,7 +78,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-The guest account exists in all Windows server and client operating system versions beginning with Windows Server 2003 and Windows XP Professional. Because the account name is well known, it provides a vector for a malicious user to get access to network resources and attempt to elevate privileges
+The guest account exists in all Windows server and client operating system versions beginning with Windows Server 2003 and Windows XP Professional. Because the account name is well known, it provides a vector for a malicious user to get access to network resources and attempt to elevate privileges
or install software that could be used for a later attack on your system.
### Countermeasure
@@ -92,5 +92,5 @@ There should be little impact because the Guest account is disabled by default i
## Related topics
[Security Options](security-options.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
index d8915c4e18..1bdbf787f1 100644
--- a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
+++ b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
@@ -1,8 +1,8 @@
---
-title: Act as part of the operating system
+title: Act as part of the operating system
description: Describes the best practices, location, values, policy management, and security considerations for the Act as part of the operating system security policy setting.
ms.assetid: c1b7e084-a9f7-4377-b678-07cc913c8b0c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -21,7 +21,7 @@ ms.technology: itpro-security
**Applies to**
- Windows 11
-- Windows 10
+- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Act as part of the operating system** security policy setting.
@@ -51,11 +51,11 @@ The following table lists the actual and effective default policy values for the
| - | - |
| Default domain policy | Not defined |
| Default domain controller policy| Not defined |
-| Stand-alone server default settings | Not defined |
+| Stand-alone server default settings | Not defined |
| Domain controller effective default settings | Not defined |
| Member server effective default settings | Not defined |
| Client computer effective default settings | Not defined |
-
+
## Policy management
A restart of the device isn't required for this policy setting to be effective.
@@ -90,4 +90,4 @@ There should be little or no impact because the **Act as part of the operating s
## Related topics
[User Rights Assignment](user-rights-assignment.md)
-
+
diff --git a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
index 139d15f4ec..fb594e8748 100644
--- a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
@@ -1,13 +1,13 @@
---
title: Add workstations to domain
description: Describes the best practices, location, values, policy management and security considerations for the Add workstations to domain security policy setting.
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -81,7 +81,7 @@ This policy has the following security considerations:
### Vulnerability
-The **Add workstations to domain** user right presents a moderate vulnerability. Users with this right could add a device to the domain that is configured in a way that violates organizational security policies. For example, if your organization doesn't want its users to have administrative
+The **Add workstations to domain** user right presents a moderate vulnerability. Users with this right could add a device to the domain that is configured in a way that violates organizational security policies. For example, if your organization doesn't want its users to have administrative
privileges on their devices, users could install Windows on their computers and then add the computers to the domain. The user would know the password for the local administrator account, could sign in with that account, and then add a personal domain account to the local Administrators group.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
index 5ec3171725..5c9b499b8b 100644
--- a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
+++ b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
@@ -1,8 +1,8 @@
---
-title: Adjust memory quotas for a process
+title: Adjust memory quotas for a process
description: Describes the best practices, location, values, policy management, and security considerations for the Adjust memory quotas for a process security policy setting.
ms.assetid: 6754a2c8-6d07-4567-9af3-335fd8dd7626
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,7 +53,7 @@ By default, members of the Administrators, Local Service, and Network Service gr
The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page.
-| Server type or GPO | Default value |
+| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Administrators
Local Service
Network Service |
| Default Domain Controller Policy | Administrators
Local Service
Network Service |
@@ -61,7 +61,7 @@ The following table lists the actual and effective default policy values. Defaul
| Domain Controller Effective Default Settings | Administrators
Local Service
Network Service |
| Member Server Effective Default Settings | Administrators
Local Service
Network Service |
| Client Computer Effective Default Settings | Administrators
Local Service
Network Service |
-
+
## Policy management
A restart of the device is not required for this policy setting to be effective.
@@ -97,5 +97,5 @@ Organizations that have not restricted users to roles with limited privileges ma
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
index bca371957d..3a11417c5b 100644
--- a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
@@ -1,8 +1,8 @@
---
-title: Administer security policy settings
+title: Administer security policy settings
description: This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.
ms.assetid: 7617d885-9d28-437a-9371-171197407599
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -250,7 +250,7 @@ For example, a workstation that is joined to a domain will have its local securi
both the domain and local settings. If the workstation is a member of more than one Organizational Unit, then the Organizational Unit that immediately contains the workstation has the highest order of precedence.
> [!NOTE]
-> Use gpresult.exe to find out what policies are applied to a device and in what order.
+> Use gpresult.exe to find out what policies are applied to a device and in what order.
For domain accounts, there can be only one account policy that includes password policies, account lockout policies, and Kerberos policies.
**Persistence in security settings**
@@ -300,10 +300,10 @@ To avoid continued flagging of settings that you've investigated and determined
You can resolve discrepancies between analysis database and system settings by:
- Accepting or changing some or all of the values that are flagged or not included in the configuration, if you determine that the local system security levels are valid due to the context (or role) of that computer. These attribute values are then updated in the database and applied to the system when you click **Configure Computer Now**.
-- Configuring the system to the analysis database values, if you determine the system isn't in compliance with valid security levels.
-- Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system.
-Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file.
-You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies.
+- Configuring the system to the analysis database values, if you determine the system isn't in compliance with valid security levels.
+- Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system.
+Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file.
+You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies.
In general, don't use **Configure Computer Now** when you're analyzing security for domain-based clients, since you'll have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object.
### Automating security configuration tasks
diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
index 5c246fea41..ec8dd1980d 100644
--- a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
+++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
index aa212b8064..b76363e1b5 100644
--- a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
+++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
@@ -1,8 +1,8 @@
---
-title: Allow log on through Remote Desktop Services
+title: Allow log on through Remote Desktop Services
description: Best practices, location, values, policy management, and security considerations for the security policy setting. Allow a sign-in through Remote Desktop Services.
ms.assetid: 6267c376-8199-4f2b-ae56-9c5424e76798
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,11 +55,11 @@ The following table lists the actual and effective default policy values. Defaul
| Default Domain Policy | Not Defined |
| Default Domain Controller Policy | Not Defined |
| Domain Controller Local Security Policy | Administrators |
-| Stand-Alone Server Default Settings | Administrators
Remote Desktop Users |
-| Domain Controller Effective Default Settings | Administrators |
+| Stand-Alone Server Default Settings | Administrators
Remote Desktop Users |
+| Domain Controller Effective Default Settings | Administrators |
| Member Server Effective Default Settings | Administrators
Remote Desktop Users |
| Client Computer Effective Default Settings | Administrators
Remote Desktop Users |
-
+
## Policy management
This section describes different features and tools available to help you manage this policy.
@@ -96,7 +96,7 @@ Any account with the **Allow log on through Remote Desktop Services** user right
For domain controllers, assign the **Allow log on through Remote Desktop Services** user right only to the Administrators group. For other server roles and devices, add the Remote Desktop Users group. For servers that have the Remote Desktop (RD) Session Host role service enabled and don't run in Application Server mode, ensure that only authorized IT personnel who must manage the computers remotely belong to these groups.
> **Caution:** For RD Session Host servers that run in Application Server mode, ensure that only users who require access to the server have accounts that belong to the Remote Desktop Users group because this built-in group has this logon right by default.
-
+
Alternatively, you can assign the **Deny log on through Remote Desktop Services** user right to groups such as Account Operators, Server Operators, and Guests. However, be careful when you use this method because you could block access to legitimate administrators who also belong to a group that has the **Deny log on through Remote Desktop Services** user right.
### Potential impact
@@ -106,5 +106,5 @@ Removal of the **Allow log on through Remote Desktop Services** user right from
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
index 5957adf4ab..25ef7bc3d6 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
@@ -1,8 +1,8 @@
---
-title: Audit the access of global system objects
+title: Audit the access of global system objects
description: Describes the best practices, location, values, and security considerations for the audit of the access to global system objects security policy setting.
ms.assetid: 20d40a79-ce89-45e6-9bb4-148f83958460
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,13 +54,13 @@ The following table lists the actual and effective default values for this polic
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Disabled |
-| DC Effective Default Settings | Disabled |
-| Member Server Effective Default Settings | Disabled |
-| Client Computer Effective Default Settings | Disabled |
-
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings | Disabled |
+| DC Effective Default Settings | Disabled |
+| Member Server Effective Default Settings | Disabled |
+| Client Computer Effective Default Settings | Disabled |
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -86,22 +86,22 @@ If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is conf
| Event ID | Event message |
| - | - |
-| 4659 | A handle to an object was requested with intent to delete. |
-| 4660 | An object was deleted. |
-| 4661 | A handle to an object was requested. |
-| 4663 | An attempt was made to access an object. |
-
+| 4659 | A handle to an object was requested with intent to delete. |
+| 4660 | An object was deleted. |
+| 4661 | A handle to an object was requested. |
+| 4663 | An attempt was made to access an object. |
+
If the [Audit Object Access](../auditing/basic-audit-object-access.md) setting is configured, the following events are generated:
| Event ID | Event message |
| - | - |
-| 560 | Access was granted to an already existing object. |
-| 562 | A handle to an object was closed. |
+| 560 | Access was granted to an already existing object. |
+| 562 | A handle to an object was closed. |
| 563 | An attempt was made to open an object with the intent to delete it.
**Note:** This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile() |
| 564 | A protected object was deleted. |
-| 565 | Access was granted to an already existing object type. |
+| 565 | Access was granted to an already existing object type. |
| 567 | A permission associated with a handle was used.
**Note:** A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. |
-| 569 | The resource manager in Authorization Manager attempted to create a client context. |
+| 569 | The resource manager in Authorization Manager attempted to create a client context. |
| 570 | A client attempted to access an object.
**Note:** An event will be generated for every attempted operation on the object. |
## Security considerations
diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
index 7d38765755..011e035679 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
@@ -2,7 +2,7 @@
title: "Audit: Audit the use of Backup and Restore privilege (Windows 10)"
description: "Describes the best practices, location, values, and security considerations for the 'Audit: Audit the use of Backup and Restore privilege' security policy setting."
ms.assetid: f656a2bb-e8d6-447b-8902-53df3a7756c5
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/01/2019
ms.technology: itpro-security
---
@@ -51,11 +51,11 @@ The following table lists the actual and effective default values for this polic
| - | - |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Disabled |
-| DC Effective Default Settings | Disabled |
-| Member Server Effective Default Settings | Disabled |
-| Client Computer Effective Default Settings | Disabled |
-
+| Stand-Alone Server Default Settings | Disabled |
+| DC Effective Default Settings | Disabled |
+| Member Server Effective Default Settings | Disabled |
+| Client Computer Effective Default Settings | Disabled |
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -92,4 +92,4 @@ If you enable this policy setting, a large number of security events could be ge
## Related topics
- [Security Options](security-options.md)
-
+
diff --git a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
index 5caf39e495..663cfb1d30 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
@@ -1,8 +1,8 @@
---
-title: Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
+title: Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
description: Learn more about the security policy setting, Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
ms.assetid: 8ddc06bc-b6d6-4bac-9051-e0d77035bd4e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -51,12 +51,12 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Not defined |
+| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Enabled |
| DC Effective Default Settings | Enabled |
-| Member Server Effective Default Settings | Enabled |
-| Client Computer Effective Default Settings | Enabled |
-
+| Member Server Effective Default Settings | Enabled |
+| Client Computer Effective Default Settings | Enabled |
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -93,12 +93,12 @@ Enable audit policy subcategories as needed to track specific events.
### Potential impacts
-If you attempt to modify an audit setting by using Group Policy after enabling this setting through the command-line tools, the Group Policy audit setting is ignored in favor of the custom policy setting. To modify audit settings by using Group Policy, you must first disable the
+If you attempt to modify an audit setting by using Group Policy after enabling this setting through the command-line tools, the Group Policy audit setting is ignored in favor of the custom policy setting. To modify audit settings by using Group Policy, you must first disable the
**SCENoApplyLegacyAuditPolicy** key.
> **Important:** Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events that are generated can make it difficult to find other types of entries in the security event log. Such a configuration could also have a significant impact on system performance.
-
+
## Related topics
- [Security Options](security-options.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/audit-policy.md b/windows/security/threat-protection/security-policy-settings/audit-policy.md
index a542276f2e..bf27ff18aa 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-policy.md
@@ -1,8 +1,8 @@
---
-title: Audit Policy
+title: Audit Policy
description: Provides information about basic audit policies that are available in Windows and links to information about each setting.
ms.assetid: 2e8ea400-e555-43e5-89d6-0898cb89da90
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
index 61bd4aecfc..da06353caf 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
@@ -1,8 +1,8 @@
---
-title: Audit Shut down system immediately if unable to log security audits
+title: Audit Shut down system immediately if unable to log security audits
description: Best practices, security considerations, and more for the security policy setting, Audit Shut down system immediately if unable to log security audits.
ms.assetid: 2cd23cd9-0e44-4d0b-a1f1-39fc29303826
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined
-| Default Domain Controller Policy | Not defined
-| Stand-Alone Server Default Settings | Disabled
-| DC Effective Default Settings | Disabled
-| Member Server Effective Default Settings | Disabled
-| Client Computer Effective Default Settings | Disabled
-
+| Default Domain Policy | Not defined
+| Default Domain Controller Policy | Not defined
+| Stand-Alone Server Default Settings | Disabled
+| DC Effective Default Settings | Disabled
+| Member Server Effective Default Settings | Disabled
+| Client Computer Effective Default Settings | Disabled
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -96,5 +96,5 @@ If you enable this policy setting, the administrative burden can be significant,
## Related topics
- [Security Options](security-options.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md
index 40d4bdfda2..3bd99b5590 100644
--- a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md
+++ b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md
@@ -1,8 +1,8 @@
---
-title: Back up files and directories - security policy setting
+title: Back up files and directories - security policy setting
description: Describes the recommended practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting.
ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -78,7 +78,7 @@ The following table lists the actual and effective default policy values for the
| Domain Controller Effective Default Settings | Administrators
Backup Operators
Server Operators|
| Member Server Effective Default Settings | Administrators
Backup Operators|
| Client Computer Effective Default Settings | Administrators
Backup Operators|
-
+
## Policy management
A restart of the device isn't required for this policy setting to be effective.
@@ -115,5 +115,5 @@ Changes in the membership of the groups that have the user right to back up file
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
index 6f06c8e9a2..f4a8745518 100644
--- a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
+++ b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
@@ -1,8 +1,8 @@
---
-title: Bypass traverse checking
+title: Bypass traverse checking
description: Describes the best practices, location, values, policy management, and security considerations for the Bypass traverse checking security policy setting.
ms.assetid: 1c828655-68d3-4140-aa0f-caa903a7087e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not Defined |
-| Default Domain Controller Policy | Administrators
Authenticated Users
Everyone
Local Service
Network Service
Pre-Windows 2000 Compatible Access|
-| Stand-Alone Server Default Settings | Administrators
Backup Operators
Users
Everyone
Local Service
Network Service|
-| Domain Controller Effective Default Settings | Administrators
Authenticated Users
Everyone
Local Service
Network Service
Pre-Windows 2000 Compatible Access|
-| Member Server Effective Default Settings | Administrators
Backup Operators
Users
Everyone
Local Service
Network Service|
-| Client Computer Effective Default Settings | Administrators
Backup Operators
Users
Everyone
Local Service
Network Service|
-
+| Default Domain Policy| Not Defined |
+| Default Domain Controller Policy | Administrators
Authenticated Users
Everyone
Local Service
Network Service
Pre-Windows 2000 Compatible Access|
+| Stand-Alone Server Default Settings | Administrators
Backup Operators
Users
Everyone
Local Service
Network Service|
+| Domain Controller Effective Default Settings | Administrators
Authenticated Users
Everyone
Local Service
Network Service
Pre-Windows 2000 Compatible Access|
+| Member Server Effective Default Settings | Administrators
Backup Operators
Users
Everyone
Local Service
Network Service|
+| Client Computer Effective Default Settings | Administrators
Backup Operators
Users
Everyone
Local Service
Network Service|
+
## Policy management
Permissions to files and folders are controlled through the appropriate configuration of file system access control lists (ACLs). The ability to traverse the folder doesn't provide any Read or Write permissions to the user.
@@ -98,4 +98,4 @@ The Windows operating systems and many applications were designed with the expec
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
-
+
diff --git a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md
index e09a09a6bb..d985a6eaf9 100644
--- a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md
+++ b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md
@@ -1,8 +1,8 @@
---
-title: Change the system time - security policy setting
+title: Change the system time - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Change the system time security policy setting.
ms.assetid: f2f6637d-acbc-4352-8ca3-ec563f918e65
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not Defined |
+| Default Domain Policy| Not Defined |
| Default Domain Controller Policy | Administrators
Server Operators
Local Service|
| Stand-Alone Server Default Settings | Administrators
Local Service|
-| DC Effective Default Settings | Administrators
Server Operators
Local Service|
+| DC Effective Default Settings | Administrators
Server Operators
Local Service|
| Member Server Effective Default Settings | Administrators
Local Service|
-| Client Computer Effective Default Settings | Administrators
Local Service|
-
+| Client Computer Effective Default Settings | Administrators
Local Service|
+
## Policy management
This section describes features, tools and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md
index dffd58d25b..3ac7b50a9c 100644
--- a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md
+++ b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md
@@ -1,8 +1,8 @@
---
-title: Change the time zone - security policy setting
+title: Change the time zone - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Change the time zone security policy setting.
ms.assetid: 3b1afae4-68bb-472f-a43e-49e300d73e50
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -50,13 +50,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not Defined|
-| Default Domain Controller Policy | Administrators
Users|
-| Stand-Alone Server Default Settings | Administrators
Users|
-| Domain Controller Effective Default Settings | Administrators
Users|
-| Member Server Effective Default Settings | Administrators
Users|
-| Client Computer Effective Default Settings | Administrators
Users|
-
+| Default Domain Policy| Not Defined|
+| Default Domain Controller Policy | Administrators
Users|
+| Stand-Alone Server Default Settings | Administrators
Users|
+| Domain Controller Effective Default Settings | Administrators
Users|
+| Member Server Effective Default Settings | Administrators
Users|
+| Client Computer Effective Default Settings | Administrators
Users|
+
## Policy management
A restart of the device is not required for this policy setting to be effective.
diff --git a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md
index 0a179de698..a28a19a33f 100644
--- a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md
+++ b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md
@@ -1,8 +1,8 @@
---
-title: Create a pagefile - security policy setting
+title: Create a pagefile - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Create a pagefile security policy setting.
ms.assetid: dc087897-459d-414b-abe0-cd86c8dccdea
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,13 +54,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Administrators |
-| Default Domain Controller Policy | Administrators |
-| Stand-Alone Server Default Settings | Administrators |
-| Domain Controller Effective Default Settings | Administrators |
-| Member Server Effective Default Settings | Administrators |
-| Client Computer Effective Default Settings | Administrators |
-
+| Default Domain Policy | Administrators |
+| Default Domain Controller Policy | Administrators |
+| Stand-Alone Server Default Settings | Administrators |
+| Domain Controller Effective Default Settings | Administrators |
+| Member Server Effective Default Settings | Administrators |
+| Client Computer Effective Default Settings | Administrators |
+
## Policy management
A restart of the device isn't required for this policy setting to be effective.
diff --git a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md
index 90c8d547a4..6c50cc0ce0 100644
--- a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md
+++ b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md
@@ -1,8 +1,8 @@
---
-title: Create a token object
+title: Create a token object
description: Describes the best practices, location, values, policy management, and security considerations for the Create a token object security policy setting.
ms.assetid: bfbf52fc-6ba4-442a-9df7-bd277e55729c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,13 +54,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not Defined |
-| Default Domain Controller Policy | Not Defined |
-| Stand-Alone Server Default Settings | Not Defined |
-| Domain Controller Effective Default Settings | Local System |
-| Member Server Effective Default Settings | Local System |
-| Client Computer Effective Default Settings | Local System |
-
+| Default Domain Policy | Not Defined |
+| Default Domain Controller Policy | Not Defined |
+| Stand-Alone Server Default Settings | Not Defined |
+| Domain Controller Effective Default Settings | Local System |
+| Member Server Effective Default Settings | Local System |
+| Client Computer Effective Default Settings | Local System |
+
## Policy management
A restart of the device isn't required for this policy setting to be effective.
@@ -85,7 +85,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
>**Caution:** A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts.
-
+
Windows examines a user's access token to determine the level of the user's privileges. Access tokens are built when users sign in to the local device or connect to a remote device over a network. When you revoke a privilege, the change is immediately recorded, but the change isn't reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any account on a computer if they're currently logged on. They could escalate their privileges or create a DoS condition.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/create-global-objects.md b/windows/security/threat-protection/security-policy-settings/create-global-objects.md
index 748588c0e1..18fb5d25ad 100644
--- a/windows/security/threat-protection/security-policy-settings/create-global-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/create-global-objects.md
@@ -1,8 +1,8 @@
---
-title: Create global objects
+title: Create global objects
description: Describes the best practices, location, values, policy management, and security considerations for the Create global objects security policy setting.
ms.assetid: 9cb6247b-44fc-4815-86f2-cb59b6f0221e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,13 +54,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not Defined |
-| Default Domain Controller Policy | Administrators
Local Service
Network Service
Service|
-| Stand-Alone Server Default Settings | Administrators
Local Service
Network Service
Service|
-| Domain Controller Effective Default Settings | Administrators
Local Service
Network Service
Service|
-| Member Server Effective Default Settings | Administrators
Local Service
Network Service
Service|
-| Client Computer Effective Default Settings | Administrators
Local Service
Network Service
Service|
-
+| Default Domain Policy | Not Defined |
+| Default Domain Controller Policy | Administrators
Local Service
Network Service
Service|
+| Stand-Alone Server Default Settings | Administrators
Local Service
Network Service
Service|
+| Domain Controller Effective Default Settings | Administrators
Local Service
Network Service
Service|
+| Member Server Effective Default Settings | Administrators
Local Service
Network Service
Service|
+| Client Computer Effective Default Settings | Administrators
Local Service
Network Service
Service|
+
## Policy management
A restart of the device isn't required for this policy setting to take effect.
@@ -86,7 +86,7 @@ This section describes how an attacker might exploit a feature or its configurat
The **Create global objects** user right is required for a user account to create global objects in Remote Desktop sessions. Users can still create session-specfic objects without being assigned this user right. Assigning this right can be a security risk.
-By default, members of the **Administrators** group, the System account, and services that are started by the Service Control Manager are assigned the **Create global objects** user right. Users who are added to the **Remote Desktop Users** group also have this user right.
+By default, members of the **Administrators** group, the System account, and services that are started by the Service Control Manager are assigned the **Create global objects** user right. Users who are added to the **Remote Desktop Users** group also have this user right.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md
index 29994f1b96..e5d58fc80d 100644
--- a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md
@@ -1,8 +1,8 @@
---
-title: Create permanent shared objects
+title: Create permanent shared objects
description: Describes the best practices, location, values, policy management, and security considerations for the Create permanent shared objects security policy setting.
ms.assetid: 6a58438d-65ca-4c4a-a584-450eed976649
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not Defined|
-| Default Domain Controller Policy | Not Defined |
-| Stand-Alone Server Default Settings | Not Defined|
-| Domain Controller Effective Default Settings | **LocalSystem**|
-| Member Server Effective Default Settings | **LocalSystem**|
-| Client Computer Effective Default Settings | **LocalSystem**|
-
+| Default Domain Policy | Not Defined|
+| Default Domain Controller Policy | Not Defined |
+| Stand-Alone Server Default Settings | Not Defined|
+| Domain Controller Effective Default Settings | **LocalSystem**|
+| Member Server Effective Default Settings | **LocalSystem**|
+| Client Computer Effective Default Settings | **LocalSystem**|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
index e728e58567..970e2ddfd7 100644
--- a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
+++ b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
@@ -1,8 +1,8 @@
---
-title: Create symbolic links
+title: Create symbolic links
description: Describes the best practices, location, values, policy management, and security considerations for the Create symbolic links security policy setting.
ms.assetid: 882922b9-0ff8-4ee9-8afc-4475515ee3fd
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -57,13 +57,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not Defined|
-| Default Domain Controller Policy | Not Defined|
-| Stand-Alone Server Default Settings | Not Defined|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy | Not Defined|
+| Default Domain Controller Policy | Not Defined|
+| Stand-Alone Server Default Settings | Not Defined|
+| Domain Controller Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
index 03d85f19cb..6426a749bf 100644
--- a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
+++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
@@ -1,8 +1,8 @@
---
-title: DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
+title: DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
description: Learn about best practices and more for the syntax policy setting, DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL).
ms.assetid: 0fe3521a-5252-44df-8a47-8d92cf936e7c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,12 +55,12 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value
| - | - |
| Default Domain Policy | Blank |
-| Default Domain Controller Policy | Blank |
-| Stand-Alone Server Default Settings | Blank |
-| DC Effective Default Settings | Not defined |
-| Member Server Effective Default Settings | Not defined |
-| Client Computer Effective Default Settings | Not defined |
-
+| Default Domain Controller Policy | Blank |
+| Stand-Alone Server Default Settings | Blank |
+| DC Effective Default Settings | Not defined |
+| Member Server Effective Default Settings | Not defined |
+| Client Computer Effective Default Settings | Not defined |
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -72,7 +72,7 @@ None. Changes to this policy become effective without a computer restart when th
The registry settings that are created as a result of enabling the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting take precedence over the previous registry settings when this policy setting was configured. The Remote Procedure Call (RPC) service checks the new registry keys in the Policies section for the computer restrictions, and these registry entries take precedence over the existing registry keys under OLE. This precedence means that previously existing registry settings are no longer effective, and if you make changes to the existing settings, device access permissions for users aren't changed. Use care in configuring the list of users and groups.
-If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in the Windows operating system, the administrator can use the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting to manage DCOM access to the computer. The administrator can use this setting to specify which users and groups can access the DCOM application on the computer locally and remotely. This setting will restore control of the DCOM application to the administrator and users. To define this setting, open the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click
+If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in the Windows operating system, the administrator can use the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting to manage DCOM access to the computer. The administrator can use this setting to specify which users and groups can access the DCOM application on the computer locally and remotely. This setting will restore control of the DCOM application to the administrator and users. To define this setting, open the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click
**Edit Security**. Specify the users or groups you want to include and the computer access permissions for those users or groups. This information defines the setting and sets the appropriate SDDL value.
## Security considerations
@@ -96,5 +96,5 @@ Windows implements default COM ACLs when they're installed. Modifying these ACLs
## Related topics
- [Security Options](security-options.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
index d4c07f3415..5accd3bbbc 100644
--- a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
+++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
@@ -1,8 +1,8 @@
---
-title: DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
+title: DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
description: Best practices and more for the security policy setting, DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax.
ms.assetid: 4b95d45f-dd62-4c34-ba32-43954528dabe
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -30,7 +30,7 @@ Describes the best practices, location, values, and security considerations for
This policy setting is similar to the [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) setting in that it allows you to define more computer-wide controls that govern access to all DCOM–based applications on a device. However, the ACLs that are specified in this policy setting control local and remote COM launch requests (not access requests) on the device. A simple way to think about this access control is as an extra access check that is performed against a device-wide ACL on each launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to launch any COM-based server. The DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting differs in that it provides a minimum access check that is applied to attempts to access an already launched COM-based server.
These device-wide ACLs provide a way to override weak security settings that are specified by an application through CoInitializeSecurity or application-specific security settings. They provide a minimum security standard that must be passed, regardless of the settings of the specific COM-based server. These ACLs provide a centralized location for an administrator to set a general authorization policy that applies to all COM-based servers.
-The **DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax** setting allows you to specify an ACL in two ways. You can type the security descriptor in SDDL, or you can grant or deny Local
+The **DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax** setting allows you to specify an ACL in two ways. You can type the security descriptor in SDDL, or you can grant or deny Local
Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you're running.
### Possible values
@@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Blank |
-| Default Domain Controller Policy | Blank|
-| Stand-Alone Server Default Settings |Blank |
-| DC Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined |
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy | Blank |
+| Default Domain Controller Policy | Blank|
+| Stand-Alone Server Default Settings |Blank |
+| DC Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined |
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/debug-programs.md b/windows/security/threat-protection/security-policy-settings/debug-programs.md
index d5058a6e3f..c65db98a6f 100644
--- a/windows/security/threat-protection/security-policy-settings/debug-programs.md
+++ b/windows/security/threat-protection/security-policy-settings/debug-programs.md
@@ -1,8 +1,8 @@
---
-title: Debug programs
+title: Debug programs
description: Describes the best practices, location, values, policy management, and security considerations for the Debug programs security policy setting.
ms.assetid: 594d9f2c-8ffc-444b-9522-75615ec87786
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Administrators |
-| Stand-Alone Server Default Settings | Administrators |
-| Domain Controller Effective Default Settings | Administrators |
-| Member Server Effective Default Settings | Administrators |
-| Client Computer Effective Default Settings | Administrators |
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Administrators |
+| Stand-Alone Server Default Settings | Administrators |
+| Domain Controller Effective Default Settings | Administrators |
+| Member Server Effective Default Settings | Administrators |
+| Client Computer Effective Default Settings | Administrators |
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -84,7 +84,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-The **Debug programs** user right can be exploited to capture sensitive device information from system memory or to access and modify kernel or application structures. Some attack tools exploit this user right to extract hashed passwords and other private security information or to insert malware.
+The **Debug programs** user right can be exploited to capture sensitive device information from system memory or to access and modify kernel or application structures. Some attack tools exploit this user right to extract hashed passwords and other private security information or to insert malware.
By default, the **Debug programs** user right is assigned only to administrators, which helps mitigate risk from this vulnerability.
### Countermeasure
@@ -93,7 +93,7 @@ Remove the accounts of all users and groups that do not require the **Debug prog
### Potential impact
-If you revoke this user right, no one can debug programs. However, typical circumstances rarely require this capability on production devices. If an issue arises that requires an application to be debugged on a production server, you can move the server to a different organizational unit (OU)
+If you revoke this user right, no one can debug programs. However, typical circumstances rarely require this capability on production devices. If an issue arises that requires an application to be debugged on a production server, you can move the server to a different organizational unit (OU)
temporarily and assign the **Debug programs** user right to a separate Group Policy for that OU.
## Related topics
diff --git a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
index b069fd1da1..09c0633dea 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
@@ -1,8 +1,8 @@
---
-title: Deny access to this computer from the network
+title: Deny access to this computer from the network
description: Best practices, location, values, policy management, and security considerations for the Deny access to this computer from the network security policy setting.
ms.assetid: 935e9f89-951b-4163-b186-fc325682bb0b
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 05/19/2021
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
index 42bdc8d2a2..c4bc52c008 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
@@ -1,8 +1,8 @@
---
-title: Deny log on as a batch job
+title: Deny log on as a batch job
description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a batch job security policy setting.
ms.assetid: 0ac36ebd-5e28-4b6a-9b4e-8924c6ecf44b
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Not defined |
-| Domain Controller Effective Default Settings | Not defined |
-| Member Server Effective Default Settings | Not defined |
-| Client Computer Effective Default Settings | Not defined |
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings | Not defined |
+| Domain Controller Effective Default Settings | Not defined |
+| Member Server Effective Default Settings | Not defined |
+| Client Computer Effective Default Settings | Not defined |
+
## Policy management
This section describes features and tools available to help you manage this policy.
@@ -73,7 +73,7 @@ This policy setting might conflict with and negate the **Log on as a batch job**
On a domain-joined device, including the domain controller, this policy can be overwritten by a domain policy, which will prevent you from modifying the local policy setting.
-For example, to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account isn't present in the **Deny log on as a batch job** setting.
+For example, to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account isn't present in the **Deny log on as a batch job** setting.
User Rights Assignment and also correctly configured in the **Log on as a batch job** setting.
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md
index 8e61df03d2..7bdd2075ca 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md
@@ -1,8 +1,8 @@
---
-title: Deny log on as a service
+title: Deny log on as a service
description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a service security policy setting.
ms.assetid: f1114964-df86-4278-9b11-e35c66949794
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined |
-| Domain Controller Effective Default Settings | Not defined |
-| Member Server Effective Default Settings | Not defined |
-| Client Computer Effective Default Settings | Not defined |
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined |
+| Domain Controller Effective Default Settings | Not defined |
+| Member Server Effective Default Settings | Not defined |
+| Client Computer Effective Default Settings | Not defined |
+
## Policy management
This section describes features and tools available to help you manage this policy.
@@ -89,7 +89,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-Accounts that can sign in to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is reduced by the fact that only users with administrative rights can install and configure
+Accounts that can sign in to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is reduced by the fact that only users with administrative rights can install and configure
services, and an attacker who already has that level of access could configure the service to run by using the System account.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md
index 8cc1881127..263496c85d 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md
@@ -1,8 +1,8 @@
---
-title: Deny log on locally
+title: Deny log on locally
description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on locally security policy setting.
ms.assetid: 00150e88-ec9c-43e1-a70d-33bfe10434db
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -51,13 +51,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| Domain Controller Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| Domain Controller Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md
index 6a3f748155..24e896eb79 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md
@@ -1,8 +1,8 @@
---
-title: Deny log on through Remote Desktop Services
+title: Deny log on through Remote Desktop Services
description: Best practices, location, values, policy management, and security considerations for the security policy setting, Deny log on through Remote Desktop Services.
ms.assetid: 84bbb807-287c-4acc-a094-cf0ffdcbca67
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -51,12 +51,12 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| Domain Controller Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| Domain Controller Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
index c0ec06ad12..abbf2b5679 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
@@ -1,8 +1,8 @@
---
-title: Devices Allow undock without having to log on
+title: Devices Allow undock without having to log on
description: Describes the best practices, location, values, and security considerations for the Devices Allow undock without having to sign in security policy setting.
ms.assetid: 1d403f5d-ad41-4bb4-9f4a-0779c1c14b8c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -30,7 +30,7 @@ Describes the best practices, location, values, and security considerations for
This policy setting enables or disables the ability of a user to remove a portable device from a docking station without logging on. If you enable this policy setting, users can press a docked portable device's physical eject button to safely undock the device. If you disable this policy setting, the user must sign in to receive permission to undock the device. Only users who have the **Remove Computer from Docking Station** privilege can obtain this permission.
>**Note:** Disabling this policy setting only reduces theft risk for portable devices that cannot be mechanically undocked. Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality.
-
+
Enabling this policy setting means that anyone with physical access to a device that has been placed in its docking station can remove the computer and possibly tamper with it. For devices that don't have docking stations, this policy setting has no impact. However, for users with a mobile computer that is normally docked while they are in the office, this policy setting will help lower the risk of equipment theft or a malicious user gaining physical access to these devices
### Possible values
@@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings | Enabled|
-| Client Computer Effective Default Settings| Enabled|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings | Enabled|
+| Client Computer Effective Default Settings| Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
index c27928a04e..c2b35adf67 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
@@ -1,8 +1,8 @@
---
-title: Devices Allowed to format and eject removable media
+title: Devices Allowed to format and eject removable media
description: Describes the best practices, location, values, and security considerations for the Devices Allowed to format and eject removable media security policy setting.
ms.assetid: d1b42425-7244-4ab1-9d46-d68de823459c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Administrators|
-| DC Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Administrators|
+| DC Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -73,7 +73,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-Users could move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices eject media when a mechanical button
+Users could move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices eject media when a mechanical button
is pressed diminishes the advantage of this policy setting.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
index 40487ac65b..9a909d447c 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
@@ -1,8 +1,8 @@
---
-title: Devices Prevent users from installing printer drivers
+title: Devices Prevent users from installing printer drivers
description: Describes the best practices, location, values, and security considerations for the Devices Prevent users from installing printer drivers security policy setting.
ms.assetid: ab70a122-f7f9-47e0-ad8c-541f30a27ec3
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 01/05/2022
ms.technology: itpro-security
---
@@ -44,7 +44,7 @@ Although it might be appropriate in some organizations to allow users to install
- It's advisable to set **Devices: Prevent users from installing printer drivers** to Enabled. Only users in the Administrative, Power User, or Server Operator groups will be able to install printers on servers. If this policy setting is enabled, but the driver for a network printer already exists on the local computer, users can still add the network printer. This policy setting doesn't affect a user's ability to add a local printer.
> [!NOTE]
-> After applying the [July 6, 2021 updates](https://support.microsoft.com/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7), non-administrators, including delegated admin groups like printer operators, cannot install signed and unsigned printer drivers to a print server. By default, only administrators can install both signed and unsigned printer drivers to a print server.
+> After applying the [July 6, 2021 updates](https://support.microsoft.com/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7), non-administrators, including delegated admin groups like printer operators, cannot install signed and unsigned printer drivers to a print server. By default, only administrators can install both signed and unsigned printer drivers to a print server.
### Location
@@ -56,13 +56,13 @@ The following table lists the actual and effective default values for this polic
Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings | Enabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings | Enabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -77,7 +77,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only administrators, not users, to do so on servers because printer driver installation on a server may unintentionally cause the computer to become less
+It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only administrators, not users, to do so on servers because printer driver installation on a server may unintentionally cause the computer to become less
stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
index 2f3acd5122..30a9097f46 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
@@ -1,8 +1,8 @@
---
-title: Restrict CD-ROM access to locally logged-on user
+title: Restrict CD-ROM access to locally logged-on user
description: Describes the best practices, location, values, and security considerations for the Devices Restrict CD-ROM access to locally logged-on user only security policy setting.
ms.assetid: 8b8f44bb-84ce-4f18-af30-ab89910e234d
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,13 +54,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Disabled |
-| DC Effective Default Settings | Disabled |
-| Member Server Effective Default Settings | Disabled |
-| Client Computer Effective Default Settings | Disabled |
-
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings | Disabled |
+| DC Effective Default Settings | Disabled |
+| Member Server Effective Default Settings | Disabled |
+| Client Computer Effective Default Settings | Disabled |
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -75,7 +75,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives aren't automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run
+A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives aren't automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run
applications from removable media on the server.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
index 511ccc907f..0a4d6c2250 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
@@ -1,8 +1,8 @@
---
-title: Devices Restrict floppy access to locally logged-on user only
+title: Devices Restrict floppy access to locally logged-on user only
description: Describes the best practices, location, values, and security considerations for the Devices Restrict floppy access to locally logged-on user only security policy setting.
ms.assetid: 92997910-da95-4c03-ae6f-832915423898
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
index 28361156ef..8d5b95d46a 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
@@ -1,13 +1,13 @@
---
title: Domain controller Allow server operators to schedule tasks
description: Describes the best practices, location, values, and security considerations for the Domain controller Allow server operators to schedule tasks security policy setting.
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -24,7 +24,7 @@ Describes the best practices, location, values, and security considerations for
This policy setting determines whether server operators can use the **at** command to submit jobs. If you enable this policy setting, jobs that are created by server operators by means of the **at** command run in the context of the account that runs the Task Scheduler service. By default, that account is the Local System account.
>**Note:** This security option setting affects only the scheduler tool for the **at** command. It does not affect the Task Scheduler tool.
-
+
Enabling this policy setting means jobs that are created by server operators through the **at** command will be executed in the context of the account that is running that service—by default, that is, the Local System account. This synchronization with the local account means that server operators can perform tasks that the Local System account is able to do, but server operators would normally not be able to do, such as add their account to the local Administrators group.
The impact of enabling this policy setting should be small for most organizations. Users, including those users in the Server Operators group, will still be able to create jobs by using the Task Scheduler Wizard, but those jobs will run in the context of the account that the user authenticates with when setting up the job.
@@ -49,13 +49,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Not defined|
-| DC Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings | Not defined|
+| DC Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md
index 24614ad5c4..af6812e273 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md
@@ -7,7 +7,7 @@ ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/26/2023
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
index 39803ce695..0745e54ec3 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
@@ -1,13 +1,13 @@
---
title: Domain controller LDAP server signing requirements
description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server signing requirements security policy setting.
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -30,7 +30,7 @@ This setting doesn't have any impact on LDAP simple bind through SSL (LDAP TCP/6
If signing is required, then LDAP simple binds not using SSL are rejected (LDAP TCP/389).
>**Caution:** If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server.
-
+
### Possible values
- None. Data signatures aren't required to bind with the server. If the client computer requests data signing, the server supports it.
@@ -51,13 +51,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| DC Effective Default Settings | None|
-| Member Server Effective Default Settings | None|
-| Client Computer Effective Default Settings | None|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| DC Effective Default Settings | None|
+| Member Server Effective Default Settings | None|
+| Client Computer Effective Default Settings | None|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
index 63d863c555..dcc3e3be66 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
@@ -1,13 +1,13 @@
---
title: Refuse machine account password changes policy
description: Describes the best practices, location, values, and security considerations for the Domain controller Refuse machine account password changes security policy setting.
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.technology: itpro-security
ms.date: 12/31/2017
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
|---|---|
-| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Not defined |
-| DC Effective Default Settings | Disabled |
-| Member Server Effective Default Settings | Disabled |
-| Client Computer Effective Default Settings | Not applicable |
-
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings | Not defined |
+| DC Effective Default Settings | Disabled |
+| Member Server Effective Default Settings | Disabled |
+| Client Computer Effective Default Settings | Not applicable |
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
index d918369b03..820c7facca 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
@@ -1,8 +1,8 @@
---
-title: Domain member Digitally encrypt or sign secure channel data (always)
+title: Domain member Digitally encrypt or sign secure channel data (always)
description: Best practices, location, values, and security considerations for the policy setting, Domain member Digitally encrypt or sign secure channel data (always).
ms.assetid: 4480c7cb-adca-4f29-b4b8-06eb68d272bf
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -49,7 +49,7 @@ When a device joins a domain, a machine account is created. After being connecte
- Enabled
- The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This enablement ensures that the domain member attempts to negotiate at least signing of the secure
+ The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This enablement ensures that the domain member attempts to negotiate at least signing of the secure
channel traffic.
- Disabled
@@ -67,7 +67,7 @@ When a device joins a domain, a machine account is created. After being connecte
- Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) to **Enabled**.
>**Note:** You can enable the policy settings [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) on all devices in the domain that support these policy settings without affecting earlier-version clients and applications.
-
+
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
@@ -78,13 +78,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Enabled |
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings | Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Enabled |
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings | Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -103,7 +103,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-When a device joins a domain, a machine account is created. After the device is joined with the domain, it uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and
+When a device joins a domain, a machine account is created. After the device is joined with the domain, it uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and
sensitive information such as passwords are encrypted—but the channel isn't integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller can't sign or encrypt any portion of the secure channel data, the computer and domain controller can't establish a secure channel. If the device is configured to encrypt or sign secure channel data, when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
index c277be4b30..0086d01e2c 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
@@ -1,8 +1,8 @@
---
-title: Domain member Digitally encrypt secure channel data (when possible)
+title: Domain member Digitally encrypt secure channel data (when possible)
description: Best practices, security considerations, and more for the security policy setting, Domain member Digitally encrypt secure channel data (when possible).
ms.assetid: 73e6023e-0af3-4531-8238-82f0f0e4965b
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for
## Reference
-This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Sign-in information that is transmitted over
+This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Sign-in information that is transmitted over
the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated.
In addition to this policy setting, the following policy settings determine whether a secure channel can be established with a domain controller that isn't capable of signing or encrypting secure channel traffic:
@@ -54,7 +54,7 @@ When a device joins a domain, a machine account is created. After the device is
The domain member won't attempt to negotiate secure channel encryption.
>**Note:** If the security policy setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled, this setting will be overwritten.
-
+
- Not defined
### Best practices
@@ -74,12 +74,12 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Enabled|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Controller Policy | Enabled|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
index 302edcac50..cadfa2282e 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
@@ -1,8 +1,8 @@
---
-title: Domain member Digitally sign secure channel data (when possible)
+title: Domain member Digitally sign secure channel data (when possible)
description: Best practices, location, values, and security considerations for the security policy setting, Domain member Digitally sign secure channel data (when possible).
ms.assetid: a643e491-4f45-40ea-b12c-4dbe47e54f34
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for
## Reference
-This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Sign-in information that is transmitted over the
+This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Sign-in information that is transmitted over the
secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated.
The following policy settings determine whether a secure channel can be established with a domain controller that isn't capable of signing or encrypting secure channel traffic:
@@ -60,7 +60,7 @@ When a device joins a domain, a machine account is created. After the device is
- Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**.
- Set **Domain member: Digitally sign secure channel data (when possible)** to **Enabled**.
>**Note:** You can enable the other two policy settings, Domain member: [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and **Domain member: Digitally sign secure channel data (when possible)**, on all devices joined to the domain that support these policy settings without affecting earlier-version clients and applications.
-
+
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
@@ -71,13 +71,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Enabled |
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Enabled |
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
index 72e15d7783..324f36b008 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
@@ -1,8 +1,8 @@
---
-title: Domain member Disable machine account password changes
+title: Domain member Disable machine account password changes
description: Describes the best practices, location, values, and security considerations for the Domain member Disable machine account password changes security policy setting.
ms.assetid: 1f660300-a07a-4243-a09f-140aa1ab8867
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 06/27/2019
ms.technology: itpro-security
---
@@ -44,8 +44,8 @@ Verify that the **Domain member: Disable machine account password changes** opti
3. You may want to consider using this policy setting in specific environments, such as the following ones:
- Non-persistent Virtual Desktop Infrastructure implementations. In such implementations, each session starts from a read-only base image.
- - Embedded devices that don't have write access to the OS volume.
-
+ - Embedded devices that don't have write access to the OS volume.
+
In either case, a password change that was made during normal operations would be lost as soon as the session ends. We strongly recommend that you plan password changes for maintenance windows. Add the password changes to the updates and modifications that Windows performs during maintenance windows. To trigger a password update on a specific OS volume, run the following command:
```
@@ -62,15 +62,15 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
-| Server type or GPO | Default value |
+| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Disabled |
-| Default Domain Controller Policy | Disabled|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy | Disabled |
+| Default Domain Controller Policy | Disabled|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -85,7 +85,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-By default, devices running Windows Server that belong to a domain automatically change their passwords for their accounts every certain number of days, typically 30. If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts. Devices
+By default, devices running Windows Server that belong to a domain automatically change their passwords for their accounts every certain number of days, typically 30. If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts. Devices
that can't automatically change their account password are at risk from an attacker who could determine the password for the machine's domain account.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
index aacfa76378..278f2854fa 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
@@ -1,8 +1,8 @@
---
-title: Domain member Maximum machine account password age
+title: Domain member Maximum machine account password age
description: Describes the best practices, location, values, and security considerations for the Domain member Maximum machine account password age security policy setting.
ms.assetid: 0ec6f7c1-4d82-4339-94c0-debb2d1ac109
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 05/29/2020
ms.technology: itpro-security
---
@@ -31,8 +31,8 @@ The **Domain member: Maximum machine account password age** policy setting deter
In Active Directory–based domains, each device has an account and password. By default, the domain members submit a password change every 30 days. You can extend or reduce this interval. Additionally, you can use the **Domain member: Disable machine account password changes** policy to disable the password change requirement completely. However, before you consider this option, review the implications as described in [Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md).
-> [!IMPORTANT]
-> Significantly increasing the password change interval (or disabling password changes) gives an attacker more time to undertake a brute-force password-guessing attack against one of the machine accounts.
+> [!IMPORTANT]
+> Significantly increasing the password change interval (or disabling password changes) gives an attacker more time to undertake a brute-force password-guessing attack against one of the machine accounts.
For more information, see [Machine Account Password Process](https://techcommunity.microsoft.com/t5/Ask-the-Directory-Services-Team/Machine-Account-Password-Process/ba-p/396026).
@@ -43,7 +43,7 @@ For more information, see [Machine Account Password Process](https://techcommuni
### Best practices
-We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The extra replication churn would affect domain controllers in large organizations that have many computers or slow links between sites.
+We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The extra replication churn would affect domain controllers in large organizations that have many computers or slow links between sites.
### Location
@@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | 30 days|
-| DC Effective Default Settings | 30 days|
-| Member Server Effective Default Settings|30 days|
-| Client Computer Effective Default Settings | 30 days|
-
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | 30 days|
+| DC Effective Default Settings | 30 days|
+| Member Server Effective Default Settings|30 days|
+| Client Computer Effective Default Settings | 30 days|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md
index d5c4b65fcc..5f03addc62 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md
@@ -1,8 +1,8 @@
---
-title: Domain member Require strong (Windows 2000 or later) session key
+title: Domain member Require strong (Windows 2000 or later) session key
description: Best practices, location, values, and security considerations for the security policy setting, Domain member Require strong (Windows 2000 or later) session key.
ms.assetid: 5ab8993c-5086-4f09-bc88-1b27454526bd
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,7 +55,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
-| Server type or GPO
+| Server type or GPO
| Default value |
|--------------------------------------------|
diff --git a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
index 8f52bd244e..2580f51ed8 100644
--- a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
+++ b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
@@ -1,8 +1,8 @@
---
-title: Trust computer and user accounts for delegation
+title: Trust computer and user accounts for delegation
description: Learn about best practices, security considerations and more for the security policy setting, Enable computer and user accounts to be trusted for delegation.
ms.assetid: 524062d4-1595-41f3-8ce1-9c85fd21497b
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,13 +55,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| Domain Controller Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools and guidance to help you manage this policy.
@@ -94,7 +94,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-Misuse of the **Enable computer and user accounts to be trusted for delegation** user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this privilege to gain access to network resources and make it difficult to determine what has happened
+Misuse of the **Enable computer and user accounts to be trusted for delegation** user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this privilege to gain access to network resources and make it difficult to determine what has happened
after a security incident.
### Countermeasure
@@ -102,7 +102,7 @@ after a security incident.
The **Enable computer and user accounts to be trusted for delegation** user right should be assigned only if there's a clear need for its functionality. When you assign this right, you should investigate the use of constrained delegation to control what the delegated accounts can do. On domain controllers, this right is assigned to the Administrators group by default.
>**Note:** There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone computers.
-
+
### Potential impact
None. Not defined is the default configuration.
diff --git a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md
index 69915eba98..b2b87b7314 100644
--- a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md
+++ b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md
@@ -1,8 +1,8 @@
---
-title: Enforce password history
+title: Enforce password history
description: Describes the best practices, location, values, policy management, and security considerations for the Enforce password history security policy setting.
ms.assetid: 8b2ab871-3e52-4dd1-9776-68bb1e935442
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default domain policy | 24 passwords remembered|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | 0 passwords remembered|
-| Domain controller effective default settings | 24 passwords remembered|
-| Member server effective default settings | 24 passwords remembered|
-| Effective GPO default settings on client computers | 24 passwords remembered|
-
+| Default domain policy | 24 passwords remembered|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | 0 passwords remembered|
+| Domain controller effective default settings | 24 passwords remembered|
+| Member server effective default settings | 24 passwords remembered|
+| Effective GPO default settings on client computers | 24 passwords remembered|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -79,7 +79,7 @@ The longer a user uses the same password, the greater the chance that an attacke
If you specify a low number for this policy setting, users can use the same small number of passwords repeatedly. If you don't also configure the [Minimum password age](minimum-password-age.md) policy setting, users might repeatedly change their passwords until they can reuse their original password.
>**Note:** After an account has been compromised, a simple password reset might not be enough to restrict a malicious user because the malicious user might have modified the user's environment so that the password is changed back to a known value automatically at a certain time. If an account has been compromised, it is best to delete the account and assign the user a new account after all affected systems have been restored to normal operations and verified that they are no longer compromised.
-
+
### Countermeasure
Configure the **Enforce password history** policy setting to 24 (the maximum setting) to help minimize the number of vulnerabilities that are caused by password reuse.
diff --git a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md
index a119f6c131..faf39c7570 100644
--- a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md
+++ b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md
@@ -1,8 +1,8 @@
---
-title: Enforce user logon restrictions
+title: Enforce user logon restrictions
description: Describes the best practices, location, values, policy management, and security considerations for the Enforce user logon restrictions security policy setting.
ms.assetid: 5891cb73-f1ec-48b9-b703-39249e48a29f
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -50,13 +50,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server Type or GPO | Default Value |
| - | - |
-| Default Domain Policy | Enabled|
+| Default Domain Policy | Enabled|
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings| Not applicable |
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Not applicable|
-| Client Computer Effective Default Settings | Not applicable|
-
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Not applicable|
+| Client Computer Effective Default Settings | Not applicable|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md
index bb10d2ce82..fbf329985c 100644
--- a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md
+++ b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md
@@ -1,8 +1,8 @@
---
-title: Force shutdown from a remote system
+title: Force shutdown from a remote system
description: Describes the best practices, location, values, policy management, and security considerations for the Force shutdown from a remote system security policy setting.
ms.assetid: 63129243-31ea-42a4-a598-c7064f48a3df
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators
Server Operators|
-| Stand-Alone Server Default Settings | Administrators|
-| Domain Controller Effective Default Settings | Administrators
Server Operators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators
Server Operators|
+| Stand-Alone Server Default Settings | Administrators|
+| Domain Controller Effective Default Settings | Administrators
Server Operators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md
index 5b8810a11e..9b9ab36731 100644
--- a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md
+++ b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md
@@ -1,8 +1,8 @@
---
-title: Generate security audits
+title: Generate security audits
description: Describes the best practices, location, values, policy management, and security considerations for the Generate security audits security policy setting.
ms.assetid: c0e1cd80-840e-4c74-917c-5c2349de885f
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Local Service
Network Service|
-| Stand-Alone Server Default Settings | Local Service
Network Service|
-| Domain Controller Effective Default Settings | Local Service
Network Service|
-| Member Server Effective Default Settings | Local Service
Network Service|
-| Client Computer Effective Default Settings | Local Service
Network Service|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Local Service
Network Service|
+| Stand-Alone Server Default Settings | Local Service
Network Service|
+| Domain Controller Effective Default Settings | Local Service
Network Service|
+| Member Server Effective Default Settings | Local Service
Network Service|
+| Client Computer Effective Default Settings | Local Service
Network Service|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
index 6dcfe5687d..37573dfb33 100644
--- a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
@@ -8,7 +8,7 @@ manager: aaroncz
ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 06/07/2023
appliesto:
- ✅ Windows 11
diff --git a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md
index 698d38e82a..918c634443 100644
--- a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md
+++ b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md
@@ -1,8 +1,8 @@
---
-title: Impersonate a client after authentication
+title: Impersonate a client after authentication
description: Describes the best practices, location, values, policy management, and security considerations for the Impersonate a client after authentication security policy setting.
ms.assetid: 4cd241e2-c680-4b43-8ed0-3b391925cec5
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -65,12 +65,12 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy| Not defined |
-| Default Domain Controller Policy| Administrators
Local Service
Network Service
Service|
-| Stand-Alone Server Default Settings | Administrators
Local Service
Network Service
Service|
-| Domain Controller Effective Default Settings | Administrators
Local Service
Network Service
Service|
-| Member Server Effective Default Settings | Administrators
Local Service
Network Service
Service|
-| Client Computer Effective Default Settings | Administrators
Local Service
Network Service
Service|
-
+| Default Domain Controller Policy| Administrators
Local Service
Network Service
Service|
+| Stand-Alone Server Default Settings | Administrators
Local Service
Network Service
Service|
+| Domain Controller Effective Default Settings | Administrators
Local Service
Network Service
Service|
+| Member Server Effective Default Settings | Administrators
Local Service
Network Service
Service|
+| Client Computer Effective Default Settings | Administrators
Local Service
Network Service
Service|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md
index 0d6a6d694f..b383d4e733 100644
--- a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md
+++ b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md
@@ -1,8 +1,8 @@
---
-title: Increase a process working set
+title: Increase a process working set
description: Describes the best practices, location, values, policy management, and security considerations for the Increase a process working set security policy setting.
ms.assetid: b742ad96-37f3-4686-b8f7-f2b48367105b
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,11 +54,11 @@ The following table lists the actual and effective default policy values. Defaul
| - | - |
| Default Domain Policy| Not Defined|
| Default Domain Controller Policy | Users|
-| Stand-Alone Server Default Settings| Users|
-| Domain Controller Effective Default Settings| Users|
-| Member Server Effective Default Settings | Users|
-| Client Computer Effective Default Settings | Users|
-
+| Stand-Alone Server Default Settings| Users|
+| Domain Controller Effective Default Settings| Users|
+| Member Server Effective Default Settings | Users|
+| Client Computer Effective Default Settings | Users|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
index 1bcfcdb42e..e0afba5ecc 100644
--- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
+++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
@@ -1,8 +1,8 @@
---
-title: Increase scheduling priority
+title: Increase scheduling priority
description: Describes the best practices, location, values, policy management, and security considerations for the Increase scheduling priority security policy setting.
ms.assetid: fbec5973-d35e-4797-9626-d0d56061527f
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 2/6/2020
ms.technology: itpro-security
---
@@ -46,7 +46,7 @@ Constant: SeIncreaseBasePriorityPrivilege
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
-
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -82,9 +82,9 @@ Verify that only Administrators and Window Manager\Window Manager Group have the
None. Restricting the **Increase scheduling priority** user right to members of the Administrators group and Window Manager\Window Manager Group is the default configuration.
-> [!Warning]
-> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver.
->
+> [!Warning]
+> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver.
+>
> On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission.
## Related topics
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
index a1ee602ed9..6b6a223a3c 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Display user information when the session is locked
+title: Interactive logon Display user information when the session is locked
description: Best practices, security considerations, and more for the security policy setting, Interactive logon Display user information when the session is locked.
ms.assetid: 9146aa3d-9b2f-47ba-ac03-ff43efb10530
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -66,7 +66,7 @@ This setting has these possible values:
For a domain sign in only, the domain\username is displayed.
The **Privacy** setting is automatically on and grayed out.
-
+
- **Blank**
Default setting.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md
index 1917c4b70b..6d7880e8fe 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.reviewer:
ms.author: vinpa
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
index e4c4d49b0a..a13d25cd15 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Do not require CTRL+ALT+DEL
+title: Interactive logon Do not require CTRL+ALT+DEL
description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not require CTRL+ALT+DEL security policy setting.
ms.assetid: 04e2c000-2eb2-4d4b-8179-1e2cb4793e18
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -59,13 +59,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
index eadc6514fe..85cca7c7f1 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md
index bc3ee80c44..a9c3a468db 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Machine account lockout threshold
+title: Interactive logon Machine account lockout threshold
description: Best practices, location, values, management, and security considerations for the security policy setting, Interactive logon Machine account lockout threshold.
ms.assetid: ebbd8e22-2611-4ebe-9db9-d49344e631e4
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -51,13 +51,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings| Disabled|
-| DC Effective Default Settings | Disabled|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings| Disabled|
+| DC Effective Default Settings | Disabled|
| Member Server Effective Default Settings | Disabled |
-| Client Computer Effective Default Settings | Disabled|
-
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
index 40c0bcb254..499c8ea921 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Machine inactivity limit
+title: Interactive logon Machine inactivity limit
description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Machine inactivity limit security policy setting.
ms.assetid: 7065b4a9-0d52-41d5-afc4-5aedfc4162b5
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/18/2018
ms.technology: itpro-security
---
@@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
index 7f6a3535a6..9ea2643a8c 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
@@ -1,8 +1,8 @@
---
-title: Interactive Logon Message text
+title: Interactive Logon Message text
description: Learn about best practices, security considerations and more for the security policy setting, Interactive logon Message text for users attempting to log on.
ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
index fc861f5e80..f97c4515e8 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Message title for users attempting to log on
+title: Interactive logon Message title for users attempting to log on
description: Best practices, security considerations, and more for the security policy setting, Interactive logon Message title for users attempting to log on.
ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
index 079531c038..60159d1dd5 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Number of previous logons to cache (in case domain controller is not available)
+title: Interactive logon Number of previous logons to cache (in case domain controller is not available)
description: Best practices and more for the security policy setting, Interactive logon Number of previous logons to cache (in case domain controller is not available).
ms.assetid: 660e925e-cc3e-4098-a41e-eb8db8062d8d
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 08/27/2018
ms.technology: itpro-security
---
@@ -39,7 +39,7 @@ The system can't log you on now because the domain *DOMAIN NAME* isn't available
The value of this policy setting indicates the number of users whose sign-in information the server caches locally. If the value is 10, the server caches sign-in information for 10 users. When an 11th user signs in to the device, the server overwrites the oldest cached sign-in session.
-Users who access the server console will have their sign-in credentials cached on that server. A malicious user who is able to access the file system of the server can locate this cached information and use a brute-force attack to determine user passwords. Windows mitigates this type of attack by
+Users who access the server console will have their sign-in credentials cached on that server. A malicious user who is able to access the file system of the server can locate this cached information and use a brute-force attack to determine user passwords. Windows mitigates this type of attack by
encrypting the information and keeping the cached credentials in the system's registries, which are spread across numerous physical locations.
> [!NOTE]
@@ -52,7 +52,7 @@ encrypting the information and keeping the cached credentials in the system's re
### Best practices
-The [Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) don't recommend configuring this setting.
+The [Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) don't recommend configuring this setting.
### Location
@@ -64,13 +64,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | 10 logons|
-| DC Effective Default Settings | No effect|
-| Member Server Effective Default Settings | 10 logons|
-| Client Computer Effective Default Settings| 10 logons|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | 10 logons|
+| DC Effective Default Settings | No effect|
+| Member Server Effective Default Settings | 10 logons|
+| Client Computer Effective Default Settings| 10 logons|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -105,7 +105,7 @@ Configure the **Interactive logon: Number of previous logons to cache (in case d
### Potential impact
-Users can't sign in to any devices if there's no domain controller available to authenticate them. Organizations can configure this value to 2 for end-user computers, especially for mobile users. A configuration value of 2 means that the user's sign-in information is still in the cache, even if a
+Users can't sign in to any devices if there's no domain controller available to authenticate them. Organizations can configure this value to 2 for end-user computers, especially for mobile users. A configuration value of 2 means that the user's sign-in information is still in the cache, even if a
member of the IT department has recently logged on to the device to perform system maintenance. This method allows users to sign in to their computers when they aren't connected to the organization's network.
## Related topics
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
index b63d35d0b2..1c2bd90367 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
@@ -1,8 +1,8 @@
---
-title: Interactive log-on prompt user to change password before expiration
+title: Interactive log-on prompt user to change password before expiration
description: Best practices and security considerations for an interactive log-on prompt for users to change passwords before expiration.
ms.assetid: 8fe94781-40f7-4fbe-8cfd-5e116e6833e9
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -50,13 +50,13 @@ The following table lists the default values for this policy. Default values are
| Server type or Group Policy Object | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Five days|
-| DC Effective Default Settings | Five days |
+| DC Effective Default Settings | Five days |
| Member Server Effective Default Settings| Five days |
-| Client Computer Effective Default Settings | Five days|
-
+| Client Computer Effective Default Settings | Five days|
+
## Policy management
This section describes features and tools that you can use to manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
index c418e7adeb..12c079fced 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Require Domain Controller authentication to unlock workstation
+title: Interactive logon Require Domain Controller authentication to unlock workstation
description: Best practices security considerations, and more for the policy setting, Interactive logon Require Domain Controller authentication to unlock workstation.
ms.assetid: 97618ed3-e946-47db-a212-b5e7a4fc6ffc
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md
index 8d49c17278..7175af2912 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md
@@ -4,11 +4,11 @@ description: "Describes the best practices, location, values, policy management,
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
-ms.reviewer:
+ms.reviewer:
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: reference
ms.date: 01/13/2023
---
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
index 55213f035f..4ae503eb5d 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Smart card removal behavior
+title: Interactive logon Smart card removal behavior
description: Best practices, location, values, policy management, and security considerations for the security policy setting, Interactive logon Smart card removal behavior.
ms.assetid: 61487820-9d49-4979-b15d-c7e735999460
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -67,13 +67,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | No Action|
-| DC Effective Default Settings | No Action|
-| Member Server Effective Default Settings | No Action|
-| Client Computer Effective Default Settings | No Action|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | No Action|
+| DC Effective Default Settings | No Action|
+| Member Server Effective Default Settings | No Action|
+| Client Computer Effective Default Settings | No Action|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md
index b63e17c8c2..c8b07ad5e2 100644
--- a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md
@@ -1,8 +1,8 @@
---
-title: Kerberos Policy
+title: Kerberos Policy
description: Describes the Kerberos Policy settings and provides links to policy setting descriptions.
ms.assetid: 94017dd9-b1a3-4624-af9f-b29161b4bf38
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -28,7 +28,7 @@ The Kerberos version 5 authentication protocol provides the default mechanism f
These policy settings are located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy**.
-The following topics provide a discussion of implementation and best practices considerations, policy location, default values for the server type or GPO, relevant differences in operating system versions, security considerations (including the possible settings vulnerabilities of each setting),
+The following topics provide a discussion of implementation and best practices considerations, policy location, default values for the server type or GPO, relevant differences in operating system versions, security considerations (including the possible settings vulnerabilities of each setting),
countermeasures you can take, and the potential impact for each setting.
## In this section
@@ -40,7 +40,7 @@ countermeasures you can take, and the potential impact for each setting.
| [Maximum lifetime for user ticket](maximum-lifetime-for-user-ticket.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket** policy setting. |
| [Maximum lifetime for user ticket renewal](maximum-lifetime-for-user-ticket-renewal.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket renewal** security policy setting. |
| [Maximum tolerance for computer clock synchronization](maximum-tolerance-for-computer-clock-synchronization.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum tolerance for computer clock synchronization** security |
-
+
## Related topics
- [Configure security policy settings](how-to-configure-security-policy-settings.md)
diff --git a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md
index 1e9c0d4b8b..7a97507fb3 100644
--- a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md
+++ b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md
@@ -1,8 +1,8 @@
---
-title: Load and unload device drivers
+title: Load and unload device drivers
description: Describes the best practices, location, values, policy management, and security considerations for the Load and unload device drivers security policy setting.
ms.assetid: 66262532-c610-470c-9792-35ff4389430f
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,13 +56,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators
Print Operators|
-| Stand-Alone Server Default Settings | Administrators|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators
Print Operators|
+| Stand-Alone Server Default Settings | Administrators|
| Domain Controller Effective Default Settings | Administrators
Print Operators |
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -91,7 +91,7 @@ This section describes how an attacker might exploit a feature or its configurat
Device drivers run as highly privileged code. A user who has the **Load and unload device drivers** user right could unintentionally install malware that masquerades as a device driver. Administrators should exercise care and install only drivers with verified digital signatures.
>**Note:** You must have this user right or be a member of the local Administrators group to install a new driver for a local printer or to manage a local printer and configure defaults for options such as duplex printing.
-
+
### Countermeasure
Don't assign the **Load and unload device drivers** user right to any user or group other than Administrators on member servers. On domain controllers, don't assign this user right to any user or group other than Domain Admins.
diff --git a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
index c591706f9c..6be9e7a10f 100644
--- a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
+++ b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
@@ -1,8 +1,8 @@
---
-title: Lock pages in memory
+title: Lock pages in memory
description: Describes the best practices, location, values, policy management, and security considerations for the Lock pages in memory security policy setting.
ms.assetid: cc724979-aec0-496d-be4e-7009aef660a3
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -35,7 +35,7 @@ Enabling this policy setting for a specific account (a user account or a process
> [!NOTE]
> By configuring this policy setting, the performance of the Windows operating system will differ depending on if applications are running on 32-bit or 64-bit systems, and if they are virtualized images. Performance will also differ between earlier and later versions of the Windows operating system.
-
+
Constant: SeLockMemoryPrivilege
### Possible values
@@ -57,13 +57,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| Domain Controller Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| Domain Controller Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
index cecd34e77c..cd62546d27 100644
--- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
+++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
@@ -1,8 +1,8 @@
---
-title: Log on as a batch job
+title: Log on as a batch job
description: Describes the best practices, location, values, policy management, and security considerations for the Log on as a batch job security policy setting.
ms.assetid: 4eaddb51-0a18-470e-9d3d-5e7cd7970b41
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,13 +56,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators
Backup Operators
Performance Log Users|
-| Stand-Alone Server Default Settings | Administrators
Backup Operators
Performance Log Users|
-| Domain Controller Effective Default Settings | Administrators
Backup Operators
Performance Log Users|
-| Member Server Effective Default Settings | Administrators
Backup Operators
Performance Log Users|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators
Backup Operators
Performance Log Users|
+| Stand-Alone Server Default Settings | Administrators
Backup Operators
Performance Log Users|
+| Domain Controller Effective Default Settings | Administrators
Backup Operators
Performance Log Users|
+| Member Server Effective Default Settings | Administrators
Backup Operators
Performance Log Users|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md
index d1f486957c..f96d6aad98 100644
--- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md
+++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md
@@ -1,8 +1,8 @@
---
-title: Log on as a service
+title: Log on as a service
description: Describes the best practices, location, values, policy management, and security considerations for the Log on as a service security policy setting.
ms.assetid: acc9a9e0-fd88-4cda-ab54-503120ba1f42
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values. The po
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| Domain Controller Effective Default Settings | Network Service|
-| Member Server Effective Default Settings| Network Service|
-| Client Computer Effective Default Settings | Network Service|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| Domain Controller Effective Default Settings | Network Service|
+| Member Server Effective Default Settings| Network Service|
+| Client Computer Effective Default Settings | Network Service|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -84,7 +84,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-The **Log on as a service** user right allows accounts to start network services or services that run continuously on a computer, even when no one is logged on to the console. The risk is reduced because only users who have administrative privileges can install and configure services. An
+The **Log on as a service** user right allows accounts to start network services or services that run continuously on a computer, even when no one is logged on to the console. The risk is reduced because only users who have administrative privileges can install and configure services. An
attacker who has already reached that level of access could configure the service to run with the Local System account.
### Countermeasure
@@ -93,7 +93,7 @@ By definition, the Network Service account has the **Log on as a service** user
### Potential impact
-On most computers, the **Log on as a service** user right is restricted to the Local System, Local Service, and Network Service built-in accounts by default, and there's no negative impact. But if you have optional components such as ASP.NET or IIS, you might need to
+On most computers, the **Log on as a service** user right is restricted to the Local System, Local Service, and Network Service built-in accounts by default, and there's no negative impact. But if you have optional components such as ASP.NET or IIS, you might need to
assign the user right to the additional accounts that those components require. IIS requires this user right to be explicitly granted to the ASPNET user account.
## Related topics
diff --git a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md
index a2be818c7d..180e73d52d 100644
--- a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md
+++ b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md
@@ -1,8 +1,8 @@
---
-title: Manage auditing and security log
+title: Manage auditing and security log
description: Describes the best practices, location, values, policy management, and security considerations for the Manage auditing and security log security policy setting.
ms.assetid: 4b946c0d-f904-43db-b2d5-7f0917575347
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators|
-| Stand-Alone Server Default Settings | Administrators|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings| Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators|
+| Stand-Alone Server Default Settings | Administrators|
+| Domain Controller Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings| Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -100,7 +100,7 @@ Ensure that only the local Administrators group has the **Manage auditing and se
Restricting the **Manage auditing and security log** user right to the local Administrators group is the default configuration.
>**Warning:** If groups other than the local Administrators group have been assigned this user right, removing this user right might cause performance issues with other applications. Before removing this right from a group, investigate whether applications are dependent on this right.
-
+
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md
index bdc180ccf0..a750dcb65c 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md
@@ -1,8 +1,8 @@
---
-title: Maximum lifetime for service ticket
+title: Maximum lifetime for service ticket
description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for service ticket security policy setting.
ms.assetid: 484bf05a-3858-47fc-bc02-6599ca860247
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -51,13 +51,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server Type or GPO | Default Value |
| - | - |
-| Default Domain Policy| 600 minutes|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not applicable|
-| DC Effective Default Settings | 600 minutes|
-| Member Server Effective Default Settings | Not applicable|
-| Client Computer Effective Default Settings | Not applicable|
-
+| Default Domain Policy| 600 minutes|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not applicable|
+| DC Effective Default Settings | 600 minutes|
+| Member Server Effective Default Settings | Not applicable|
+| Client Computer Effective Default Settings | Not applicable|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
index 43935998f5..6dc4d1607b 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
@@ -1,8 +1,8 @@
---
-title: Maximum lifetime for user ticket renewal
+title: Maximum lifetime for user ticket renewal
description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket renewal security policy setting.
ms.assetid: f88cd819-3dd1-4e38-b560-13fe6881b609
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -49,13 +49,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| 7 days|
-| Default Domain Controller Policy| Not defined|
-| Stand-Alone Server Default Settings | Not applicable|
-| Domain Controller Effective Default Settings | 7 days|
-| Member Server Effective Default Settings | Not applicable|
-| Client Computer Effective Default Settings | Not applicable|
-
+| Default Domain Policy| 7 days|
+| Default Domain Controller Policy| Not defined|
+| Stand-Alone Server Default Settings | Not applicable|
+| Domain Controller Effective Default Settings | 7 days|
+| Member Server Effective Default Settings | Not applicable|
+| Client Computer Effective Default Settings | Not applicable|
+
### Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -91,7 +91,7 @@ Configure the **Maximum lifetime for user ticket renewal** setting to 7 days.
### Potential impact
-Seven (7) days is the default configuration. Changing the default configuration is a tradeoff between user convenience and security. A shorter time period requires users to authenticate with a DC more often, but remote users who authenticate with a DC infrequently can be locked out of services until they reauthenticate.
+Seven (7) days is the default configuration. Changing the default configuration is a tradeoff between user convenience and security. A shorter time period requires users to authenticate with a DC more often, but remote users who authenticate with a DC infrequently can be locked out of services until they reauthenticate.
## Related topics
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md
index 1d6f14a767..238e860228 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md
@@ -1,8 +1,8 @@
---
-title: Maximum lifetime for user ticket
+title: Maximum lifetime for user ticket
description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket policy setting.
ms.assetid: bcb4ff59-334d-4c2f-99af-eca2b64011dc
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -49,13 +49,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server Type or GPO | Default Value |
| - | - |
-| Default Domain Policy| 10 hours|
-| Default Domain Controller Policy| Not defined|
-| Stand-Alone Server Default Settings | Not applicable|
-| Domain Controller Effective Default Settings | 10 hours|
-| Member Server Effective Default Settings | Not applicable|
-| Client Computer Effective Default Settings | Not applicable|
-
+| Default Domain Policy| 10 hours|
+| Default Domain Controller Policy| Not defined|
+| Stand-Alone Server Default Settings | Not applicable|
+| Domain Controller Effective Default Settings | 10 hours|
+| Member Server Effective Default Settings | Not applicable|
+| Client Computer Effective Default Settings | Not applicable|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
index 1e3180694c..a416e4543c 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
@@ -1,8 +1,8 @@
---
-title: Maximum password age
+title: Maximum password age
description: Describes the best practices, location, values, policy management, and security considerations for the Maximum password age security policy setting.
ms.assetid: 2d6e70e7-c8b0-44fb-8113-870c6120871d
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -30,7 +30,7 @@ Describes the best practices, location, values, policy management, and security
The **Maximum password age** policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a certain number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If **Maximum password age** is between 1 and 999 days, the minimum password age must be less than the maximum password age. If **Maximum password age** is set to 0, [Minimum password age](minimum-password-age.md) can be any value between 0 and 998 days.
>**Note:** Setting **Maximum password age** to -1 is equivalent to 0, which means it never expires. Setting it to any other negative number is equivalent to setting it to **Not Defined**.
-
+
### Possible values
- User-specified number of days between 0 and 999
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| 42 days|
-| Default domain controller policy| Not defined|
-| Stand-alone server default settings | 42 days|
-| Domain controller effective default settings | 42 days|
-| Member server effective default settings | 42 days|
-| Effective GPO default settings on client computers| 42 days|
-
+| Default domain policy| 42 days|
+| Default domain controller policy| Not defined|
+| Stand-alone server default settings | 42 days|
+| Domain controller effective default settings | 42 days|
+| Member server effective default settings | 42 days|
+| Effective GPO default settings on client computers| 42 days|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -74,7 +74,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the **Maximum password age** policy setting to 0 so that users are never required to change their passwords allows a compromised password to be used by the malicious user for as long as the valid user is authorized access.
+The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the **Maximum password age** policy setting to 0 so that users are never required to change their passwords allows a compromised password to be used by the malicious user for as long as the valid user is authorized access.
### Considerations
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
index 5b2ae28406..fd26c1fd58 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
@@ -1,8 +1,8 @@
---
-title: Maximum tolerance for computer clock synchronization
+title: Maximum tolerance for computer clock synchronization
description: Best practices, location, values, policy management, and security considerations for the policy setting, Maximum tolerance for computer clock synchronization.
ms.assetid: ba2cf59e-d69d-469e-95e3-8e6a0ba643af
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -28,7 +28,7 @@ Describes the best practices, location, values, policy management, and security
This security setting determines the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on the client clock and the time on the domain controller that provides Kerberos authentication.
-To prevent "replay attacks," the Kerberos v5 protocol uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both devices must be set to the same time and date.
+To prevent "replay attacks," the Kerberos v5 protocol uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both devices must be set to the same time and date.
Because the clocks of two computers are often out of sync, you can use this policy setting to establish the maximum acceptable difference to the Kerberos protocol between a client clock and domain controller clock. If the difference between a client computer clock and the domain controller clock is less than the maximum time difference that is specified in this policy, any timestamp that's used in a session between the two devices is considered to be authentic.
The possible values for this Group Policy setting are:
@@ -50,13 +50,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| 5 minutes|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not applicable|
-| Domain Controller Effective Default Settings| 5 minutes|
-| Member Server Effective Default Settings | Not applicable|
-| Client Computer Effective Default Settings | Not applicable|
-
+| Default Domain Policy| 5 minutes|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not applicable|
+| Domain Controller Effective Default Settings| 5 minutes|
+| Member Server Effective Default Settings | Not applicable|
+| Client Computer Effective Default Settings | Not applicable|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
index e4f7c05351..687a39281d 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
@@ -1,7 +1,7 @@
---
title: Microsoft network client Digitally sign communications (always)
description: Best practices and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.prod: windows-client
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
ms.date: 01/13/2023
ms.technology: itpro-security
-ms.topic: conceptual
+ms.topic: reference
---
# Microsoft network client: Digitally sign communications (always)
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
index 343e8a2eb7..a3d215db1a 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
@@ -1,8 +1,8 @@
---
-title: Microsoft network client Send unencrypted password
+title: Microsoft network client Send unencrypted password
description: Learn about best practices and more for the security policy setting, Microsoft network client Send unencrypted password to third-party SMB servers.
ms.assetid: 97a76b93-afa7-4dd9-bb52-7c9e289b6017
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,13 +56,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings| Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings| Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
index 72d11c51b4..e79a912300 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
@@ -1,8 +1,8 @@
---
-title: Microsoft network server Amount of idle time required before suspending session
+title: Microsoft network server Amount of idle time required before suspending session
description: Best practices, security considerations, and more for the policy setting, Microsoft network server Amount of idle time required before suspending session.
ms.assetid: 8227842a-569d-480f-b43c-43450bbaa722
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
index f8096dec04..8fcc7102c7 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
@@ -1,8 +1,8 @@
---
-title: Microsoft network server Attempt S4U2Self
+title: Microsoft network server Attempt S4U2Self
description: Learn about the security policy setting, Microsoft network server Attempt S4U2Self to obtain claim information.
ms.assetid: e4508387-35ed-4a3f-a47c-27f8396adbba
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -27,7 +27,7 @@ Describes the best practices, location, values, management, and security conside
## Reference
-This security setting supports client devices running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-for-User-to-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain. This setting should only be enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts might be in a domain that has client computers
+This security setting supports client devices running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-for-User-to-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain. This setting should only be enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts might be in a domain that has client computers
and domain controllers running a version of Windows prior to Windows 8 or Windows Server 2012.
When enabled, this security setting causes the Windows file server to examine the access token of an authenticated network client principal and determines if claim information is present. If claims aren't present, the file server will then use the Kerberos S4U2Self feature to attempt to contact a Windows Server 2012 domain controller in the client’s account domain and obtain a claims-enabled access token for the client principal. A claims-enabled token might be needed to access files or folders that have claim-based access control policy applied.
@@ -64,13 +64,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings| Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings| Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -89,7 +89,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-None. Enabling this policy setting allows you to take advantage of features in Windows Server 2012 and Windows 8 and later for specific scenarios to use claims-enabled tokens to access files or folders that have claim-based access control policy applied on Windows operating systems prior to Windows Server 2012
+None. Enabling this policy setting allows you to take advantage of features in Windows Server 2012 and Windows 8 and later for specific scenarios to use claims-enabled tokens to access files or folders that have claim-based access control policy applied on Windows operating systems prior to Windows Server 2012
and Windows 8.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
index 4685a285de..030123cf61 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
@@ -3,12 +3,12 @@ title: Microsoft network server Digitally sign communications (always)
description: Best practices, security considerations, and more for the security policy setting, Microsoft network server Digitally sign communications (always).
author: vinaypamnani-msft
ms.author: vinpa
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: reference
ms.date: 01/13/2023
---
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
index c560912610..b7f738611b 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
@@ -1,8 +1,8 @@
---
-title: Microsoft network server Disconnect clients when sign-in hours expire
+title: Microsoft network server Disconnect clients when sign-in hours expire
description: Best practices, location, values, and security considerations for the policy setting, Microsoft network server Disconnect clients when sign-in hours expire.
ms.assetid: 48b5c424-9ba8-416d-be7d-ccaabb3f49af
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
| DC Effective Default Settings| Enabled |
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
index b0119771b5..c10cf64969 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
@@ -1,8 +1,8 @@
---
-title: Microsoft network server Server SPN target name validation level
+title: Microsoft network server Server SPN target name validation level
description: Best practices, security considerations, and more for the security policy setting, Microsoft network server Server SPN target name validation level.
ms.assetid: 18337f78-eb45-42fd-bdbd-f8cd02c3e154
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,7 +54,7 @@ The default setting is Off.
This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities.
>**Note:** All Windows operating systems support a client-side SMB component and a server-side SMB component.
-
+
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
@@ -65,13 +65,13 @@ The following table lists the actual and effective default values for this polic
| Server type or Group Policy object (GPO) | Default value |
| - | - |
-| Default domain policy | Off |
-| Default domain controller policy| Off|
-| Stand-alone server default settings | Off|
-| Domain controller effective default settings| Validation level check not implemented|
-| Member server effective default settings | Validation level check not implemented|
-| Effective GPO default settings on client computers | Validation level check not implemented|
-
+| Default domain policy | Off |
+| Default domain controller policy| Off|
+| Stand-alone server default settings | Off|
+| Domain controller effective default settings| Validation level check not implemented|
+| Member server effective default settings | Validation level check not implemented|
+| Effective GPO default settings on client computers | Validation level check not implemented|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
index e42c7f62fc..67cf3aac2e 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
@@ -1,8 +1,8 @@
---
-title: Minimum password age
+title: Minimum password age
description: Describes the best practices, location, values, policy management, and security considerations for the Minimum password age security policy setting.
ms.assetid: 91915cb2-1b3f-4fb7-afa0-d03df95e8161
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.prod: windows-client
@@ -13,7 +13,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
ms.date: 11/13/2018
ms.technology: itpro-security
-ms.topic: conceptual
+ms.topic: reference
---
# Minimum password age
@@ -35,15 +35,15 @@ The **Minimum password age** policy setting determines the period of time (in da
### Best practices
-[Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) recommend setting **Minimum password age** to one day.
+[Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) recommend setting **Minimum password age** to one day.
-Setting the number of days to 0 allows immediate password changes. This setting isn't recommended.
-Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again.
-For example, suppose a password is "Ra1ny day!" and the history requirement is 24.
-If the minimum password age is 0, the password can be changed 24 times in a row until finally changed back to "Ra1ny day!".
+Setting the number of days to 0 allows immediate password changes. This setting isn't recommended.
+Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again.
+For example, suppose a password is "Ra1ny day!" and the history requirement is 24.
+If the minimum password age is 0, the password can be changed 24 times in a row until finally changed back to "Ra1ny day!".
The minimum password age of 1 day prevents that.
-If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box.
+If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box.
Otherwise, the user won't be able to change the password until the number of days specified by **Minimum password age**.
### Location
@@ -56,13 +56,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| 1 day|
-| Default domain controller policy| Not defined|
-| Stand-alone server default settings | 0 days|
-| Domain controller effective default settings | 1 day|
-| Member server effective default settings | 1 day|
-| Effective GPO default settings on client computers| 1 day|
-
+| Default domain policy| 1 day|
+| Default domain controller policy| Not defined|
+| Stand-alone server default settings | 0 days|
+| Domain controller effective default settings | 1 day|
+| Member server effective default settings | 1 day|
+| Effective GPO default settings on client computers| 1 day|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
index 4ef50144bc..d264ff4033 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
@@ -1,8 +1,8 @@
---
-title: Minimum password length
+title: Minimum password length
description: Describes the best practices, location, values, policy management, and security considerations for the Minimum password length security policy setting.
ms.assetid: 3d22eb9a-859a-4b6f-82f5-c270c427e17e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 03/30/2022
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
index 0fe460d50d..e3f1d6decd 100644
--- a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
+++ b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
@@ -1,8 +1,8 @@
---
-title: Modify an object label
+title: Modify an object label
description: Describes the best practices, location, values, policy management, and security considerations for the Modify an object label security policy setting.
ms.assetid: 3e5a97dd-d363-43a8-ae80-452e866ebfd5
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security
This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.
-The integrity label is used by the Windows Integrity Controls (WIC) feature, which was introduced in Windows Server 2008 and Windows Vista. WIC keeps lower integrity processes from modifying higher integrity processes by assigning one of six possible labels to objects on the system. Although
+The integrity label is used by the Windows Integrity Controls (WIC) feature, which was introduced in Windows Server 2008 and Windows Vista. WIC keeps lower integrity processes from modifying higher integrity processes by assigning one of six possible labels to objects on the system. Although
similar to NTFS file and folder permissions, which are discretionary controls on objects, the WIC integrity levels are mandatory controls that are put in place and enforced by the operating system. The following list describes the integrity levels from lowest to highest:
- **Untrusted** Default assignment for processes that are logged on anonymously.
@@ -62,13 +62,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| Domain Controller Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| Domain Controller Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -94,7 +94,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-Anyone with the **Modify an object label** user right can change the integrity level of a file or process so that it becomes elevated or decreased to a point where it can be deleted by lower integrity processes. Either of these states effectively circumvents the protection that is offered by
+Anyone with the **Modify an object label** user right can change the integrity level of a file or process so that it becomes elevated or decreased to a point where it can be deleted by lower integrity processes. Either of these states effectively circumvents the protection that is offered by
Windows Integrity Controls and makes your system vulnerable to attacks by malicious software.
If malicious software is set with an elevated integrity level such as Trusted Installer or System, administrator accounts don't have sufficient integrity levels to delete the program from the system. In that case, use of the **Modify an object label** right is mandated so that the object can be relabeled. However, the relabeling must occur by using a process that is at the same or a higher level of integrity than the object that you're attempting to relabel.
diff --git a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
index faff714347..5a2d90eb2c 100644
--- a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
+++ b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
@@ -1,8 +1,8 @@
---
-title: Modify firmware environment values
+title: Modify firmware environment values
description: Describes the best practices, location, values, policy management, and security considerations for the Modify firmware environment values security policy setting.
ms.assetid: 80bad5c4-d9eb-4e3a-a5dc-dcb742b83fca
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -61,13 +61,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO |Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Adminstrators|
-| Stand-Alone Server Default Settings | Adminstrators|
-| Domain Controller Effective Default Settings | Adminstrators|
-| Member Server Effective Default Settings | Adminstrators|
-| Client Computer Effective Default Settings | Adminstrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Adminstrators|
+| Stand-Alone Server Default Settings | Adminstrators|
+| Domain Controller Effective Default Settings | Adminstrators|
+| Member Server Effective Default Settings | Adminstrators|
+| Client Computer Effective Default Settings | Adminstrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
index 164da34ecf..16e357e6c1 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
@@ -1,8 +1,8 @@
---
-title: Network access Allow anonymous SID/Name translation
+title: Network access Allow anonymous SID/Name translation
description: Best practices, location, values, policy management and security considerations for the policy setting, Network access Allow anonymous SID/Name translation.
ms.assetid: 0144477f-22a6-4d06-b70a-9c9c2196e99e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -59,13 +59,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
### Operating system version differences
The default value of this setting has changed between operating systems as follows:
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
index caccbb931a..9f3219cb41 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
@@ -1,8 +1,8 @@
---
-title: Network access Do not allow anonymous enumeration
+title: Network access Do not allow anonymous enumeration
description: Learn about best practices and more for the security policy setting, Network access Do not allow anonymous enumeration of SAM accounts and shares.
ms.assetid: 3686788d-4cc7-4222-9163-cbc7c3362d73
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -51,13 +51,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
index 83888d29df..e737e440d1 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
@@ -1,8 +1,8 @@
---
-title: Network access Do not allow anonymous enumeration of SAM accounts
+title: Network access Do not allow anonymous enumeration of SAM accounts
description: Describes the best practices, location, values, and security considerations for the Network access Do not allow anonymous enumeration of SAM accounts security policy setting.
ms.assetid: 6ee25b33-ad43-4097-b031-7be680f64c7c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
index 770a44407d..07e8b5d1cb 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
@@ -1,8 +1,8 @@
---
-title: Network access Do not allow storage of passwords and credentials for network authentication
+title: Network access Do not allow storage of passwords and credentials for network authentication
description: Learn about best practices and more for the security policy setting, Network access Do not allow storage of passwords and credentials for network authentication
ms.assetid: b9b64360-36ea-40fa-b795-2d6558c46563
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 07/01/2021
ms.technology: itpro-security
---
@@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy| Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings| Disabled|
-| Member server effective default settings | Disabled|
-| Effective GPO default settings on client computers |Disabled|
-
+| Default domain policy| Not defined|
+| Default domain controller policy| Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings| Disabled|
+| Member server effective default settings | Disabled|
+| Effective GPO default settings on client computers |Disabled|
+
### Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -83,7 +83,7 @@ This section describes how an attacker might exploit a feature or its configurat
Passwords that are cached can be accessed by the user when logged on to the device. Although this information may sound obvious, a problem can arise if the user unknowingly runs malicious software that reads the passwords and forwards them to another, unauthorized user.
>**Note:** The chances of success for this exploit and others that involve malicious software are reduced significantly for organizations that effectively implement and manage an enterprise antivirus solution combined with sensible software restriction policies.
-
+
Regardless of what encryption algorithm is used to encrypt the password verifier, a password verifier can be overwritten so that an attacker can authenticate as the user to whom the verifier belongs. Therefore, the administrator's password may be overwritten. This procedure requires physical access to the device. Utilities exist that can help overwrite the cached verifier. With the help of one of these utilities, an attacker can authenticate by using the overwritten value.
Overwriting the administrator's password doesn't help the attacker access data that is encrypted by using that password. Also, overwriting the password doesn't help the attacker access any Encrypting File System (EFS) data that belongs to other users on that device. Overwriting the password doesn't help an attacker replace the verifier, because the base keying material is incorrect. Therefore, data that is encrypted by using Encrypting File System or by using the Data Protection API (DPAPI) won't decrypt.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
index 618f7ffbc0..65f3d3d7c6 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
@@ -1,8 +1,8 @@
---
-title: Let Everyone permissions apply to anonymous users
+title: Let Everyone permissions apply to anonymous users
description: Learn about best practices, security considerations and more for the security policy setting, Network access Let Everyone permissions apply to anonymous users.
ms.assetid: cdbc5159-9173-497e-b46b-7325f4256353
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
index 7a1acb165d..311f70c3ef 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
@@ -1,8 +1,8 @@
---
-title: Network access Named Pipes that can be accessed anonymously
+title: Network access Named Pipes that can be accessed anonymously
description: Describes best practices, security considerations and more for the security policy setting, Network access Named Pipes that can be accessed anonymously.
ms.assetid: 8897d2a4-813e-4d2b-8518-fcee71e1cf2c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -50,13 +50,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Netlogon, samr, lsarpc|
-| Stand-Alone Server Default Settings | Null|
-| DC Effective Default Settings | Netlogon, samr, lsarpc|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Netlogon, samr, lsarpc|
+| Stand-Alone Server Default Settings | Null|
+| DC Effective Default Settings | Netlogon, samr, lsarpc|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
@@ -79,15 +79,15 @@ You can restrict access over named pipes such as COMNAP and LOCATOR to help prev
| Named pipe | Purpose |
| - | - |
-| COMNAP | SNABase named pipe. Systems network Architecture (SNA) is a collection of network protocols that were originally developed for IBM mainframe computers.|
-| COMNODE| SNA Server named pipe.|
-| SQL\QUERY | Default named pipe for SQL Server.|
-| SPOOLSS | Named pipe for the Print Spooler service.|
-| EPMAPPER | End Point Mapper named pipe.|
-| LOCATOR | Remote Procedure Call Locator service named pipe.|
-| TrlWks | Distributed Link Tracking Client named pipe.|
-| TrkSvr | Distributed Link Tracking Server named pipe.|
-
+| COMNAP | SNABase named pipe. Systems network Architecture (SNA) is a collection of network protocols that were originally developed for IBM mainframe computers.|
+| COMNODE| SNA Server named pipe.|
+| SQL\QUERY | Default named pipe for SQL Server.|
+| SPOOLSS | Named pipe for the Print Spooler service.|
+| EPMAPPER | End Point Mapper named pipe.|
+| LOCATOR | Remote Procedure Call Locator service named pipe.|
+| TrlWks | Distributed Link Tracking Client named pipe.|
+| TrkSvr | Distributed Link Tracking Server named pipe.|
+
### Countermeasure
Configure the **Network access: Named Pipes that can be accessed anonymously** setting to a null value (enable the setting but don't specify named pipes in the text box).
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
index 9c968a3f5c..12988a2e90 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
@@ -1,8 +1,8 @@
---
-title: Network access Remotely accessible registry paths and subpaths
+title: Network access Remotely accessible registry paths and subpaths
description: Describes best practices, location, values, and security considerations for the policy setting, Network access Remotely accessible registry paths and subpaths.
ms.assetid: 3fcbbf70-a002-4f85-8e86-8dabad21928e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -29,7 +29,7 @@ Describes the best practices, location, values, and security considerations for
This policy setting determines which registry paths and subpaths are accessible when an application or process references the WinReg key to determine access permissions.
-The registry is a database for device configuration information, much of which is sensitive. A malicious user can use it to facilitate unauthorized activities. The chance of this happening is reduced by the fact that the default ACLs that are assigned throughout the registry are fairly restrictive,
+The registry is a database for device configuration information, much of which is sensitive. A malicious user can use it to facilitate unauthorized activities. The chance of this happening is reduced by the fact that the default ACLs that are assigned throughout the registry are fairly restrictive,
and they help protect it from access by unauthorized users.
To allow remote access, you must also enable the Remote Registry service.
@@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | See the following registry key combination|
-| DC Effective Default Settings | See the following registry key combination|
-| Member Server Effective Default Settings | See the following registry key combination|
-| Client Computer Effective Default Settings | See the following registry key combination|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | See the following registry key combination|
+| DC Effective Default Settings | See the following registry key combination|
+| Member Server Effective Default Settings | See the following registry key combination|
+| Client Computer Effective Default Settings | See the following registry key combination|
+
The combination of all the following registry keys apply to the previous settings:
1. System\\CurrentControlSet\\Control\\Print\\Printers
@@ -99,7 +99,7 @@ Configure the **Network access: Remotely accessible registry paths and sub-paths
Remote management tools such as MBSA and Configuration Manager require remote access to the registry to properly monitor and manage those computers. If you remove the default registry paths from the list of accessible ones, such remote management tools could fail.
>**Note:** If you want to allow remote access, you must also enable the Remote Registry service.
-
+
## Related topics
- [Security Options](security-options.md)
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
index dd86f8a026..3a1924da9a 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
@@ -1,8 +1,8 @@
---
-title: Network access Remotely accessible registry paths
+title: Network access Remotely accessible registry paths
description: Best practices, location, values, policy management and security considerations for the policy setting, Network access Remotely accessible registry paths.
ms.assetid: 977f86ea-864f-4f1b-9756-22220efce0bd
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | See the following registry key combination|
-| DC Effective Default Settings | See the following registry key combination|
-| Member Server Effective Default Settings | See the following registry key combination|
-| Client Computer Effective Default Settings | See the following registry key combination|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | See the following registry key combination|
+| DC Effective Default Settings | See the following registry key combination|
+| Member Server Effective Default Settings | See the following registry key combination|
+| Client Computer Effective Default Settings | See the following registry key combination|
+
The combination of all the following registry keys apply to the previous settings:
1. System\\CurrentControlSet\\Control\\ProductOptions
@@ -90,7 +90,7 @@ Configure the **Network access: Remotely accessible registry paths** setting to
Remote management tools such as the Microsoft Baseline Security Analyzer (MBSA) and Configuration Manager require remote access to the registry to properly monitor and manage those computers. If you remove the default registry paths from the list of accessible ones, such remote management tools could fail.
>**Note:** If you want to allow remote access, you must also enable the Remote Registry service.
-
+
## Related topics
- [Security Options](security-options.md)
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
index 30cbc5b78f..e45ad66787 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
@@ -1,8 +1,8 @@
---
-title: Network access Restrict anonymous access to Named Pipes and Shares
+title: Network access Restrict anonymous access to Named Pipes and Shares
description: Best practices, security considerations, and more for the security policy setting, Network access Restrict anonymous access to Named Pipes and Shares.
ms.assetid: e66cd708-7322-4d49-9b57-1bf8ec7a4c10
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -32,7 +32,7 @@ Describes the best practices, location, values, policy management and security c
## Reference
-This policy setting enables or disables the restriction of anonymous access to only those shared folders and pipes that are named in the **Network access: Named pipes that can be accessed anonymously** and [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md) settings. The setting controls null session access to shared folders on your computers by adding RestrictNullSessAccess with the value 1 in the registry key
+This policy setting enables or disables the restriction of anonymous access to only those shared folders and pipes that are named in the **Network access: Named pipes that can be accessed anonymously** and [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md) settings. The setting controls null session access to shared folders on your computers by adding RestrictNullSessAccess with the value 1 in the registry key
**HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters**. This registry value toggles null session shared folders on or off to control whether the Server service restricts unauthenticated clients' access to named resources.
Null sessions are a weakness that can be exploited through the various shared folders on the devices in your environment.
@@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings | Enabled|
-| Client Computer Effective Default Settings| Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings | Enabled|
+| Client Computer Effective Default Settings| Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index 6b65885d98..587ae7e3a5 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -7,12 +7,12 @@ ms.localizationpriority: medium
ms.date: 09/17/2018
author: vinaypamnani-msft
ms.author: vinpa
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
---
# Network access: Restrict clients allowed to make remote calls to SAM
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
index dc0a2dda77..57882060a6 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
@@ -1,8 +1,8 @@
---
-title: Network access Shares that can be accessed anonymously
+title: Network access Shares that can be accessed anonymously
description: Learn about best practices, security considerations, and more for the security policy setting, Network access Shares that can be accessed anonymously.
ms.assetid: f3e4b919-8279-4972-b415-5f815e2f0a1a
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -48,13 +48,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| DC Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| DC Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
index c11be07eab..9665aaaaf7 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
@@ -1,8 +1,8 @@
---
-title: Network access Sharing and security model for local accounts
+title: Network access Sharing and security model for local accounts
description: Best practices, security considerations, and more for the security policy setting, Network access Sharing and security model for local accounts.
ms.assetid: 0b3d703c-ea27-488f-8f59-b345af75b994
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -31,7 +31,7 @@ This policy setting determines how network logons that use local accounts are au
>**Note:** This policy setting does not affect network logons that use domain accounts. Nor does this policy setting affect interactive logons that are performed remotely through services such as Telnet or Remote Desktop Services.
When the device is not joined to a domain, this policy setting also tailors the **Sharing** and **Security** tabs in Windows Explorer to correspond to the sharing and security model that is being used.
-
+
When the value of this policy setting is **Guest only - local users authenticate as Guest**, any user who can access your device over the network does so with Guest user rights. This privilege means that they'll probably be unable to write to shared folders. Although this restriction does increase security, it makes it impossible for authorized users to access shared resources on those systems. When the value is **Classic - local users authenticate as themselves**, local accounts must be password-protected; otherwise, anyone can use those user accounts to access shared system resources.
### Possible values
@@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Classic (local users authenticate as themselves)|
-| DC Effective Default Settings | Classic (local users authenticate as themselves)|
-| Member Server Effective Default Settings | Classic (local users authenticate as themselves)|
-| Client Computer Effective Default Settings | Classic (local users authenticate as themselves)|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Classic (local users authenticate as themselves)|
+| DC Effective Default Settings | Classic (local users authenticate as themselves)|
+| Member Server Effective Default Settings | Classic (local users authenticate as themselves)|
+| Client Computer Effective Default Settings | Classic (local users authenticate as themselves)|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md
index a946a20ae9..04167671df 100644
--- a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md
+++ b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md
@@ -1,8 +1,8 @@
---
-title: Network List Manager policies
+title: Network List Manager policies
description: Network List Manager policies are security settings that configure different aspects of how networks are listed and displayed on one device or on many devices.
ms.assetid: bd8109d4-b07c-4beb-a9a6-affae2ba2fda
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -36,7 +36,7 @@ The following policy settings are provided for Network List Manager Policies. Th
### Unidentified Networks
-This policy setting allows you to configure the **Network Location**, including the location type and the user permissions, for networks that Windows cannot identify due to a network issue or a lack of identifiable characters in the network information received by the operating system from the
+This policy setting allows you to configure the **Network Location**, including the location type and the user permissions, for networks that Windows cannot identify due to a network issue or a lack of identifiable characters in the network information received by the operating system from the
network. A network location identifies the type of network that a computer is connected to and automatically sets the appropriate firewall settings for that location. You can configure the following items for this policy setting:
- **Location type**. For this item, the following options are available:
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
index bdd1418a71..509602f606 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
@@ -2,7 +2,7 @@
title: "Network security: Allow Local System to use computer identity for NTLM (Windows 10)"
description: Location, values, policy management, and security considerations for the policy setting, Network security Allow Local System to use computer identity for NTLM.
ms.assetid: c46a658d-b7a4-4139-b7ea-b9268c240053
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 10/04/2021
ms.technology: itpro-security
---
@@ -34,11 +34,11 @@ When a service connects with the device identity, signing and encryption are sup
### Possible values
| Setting | Windows Server 2008 and Windows Vista | At least Windows Server 2008 R2 and Windows 7 |
-| - | - | - |
+| - | - | - |
| Enabled | Services running as Local System that use Negotiate will use the computer identity. This value might cause some authentication requests between Windows operating systems to fail and log an error.| Services running as Local System that use Negotiate will use the computer identity. This behavior is the default behavior. |
| Disabled| Services running as Local System that uses Negotiate when reverting to NTLM authentication will authenticate anonymously. This behavior is the default behavior.| Services running as Local System that uses Negotiate when reverting to NTLM authentication will authenticate anonymously.|
-|Neither|Services running as Local System that uses Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that uses Negotiate will use the computer identity. This behavior might cause some authentication requests between Windows operating systems to fail and log an error.|
-
+|Neither|Services running as Local System that uses Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that uses Negotiate will use the computer identity. This behavior might cause some authentication requests between Windows operating systems to fail and log an error.|
+
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
@@ -48,13 +48,13 @@ The following table lists the actual and effective default values for this polic
| Server type or Group Policy object (GPO) | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not applicable|
-| Member server effective default settings | Not applicable|
-| Effective GPO default settings on client computers | Not defined|
-
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not applicable|
+| Member server effective default settings | Not applicable|
+| Effective GPO default settings on client computers | Not defined|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
index fd87daba06..02d157f8db 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
@@ -1,8 +1,8 @@
---
-title: Network security Allow LocalSystem NULL session fallback
+title: Network security Allow LocalSystem NULL session fallback
description: Describes the best practices, location, values, and security considerations for the Network security Allow LocalSystem NULL session fallback security policy setting.
ms.assetid: 5b72edaa-bec7-4572-b6f0-648fc38f5395
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for
## Reference
-This policy affects session security during the authentication process between devices running Windows Server 2008 R2 and Windows 7 and later and those devices running earlier versions of the Windows operating system. For computers running Windows Server 2008 R2 and Windows 7 and later, services running as Local System require a service principal name (SPN) to generate the session key. However, if [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) is set to disabled, services running as Local
+This policy affects session security during the authentication process between devices running Windows Server 2008 R2 and Windows 7 and later and those devices running earlier versions of the Windows operating system. For computers running Windows Server 2008 R2 and Windows 7 and later, services running as Local System require a service principal name (SPN) to generate the session key. However, if [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) is set to disabled, services running as Local
System will fall back to using NULL session authentication when they transmit data to servers running versions of Windows earlier than Windows Vista or Windows Server 2008. NULL session doesn't establish a unique session key for each authentication; and thus, it can't provide integrity or confidentiality protection. The setting **Network security: Allow LocalSystem NULL session fallback** determines whether services that request the use of session security are allowed to perform signature or encryption functions with a well-known key for application compatibility.
### Possible values
@@ -38,7 +38,7 @@ System will fall back to using NULL session authentication when they transmit da
- **Disabled**
- When a service running as Local System connects with a NULL session, session security will be unavailable. Calls seeking encryption or signing will fail. This setting is more secure, but at the risk of degrading application incompatibility. Calls that are using the device identity instead of a
+ When a service running as Local System connects with a NULL session, session security will be unavailable. Calls seeking encryption or signing will fail. This setting is more secure, but at the risk of degrading application incompatibility. Calls that are using the device identity instead of a
NULL session will still have full use of session security.
- Not defined. When this policy isn't defined, the default takes effect. This policy is Enabled for versions of the Windows operating system earlier than Windows Server 2008 R2 and Windows 7, and it's Disabled otherwise.
@@ -57,13 +57,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not applicable|
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not applicable|
| Member server effective default settings | Not applicable |
-| Effective GPO default settings on client computers | Not applicable|
-
+| Effective GPO default settings on client computers | Not applicable|
+
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
index abc5d527cd..202d37d4e5 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
@@ -1,8 +1,8 @@
---
-title: Network security Allow PKU2U authentication requests to this computer to use online identities
+title: Network security Allow PKU2U authentication requests to this computer to use online identities
description: Best practices for the Network Security Allow PKU2U authentication requests to this computer to use online identities security setting.
ms.assetid: e04a854e-d94d-4306-9fb3-56e9bd7bb926
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 01/03/2022
ms.technology: itpro-security
---
@@ -33,7 +33,7 @@ When devices are configured to accept authentication requests by using online ID
> [!NOTE]
> Linking online IDs can be performed by anyone who has an account that has standard user’s credentials through Credential Manager.
-
+
This policy isn't configured by default on domain-joined devices. This disablement would disallow the online identities to authenticate to domain-joined computers from Windows 7 up to Windows 10, Version 1607. This policy is enabled by default in Windows 10, Version 1607, and later.
### Possible values
@@ -61,21 +61,21 @@ The following table lists the effective default values for this policy. Default
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Disabled|
-| Member server effective default settings | Disabled|
-| Effective GPO default settings on client computers prior to Windows 10, Version 1607 | Disabled|
-| Effective GPO default settings on client computers Windows 10, Version 1607 and later| Enabled|
-
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Disabled|
+| Member server effective default settings | Disabled|
+| Effective GPO default settings on client computers prior to Windows 10, Version 1607 | Disabled|
+| Effective GPO default settings on client computers Windows 10, Version 1607 and later| Enabled|
+
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of the countermeasure.
### Vulnerability
-Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or a Microsoft Entra account. That account can then sign in to a peer device (if the peer device is likewise configured) without the use of a Windows sign-in account (domain or local). This setup isn't only beneficial, but required for Microsoft Entra joined devices, where they're signed in with an online identity and are issued certificates by Microsoft Entra ID. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it doesn't pose any threats in a hybrid environment where Microsoft Entra ID is used as it relies on the user's online identity and Microsoft Entra ID to authenticate.
+Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or a Microsoft Entra account. That account can then sign in to a peer device (if the peer device is likewise configured) without the use of a Windows sign-in account (domain or local). This setup isn't only beneficial, but required for Microsoft Entra joined devices, where they're signed in with an online identity and are issued certificates by Microsoft Entra ID. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it doesn't pose any threats in a hybrid environment where Microsoft Entra ID is used as it relies on the user's online identity and Microsoft Entra ID to authenticate.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
index 465adda6a7..5e1c37d2b4 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
@@ -1,16 +1,16 @@
---
title: Network security Configure encryption types allowed for Kerberos
description: Best practices, location, values and security considerations for the policy setting, Network security Configure encryption types allowed for Kerberos Win7 only.
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -32,7 +32,7 @@ For more information, see [KDC event ID 16 or 27 is logged if DES for Kerberos i
The following table lists and explains the allowed encryption types.
-
+
| Encryption type | Description and version support |
| - | - |
| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows 11, Windows Server 2008 R2, and later operating systems don't support DES by default. |
@@ -91,7 +91,7 @@ Don't configure this policy. This disablement will force the computers running W
### Potential impact
If you don't select any of the encryption types, computers running Windows Server 2008 R2, Windows 7 and Windows 10, might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol.
-
+
If you do select any encryption type, you'll lower the effectiveness of encryption for Kerberos authentication but you'll improve interoperability with computers running older versions of Windows.
Contemporary non-Windows implementations of the Kerberos protocol support RC4 and AES 128-bit and AES 256-bit encryption. Most implementations, including the MIT Kerberos protocol and the Windows Kerberos protocol, are deprecating DES encryption.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
index 7402fd0df1..c708a656d1 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
@@ -1,8 +1,8 @@
---
-title: Network security Do not store LAN Manager hash value on next password change
+title: Network security Do not store LAN Manager hash value on next password change
description: Best practices, security considerations, and more for the security policy setting, Network security Do not store LAN Manager hash value on next password change.
ms.assetid: 6452b268-e5ba-4889-9d38-db28f919af51
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings|Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings|Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
index 99826613ed..665eee915f 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
@@ -1,8 +1,8 @@
---
-title: Network security Force logoff when logon hours expire
+title: Network security Force logoff when logon hours expire
description: Best practices, location, values, policy management, and security considerations for the policy setting, Network security Force logoff when logon hours expire.
ms.assetid: 64d5dde4-58e4-4217-b2c4-73bd554ec926
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Disabled|
-| Default Domain Controller Policy| Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Disabled|
+| Default Domain Controller Policy| Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
index c6847770d4..57246a6f27 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
@@ -1,8 +1,8 @@
---
-title: Network security LAN Manager authentication level
+title: Network security LAN Manager authentication level
description: Best practices, location, values, policy management and security considerations for the policy setting, Network security LAN Manager authentication level.
ms.assetid: bbe1a98c-420a-41e7-9d3c-3a2fe0f1843e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -50,18 +50,18 @@ LAN Manager authentication includes the LM, NTLM, and NTLMv2 variants, and it's
- Send NTLMv2 responses only. Refuse LM & NTLM
- Not Defined
-The **Network security: LAN Manager authentication level** setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the
+The **Network security: LAN Manager authentication level** setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the
authentication level that servers accept. The following table identifies the policy settings, describes the setting, and identifies the security level used in the corresponding registry setting if you choose to use the registry to control this setting instead of the policy setting.
| Setting | Description | Registry security level |
| - | - | - |
-| Send LM & NTLM responses | Client devices use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 0|
-| Send LM & NTLM – use NTLMv2 session security if negotiated | Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 1|
-| Send NTLM response only| Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 2|
-| Send NTLMv2 response only | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 3|
-| Send NTLMv2 response only. Refuse LM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they'll accept only NTLM and NTLMv2 authentication.| 4|
-| Send NTLMv2 response only. Refuse LM & NTLM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they'll accept only NTLMv2 authentication.| 5|
-
+| Send LM & NTLM responses | Client devices use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 0|
+| Send LM & NTLM – use NTLMv2 session security if negotiated | Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 1|
+| Send NTLM response only| Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 2|
+| Send NTLMv2 response only | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 3|
+| Send NTLMv2 response only. Refuse LM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they'll accept only NTLM and NTLMv2 authentication.| 4|
+| Send NTLMv2 response only. Refuse LM & NTLM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they'll accept only NTLMv2 authentication.| 5|
+
### Best practices
- Best practices are dependent on your specific security and authentication requirements.
@@ -80,13 +80,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Send NTLMv2 response only|
-| DC Effective Default Settings | Send NTLMv2 response only|
-| Member Server Effective Default Settings | Send NTLMv2 response only|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Send NTLMv2 response only|
+| DC Effective Default Settings | Send NTLMv2 response only|
+| Member Server Effective Default Settings | Send NTLMv2 response only|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
index 3232a699e0..2199e96b47 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
@@ -1,8 +1,8 @@
---
-title: Network security LDAP client signing requirements
+title: Network security LDAP client signing requirements
description: Best practices, location, values, policy management and security considerations for the policy setting, Network security LDAP client signing requirements.
ms.assetid: 38b35489-eb5b-4035-bc87-df63de50509c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,13 +56,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Negotiate signing|
-| DC Effective Default Settings | Negotiate signing|
-| Member Server Effective Default Settings | Negotiate signing|
-| Client Computer Effective Default Settings | Negotiate signing|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Negotiate signing|
+| DC Effective Default Settings | Negotiate signing|
+| Member Server Effective Default Settings | Negotiate signing|
+| Client Computer Effective Default Settings | Negotiate signing|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
index cd6838a4f8..5bda79521f 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
@@ -1,8 +1,8 @@
---
-title: Network security Minimum session security for NTLM SSP based (including secure RPC) clients
+title: Network security Minimum session security for NTLM SSP based (including secure RPC) clients
description: Best practices and more for the security policy setting, Network security Minimum session security for NTLM SSP based (including secure RPC) clients.
ms.assetid: 89903de8-23d0-4e0f-9bef-c00cb7aebf00
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 07/27/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy| Not defined|
-| Stand-Alone Server Default Settings | Require 128-bit encryption|
-| DC Effective Default Settings | Require 128-bit encryption|
-| Member Server Effective Default Settings | Require 128-bit encryption|
-| Client Computer Effective Default Settings | Require 128-bit encryption|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy| Not defined|
+| Stand-Alone Server Default Settings | Require 128-bit encryption|
+| DC Effective Default Settings | Require 128-bit encryption|
+| Member Server Effective Default Settings | Require 128-bit encryption|
+| Client Computer Effective Default Settings | Require 128-bit encryption|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
index 701259d037..ebae59999d 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
@@ -1,8 +1,8 @@
---
-title: Network security Minimum session security for NTLM SSP based (including secure RPC) servers
+title: Network security Minimum session security for NTLM SSP based (including secure RPC) servers
description: Best practices and security considerations for the policy setting, Network security Minimum session security for NTLM SSP based (including secure RPC) servers.
ms.assetid: c6a60c1b-bc8d-4d02-9481-f847a411b4fc
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -51,13 +51,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy| Not defined|
-| Stand-Alone Server Default Settings | Require 128-bit encryption|
-| DC Effective Default Settings | Require 128-bit encryption|
-| Member Server Effective Default Settings | Require 128-bit encryption|
-| Client Computer Effective Default Settings | Require 128-bit encryption|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy| Not defined|
+| Stand-Alone Server Default Settings | Require 128-bit encryption|
+| DC Effective Default Settings | Require 128-bit encryption|
+| Member Server Effective Default Settings | Require 128-bit encryption|
+| Client Computer Effective Default Settings | Require 128-bit encryption|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
index 754a7cbc0e..b0e28dc0b1 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
@@ -1,8 +1,8 @@
---
-title: Network security Restrict NTLM Add remote server exceptions for NTLM authentication
+title: Network security Restrict NTLM Add remote server exceptions for NTLM authentication
description: Best practices, security considerations, and more for the policy setting, Network security Restrict NTLM Add remote server exceptions for NTLM authentication.
ms.assetid: 9b017399-0a54-4580-bfae-614c2beda3a1
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -59,13 +59,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not defined|
-| Member server effective default settings | Not defined|
-| Client computer effective default settings| Not defined|
-
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Client computer effective default settings| Not defined|
+
## Policy management
This section describes the features and tools that are available to help you manage this policy.
@@ -90,14 +90,14 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-When it has been determined that the NTLM authentication protocol shouldn't be used from a client device to any remote servers because you're required to use a more secure protocol such as Kerberos, there might be some client applications that still use NTLM. If so, and you set [Network Security:
+When it has been determined that the NTLM authentication protocol shouldn't be used from a client device to any remote servers because you're required to use a more secure protocol such as Kerberos, there might be some client applications that still use NTLM. If so, and you set [Network Security:
Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) to any of the deny options, those applications will fail because the outbound NTLM authentication traffic from the client computer will be blocked.
If you define an exception list of servers to which client devices are allowed to use NTLM authentication, then NTLM authentication traffic will continue to flow between those client applications and servers. The servers then are vulnerable to any malicious attack that takes advantage of security weaknesses in NTLM.
### Countermeasure
-When you use [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the remote
+When you use [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the remote
servers in your environment. When assessed, you'll have to determine on a case-by-case basis if NTLM authentication still minimally meets your security requirements. If not, the client application has to be upgraded to use something other than NTLM authentication.
### Potential impact
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
index c0ebdc1ba5..b6aa571487 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
@@ -1,8 +1,8 @@
---
-title: Network security Restrict NTLM Add server exceptions in this domain
+title: Network security Restrict NTLM Add server exceptions in this domain
description: Best practices, security considerations, and more for the security policy setting, Network security Restrict NTLM Add server exceptions in this domain.
ms.assetid: 2f981b68-6aa7-4dd9-b53d-d88551277cc0
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -59,12 +59,12 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
| Default domain policy| Not defined |
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not defined|
-| Member server effective default settings | Not defined|
-| Client computer effective default settings | Not defined|
-
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Client computer effective default settings | Not defined|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
@@ -89,10 +89,10 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-When it has been determined that the NTLM authentication protocol shouldn't be used within a domain because you're required to use a more secure protocol such as Kerberos, there might be some NTLM authentication traffic that is still present in the domain. If so, and you set Network Security:
+When it has been determined that the NTLM authentication protocol shouldn't be used within a domain because you're required to use a more secure protocol such as Kerberos, there might be some NTLM authentication traffic that is still present in the domain. If so, and you set Network Security:
[Network Security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) to any of the deny options, any NTLM authentication request will fail because the pass-through member server will block the NTLM request.
-If you define an exception list of servers in this domain to which client computers are allowed to use NTLM pass-through authentication, then NTLM authentication traffic will continue to flow between those servers, which make them vulnerable to any malicious attack that takes advantage of security
+If you define an exception list of servers in this domain to which client computers are allowed to use NTLM pass-through authentication, then NTLM authentication traffic will continue to flow between those servers, which make them vulnerable to any malicious attack that takes advantage of security
weaknesses in NTLM.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
index d5104ea5b7..c81152a791 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
@@ -1,8 +1,8 @@
---
-title: Network security Restrict NTLM Audit incoming NTLM traffic
+title: Network security Restrict NTLM Audit incoming NTLM traffic
description: Best practices, security considerations and more for the security policy setting, Network Security Restrict NTLM Audit incoming NTLM traffic.
ms.assetid: 37e380c2-22e1-44cd-9993-e12815b845cf
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -33,7 +33,7 @@ When this audit policy is enabled within Group Policy, it's enforced on any serv
When you enable this policy on a server, only authentication traffic to that server will be logged.
-When you enable this audit policy, it functions in the same way as the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy, but it doesn't actually block any traffic. Therefore, you can use it effectively to understand the
+When you enable this audit policy, it functions in the same way as the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy, but it doesn't actually block any traffic. Therefore, you can use it effectively to understand the
authentication traffic in your environment, and when you're ready to block that traffic, you can enable the Network Security: Restrict NTLM: Incoming NTLM traffic policy setting and select **Deny all accounts** or **Deny all domain accounts**.
### Possible values
@@ -66,13 +66,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not defined|
-| Member server effective default settings | Not defined|
-| Client computer effective default settings | Not defined|
-
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Client computer effective default settings | Not defined|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
index dbc99216c2..f79dd47f62 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
@@ -1,13 +1,13 @@
---
title: Network security Restrict NTLM Audit NTLM authentication in this domain
description: Best practices, security considerations, and more for the security policy setting, Network Security Restrict NTLM Audit NTLM authentication in this domain.
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -46,7 +46,7 @@ When you enable this audit policy, it functions in the same way as the **Network
The domain controller will log events for NTLM authentication requests to all servers in the domain when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain servers**.
- **Enable all**
-
+
The domain controller on which this policy is set will log all events for incoming NTLM traffic.
### Best practices
@@ -61,13 +61,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not defined|
-| Member server effective default settings | Not defined|
-| Client computer effective default settings | Not defined|
-
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Client computer effective default settings | Not defined|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
@@ -90,7 +90,7 @@ There are no security audit event policies that can be configured to view output
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
-NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB relay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the
+NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB relay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the
Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards.
### Vulnerability
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
index 3a547350da..5f964c33cc 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
@@ -1,8 +1,8 @@
---
-title: Network security Restrict NTLM Incoming NTLM traffic
+title: Network security Restrict NTLM Incoming NTLM traffic
description: Best practices, security considerations, and more for the security policy setting, Network Security Restrict NTLM Incoming NTLM traffic.
ms.assetid: c0eff7d3-ed59-4004-908a-2205295fefb8
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -60,13 +60,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
-| Default domain policy| Not defined|
+| Default domain policy| Not defined|
| Default domain controller policy | Not defined |
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not defined|
-| Member server effective default settings | Not defined|
-| Client computer effective default settings | Not defined|
-
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Client computer effective default settings | Not defined|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
@@ -101,7 +101,7 @@ When it has been determined that the NTLM authentication protocol shouldn't be u
### Potential impact
-If you configure this policy setting, numerous NTLM authentication requests could fail within your network, which could degrade productivity. Before implementing this change through this policy setting, set **Network security: Restrict NTLM: Audit Incoming NTLM traffic** to the same option so that
+If you configure this policy setting, numerous NTLM authentication requests could fail within your network, which could degrade productivity. Before implementing this change through this policy setting, set **Network security: Restrict NTLM: Audit Incoming NTLM traffic** to the same option so that
you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md).
## Related topics
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
index 61092a99fc..8b9e4f8973 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
@@ -1,13 +1,13 @@
---
title: Network security Restrict NTLM in this domain
description: Learn about best practices, security considerations and more for the security policy setting, Network Security Restrict NTLM NTLM authentication in this domain.
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.technology: itpro-security
ms.date: 12/31/2017
---
@@ -63,13 +63,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
-| Default domain policy| Not configured|
-| Default domain controller policy | Not configured|
+| Default domain policy| Not configured|
+| Default domain controller policy | Not configured|
| Stand-alone server default settings | Not configured|
-| Domain controller effective default settings | Not configured|
-| Member server effective default settings | Not configured |
-| Client computer effective default settings | Not configured|
-
+| Domain controller effective default settings | Not configured|
+| Member server effective default settings | Not configured |
+| Client computer effective default settings | Not configured|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
@@ -100,7 +100,7 @@ Malicious attacks on NTLM authentication traffic resulting in a compromised serv
### Countermeasure
-When it has been determined that the NTLM authentication protocol shouldn't be used within a network because you're required to use a more secure protocol such as the Kerberos protocol, then you can select one of several options that this security policy setting offers to restrict NTLM usage
+When it has been determined that the NTLM authentication protocol shouldn't be used within a network because you're required to use a more secure protocol such as the Kerberos protocol, then you can select one of several options that this security policy setting offers to restrict NTLM usage
within the domain.
### Potential impact
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
index 5aedc2eb5b..4869db61ec 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
@@ -1,8 +1,8 @@
---
-title: Network security Restrict NTLM Outgoing traffic
+title: Network security Restrict NTLM Outgoing traffic
description: Learn about best practices, security considerations and more for the policy setting, Network Security Restrict NTLM Outgoing NTLM traffic to remote servers.
ms.assetid: 63437a90-764b-4f06-aed8-a4a26cf81bd1
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 06/15/2022
ms.technology: itpro-security
---
@@ -34,7 +34,7 @@ Describes the best practices, location, values, management aspects, and security
The **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** policy setting allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system.
>**Warning:** Modifying this policy setting may affect compatibility with client computers, services, and applications.
-
+
### Possible values
- **Allow all**
@@ -65,13 +65,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not defined|
-| Member server effective default settings | Not defined|
-| Client computer effective default settings | Not defined|
-
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Client computer effective default settings | Not defined|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
index 34f17b6527..a00661af55 100644
--- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
@@ -8,7 +8,7 @@ manager: aaroncz
ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 06/07/2023
---
diff --git a/windows/security/threat-protection/security-policy-settings/password-policy.md b/windows/security/threat-protection/security-policy-settings/password-policy.md
index 70396092e7..1d6e578b5c 100644
--- a/windows/security/threat-protection/security-policy-settings/password-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/password-policy.md
@@ -1,8 +1,8 @@
---
-title: Password Policy
+title: Password Policy
description: An overview of password policies for Windows and links to information for each policy setting.
ms.assetid: aec1220d-a875-4575-9050-f02f9c54a3b6
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -50,14 +50,14 @@ The following topics provide a discussion of password policy implementation and
| Topic | Description |
| - | - |
-| [Enforce password history](enforce-password-history.md)| Describes the best practices, location, values, policy management, and security considerations for the **Enforce password history** security policy setting.|
-| [Maximum password age](maximum-password-age.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum password age** security policy setting.|
-| [Minimum password age](minimum-password-age.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password age** security policy setting.|
-| [Minimum password length](minimum-password-length.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting.|
+| [Enforce password history](enforce-password-history.md)| Describes the best practices, location, values, policy management, and security considerations for the **Enforce password history** security policy setting.|
+| [Maximum password age](maximum-password-age.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum password age** security policy setting.|
+| [Minimum password age](minimum-password-age.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password age** security policy setting.|
+| [Minimum password length](minimum-password-length.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting.|
| [Password must meet complexity requirements](password-must-meet-complexity-requirements.md) | Describes the best practices, location, values, and security considerations for the **Password must meet complexity requirements** security policy setting.|
-| [Store passwords using reversible encryption](store-passwords-using-reversible-encryption.md) | Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting.|
-
+| [Store passwords using reversible encryption](store-passwords-using-reversible-encryption.md) | Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting.|
+
## Related topics
- [Configure security policy settings](how-to-configure-security-policy-settings.md)
-
+
diff --git a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md
index e74ff5c974..15ffdec99c 100644
--- a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md
+++ b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md
@@ -1,8 +1,8 @@
---
-title: Perform volume maintenance tasks
+title: Perform volume maintenance tasks
description: Describes the best practices, location, values, policy management, and security considerations for the Perform volume maintenance tasks security policy setting.
ms.assetid: b6990813-3898-43e2-8221-c9c06d893244
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,13 +54,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators|
-| Stand-Alone Server Default Settings | Administrators|
-| DC Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators|
+| Stand-Alone Server Default Settings | Administrators|
+| DC Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/profile-single-process.md b/windows/security/threat-protection/security-policy-settings/profile-single-process.md
index f77e48438c..2bdc87455f 100644
--- a/windows/security/threat-protection/security-policy-settings/profile-single-process.md
+++ b/windows/security/threat-protection/security-policy-settings/profile-single-process.md
@@ -1,8 +1,8 @@
---
-title: Profile single process
+title: Profile single process
description: Describes the best practices, location, values, policy management, and security considerations for the Profile single process security policy setting.
ms.assetid: c0963de4-4f5e-430e-bfcd-dfd68e66a075
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators|
-| Stand-Alone Server Default Settings | Administrators|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings| Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators|
+| Stand-Alone Server Default Settings | Administrators|
+| Domain Controller Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings| Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
index 9c7b9de8c4..6be8f9269b 100644
--- a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
+++ b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
@@ -1,8 +1,8 @@
---
-title: Profile system performance
+title: Profile system performance
description: Best practices, location, values, policy management, and security considerations for the security policy setting, Profile system performance.
ms.assetid: ffabc3c5-9206-4105-94ea-84f597a54b2e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators|
-| Stand-Alone Server Default Settings | Administrators|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators|
+| Stand-Alone Server Default Settings | Administrators|
+| Domain Controller Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
index 34e5e2b851..590b49f09b 100644
--- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
+++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
@@ -1,8 +1,8 @@
---
-title: Recovery console Allow automatic administrative logon
+title: Recovery console Allow automatic administrative logon
description: Best practices, location, values, policy management, and security considerations for the policy setting, Recovery console Allow automatic administrative logon.
ms.assetid: be2498fc-48f4-43f3-ad09-74664e45e596
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -59,13 +59,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy| Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy| Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
index fdb56ca78e..08ca6beb3f 100644
--- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
+++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
@@ -1,8 +1,8 @@
---
-title: Recovery console Allow floppy copy and access to all drives and folders
+title: Recovery console Allow floppy copy and access to all drives and folders
description: Best practices, security considerations, and more for the policy setting, Recovery console Allow floppy copy and access to all drives and folders.
ms.assetid: a5b4ac0c-f33d-42b5-a866-72afa7cbd0bd
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,13 +56,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
index c0f395231c..253213f2c1 100644
--- a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
+++ b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
@@ -1,8 +1,8 @@
---
-title: Remove computer from docking station - security policy setting
+title: Remove computer from docking station - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Remove computer from docking station security policy setting.
ms.assetid: 229a385a-a862-4973-899a-413b1b5b6c30
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,13 +54,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators|
-| Stand-Alone Server Default Settings | Administrators|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators|
+| Stand-Alone Server Default Settings | Administrators|
+| Domain Controller Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
index 5079dab92d..d180d2acea 100644
--- a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
+++ b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
@@ -1,8 +1,8 @@
---
-title: Replace a process level token
+title: Replace a process level token
description: Describes the best practices, location, values, policy management, and security considerations for the Replace a process level token security policy setting.
ms.assetid: 5add02db-6339-489e-ba21-ccc3ccbe8745
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -57,13 +57,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
+| Default Domain Policy| Not defined|
| Default Domain Controller Policy | Network Service
Local Service |
-| Stand-Alone Server Default Settings | Network Service
Local Service|
-| Domain Controller Effective Default Settings | Network Service
Local Service|
-| Member Server Effective Default Settings | Network Service
Local Service|
-| Client Computer Effective Default Settings | Network Service
Local Service|
-
+| Stand-Alone Server Default Settings | Network Service
Local Service|
+| Domain Controller Effective Default Settings | Network Service
Local Service|
+| Member Server Effective Default Settings | Network Service
Local Service|
+| Client Computer Effective Default Settings | Network Service
Local Service|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
index ec962f77e0..44c6716d50 100644
--- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
+++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
@@ -1,8 +1,8 @@
---
-title: Reset account lockout counter after
+title: Reset account lockout counter after
description: Describes the best practices, location, values, and security considerations for the Reset account lockout counter after security policy setting.
ms.assetid: d5ccf6dd-5ba7-44a9-8e0b-c478d8b1442c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 11/02/2018
ms.technology: itpro-security
---
@@ -38,7 +38,7 @@ The disadvantage of a high setting is that users lock themselves out for an inco
### Best practices
-Determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements.
+Determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements.
[Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not applicable|
-| Domain controller effective default settings | Not defined|
-| Member server effective default settings | Not defined|
-| Client computer effective default settings | Not applicable|
-
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not applicable|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Client computer effective default settings | Not applicable|
+
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
diff --git a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
index ca2b72c717..f970ac8154 100644
--- a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
+++ b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
@@ -1,8 +1,8 @@
---
-title: Restore files and directories - security policy setting
+title: Restore files and directories - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Restore files and directories security policy setting.
ms.assetid: c673c0fa-6f49-4edd-8c1f-c5e8513f701d
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -58,13 +58,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-|Default Domain Policy | |
-| Default Domain Controller Policy| Administrators
Backup Operators
Server Operators|
-| Stand-Alone Server Default Settings | Administrators
Backup Operators|
-| Domain Controller Effective Default Settings | Administrators
Backup Operators
Server Operators|
-| Member Server Effective Default Settings | Administrators
Backup Operators|
-| Client Computer Effective Default Settings | Administrators
Backup Operators|
-
+|Default Domain Policy | |
+| Default Domain Controller Policy| Administrators
Backup Operators
Server Operators|
+| Stand-Alone Server Default Settings | Administrators
Backup Operators|
+| Domain Controller Effective Default Settings | Administrators
Backup Operators
Server Operators|
+| Member Server Effective Default Settings | Administrators
Backup Operators|
+| Client Computer Effective Default Settings | Administrators
Backup Operators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -93,7 +93,7 @@ This section describes how an attacker might exploit a feature or its configurat
An attacker with the **Restore files and directories** user right could restore sensitive data to a computer and overwrite data that is more recent, which could lead to loss of important data, data corruption, or a denial-of-service condition. Attackers could overwrite executable files that are used by legitimate administrators or system services with versions that include malicious software to grant themselves elevated privileges, compromise data, or install programs that provide continued access to the device
>**Note:** Even if the following countermeasure is configured, an attacker could restore data to a computer in a domain that is controlled by the attacker. Therefore, it is critical that organizations carefully protect the media that are used to back up data.
-
+
### Countermeasure
Ensure that only the local Administrators group is assigned the **Restore files and directories** user right unless your organization has clearly defined roles for backup and for restore personnel.
diff --git a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
index 7efca79530..78ea3fcb09 100644
--- a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
@@ -1,8 +1,8 @@
---
-title: Advanced security audit policy settings in brief
+title: Advanced security audit policy settings in brief
description: Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.
ms.assetid: 6BF9A642-DBC3-4101-94A3-B2316C553CE3
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md
index 39d6b0489e..de522cb6d3 100644
--- a/windows/security/threat-protection/security-policy-settings/security-options.md
+++ b/windows/security/threat-protection/security-policy-settings/security-options.md
@@ -1,7 +1,7 @@
---
title: Security options
description: Introduction to the Security Options settings of the local security policies plus links to more information.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.prod: windows-client
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
ms.date: 01/13/2023
ms.technology: itpro-security
-ms.topic: conceptual
+ms.topic: reference
---
# Security Options
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md
index 259ebfec01..9db7d59a20 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md
@@ -1,8 +1,8 @@
---
-title: Security policy settings reference
+title: Security policy settings reference
description: This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.
ms.assetid: ef5a4579-15a8-4507-9a43-b7ccddcb0ed1
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -33,10 +33,10 @@ Each policy setting described contains referential content such as a detailed ex
| Topic | Description |
| - | - |
-| [Account Policies](account-policies.md) | An overview of account policies in Windows and provides links to policy descriptions.|
-| [Audit Policy](audit-policy.md) | Provides information about basic audit policies that are available in Windows and links to information about each setting.|
-| [Security Options](security-options.md) | Provides an introduction to the settings under **Security Options** of the local security policies and links to information about each setting.|
-| [Advanced security audit policy settings](secpol-advanced-security-audit-policy-settings.md) | Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.|
+| [Account Policies](account-policies.md) | An overview of account policies in Windows and provides links to policy descriptions.|
+| [Audit Policy](audit-policy.md) | Provides information about basic audit policies that are available in Windows and links to information about each setting.|
+| [Security Options](security-options.md) | Provides an introduction to the settings under **Security Options** of the local security policies and links to information about each setting.|
+| [Advanced security audit policy settings](secpol-advanced-security-audit-policy-settings.md) | Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.|
| [User Rights Assignment](user-rights-assignment.md) | Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. |
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
index 397c3a1138..062aa06d3d 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
@@ -1,8 +1,8 @@
---
-title: Security policy settings
+title: Security policy settings
description: This reference topic describes the common scenarios, architecture, and processes for security settings.
ms.assetid: e7ac5204-7f6c-4708-a9f6-6af712ca43b9
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
index f6a3fe8228..def26ab7ef 100644
--- a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
+++ b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
@@ -1,8 +1,8 @@
---
-title: Shut down the system - security policy setting
+title: Shut down the system - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Shut down the system security policy setting.
ms.assetid: c8e8f890-153a-401e-a957-ba6a130304bf
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -58,13 +58,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Administrators
Backup Operators
Server Operators
Print Operators|
-| Stand-Alone Server Default Settings | Administrators
Backup Operators|
-| Domain Controller Effective Default Settings | Administrators
Backup Operators
Server Operators
Print Operators|
-| Member Server Effective Default Settings | Administrators
Backup Operators|
-| Client Computer Effective Default Settings | Administrators
Backup Operators
Users|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Administrators
Backup Operators
Server Operators
Print Operators|
+| Stand-Alone Server Default Settings | Administrators
Backup Operators|
+| Domain Controller Effective Default Settings | Administrators
Backup Operators
Server Operators
Print Operators|
+| Member Server Effective Default Settings | Administrators
Backup Operators|
+| Client Computer Effective Default Settings | Administrators
Backup Operators
Users|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
index a21dde7fda..672e91297b 100644
--- a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
@@ -1,8 +1,8 @@
---
-title: Shutdown Allow system to be shut down without having to log on
+title: Shutdown Allow system to be shut down without having to log on
description: Best practices, security considerations, and more for the security policy setting Shutdown Allow system to be shut down without having to log on.
ms.assetid: f3964767-5377-4416-8eb3-e14d553a7315
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security
This policy setting determines whether you can shut down a device without having to sign in to Windows. When you enable it, the **Shut Down** option is available on the sign-in screen in Windows. If you disable this setting, the **Shut Down** option is removed from the screen. To use the option, the user must sign in on the device successfully and have the **Shut down the system** user right.
-Users who access the console locally can shut down the system. Attackers or misguided users can connect to the server by using Remote Desktop Services, and then shut it down or restart it without having to identify themselves. A malicious user might also cause a temporary denial-of-service
+Users who access the console locally can shut down the system. Attackers or misguided users can connect to the server by using Remote Desktop Services, and then shut it down or restart it without having to identify themselves. A malicious user might also cause a temporary denial-of-service
condition from a local console by restarting or shutting down the server.
### Possible values
@@ -59,13 +59,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
index 7c6df9fb82..b40140dc0f 100644
--- a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
+++ b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
@@ -1,8 +1,8 @@
---
-title: Shutdown Clear virtual memory pagefile
+title: Shutdown Clear virtual memory pagefile
description: Describes the best practices, location, values, policy management and security considerations for the Shutdown Clear virtual memory pagefile security policy setting.
ms.assetid: 31400078-6c56-4891-a6df-6dfb403c4bc9
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,12 +12,12 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 08/01/2017
ms.technology: itpro-security
---
-# Shutdown: Clear virtual memory pagefile
+# Shutdown: Clear virtual memory pagefile
**Applies to**
- Windows 11
@@ -54,13 +54,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -78,7 +78,7 @@ This section describes how an attacker might exploit a feature or its configurat
Important information that is kept in real memory may be written periodically to the paging file to help Windows handle multitasking functions. An attacker who has physical access to a server that has been shut down could view the contents of the paging file. The attacker could move the system volume into a different device and then analyze the contents of the paging file. Although this process is time consuming, it could expose data that is cached from random access memory (RAM) to the paging file.
>**Caution:** An attacker who has physical access to the device could bypass this countermeasure by unplugging the computer from its power source.
-
+
### Countermeasure
Enable the **Shutdown: Clear virtual memory page file** setting. This configuration causes the operating system to clear the paging file when the device is shut down. The amount of time that is required to complete this process depends on the size of the page file. Because the process overwrites the storage area that is used by the page file several times, it could be several minutes before the device completely shuts down.
diff --git a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
index adb43f0fea..6b4584688f 100644
--- a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
+++ b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
@@ -1,8 +1,8 @@
---
-title: Store passwords using reversible encryption
+title: Store passwords using reversible encryption
description: Describes the best practices, location, values, and security considerations for the Store passwords using reversible encryption security policy setting.
ms.assetid: 57f958c2-f1e9-48bf-871b-0a9b3299e238
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -29,7 +29,7 @@ Describes the best practices, location, values, and security considerations for
The **Store password using reversible encryption** policy setting provides support for applications that use protocols that require the user's password for authentication. Storing encrypted passwords in a way that is reversible means that the encrypted passwords can be decrypted. A knowledgeable attacker who is able to break this encryption can then sign in to network resources by using the compromised account. For this reason, never enable **Store password using reversible encryption** for all users in the domain unless application requirements outweigh the need to protect password information.
-If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. Digest Authentication in Internet
+If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. Digest Authentication in Internet
Information Services (IIS) also requires that you enable this policy setting.
### Possible values
@@ -42,7 +42,7 @@ Information Services (IIS) also requires that you enable this policy setting.
Set the value for **Store password using reversible encryption** to Disabled. If you use CHAP through remote access or IAS, or Digest Authentication in IIS, you must set this value to **Enabled**. This setting presents a security risk when you apply the setting by using Group Policy on a user-by-user basis because it requires opening the appropriate user account object in Active Directory Users and Computers.
>**Note:** Do not enable this policy setting unless business requirements outweigh the need to protect password information.
-
+
### Location
**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\**
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| Disabled|
-| Default domain controller policy| Disabled|
-| Stand-alone server default settings | Disabled|
-| Domain controller effective default settings | Disabled|
-| Member server effective default settings | Disabled|
-| Effective GPO default settings on client computers | Disabled|
-
+| Default domain policy| Disabled|
+| Default domain controller policy| Disabled|
+| Stand-alone server default settings | Disabled|
+| Domain controller effective default settings | Disabled|
+| Member server effective default settings | Disabled|
+| Effective GPO default settings on client computers | Disabled|
+
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
diff --git a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
index 3949729b08..6744567fe3 100644
--- a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
+++ b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
@@ -1,8 +1,8 @@
---
-title: Synchronize directory service data
+title: Synchronize directory service data
description: Describes the best practices, location, values, policy management, and security considerations for the Synchronize directory service data security policy setting.
ms.assetid: 97b0aaa4-674f-40f4-8974-b4bfb12c232c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| Domain Controller Effective Default Settings | Enabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| Domain Controller Effective Default Settings | Enabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
index ce8f451033..597b9027a0 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
@@ -1,8 +1,8 @@
---
-title: System cryptography Force strong key protection for user keys stored on the computer
+title: System cryptography Force strong key protection for user keys stored on the computer
description: Best practices, security considerations, and more for the policy setting, System cryptography Force strong key protection for user keys stored on the computer.
ms.assetid: 8cbff267-881e-4bf6-920d-b583a5ff7de0
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| DC Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings| Not defined|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| DC Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings| Not defined|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
index 2d223e79b3..d660ac1952 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
@@ -1,8 +1,8 @@
---
-title: System cryptography Use FIPS compliant algorithms for encryption, hashing, and signing
+title: System cryptography Use FIPS compliant algorithms for encryption, hashing, and signing
description: Best practices, security considerations, and more for the policy setting System cryptography Use FIPS compliant algorithms for encryption, hashing, and signing
ms.assetid: 83988865-dc0f-45eb-90d1-ee33495eb045
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 11/16/2018
ms.technology: itpro-security
---
@@ -27,12 +27,12 @@ This security policy reference topic for the IT professional describes the best
## Reference
-The Federal Information Processing Standard (FIPS) 140 is a security implementation that is designed for certifying cryptographic software. Windows implements these certified algorithms to meet the requirements and standards for cryptographic modules for use by departments and agencies of the
+The Federal Information Processing Standard (FIPS) 140 is a security implementation that is designed for certifying cryptographic software. Windows implements these certified algorithms to meet the requirements and standards for cryptographic modules for use by departments and agencies of the
United States federal government.
**TLS/SSL**
-This policy setting determines whether the TLS/SSL security provider supports only the FIPS-compliant strong cipher suite known as TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA, which means that the provider only supports the TLS protocol as a client computer and as a server, if applicable. It uses only the
+This policy setting determines whether the TLS/SSL security provider supports only the FIPS-compliant strong cipher suite known as TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA, which means that the provider only supports the TLS protocol as a client computer and as a server, if applicable. It uses only the
Triple Data Encryption Standard (3DES) encryption algorithm for the TLS traffic encryption, only the Rivest-Shamir-Adleman (RSA) public key algorithm for the TLS key exchange and authentication, and only the Secure Hash Algorithm version 1 (SHA-1) hashing algorithm for the TLS hashing requirements.
**Encrypting File System (EFS)**
@@ -71,13 +71,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
### Operating system version differences
When this setting is enabled, the Encrypting File System (EFS) service supports only the Triple DES encryption algorithm for encrypting file data. By default, the Windows Vista and the Windows Server 2003 implementation of EFS uses the Advanced Encryption Standard (AES) with a 256-bit key. The Windows XP implementation uses DESX.
@@ -86,11 +86,11 @@ When this setting is enabled, BitLocker generates recovery password or recovery
| Operating systems | Applicability |
| - | - |
-| Windows 10, Windows 8.1, and Windows Server 2012 R2| When created on these operating systems, the recovery password can't be used on other systems listed in this table.|
-| Windows Server 2012 and Windows 8 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.|
-| Windows Server 2008 R2 and Windows 7 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.|
-| Windows Server 2008 and Windows Vista | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.|
-
+| Windows 10, Windows 8.1, and Windows Server 2012 R2| When created on these operating systems, the recovery password can't be used on other systems listed in this table.|
+| Windows Server 2012 and Windows 8 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.|
+| Windows Server 2008 R2 and Windows 7 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.|
+| Windows Server 2008 and Windows Vista | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -117,7 +117,7 @@ Enable the **System cryptography: Use FIPS compliant algorithms for encryption,
### Potential impact
-Client devices that have this policy setting enabled can't communicate through digitally encrypted or signed protocols with servers that don't support these algorithms. Network clients that don't support these algorithms can't use servers that require them for network communications. For example, many Apache-based Web servers aren't configured to support TLS. If you enable this setting, you must also configure Internet Explorer® to use TLS. This policy setting also affects the encryption level that is used for the Remote Desktop Protocol (RDP). The Remote Desktop Connection tool
+Client devices that have this policy setting enabled can't communicate through digitally encrypted or signed protocols with servers that don't support these algorithms. Network clients that don't support these algorithms can't use servers that require them for network communications. For example, many Apache-based Web servers aren't configured to support TLS. If you enable this setting, you must also configure Internet Explorer® to use TLS. This policy setting also affects the encryption level that is used for the Remote Desktop Protocol (RDP). The Remote Desktop Connection tool
uses the RDP protocol to communicate with servers that run Terminal Services and client computers that are configured for remote control; RDP connections fail if both devices aren't configured to use the same encryption algorithms.
## Related topics
diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
index ae93fe4482..3694fe2434 100644
--- a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
+++ b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
@@ -1,8 +1,8 @@
---
-title: System objects Require case insensitivity for non-Windows subsystems
+title: System objects Require case insensitivity for non-Windows subsystems
description: Best practices, security considerations and more for the security policy setting, System objects Require case insensitivity for non-Windows subsystems.
ms.assetid: 340d6769-8f33-4067-8470-1458978d1522
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
index 74bf9dee10..8358279b2d 100644
--- a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
@@ -1,8 +1,8 @@
---
-title: System objects Strengthen default permissions of internal system objects (for example, Symbolic Links)
+title: System objects Strengthen default permissions of internal system objects (for example, Symbolic Links)
description: Best practices and more for the security policy setting, System objects Strengthen default permissions of internal system objects (for example, Symbolic Links).
ms.assetid: 3a592097-9cf5-4fd0-a504-7cbfab050bb6
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -49,13 +49,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Enabled |
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
index af54bf48ab..ef7ca4315a 100644
--- a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
+++ b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
@@ -1,8 +1,8 @@
---
-title: System settings Optional subsystems
+title: System settings Optional subsystems
description: Describes the best practices, location, values, policy management, and security considerations for the System settings Optional subsystems security policy setting.
ms.assetid: 5cb6519a-4f84-4b45-8072-e2aa8a72fb78
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -50,13 +50,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | POSIX|
-| DC Effective Default Settings | POSIX|
-| Member Server Effective Default Settings| POSIX|
-| Client Computer Effective Default Settings | POSIX|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | POSIX|
+| DC Effective Default Settings | POSIX|
+| Member Server Effective Default Settings| POSIX|
+| Client Computer Effective Default Settings | POSIX|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
index 81fce5ee99..fee999b57a 100644
--- a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
+++ b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
@@ -1,8 +1,8 @@
---
-title: System settings Use certificate rules on Windows executables for Software Restriction Policies
+title: System settings Use certificate rules on Windows executables for Software Restriction Policies
description: Best practices and more for the security policy setting, System settings Use certificate rules on Windows executables for Software Restriction Policies.
ms.assetid: 2380d93b-b553-4e56-a0c0-d1ef740d089c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -37,7 +37,7 @@ This policy setting determines whether digital certificates are processed when s
### Best practices
-- Set this policy to **Enabled**. Enabling certificate rules results in software restriction policies checking a certificate revocation list (CRL) to make sure that the software's certificate and signature are valid. When you start signed programs, this setting can decrease system performance.
+- Set this policy to **Enabled**. Enabling certificate rules results in software restriction policies checking a certificate revocation list (CRL) to make sure that the software's certificate and signature are valid. When you start signed programs, this setting can decrease system performance.
You can disable CRLs by editing the software restriction policies in the desired GPO. In the **Trusted Publishers Properties** dialog box, clear the **Publisher** and **Timestamp** check boxes.
### Location
@@ -50,13 +50,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Disabled |
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md
index 179d04747b..39152767a9 100644
--- a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md
@@ -1,8 +1,8 @@
---
-title: Take ownership of files or other objects
+title: Take ownership of files or other objects
description: Describes the best practices, location, values, policy management, and security considerations for the Take ownership of files or other objects security policy setting.
ms.assetid: cb8595d1-74cc-4176-bb15-d97663eebb2d
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,13 +56,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators|
-| Stand-Alone Server Default Settings | Administrators|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators|
+| Stand-Alone Server Default Settings | Administrators|
+| Domain Controller Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -100,7 +100,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-Any users with the **Take ownership of files or other objects user right** can take control of any object, regardless of the permissions on that object, and then make any changes that they want to make to that object. Such changes could result in exposure of data, corruption of data, or a
+Any users with the **Take ownership of files or other objects user right** can take control of any object, regardless of the permissions on that object, and then make any changes that they want to make to that object. Such changes could result in exposure of data, corruption of data, or a
denial-of-service condition.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
index d4b0a95f6a..58989112e3 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
@@ -1,8 +1,8 @@
---
-title: User Account Control Admin Approval Mode for the Built-in Administrator account
+title: User Account Control Admin Approval Mode for the Built-in Administrator account
description: Best practices, security considerations, and more for the policy setting, User Account Control Admin Approval Mode for the Built-in Administrator account.
ms.assetid: d465fc27-1cd2-498b-9cf6-7ad2276e5998
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/08/2017
ms.technology: itpro-security
---
@@ -31,7 +31,7 @@ When the Admin Approval Mode is enabled, the local administrator account functio
> [!NOTE]
> If a computer is upgraded from a previous version of the Windows operating system, and the administrator account is the only account on the computer, the built-in administrator account remains enabled, and this setting is also enabled.
-
+
### Possible values
- Enabled
@@ -49,7 +49,7 @@ When the Admin Approval Mode is enabled, the local administrator account functio
To enable Admin Approval Mode, you must also configure the local security policy setting: [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) to **Prompt for consent on the secure desktop** and then click OK.
> [!NOTE]
-> After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt.
+> After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt.
### Location
@@ -62,12 +62,12 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
index 4d0f0eac5b..eb9a42ffeb 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
@@ -1,8 +1,8 @@
---
-title: User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop
+title: User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop
description: Best practices and more for the policy setting, User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop.
ms.assetid: fce20472-3c93-449d-b520-13c4c74a9892
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -30,7 +30,7 @@ Describes the best practices, location, values, and security considerations for
This security setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
>**Note:** This setting does not change the behavior of the UAC elevation prompt for administrators.
-
+
**Background**
User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI doesn't interfere with or change the behavior of messages between applications at the same privilege (or integrity) level.
@@ -39,7 +39,7 @@ Microsoft UI Automation is the current model to support accessibility requiremen
However, there might be times when an administrative user runs an application with elevated privilege based on UAC in Admin Approval Mode. Microsoft UI Automation can't drive the UI graphics of elevated applications on the desktop without the ability to bypass the restrictions that UIPI implements. The ability to bypass UIPI restrictions across privilege levels is available for UI automation programs by using UIAccess.
-If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy
+If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy
checks before starting an application with UIAccess privilege.
1. The application must have a digital signature that can be verified by using a digital certificate that is associated with the Trusted Root Certification Authorities store on the local computer.
@@ -78,13 +78,13 @@ The following table lists the actual and effective default values for this polic
Server type or GPO| Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
index b5175062ac..8acd28314d 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
@@ -1,8 +1,8 @@
---
-title: User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode
+title: User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode
description: Best practices and more for the security policy setting, User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode.
ms.assetid: 46a3c3a2-1d2e-4a6f-b5e6-29f9592f535d
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/08/2017
ms.technology: itpro-security
---
@@ -36,7 +36,7 @@ This policy setting determines the behavior of the elevation prompt for accounts
Assumes that the administrator will permit an operation that requires elevation, and more consent or credentials aren't required.
**Note** Selecting **Elevate without prompting** minimizes the protection that is provided by UAC. We don't recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure.
-
+
- **Prompt for credentials on the secure desktop**
When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
@@ -60,7 +60,7 @@ This policy setting determines the behavior of the elevation prompt for accounts
\*If you've enabled the built-in Administrator account and have configured Admin Approval Mode, you must also configure the option **Prompt for consent on the secure desktop**. You can also configure this option from User Account Control, by typing **UAC** in the search box. From the User Account Control Settings dialog box, set the slider control to **Notify me only when apps try to make changes to my computer (default)**.
> [!NOTE]
-> After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt.
+> After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt.
### Best practices
@@ -77,13 +77,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
+| Default Domain Policy | Not defined|
| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Prompt for consent for non-Windows binaries|
-| DC Effective Default Settings | Prompt for consent for non-Windows binaries|
-| Member Server Effective Default Settings | Prompt for consent for non-Windows binaries|
-| Client Computer Effective Default Settings | Prompt for consent for non-Windows binaries|
-
+| Stand-Alone Server Default Settings | Prompt for consent for non-Windows binaries|
+| DC Effective Default Settings | Prompt for consent for non-Windows binaries|
+| Member Server Effective Default Settings | Prompt for consent for non-Windows binaries|
+| Client Computer Effective Default Settings | Prompt for consent for non-Windows binaries|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
index 1d3ea2ed65..6a471c51bb 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
@@ -5,7 +5,7 @@ ms.author: vinpa
ms.prod: windows-client
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.date: 01/18/2023
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
index b18e302adf..ea22f7f177 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
@@ -1,8 +1,8 @@
---
-title: User Account Control Detect application installations and prompt for elevation
+title: User Account Control Detect application installations and prompt for elevation
description: Learn about best practices and more for the security policy setting, User Account Control Detect application installations and prompt for elevation.
ms.assetid: 3f8cb170-ba77-4c9f-abb3-c3ed1ef264fc
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
index e7e8643f8e..92d124a4f7 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
@@ -1,8 +1,8 @@
---
-title: User Account Control Only elevate executables that are signed and validated
+title: User Account Control Only elevate executables that are signed and validated
description: Best practices, security considerations, and more for the security policy setting, User Account Control Only elevate executables that are signed and validated.
ms.assetid: 64950a95-6985-4db6-9905-1db18557352d
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -58,13 +58,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
index 564d86f514..4aad366985 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
@@ -1,8 +1,8 @@
---
-title: Only elevate UIAccess app installed in secure location
+title: Only elevate UIAccess app installed in secure location
description: Learn about best practices and more for the policy setting, User Account Control Only elevate UIAccess applications that are installed in secure locations.
ms.assetid: 4333409e-a5be-4f2f-8808-618f53abd22c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -34,7 +34,7 @@ This policy setting enforces the requirement that apps that request running with
- \\Program Files (x86)\\ including subdirectories for 64-bit versions of Windows
>**Note:** Windows enforces a PKI signature check on any interactive application that requests running with a UIAccess integrity level, regardless of the state of this security setting.
-
+
**Background**
User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI doesn't interfere with or change the behavior of messages between applications at the same privilege (or integrity) level.
@@ -75,13 +75,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
index 8502ded0f0..97d8752204 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
index 90d853997d..9059607fe2 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
@@ -1,8 +1,8 @@
---
-title: User Account Control Switch to the secure desktop when prompting for elevation
+title: User Account Control Switch to the secure desktop when prompting for elevation
description: Best practices, security considerations, and more for the policy setting, User Account Control Switch to the secure desktop when prompting for elevation.
ms.assetid: 77a067db-c70d-4b02-9861-027503311b8b
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -45,7 +45,7 @@ The secure desktop’s primary difference from the user desktop is that only tru
### Best practices
-- Enable the **User Account Control: Switch to the secure desktop when prompting for elevation setting**. The secure desktop helps protect against input and output spoofing by presenting the credentials dialog box in a protected section of memory that is accessible only by trusted system
+- Enable the **User Account Control: Switch to the secure desktop when prompting for elevation setting**. The secure desktop helps protect against input and output spoofing by presenting the credentials dialog box in a protected section of memory that is accessible only by trusted system
processes.
### Location
@@ -58,13 +58,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
index e7bf8758a8..adb9f83c7e 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
@@ -1,8 +1,8 @@
---
-title: User Account Control Virtualize file and registry write failures to per-user locations
+title: User Account Control Virtualize file and registry write failures to per-user locations
description: Best practices, security considerations and more for the policy setting, User Account Control Virtualize file and registry write failures to per-user locations.
ms.assetid: a7b47420-cc41-4b1c-b03e-f67a05221261
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,13 +56,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value|
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
index 17f39e5b1f..3ca31c4fe8 100644
--- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
+++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
@@ -1,8 +1,8 @@
---
-title: User Rights Assignment
+title: User Rights Assignment
description: Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows.
ms.assetid: 99340252-60be-4c79-b0a5-56fbe1a9b0c5
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 12/16/2021
ms.technology: itpro-security
---
@@ -29,7 +29,7 @@ ms.technology: itpro-security
Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows.
User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the **User Rights Assignment** item.
-Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under
+Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under
**Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment**, or on the local device by using the Local Group Policy Editor (gpedit.msc).
For information about setting security policies, see [Configure security policy settings](how-to-configure-security-policy-settings.md).
@@ -38,53 +38,53 @@ The following table links to each security policy setting and provides the const
| Group Policy Setting | Constant Name |
| - | - |
-| [Access Credential Manager as a trusted caller](access-credential-manager-as-a-trusted-caller.md) | SeTrustedCredManAccessPrivilege|
-| [Access this computer from the network](access-this-computer-from-the-network.md) | SeNetworkLogonRight|
-| [Act as part of the operating system](act-as-part-of-the-operating-system.md) | SeTcbPrivilege|
-| [Add workstations to domain](add-workstations-to-domain.md) | SeMachineAccountPrivilege|
-| [Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md) | SeIncreaseQuotaPrivilege|
-| [Allow log on locally](allow-log-on-locally.md) | SeInteractiveLogonRight|
+| [Access Credential Manager as a trusted caller](access-credential-manager-as-a-trusted-caller.md) | SeTrustedCredManAccessPrivilege|
+| [Access this computer from the network](access-this-computer-from-the-network.md) | SeNetworkLogonRight|
+| [Act as part of the operating system](act-as-part-of-the-operating-system.md) | SeTcbPrivilege|
+| [Add workstations to domain](add-workstations-to-domain.md) | SeMachineAccountPrivilege|
+| [Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md) | SeIncreaseQuotaPrivilege|
+| [Allow log on locally](allow-log-on-locally.md) | SeInteractiveLogonRight|
| [Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md)| SeRemoteInteractiveLogonRight|
-| [Back up files and directories](back-up-files-and-directories.md) | SeBackupPrivilege|
-| [Bypass traverse checking](bypass-traverse-checking.md) | SeChangeNotifyPrivilege|
-| [Change the system time](change-the-system-time.md) | SeSystemtimePrivilege|
-| [Change the time zone](change-the-time-zone.md) | SeTimeZonePrivilege|
-| [Create a pagefile](create-a-pagefile.md) | SeCreatePagefilePrivilege|
-| [Create a token object](create-a-token-object.md) | SeCreateTokenPrivilege|
-| [Create global objects](create-global-objects.md) | SeCreateGlobalPrivilege|
-| [Create permanent shared objects](create-permanent-shared-objects.md) | SeCreatePermanentPrivilege|
-| [Create symbolic links](create-symbolic-links.md) | SeCreateSymbolicLinkPrivilege|
-| [Debug programs](debug-programs.md) | SeDebugPrivilege|
+| [Back up files and directories](back-up-files-and-directories.md) | SeBackupPrivilege|
+| [Bypass traverse checking](bypass-traverse-checking.md) | SeChangeNotifyPrivilege|
+| [Change the system time](change-the-system-time.md) | SeSystemtimePrivilege|
+| [Change the time zone](change-the-time-zone.md) | SeTimeZonePrivilege|
+| [Create a pagefile](create-a-pagefile.md) | SeCreatePagefilePrivilege|
+| [Create a token object](create-a-token-object.md) | SeCreateTokenPrivilege|
+| [Create global objects](create-global-objects.md) | SeCreateGlobalPrivilege|
+| [Create permanent shared objects](create-permanent-shared-objects.md) | SeCreatePermanentPrivilege|
+| [Create symbolic links](create-symbolic-links.md) | SeCreateSymbolicLinkPrivilege|
+| [Debug programs](debug-programs.md) | SeDebugPrivilege|
| [Deny access to this computer from the network](deny-access-to-this-computer-from-the-network.md)| SeDenyNetworkLogonRight |
-| [Deny log on as a batch job](deny-log-on-as-a-batch-job.md) | SeDenyBatchLogonRight|
+| [Deny log on as a batch job](deny-log-on-as-a-batch-job.md) | SeDenyBatchLogonRight|
| [Deny log on as a service](deny-log-on-as-a-service.md) | SeDenyServiceLogonRight |
-| [Deny log on locally](deny-log-on-locally.md) | SeDenyInteractiveLogonRight|
-| [Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)| SeDenyRemoteInteractiveLogonRight|
-| [Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)| SeEnableDelegationPrivilege|
-| [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md) | SeRemoteShutdownPrivilege|
-| [Generate security audits](generate-security-audits.md) | SeAuditPrivilege|
-| [Impersonate a client after authentication](impersonate-a-client-after-authentication.md)| SeImpersonatePrivilege|
-| [Increase a process working set](increase-a-process-working-set.md) | SeIncreaseWorkingSetPrivilege|
-| [Increase scheduling priority](increase-scheduling-priority.md) | SeIncreaseBasePriorityPrivilege|
-| [Load and unload device drivers](load-and-unload-device-drivers.md) | SeLoadDriverPrivilege|
-| [Lock pages in memory](lock-pages-in-memory.md) | SeLockMemoryPrivilege|
-| [Log on as a batch job](log-on-as-a-batch-job.md) | SeBatchLogonRight|
-| [Log on as a service](log-on-as-a-service.md) | SeServiceLogonRight|
-| [Manage auditing and security log](manage-auditing-and-security-log.md)| SeSecurityPrivilege|
-| [Modify an object label](modify-an-object-label.md) | SeRelabelPrivilege|
-| [Modify firmware environment values](modify-firmware-environment-values.md)| SeSystemEnvironmentPrivilege|
+| [Deny log on locally](deny-log-on-locally.md) | SeDenyInteractiveLogonRight|
+| [Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)| SeDenyRemoteInteractiveLogonRight|
+| [Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)| SeEnableDelegationPrivilege|
+| [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md) | SeRemoteShutdownPrivilege|
+| [Generate security audits](generate-security-audits.md) | SeAuditPrivilege|
+| [Impersonate a client after authentication](impersonate-a-client-after-authentication.md)| SeImpersonatePrivilege|
+| [Increase a process working set](increase-a-process-working-set.md) | SeIncreaseWorkingSetPrivilege|
+| [Increase scheduling priority](increase-scheduling-priority.md) | SeIncreaseBasePriorityPrivilege|
+| [Load and unload device drivers](load-and-unload-device-drivers.md) | SeLoadDriverPrivilege|
+| [Lock pages in memory](lock-pages-in-memory.md) | SeLockMemoryPrivilege|
+| [Log on as a batch job](log-on-as-a-batch-job.md) | SeBatchLogonRight|
+| [Log on as a service](log-on-as-a-service.md) | SeServiceLogonRight|
+| [Manage auditing and security log](manage-auditing-and-security-log.md)| SeSecurityPrivilege|
+| [Modify an object label](modify-an-object-label.md) | SeRelabelPrivilege|
+| [Modify firmware environment values](modify-firmware-environment-values.md)| SeSystemEnvironmentPrivilege|
| [Obtain an impersonation token for another user in the same session](impersonate-a-client-after-authentication.md) | SeDelegateSessionUserImpersonatePrivilege|
-| [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md) | SeManageVolumePrivilege|
-| [Profile single process](profile-single-process.md) | SeProfileSingleProcessPrivilege|
-| [Profile system performance](profile-system-performance.md) | SeSystemProfilePrivilege|
-| [Remove computer from docking station](remove-computer-from-docking-station.md) | SeUndockPrivilege|
-| [Replace a process level token](replace-a-process-level-token.md) | SeAssignPrimaryTokenPrivilege|
+| [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md) | SeManageVolumePrivilege|
+| [Profile single process](profile-single-process.md) | SeProfileSingleProcessPrivilege|
+| [Profile system performance](profile-system-performance.md) | SeSystemProfilePrivilege|
+| [Remove computer from docking station](remove-computer-from-docking-station.md) | SeUndockPrivilege|
+| [Replace a process level token](replace-a-process-level-token.md) | SeAssignPrimaryTokenPrivilege|
| [Restore files and directories](restore-files-and-directories.md) | SeRestorePrivilege |
-| [Shut down the system](shut-down-the-system.md) | SeShutdownPrivilege|
-| [Synchronize directory service data](synchronize-directory-service-data.md)| SeSyncAgentPrivilege|
-| [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md) | SeTakeOwnershipPrivilege|
+| [Shut down the system](shut-down-the-system.md) | SeShutdownPrivilege|
+| [Synchronize directory service data](synchronize-directory-service-data.md)| SeSyncAgentPrivilege|
+| [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md) | SeTakeOwnershipPrivilege|
+
-
## Related topics
- [Security policy settings reference](security-policy-settings-reference.md)
diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml
index c9468c7091..c40a04c723 100644
--- a/windows/whats-new/TOC.yml
+++ b/windows/whats-new/TOC.yml
@@ -20,6 +20,8 @@
- name: Windows 10
expanded: true
items:
+ - name: Extended Security Updates (ESU) program for Windows 10
+ href: extended-security-updates.md
- name: What's new in Windows 10, version 22H2
href: whats-new-windows-10-version-22H2.md
- name: What's new in Windows 10, version 21H2
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index 2e3845bfba..a612bfb38e 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
-ms.date: 11/07/2023
+ms.date: 12/20/2023
ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
@@ -19,7 +19,7 @@ appliesto:
# Deprecated features for Windows client
-Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client. For more information about features that have been removed, see [Windows features removed](removed-features.md).
+Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client. For more information about features that have been removed, see [Windows features removed](removed-features.md).
For more information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3).
@@ -27,6 +27,17 @@ To understand the distinction between *deprecation* and *removal*, see [Windows
The features in this article are no longer being actively developed, and might be removed in a future update. Some features have been replaced with other features or functionality and some are now available from other sources.
+> [!TIP]
+> You can use RSS to be notified when this page is updated. For example, the following RSS link includes this article:
+>
+> ``` url
+> https://learn.microsoft.com/api/search/rss?search=%22details+about+the+features+and+functionalities+that+are+no+longer+being+developed+in+Windows%22&locale=en-us&%24filter=%28category+eq+%27Documentation%27%29
+> ```
+>
+> This example includes the `&locale=en-us` variable. The `locale` variable is required, but you can change it to another supported locale. For example, `&locale=ja-jp`.
+>
+> For more information on using RSS for notifications, see [How to use the docs](/mem/use-docs#notifications) in the Intune documentation.
+
## Deprecated features
**The following list is subject to change and might not include every affected feature or functionality.**
@@ -34,18 +45,24 @@ The features in this article are no longer being actively developed, and might b
> [!NOTE]
> If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332).
-|Feature | Details and mitigation | Deprecation announced |
-| --- | --- | --- |
+| Feature | Details and mitigation | Deprecation announced |
+|---|---|---|
+| Windows Mixed Reality | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in a future release of Windows. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, and [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality) and Steam VR Beta. | December 2023 |
+| Microsoft Defender Application Guard for Edge | [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). Please download the [Microsoft Edge For Business Security Whitepaper](https://edgestatic.azureedge.net/shared/cms/pdfs/Microsoft_Edge_Security_Whitepaper_v2.pdf) to learn more about Edge for Business security capabilities. | December 2023 |
+| Legacy console mode | The [legacy console mode](/windows/console/legacymode) is deprecated and no longer being updated. In future Windows releases, it will be available as an optional [Feature on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). This feature won't be installed by default. | December 2023 |
+| Windows speech recognition | [Windows speech recognition](https://support.microsoft.com/windows/83ff75bd-63eb-0b6c-18d4-6fae94050571) is deprecated and is no longer being developed. This feature is being replaced with [voice access](https://support.microsoft.com/topic/4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). Voice access is available for Windows 11, version 22H2, or later devices. Currently, voice access supports five English locales: English - US, English - UK, English - India, English - New Zealand, English - Canada, and English - Australia. For more information, see [Setup voice access](https://support.microsoft.com/topic/set-up-voice-access-9fc44e29-12bf-4d86-bc4e-e9bb69df9a0e). | December 2023 |
+| Microsoft Defender Application Guard for Office | [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/app-guard-for-office-install), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated and will no longer be updated. We recommend transitioning to Microsoft Defender for Endpoint [attack surface reduction rules](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) along with [Protected View](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365#global-settings-for-safe-attachments) and [Windows Defender Application Control](/windows/security/application-security/application-control/windows-defender-application-control/wdac). | November 2023 |
+| Steps Recorder (psr.exe) | Steps Recorder is no longer being updated and will be removed in a future release of Windows. For screen recording, we recommend the Snipping Tool, Xbox Game Bar, or Microsoft Clipchamp. | November 2023 |
| Tips | The Tips app is deprecated and will be removed in a future release of Windows. Content in the app will continue to be updated with information about new Windows features until the app is removed. | November 2023 |
-| Computer Browser | The Computer Browser driver and service are deprecated. The browser (browser protocol and service) is a dated and insecure device location protocol. This protocol, service, and driver were first disabled by default in Windows 10 with the removal of the SMB1 service. For more information on Computer Browser, see [MS-BRWS Common Internet File System](/openspecs/windows_protocols/ms-brws/3cfbad92-09b3-4abc-808f-c6f6347d5677). | November 2023 |
+| Computer Browser | The Computer Browser driver and service are deprecated. The browser (browser protocol and service) is a dated and insecure device location protocol. This protocol, service, and driver were first disabled by default in Windows 10 with the removal of the SMB1 service. For more information on Computer Browser, see [MS-BRWS Common Internet File System](/openspecs/windows_protocols/ms-brws/3cfbad92-09b3-4abc-808f-c6f6347d5677). | November 2023 |
| Webclient (WebDAV) Service | The Webclient (WebDAV) service is deprecated. The Webclient service isn't started by default in Windows. For more information on WebDAV, see [WebDAV - Win32 apps](/windows/win32/webdav/webdav-portal). | November 2023 |
-| Remote Mailslots | Remote Mailslots are deprecated. The Remote Mailslot protocol is a dated, simple, unreliable, insecure IPC method first introduced in MS DOS. This protocol was first disabled by default in [Windows 11 Insider Preview Build ](https://blogs.windows.com/windows-insider/2023/03/08/announcing-windows-11-insider-preview-build-25314/). For more information on Remote Mailslots, see [About Mailslots](/windows/win32/ipc/about-mailslots) and [[MS-MAIL]: Remote Mailslot Protocol](/openspecs/windows_protocols/ms-mail/8ea19aa4-6e5a-4aed-b628-0b5cd75a1ab9).| November 2023 |
+| Remote Mailslots | Remote Mailslots are deprecated. The Remote Mailslot protocol is a dated, simple, unreliable, insecure IPC method first introduced in MS DOS. This protocol was first disabled by default in [Windows 11 Insider Preview Build ](https://blogs.windows.com/windows-insider/2023/03/08/announcing-windows-11-insider-preview-build-25314/). For more information on Remote Mailslots, see [About Mailslots](/windows/win32/ipc/about-mailslots) and [[MS-MAIL]: Remote Mailslot Protocol](/openspecs/windows_protocols/ms-mail/8ea19aa4-6e5a-4aed-b628-0b5cd75a1ab9).| November 2023 |
| Timeline for Microsoft Entra accounts | Cross-device syncing of Microsoft Entra user activity history will stop starting in January 2024. Microsoft will stop storing this data in the cloud, aligning with [the previous change for Microsoft accounts (MSA)](https://blogs.windows.com/windows-insider/2021/04/14/announcing-windows-10-insider-preview-build-21359) in 2021. The timeline user experience was retired in Windows 11, although it remains in Windows 10. The timeline user experience and all your local activity history still remains on Windows 10 devices. Users can access web history using their browser and access recent files through OneDrive and Office. | October 2023 |
| VBScript | VBScript is deprecated. In future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system. For more information, see [Resources for deprecated features](deprecated-features-resources.md#vbscript). | October 2023 |
| WordPad | WordPad is no longer being updated and will be removed in a future release of Windows. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt. | September 1, 2023 |
-| AllJoyn | Microsoft's implementation of AllJoyn which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) has been deprecated. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | August 17, 2023 |
-| TLS 1.0 and 1.1 | Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 will be disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | August 1, 2023|
-| Cortana in Windows | Cortana in Windows as a standalone app is deprecated. This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms. | June 2023 |
+| AllJoyn | Microsoft's implementation of AllJoyn, which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) has been deprecated. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | August 17, 2023 |
+| TLS 1.0 and 1.1 | Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 will be disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | August 1, 2023|
+| Cortana in Windows | Cortana in Windows as a standalone app is deprecated. This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms. | June 2023 |
| Microsoft Support Diagnostic Tool (MSDT) | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 |
| Universal Windows Platform (UWP) Applications for 32-bit Arm | This change is applicable only to devices with an Arm processor, for example Snapdragon processors from Qualcomm. If you have a PC built with a processor from Intel or AMD, this content isn't applicable. If you aren't sure which type of processor you have, check **Settings** > **System** > **About**. Support for 32-bit Arm versions of applications will be removed in a future release of Windows 11. After this change, for the small number of applications affected, app features might be different and you might notice a difference in performance. For more technical details about this change, see [Update app architecture from Arm32 to Arm64](/windows/arm/arm32-to-arm64). | January 2023 |
| Update Compliance | [Update Compliance](/windows/deployment/update/update-compliance-monitor), a cloud-based service for the Windows client, is no longer being developed. This service has been replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | November 2022|
@@ -82,7 +99,7 @@ The features in this article are no longer being actively developed, and might b
|RSA/AES Encryption for IIS | We recommend that users use CNG encryption provider. | 1709 |
|Screen saver functionality in Themes | Disabled in Themes. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 |
|Sync your settings (updated: August 17, 2017) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The **Sync your settings** options and the Enterprise State Roaming feature will continue to work. | 1709 |
-|System Image Backup (SIB) Solution|This feature is also known as the **Backup and Restore (Windows 7)** legacy control panel. For full-disk backup solutions, look for a third-party product from another software vendor. You can also use [OneDrive](/onedrive/) to sync data files with Microsoft 365.| 1709 |
+|System Image Backup (SIB) Solution|This feature is also known as the **Backup and Restore (Windows 7)** legacy control panel. For full-disk backup solutions, look for a third-party product from another software publisher. You can also use [OneDrive](/onedrive/) to sync data files with Microsoft 365.| 1709 |
|TLS RC4 Ciphers |To be disabled by default. For more information, see [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)| 1709 |
|Trusted Platform Module (TPM) Owner Password Management |This functionality within TPM.msc will be migrated to a new user interface.| 1709 |
|Trusted Platform Module (TPM): TPM.msc and TPM Remote Management | To be replaced by a new user interface in a future release. | 1709 |
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index ec64e498bc..21719523a0 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -38,12 +38,12 @@
"ms.collection": [
"tier2"
],
+ "zone_pivot_group_filename": "resources/zone-pivot-groups.json",
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-Windows",
"ms.topic": "article",
- "feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
+ "feedback_system": "Standard",
+ "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-whats-new",
diff --git a/windows/whats-new/extended-security-updates.md b/windows/whats-new/extended-security-updates.md
new file mode 100644
index 0000000000..01fdfd6394
--- /dev/null
+++ b/windows/whats-new/extended-security-updates.md
@@ -0,0 +1,74 @@
+---
+title: Extended Security Updates (ESU) program for Windows 10
+description: Learn about the Extended Security Updates (ESU) program for Windows 10. The ESU program gives customers the option to receive security updates for Windows 10.
+ms.prod: windows-client
+ms.technology: itpro-fundamentals
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.localizationpriority: medium
+ms.topic: conceptual
+ms.date: 11/01/2023
+ms.collection:
+ - highpri
+ - tier2
+appliesto:
+ - ✅ Windows 10
+---
+
+# Extended Security Updates (ESU) program for Windows 10
+
+
+The Windows 10 Extended Security Updates (ESU) program gives customers the option to receive security updates for PCs enrolled in the program. ESU is a paid program that provides individuals and organizations of all sizes with the option to extend the use of Windows 10 devices past the end of support date in a more secure manner. For more information about the Windows 10 lifecycle, see the [Windows Lifecycle FAQ](/lifecycle/faq/windows).
+
+Individuals or organizations who elect to continue using Windows 10 after support ends on October 14, 2025, will have the option of enrolling their PCs into a paid ESU subscription. The ESU program enables PCs to continue to receive critical and important security updates through an annual subscription service after support ends. The [Microsoft Security Response Center](https://msrc.microsoft.com/) defines the [severity rating for security updates](https://www.microsoft.com/msrc/security-update-severity-rating-system).
+
+
+## Device prerequisites
+
+To be eligible to install updates from the ESU program, devices must be running Windows 10, version 22H2.
+
+## Limitations
+
+ESUs doesn't include the following items:
+
+- New features
+- Customer-requested nonsecurity updates
+- Design change requests
+- General support won't be provided for Windows versions past the end of support date. Support will be available only to those organizations that purchase ESU for specific situations concerning the security updates. To get technical support, organizations must have an active [support plan](https://www.microsoft.com/enterprise/services/unified-support-solutions) in place.
+
+## Frequently asked questions
+
+The following are frequently asked questions about the ESU program for Windows 10:
+
+### How much does ESU cost?
+
+Final pricing and enrollment conditions will be made available closer to the October 2025 date for end of support, approximately one year before the end of support for Windows 10. ESU will be free for all Windows 365 customers. For more information about Windows 365, see [What is Windows 365?](/windows-365/overview).
+
+### Is there a minimum license purchase requirement for Windows 10 ESU?
+
+There are no minimum license purchase requirements for Windows 10 ESU.
+
+### Can ESUs be purchased for a specific duration?
+
+Customers can't buy partial periods, for instance, only six months. Extended Security Updates are transacted per year (12-month period), starting with the end of support date.
+
+### When will the ESU offer be available for licensing?
+
+Windows 10 ESU will be available in volume licensing starting about 12 months before the end of support date of Windows 10, or late 2024.
+
+### How long can I get security updates for?
+
+Enrolled PCs belonging to a commercial or educational organization can receive security updates for a maximum of three years after end of support for Windows 10.
+
+### Is technical support included in ESU?
+
+No, technical support isn't included in the ESU program. Microsoft will provide support for customers that encounter challenges related to the ESU.
+
+### Will Windows 10 PCs stop working without the ESU offering?
+
+Windows 10 PCs will continue to work, but we recommend customers upgrade eligible PCs to Windows 11 using Windows Autopatch, Microsoft Intune, or transition to a new Windows 11 PC for the best, most secure computing experience. Customers also have the option to migrate to the cloud and subscribe to Windows 365 to make Windows 11 available to users on any device with a Cloud PC. Beginning October 14, 2025, Microsoft will no longer provide the following for versions of Windows 10 that reach end of support on that date:
+
+- Technical support
+- Feature updates or new features
+- Quality updates (including security and reliability fixes)
diff --git a/windows/whats-new/feature-lifecycle.md b/windows/whats-new/feature-lifecycle.md
index ffbc2050c9..0c963dd3b4 100644
--- a/windows/whats-new/feature-lifecycle.md
+++ b/windows/whats-new/feature-lifecycle.md
@@ -6,9 +6,9 @@ ms.localizationpriority: medium
author: mestew
manager: aaroncz
ms.author: mstewart
-ms.topic: article
+ms.topic: conceptual
ms.technology: itpro-fundamentals
-ms.date: 10/28/2022
+ms.date: 12/15/2023
ms.collection:
- highpri
- tier2
@@ -18,7 +18,7 @@ appliesto:
---
# Windows client features lifecycle
-Each release of Windows 10 and Windows 11 contains many new and improved features. Occasionally we also remove features and functionality, usually because there is a better option.
+Each release of Windows 10 and Windows 11 contains many new and improved features. Occasionally we also remove features and functionality, usually because there's a better option.
## Windows 11 features
@@ -26,24 +26,24 @@ For information about features that are impacted when you upgrade from Windows 1
## Features no longer being developed
-The following topic lists features that are no longer being developed. These features might be removed in a future release.
+The following article lists features that are no longer being developed. These features might be removed in a future release.
[Deprecated Windows features](deprecated-features.md)
## Features removed
-The following topics have details about features that have been removed from Windows 10 or Windows 11. This includes features that are present in Windows 10, but are removed in Windows 11.
+The following article has details about features that have been removed from Windows 10 or Windows 11. This includes features that are present in Windows 10, but are removed in Windows 11.
[Removed Windows features](removed-features.md)
## Terminology
-The following terms can be used to describe the status that might be assigned to a feature during its lifecycle:
+The following terms can be used to describe the status that might be assigned to a feature during its lifecycle:
- **Deprecation**: The stage of the product lifecycle when a feature or functionality is no longer in active development and may be removed in future releases of a product or online service.
- **End of support**: The stage of the product lifecycle when support and servicing are no longer available for a product.
-- **Retirement**: The stage of the product lifecycle when an service is shut down so that it is no longer available for use.
-- **Remove or retire a feature**: The stage of the product lifecycle when a feature or functionality is removed from a service after it has been deprecated.
+- **Retirement**: The stage of the product lifecycle when a service is shut down so that it's no longer available for use.
+- **Remove or retire a feature**: The stage of the product lifecycle when a feature or functionality is taken out of a service after it has been marked as deprecated. The feature is removed from newer versions of Windows, but still exists in older versions and is supported until those versions reach **end of support** stage.
- **Replace a feature**: The stage of the product lifecycle when a feature or functionality in a service is replaced with a different feature or functionality.
## Also see
diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml
index 88f1b323b1..c34ac91e0d 100644
--- a/windows/whats-new/index.yml
+++ b/windows/whats-new/index.yml
@@ -48,12 +48,13 @@ landingContent:
linkLists:
- linkListType: whats-new
links:
+ - text: Extended Security Updates (ESU) program for Windows 10
+ url: extended-security-updates.md
- text: What's new in Windows 10, version 22H2
url: whats-new-windows-10-version-22h2.md
- text: What's new in Windows 10, version 21H2
url: whats-new-windows-10-version-21h2.md
- - text: What's new in Windows 10, version 21H1
- url: whats-new-windows-10-version-21h1.md
+
- title: Learn more
linkLists:
diff --git a/windows/whats-new/ltsc/index.yml b/windows/whats-new/ltsc/index.yml
index 4744f04260..aecd90e01a 100644
--- a/windows/whats-new/ltsc/index.yml
+++ b/windows/whats-new/ltsc/index.yml
@@ -15,7 +15,7 @@ metadata:
author: mestew
ms.author: mstewart
manager: aaroncz
- ms.date: 05/22/2023
+ ms.date: 12/18/2023
localization_priority: medium
landingContent:
diff --git a/windows/whats-new/ltsc/overview.md b/windows/whats-new/ltsc/overview.md
index 2faae9d8de..77fdc1e229 100644
--- a/windows/whats-new/ltsc/overview.md
+++ b/windows/whats-new/ltsc/overview.md
@@ -1,6 +1,6 @@
---
title: Windows 10 Enterprise LTSC overview
-description: New and updated IT Pro content about new features in Windows 10, LTSC (also known as Windows 10 LTSB).
+description: An overview of the Windows 10 long-term servicing channel (LTSC).
ms.prod: windows-client
author: mestew
ms.author: mstewart
@@ -8,42 +8,43 @@ manager: aaroncz
ms.localizationpriority: low
ms.topic: overview
ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
+ms.date: 12/18/2023
appliesto:
- ✅ Windows 10 Enterprise LTSC
---
# Windows 10 Enterprise LTSC
-This article provides links to information about what's new in each release of Windows 10 Enterprise LTSC, and includes a short description of this servicing channel.
+This article provides general information about the Windows 10 Enterprise long-term servicing channel (LTSC). For more information about the features in each available version of the Windows 10 LTSC, see the following articles:
-[What's New in Windows 10 Enterprise LTSC 2021](whats-new-windows-10-2021.md)
-[What's New in Windows 10 Enterprise LTSC 2019](whats-new-windows-10-2019.md)
-[What's New in Windows 10 Enterprise LTSC 2016](whats-new-windows-10-2016.md)
-[What's New in Windows 10 Enterprise LTSC 2015](whats-new-windows-10-2015.md)
+- [What's New in Windows 10 Enterprise LTSC 2021](whats-new-windows-10-2021.md)
+- [What's New in Windows 10 Enterprise LTSC 2019](whats-new-windows-10-2019.md)
+- [What's New in Windows 10 Enterprise LTSC 2016](whats-new-windows-10-2016.md)
+- [What's New in Windows 10 Enterprise LTSC 2015](whats-new-windows-10-2015.md)
-## The Long-Term Servicing Channel (LTSC)
+## The long-term servicing channel (LTSC)
-The following table summarizes equivalent feature update versions of Windows 10 LTSC and General Availability Channel (GA Channel) releases.
+The following table summarizes equivalent feature update versions of Windows 10 LTSC and general availability channel (GA channel) releases:
-| LTSC release | Equivalent GA Channel release | Availability date |
+| LTSC release | Equivalent GA channel release | Availability date |
| --- | --- | --- |
-| Windows 10 Enterprise LTSC 2015 | Windows 10, Version 1507 | 7/29/2015 |
-| Windows 10 Enterprise LTSC 2016 | Windows 10, Version 1607 | 8/2/2016 |
-| Windows 10 Enterprise LTSC 2019 | Windows 10, Version 1809 | 11/13/2018 |
| Windows 10 Enterprise LTSC 2021 | Windows 10, Version 21H2 | 11/16/2021 |
+| Windows 10 Enterprise LTSC 2019 | Windows 10, Version 1809 | 11/13/2018 |
+| Windows 10 Enterprise LTSC 2016 | Windows 10, Version 1607 | 8/2/2016 |
+| Windows 10 Enterprise LTSC 2015 | Windows 10, Version 1507 | 7/29/2015 |
> [!NOTE]
-> The Long-Term Servicing Channel was previously called the Long-Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB.
+> The long-term servicing channel was previously called the long-term servicing branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB.
-With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features from Windows 10 that could be updated with new functionality, including Cortana, Edge, and all in-box Universal Windows apps, are also not included. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades, or even skip releases. Microsoft is committed to providing bug fixes and security patches for each LTSC release during the extended LTSC servicing lifecycle. Always check your individual LTSC release to verify its servicing lifecycle. For more information, see [release information](/windows/release-health/release-information), or perform a search on the [product lifecycle information](/lifecycle/products/) page.
+With the LTSC servicing model, you can delay receiving *feature* updates and instead only receive monthly *quality* updates on devices. Features from Windows 10 that could be updated with new functionality, including Microsoft Edge and in-box Windows apps, are also not included. Feature updates are offered in new LTSC releases every several years instead of every few months. You can choose to install them as in-place upgrades, or even skip releases, what's best for your business requirements. Microsoft is committed to providing bug fixes and security patches for each LTSC release during the extended LTSC servicing lifecycle. Always check your individual LTSC release to verify its servicing lifecycle. For more information, see [release information](/windows/release-health/release-information), or search the [product lifecycle information](/lifecycle/products/) page.
> [!IMPORTANT]
-> The Long-Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181).
-
-For detailed information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview).
+> The long-term servicing channel isn't intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides a deployment option for special-purpose devices and environments. These devices typically do a single important task and don't need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC doesn't change for the lifetime of the release, over time there might be some external tools that don't continue to provide legacy support. For more information, see [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181).
-## See Also
+For more information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview).
-[What's New in Windows 10](../index.yml): See what’s new in other versions of Windows 10.
-[Windows 10 - Release information](/windows/release-health/release-information): Windows 10 current versions by servicing option.
+## See also
+
+- [What's new in Windows](../index.yml): See what's new in other versions of Windows.
+
+- [Windows 10 release information](/windows/release-health/release-information): Windows 10 current versions by servicing option.
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
index da9e6df080..66b1088247 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
@@ -2,20 +2,23 @@
title: What's new in Windows 10 Enterprise LTSC 2015
manager: aaroncz
ms.author: mstewart
-description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2015 (also known as Windows 10 Enterprise 2015 LTSB).
+description: New and updated IT pro content about new features in Windows 10 Enterprise LTSC 2015 (also known as Windows 10 Enterprise 2015 LTSB).
ms.prod: windows-client
author: mestew
ms.localizationpriority: low
-ms.topic: article
+ms.topic: conceptual
ms.technology: itpro-fundamentals
-ms.date: 02/26/2023
+ms.date: 12/18/2023
appliesto:
- ✅ Windows 10 Enterprise LTSC 2015
---
# What's new in Windows 10 Enterprise LTSC 2015
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](overview.md).
+This article lists new and updated features and content that are of interest to IT pros for Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](overview.md).
+
+> [!NOTE]
+> Windows 10 Enterprise LTSC 2015 was first available on July 29, 2015. Features in Windows 10 Enterprise LTSC 2015 are equivalent to Windows 10, version 1507.
## Deployment
@@ -29,24 +32,24 @@ With Windows 10, you can create provisioning packages that let you quickly and e
### AppLocker
-AppLocker was available for Windows 8.1, and is improved with Windows 10. See [Requirements to use AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker) for a list of operating system requirements.
+AppLocker was available for Windows 8.1, and is improved with Windows 10. See [Requirements to use AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker) for a list of operating system requirements.
Enhancements to AppLocker in Windows 10 include:
- A new parameter was added to the [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this parameter, set the **ServiceEnforcement** to **Enabled**.
- A new [AppLocker](/windows/client-management/mdm/applocker-csp) configuration service provider was added to allow you to enable AppLocker rules by using an MDM server.
-[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview).
+[Learn how to manage AppLocker within your organization](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview).
### BitLocker
Enhancements to AppLocker in Windows 10 include:
-- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This escrow will make it easier to recover your BitLocker key online.
-- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
-- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings."
+- **Encrypt and recover your device with Microsoft Entra**. In addition to using a Microsoft Account, automatic device encryption can now encrypt your devices that are joined to a Microsoft Entra domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Microsoft Entra. This escrow will make it easier to recover your BitLocker key online.
+- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-csp-dataprotection#allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
+- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more information, see [BitLocker preboot recovery screen](/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen).
-[Learn how to deploy and manage BitLocker within your organization](/windows/device-security/bitlocker/bitlocker-overview).
+[Learn how to deploy and manage BitLocker within your organization](/windows/security/operating-system-security/data-protection/bitlocker/).
### Certificate management
@@ -54,20 +57,22 @@ For Windows 10-based devices, you can use your MDM server to directly deploy cli
### Microsoft Passport
-In Windows 10, [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.
+In Windows 10, [Microsoft Passport](/windows/security/identity-protection/hello-for-business/deploy/requirements) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.
-Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services.
+Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Entra ID account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services.
### Security auditing
In Windows 10, security auditing has added some improvements:
+
- [New audit subcategories](#bkmk-auditsubcat)
- [More info added to existing audit events](#bkmk-moreinfo)
#### New audit subcategories
In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events:
-- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the sign-in session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource.
+
+- [Audit Group Membership](/windows/security/threat-protection/auditing/audit-handle-manipulation) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the sign-in session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource.
When this setting is configured, one or more security audit events are generated for each successful sign-in. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information can't fit in a single security audit event.
- [Audit PNP Activity](/windows/security/threat-protection/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device.
Only Success audits are recorded for this category. If you don't configure this policy setting, no audit event is generated when an external device is detected by plug and play.
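Review bot: The rewritten `- [Audit Group Membership](…)` line links to `/windows/security/threat-protection/auditing/audit-handle-manipulation`, which is the Handle Manipulation subcategory, not Group Membership, so an admin following it to set up logon-token group auditing lands on an unrelated policy. The sibling Audit PNP Activity entry two lines below uses the `/windows/security/threat-protection/auditing/audit-<subcategory>` pattern, so the intended target is presumably `/windows/security/threat-protection/auditing/audit-group-membership`; please confirm that path resolves before merging. Suggested change to that line's link only: `- [Audit Group Membership](/windows/security/threat-protection/auditing/audit-group-membership) Found in the Logon/Logoff audit category, …` with the rest of the sentence unchanged.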
@@ -76,6 +81,7 @@ In Windows 10, two new audit subcategories were added to the Advanced Audit Poli
#### More info added to existing audit events
With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events:
+
- [Changed the kernel default audit policy](#bkmk-kdal)
- [Added a default process SACL to LSASS.exe](#bkmk-lsass)
- [Added new fields in the logon event](#bkmk-logon)
@@ -96,6 +102,7 @@ This process-when enabled-can help identify attacks that steal credentials from
#### New fields in the sign-in event
The sign-in event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624:
+
1. **MachineLogon** String: yes or no
If the account that signed in to the PC is a computer account, this field will be yes. Otherwise, the field is no.
2. **ElevatedToken** String: yes or no
@@ -109,7 +116,6 @@ The sign-in event ID 4624 has been updated to include more verbose information t
A list of all of the groups in the user's token.
6. **RestrictedAdminMode** String: yes or no
If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes.
- For more info on restricted admin mode, see [Restricted Admin mode for RDP](/archive/blogs/kfalde/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2).
#### New fields in the process creation event
@@ -156,24 +162,25 @@ Event ID 4826 has been added to track the following changes to the Boot Configur
#### New PNP events
-Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller.
-
-[Learn how to manage your security audit policies within your organization](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319078(v=ws.11))
+Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn't expect this type of action, such as a domain controller.
### Trusted Platform Module
#### New TPM features in Windows 10
The following sections describe the new and changed functionality in the TPM for Windows 10:
+
- [Device health attestation](#bkmk-dha)
-- [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support
-- [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support
-- [Credential Guard](/windows/access-protection/credential-guard/credential-guard) support
+- [Microsoft Passport](/windows/security/identity-protection/hello-for-business/deploy/requirements) support
+- [Device Guard](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) support
+- [Credential Guard](/windows/security/identity-protection/credential-guard/) support
### Device health attestation
Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device health attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource.
+
Some things that you can check on the device are:
+
- Is Data Execution Prevention supported and enabled?
- Is BitLocker Drive Encryption supported and enabled?
- Is SecureBoot supported and enabled?
@@ -181,7 +188,7 @@ Some things that you can check on the device are:
> [!NOTE]
> The device must be running Windows 10 and it must support at least TPM 2.0.
-[Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview).
+[Learn how to deploy and manage TPM within your organization](/windows/security/hardware-security/tpm/trusted-platform-module-overview).
### User Account Control
@@ -189,13 +196,13 @@ User Account Control (UAC) helps prevent malware from damaging a computer and he
You shouldn't turn off UAC because such a setting isn't supportive of devices running Windows 10. If you do turn off UAC, all Universal Windows Platform apps stop working. You must always set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This setting isn't recommended for devices running Windows 10.
-For more info about how to manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings).
+For more info about how to manage UAC, see [UAC group policy settings and registry key settings](/windows/security/application-security/application-control/user-account-control/settings-and-configuration).
In Windows 10, User Account Control has added some improvements:
- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](/windows/win32/amsi/antimalware-scan-interface-portal) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked.
-[Learn how to manage User Account Control within your organization](/windows/access-protection/user-account-control/user-account-control-overview).
+[Learn how to manage User Account Control within your organization](/windows/security/application-security/application-control/user-account-control/).
### VPN profile options
@@ -207,7 +214,7 @@ Windows 10 provides a set of VPN features that both increase enterprise security
- Lock down VPN
- Integration with Microsoft Passport for Work
-[Learn more about the VPN options in Windows 10.](/windows/access-protection/vpn/vpn-profile-options)
+[Learn more about the VPN options in Windows 10.](/windows/security/operating-system-security/network-security/vpn/vpn-profile-options)
## Management
@@ -216,11 +223,11 @@ Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops
### MDM support
-MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more.
+MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Entra ID accounts, full control over the Microsoft Store, VPN configuration, and more.
-MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification.
+MDM support in Windows 10 is based on Open Mobile Alliance (OMA) Device Management (DM) protocol 1.2.1 specification.
-Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](/windows/client-management/mdm/)
+Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for mobile device management for Windows 10](/windows/client-management/mdm/)
### Unenrollment
@@ -265,17 +272,17 @@ Administrators can also use mobile device management (MDM) or Group Policy to di
## Updates
-Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service.
+Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft's Windows Update service.
-By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system that enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing:
+By using group policy objects, Windows Update for Business is an easily established and implemented system that enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing:
- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met).
- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth efficient.
-- **Use with existing tools** such as Microsoft Intune and the [Enterprise Mobility Suite](/enterprise-mobility-security).
+- **Use with existing tools** such as Microsoft Intune and Configuration Manager.
-Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, and provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)) and [Microsoft Configuration Manager](/configmgr).
+Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, and provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as Windows Server Update Services (WSUS) and [Microsoft Configuration Manager](/configmgr).
Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
index ba451305fd..9a932a1ef1 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
@@ -2,29 +2,29 @@
title: What's new in Windows 10 Enterprise LTSC 2016
manager: aaroncz
ms.author: mstewart
-description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2016 (also known as Windows 10 Enterprise 2016 LTSB).
+description: New and updated IT pro content about new features in Windows 10 Enterprise LTSC 2016 (also known as Windows 10 Enterprise 2016 LTSB).
ms.prod: windows-client
author: mestew
ms.localizationpriority: low
-ms.topic: article
+ms.topic: conceptual
ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
+ms.date: 12/18/2023
appliesto:
- ✅ Windows 10 Enterprise LTSC 2016
---
# What's new in Windows 10 Enterprise LTSC 2016
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2016 (LTSB), compared to Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](overview.md).
+This article lists new and updated features and content that are of interest to IT pros for Windows 10 Enterprise LTSC 2016 (LTSB), compared to Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](overview.md).
->[!NOTE]
->Features in Windows 10 Enterprise LTSC 2016 are equivalent to Windows 10, version 1607.
+> [!NOTE]
+> Windows 10 Enterprise LTSC 2016 was first available on August 2, 2016. Features in Windows 10 Enterprise LTSC 2016 are equivalent to Windows 10, version 1607.
## Deployment
### Windows Imaging and Configuration Designer (ICD)
-In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install more features for Windows ICD to run. Starting in this version of Windows 10, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit)
+In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install more features for Windows ICD to run. Starting in this version of Windows 10, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK](/windows-hardware/get-started/adk-install).
Windows ICD now includes simplified workflows for creating provisioning packages:
@@ -39,7 +39,7 @@ Windows ICD now includes simplified workflows for creating provisioning packages
>[!IMPORTANT]
>Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a General Availability Channel release.
-Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for more direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
+Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for more direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft's experience upgrading millions of devices to Windows 10.
With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they're known to Microsoft.
@@ -69,11 +69,11 @@ When Windows 10 was first shipped, it included Microsoft Passport and Windows He
Other changes for Windows Hello in Windows 10 Enterprise LTSC 2016:
-- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys.
+- Personal (Microsoft account) and corporate (Active Directory or Entra ID) accounts use a single container for keys.
- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**.
- Beginning in this version of Windows 10, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**.
-[Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification)
+[Learn more about Windows Hello for Business.](/windows/security/identity-protection/hello-for-business/deploy/requirements)
### BitLocker
@@ -101,7 +101,7 @@ Other changes for Windows Hello in Windows 10 Enterprise LTSC 2016:
### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP)
-With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
+With the increase of employee-owned devices in the enterprise, there's also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise's control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
@@ -125,20 +125,20 @@ Several new features and management options have been added to Windows Defender
With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Microsoft Defender for Endpoint is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks.
-[Learn more about Microsoft Defender for Endpoint](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
+[Learn more about Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/).
### VPN security
-- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients.
+- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Microsoft Entra ID, to provide a device compliance option for remote clients.
- The VPN client can integrate with Windows Information Protection (WIP) policy to provide extra security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection.
-- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew_1607)
+- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp)
- Microsoft Intune: *VPN* profile template includes support for native VPN plug-ins. For more information, see [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure).
## Management
-### Use Remote Desktop Connection for PCs joined to Azure Active Directory
+### Use Remote Desktop Connection for PCs joined to Microsoft Entra ID
-From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in this version of Windows 10, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](/windows/client-management/connect-to-remote-aadj-pc)
+From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in this version of Windows 10, you can also connect to a remote PC that is joined to Microsoft Entra ID. [Learn about the requirements and supported configurations.](/windows/client-management/connect-to-remote-aadj-pc)
### Taskbar configuration
@@ -146,7 +146,7 @@ Enterprise administrators can add and remove pinned apps from the taskbar. Users
### Mobile device management and configuration service providers (CSPs)
-Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for this version of Windows 10, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew_1607).
+Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for this version of Windows 10, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management).
### Shared PC mode
@@ -154,9 +154,9 @@ This version of Windows 10, introduces shared PC mode, which optimizes Windows 1
### Application Virtualization (App-V) for Windows 10
-Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally.
+Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service - in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally.
-With the release of this version of Windows 10, App-V is included with the Windows 10 for Enterprise edition. If you're new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users.
+With the release of this version of Windows 10, App-V is included with the Windows 10 for Enterprise edition. If you're new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you'll need to download, activate, and install server- and client-side components to start delivering virtual applications to users.
[Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started)
@@ -166,13 +166,13 @@ Many users customize their settings for Windows and for specific applications. C
With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users sign in, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they sign in to.
-With the release of this version of Windows 10, UE-V is included with the Windows 10 for Enterprise edition. If you're new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices.
+With the release of this version of Windows 10, UE-V is included with the Windows 10 for Enterprise edition. If you're new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you'll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices.
[Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows)
## Microsoft Edge
-The new chromium-based Microsoft Edge isn't included in the LTSC release of Windows 10. However, you can download and install it separately [here](https://www.microsoft.com/edge/business/download).
+The new chromium-based Microsoft Edge isn't included in the LTSC release of Windows 10. However, you can download and install it separately. For more information, see [Download and configure Microsoft Edge for Business](https://www.microsoft.com/edge/business/download).
## See Also
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 99cf0f87aa..2221b4ab44 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -8,7 +8,7 @@ author: mestew
ms.localizationpriority: medium
ms.topic: conceptual
ms.technology: itpro-fundamentals
-ms.date: 04/05/2023
+ms.date: 12/18/2023
appliesto:
- ✅ Windows 10 Enterprise LTSC 2019
---
@@ -17,8 +17,8 @@ appliesto:
This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2019, compared to Windows 10 Enterprise LTSC 2016 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](overview.md).
->[!NOTE]
->Features in Windows 10 Enterprise LTSC 2019 are equivalent to Windows 10, version 1809.
+> [!NOTE]
+> Windows 10 Enterprise LTSC 2019 was first available on November 13, 2018. Features in Windows 10 Enterprise LTSC 2019 are equivalent to Windows 10, version 1809.
Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as:
@@ -30,11 +30,12 @@ Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding pr
The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below.
>[!IMPORTANT]
->The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the General Availability Channel release of Windows 10 might be limited.
+>The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the general availability channel release of Windows 10 might be limited.
## Microsoft Intune
Microsoft Intune supports Windows 10 Enterprise LTSC 2019 with the following exception:
+
- [Update rings](/mem/intune/protect/windows-10-update-rings) can't be used for feature updates since Windows 10 LTSC versions don't receive feature updates. Update rings can be used for quality updates for Windows 10 Enterprise LTSC 2019 clients.
## Security
@@ -49,7 +50,7 @@ The [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/
##### Attack surface reduction
-Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access]/microsoft-365/security/defender-endpoint/enable-controlled-folders).
+Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access](/microsoft-365/security/defender-endpoint/enable-controlled-folders).
- This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We've made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether.
@@ -74,7 +75,7 @@ But these protections can also be configured separately. And, unlike HVCI, code
Endpoint detection and response are improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal.
-Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between Microsoft 365 services and interoperates with Microsoft Defender for Endpoint. Other policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus).
+Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between Microsoft 365 services and interoperates with Microsoft Defender for Endpoint. Other policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus).
We've also [increased the breadth of the documentation library for enterprise security admins](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows). The new library includes information on:
@@ -143,12 +144,7 @@ We've also added a new assessment for the Windows time service to the **Device p
We're continuing to work on how other security apps you've installed show up in the **Windows Security** app. There's a new page called **Security providers** that you can find in the **Settings** section of the app. Select **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers' apps or get more information on how to resolve issues reported to you through **Windows Security**.
-This improvement also means you'll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you'll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks).
-
-You can read more about ransomware mitigations and detection capability at:
-
-- [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://www.microsoft.com/security/blog/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/)
-- [Microsoft Malware Protection Center blog](https://www.microsoft.com/security/blog/category/research/ransomware/)
+This improvement also means you'll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you'll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks.
Also see [New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97)
@@ -170,11 +166,11 @@ This release enables support for WIP with Files on Demand, allows file encryptio
### BitLocker
-The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#configure-minimum-pin-length-for-startup).
+The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](/windows/security/operating-system-security/data-protection/bitlocker/configure#bitlocker-policy-settings).
#### Silent enforcement on fixed drives
-Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (Azure AD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard Azure AD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don't pass the HSTI.
+Through a modern device management (MDM) policy, BitLocker can be enabled silently for standard Microsoft Entra ID joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard Entra ID users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don't pass the HSTI.
This change is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) and used by Intune and others.
@@ -192,7 +188,7 @@ New features in [Windows Hello for Business](/windows/security/identity-protecti
- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more information, see [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset).
-Windows Hello for Business now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration).
+Windows Hello for Business now supports FIDO 2.0 authentication for Entra ID-joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration).
- Windows Hello is now password-less on S-mode.
@@ -212,18 +208,18 @@ For more information, see: [Windows Hello and FIDO2 Security Keys enable secure
Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
-Credential Guard has always been an optional feature, but Windows 10 in S mode turns on this functionality by default when the machine has been Azure Active Directory-joined. This feature provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode.
+Credential Guard has always been an optional feature, but Windows 10 in S mode turns on this functionality by default when the machine has been Entra ID-joined. This feature provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode.
> [!NOTE]
> Credential Guard is available only to S mode devices or Enterprise and Education Editions.
-For more information, see [Credential Guard Security Considerations](/windows/security/identity-protection/credential-guard/credential-guard-requirements#security-considerations).
+For more information, see [Credential Guard overview](/windows/security/identity-protection/credential-guard/credential-guard-requirements).
### Other security improvements
#### Windows security baselines
-Microsoft has released new [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security effect. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10).
+Microsoft has released new [Windows security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security effect. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10).
#### SMBLoris vulnerability
@@ -250,9 +246,9 @@ A new security policy setting
#### Windows 10 in S mode
-We've continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen:
+We've continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen:
-:::image type="content" source="../images/virus-and-threat-protection.png" alt-text="Screenshot of the Virus & threat protection settings in Windows.":::
+:::image type="content" source="../images/virus-and-threat-protection.png" alt-text="Screenshot of the Virus & threat protection settings in Windows 10 Enterprise LTSC 2019.":::
## Deployment
@@ -295,7 +291,7 @@ It's also now possible to run a script if the user rolls back their version of W
`/PostRollback
-> The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the General Availability Channel release of Windows 10 might be limited.
+> Windows 10 Enterprise LTSC 2021 was first available on November 16, 2021. Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2.
+>
+> The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the general availability channel release of Windows 10 might be limited.
Windows 10 Enterprise LTSC 2021 builds on Windows 10 Enterprise LTSC 2019, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities.
@@ -28,9 +29,9 @@ The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements
## Lifecycle
> [!IMPORTANT]
-> Windows 10 Enterprise LTSC 2021 has a 5 year lifecycle ([IoT Enterprise LTSC](/windows/iot/iot-enterprise/whats-new/windows-iot-enterprise-ltsc) continues to have a [10 year lifecycle](/lifecycle/products/windows-10-iot-enterprise-ltsc-2021)). Thus, the LTSC 2021 release is not a direct replacement for LTSC 2019, which has a 10 year lifecycle.
+> Windows 10 Enterprise LTSC 2021 has a 5 year lifecycle. ([IoT Enterprise LTSC](/windows/iot/iot-enterprise/whats-new/windows-iot-enterprise-ltsc) continues to have a [10 year lifecycle](/lifecycle/products/windows-10-iot-enterprise-ltsc-2021)). Thus, the LTSC 2021 release is not a direct replacement for LTSC 2019, which has a 10 year lifecycle.
-For more information about the lifecycle for this release, see [The next Windows 10 Long Term Servicing Channel (LTSC) release](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-next-windows-10-long-term-servicing-channel-ltsc-release/ba-p/2147232).
+For more information about the lifecycle for this release, see [The next Windows 10 long-term servicing channel (LTSC) release](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-next-windows-10-long-term-servicing-channel-ltsc-release/ba-p/2147232).
## Hardware security
@@ -52,7 +53,7 @@ There are already devices in the market today that offer SMM Firmware Protection
### Encryption and data protection
-BitLocker and Mobile Device Management (MDM) with Azure Active Directory work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM-managed devices. The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive.
+BitLocker and Mobile Device Management (MDM) with Microsoft Entra ID work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM-managed devices. The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive.
### Network security
@@ -97,11 +98,12 @@ Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)](
### App isolation
-[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device.
+[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device.
#### Microsoft Defender Application Guard
-[Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements include:
+[Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements include:
+
- Standalone users can install and configure their Windows Defender Application Guard settings without needing to change registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior.
- Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard's browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the Application Guard Edge browser. There's also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
@@ -119,10 +121,6 @@ Application Guard performance is improved with optimized document opening times:
- A memory issue is fixed that could cause an Application Guard container to use almost 1 GB of working set memory when the container is idle.
- The performance of Robocopy is improved when copying files over 400 MB in size.
-[Edge support for Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020.
-
-**Application Guard now supports Office**: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device.
-
### Application Control
[Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903, Windows Defender Application Control (WDAC) added many new features that light up key scenarios and provide feature parity with AppLocker.
@@ -140,12 +138,12 @@ Windows Hello enhancements include:
- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox.
- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign-in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
- Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
-- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (Microsoft account). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
+- Windows Hello for Business now has Microsoft Entra hybrid support and phone number sign-in (Microsoft account). FIDO2 security key support is expanded to Microsoft Entra hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
- With specialized hardware and software components available on devices shipping with Windows 10, version 20H2 configured out of factory, Windows Hello now offers added support for virtualization-based security with supporting fingerprint and face sensors. This feature isolates and secures a user's biometric authentication data.
- Windows Hello multi-camera support is added, allowing users to choose an external camera priority when both external and internal Windows Hello-capable cameras are present.
-- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less sign-in for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
+- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less sign-in for websites supporting FIDO2 authentication, such as Microsoft account and Entra ID.
- [Streamlined Windows Hello PIN reset experience](/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
-- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
+- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Microsoft Entra ID and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
### Credential protection
@@ -155,26 +153,19 @@ Windows Hello enhancements include:
### Privacy controls
-[Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone.
+[Microphone privacy settings](https://support.microsoft.com/windows/windows-camera-microphone-and-privacy-a83257bc-e990-d54a-d212-b5e41beba857): A microphone icon appears in the notification area letting you see which apps are using your microphone.
## Cloud Services
-### Microsoft Intune family of products
-
-Configuration Manager, Intune, Desktop Analytics, Co-Management, and the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) are now part of the [Microsoft endpoint management services](/mem/endpoint-manager-overview). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/).
-
-### Configuration Manager
-
-An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364).
-
-#### Microsoft Intune
+### Microsoft Intune
Microsoft Intune supports Windows 10 Enterprise LTSC 2021 with the following exception:
+
- [Update rings](/mem/intune/protect/windows-10-update-rings) can't be used for feature updates since Windows 10 LTSC versions don't receive feature updates. Update rings can be used for quality updates for Windows 10 Enterprise LTSC 2021 clients.
-A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action).
+A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/remote-actions/collect-diagnostics).
-Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information, see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group).
+Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information, see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status).
For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new).
@@ -189,7 +180,8 @@ Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a perf
#### Key-rolling and Key-rotation
-This release also includes two new features called Key-rolling and Key-rotation enables secure rolling of Recovery passwords on MDM-managed Azure Active Directory devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users.
+This release also includes two new features called key-rolling and key-rotation enables secure rolling of recovery passwords on MDM-managed Microsoft Entra ID devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users.
+
## Deployment
### SetupDiag
diff --git a/windows/whats-new/temporary-enterprise-feature-control.md b/windows/whats-new/temporary-enterprise-feature-control.md
index 122c8a1f8f..ba0ca795c1 100644
--- a/windows/whats-new/temporary-enterprise-feature-control.md
+++ b/windows/whats-new/temporary-enterprise-feature-control.md
@@ -73,5 +73,5 @@ The following features introduced through the monthly cumulative updates allow p
| The **Recommended** section of the **Start Menu** displays personalized website recommendations |[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)| No |**CSP**: ./Device/Vendor/MSFT/Policy/Config/Start/[HideRecoPersonalizedSites](/windows/client-management/mdm/policy-csp-start) **Group Policy**: Computer Configuration\Administrative Templates\Start Menu and Taskbar\\**Remove Personalized Website Recommendations from the Recommended section in the Start Menu**|
| **Recommended** section added to File Explorer Home for users signed into Windows with an Azure AD account. | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes | **CSP**:./Device/Vendor/MSFT/Policy/Config/FileExplorer/[DisableGraphRecentItems](/windows/client-management/mdm/policy-csp-fileexplorer#disablegraphrecentitems) **Group Policy**: Computer Configuration\Administrative Templates\Windows Components\File Explorer\\**Turn off files from Office.com in Quick Access View** **Note**: This control disables additional items beyond the **Recommended** items. Review the policy before implementing this control. |
| Transfer files to another PC using WiFi direct|[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)|Yes|**CSP**: ./Device/Vendor/MSFT/Policy/Config/Wifi/[AllowWiFiDirect](/windows/client-management/mdm/policy-csp-wifi#allowwifidirect)|
-| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot**|
+| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSP**: ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot**|
|Dev Drive | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSPs**: - ./Device/Vendor/MSFT/Policy/Config/FileSystem/[EnableDevDrive](/windows/client-management/mdm/policy-csp-filesystem#enableeeverive) - ./Device/Vendor/MSFT/Policy/Config/FileSystem/[DevDriveAttachPolicy](/windows/client-management/mdm/policy-csp-filesystem#devdriveattachpolicy) **Group Policies**: - Computer Configuration\Administrative Templates\System\FileSystem\\**Enable dev drive** - Computer Configuration\Administrative Templates\System\FileSystem\\**Dev drive filter attach policy**|
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index f4005118e9..c593f3baae 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -9,18 +9,19 @@ ms.localizationpriority: medium
ms.topic: article
ROBOTS: NOINDEX
ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
+ms.date: 11/17/2023
---
# What's new in Windows 10, version 1903 for IT Pros
**Applies to**
-- Windows 10, version 1903
+- Windows 10, version 1903.
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1903, also known as the Windows 10 May 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1809.
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1903, also known as the Windows 10 May 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1809.
>[!NOTE]
->New disk space requirement for Windows 10, version 1903 applies only to OEMs for the manufacture of new PCs. This new requirement does not apply to existing devices. PCs that don’t meet new device disk space requirements will continue to receive updates and the 1903 update will require about the same amount of free disk space as previous updates. For more information, see [Reserved storage](#reserved-storage).
+>
+>New disk space requirement for Windows 10, version 1903 applies only to OEMs for the manufacture of new PCs. This new requirement does not apply to existing devices. PCs that don't meet new device disk space requirements will continue to receive updates and the 1903 update will require about the same amount of free disk space as previous updates. For more information, see [Reserved storage](#reserved-storage).
## Deployment
@@ -28,36 +29,36 @@ This article lists new and updated features and content that are of interest to
[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later:
-- [Windows Autopilot for white glove deployment](/windows/deployment/windows-autopilot/white-glove) is new in this version of Windows. "White glove" deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users.
-- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
+- [Windows Autopilot for pre-provisioned deployment](/autopilot/pre-provision) is new in this version of Windows. Pre-provisioned deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users.
+- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
- [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
-- Windows Autopilot is self-updating during OOBE. From Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
-- Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
+- Windows Autopilot is self-updating during OOBE. From Windows 10, version 1903 Autopilot functional and critical updates begin downloading automatically during OOBE.
+- Windows Autopilot sets the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
### SetupDiag
-[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
+[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the `rules.xml` file, which is extracted when SetupDiag is run. The `rules.xml` file are updated as new versions of SetupDiag are made available.
### Reserved storage
-[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 or later pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10.
+[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327) sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage is enabled automatically on new PCs with Windows 10, version 1903 or later pre-installed, and for clean installs. It isn't enabled when updating from a previous version of Windows 10.
## Servicing
- [**Delivery Optimization**](/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). These new policies now support Microsoft 365 Apps for enterprise updates and Intune content.
-- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically sign in as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
-- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
+- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows automatically signs in as the user and lock their device in order to complete the update. This automatic sign-in ensures that when the user returns and unlocks the device, the update is completed.
+- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There's now a single, common start date for phased deployments (no more SAC-T designation). In addition, there's a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device backed up and run normally.
-- **Pause updates**: We've extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you'll need to update your device before pausing again.
-- **Improved update notifications**: When there’s an update requiring you to restart your device, you’ll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
-- **Intelligent active hours**: To further enhance active hours, users will now be able to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
-- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
+- **Pause updates**: The ability to pause updates for both feature and monthly updates is extended. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, the device needs to be updated before pausing again.
+- **Improved update notifications**: When there's an update requiring you to restart your device, a colored dot appears on the Power button in the Start menu and on the Windows icon in your taskbar.
+- **Intelligent active hours**: To further enhance active hours, users are now able to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
+- **Improved update orchestration to improve system responsiveness**: This feature improves system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
## Security
### Windows Information Protection
-With this release, Microsoft Defender for Endpoint extends discovery and protection of sensitive information with [Auto Labeling](/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files).
+With this release, Microsoft Defender for Endpoint extends discovery and protection of sensitive information with [Auto Labeling](/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files).
### Security configuration framework
@@ -73,72 +74,75 @@ The draft release of the [security configuration baseline settings](/archive/blo
### Microsoft Defender for Endpoint
-- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URL’s and IP addresses.
-- [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
- - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform.
- - Tamper-proofing capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
-- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.
+- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) - IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URLs and IP addresses.
+- [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) - Controls are extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
+ - Integrity enforcement capabilities - Enable remote runtime attestation of Windows 10 platform.
+ - Tamper-proofing capabilities - Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
+- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) - In addition to Windows 10, Microsoft Defender for Endpoint's functionality are extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.
-### Microsoft Defender for Endpoint next-gen protection technologies:
+### Microsoft Defender for Endpoint next-gen protection technologies
- **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware.
-- **Emergency outbreak protection**: Provides emergency outbreak protection that will automatically update devices with new intelligence when a new outbreak has been detected.
-- **Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place.
+- **Emergency outbreak protection**: Provides emergency outbreak protection that automatically updates devices with new intelligence when a new outbreak is detected.
+- **Certified ISO 27001 compliance**: Ensures that the cloud service is analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place.
- **Geolocation support**: Support geolocation and sovereignty of sample data and configurable retention policies.
### Threat Protection
- [Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device.
-- [Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone.
+- [Microphone privacy settings](https://support.microsoft.com/windows/windows-camera-microphone-and-privacy-a83257bc-e990-d54a-d212-b5e41beba857): A microphone icon appears in the notification area letting you see which apps are using your microphone.
-- [Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements:
+- [Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements:
- Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior.
- WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the WDAG Edge browser. There's also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
- To try this extension:
+ To try this extension:
1. Configure WDAG policies on your device.
2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension.
3. Follow any of the other configuration steps on the extension setup page.
4. Reboot the device.
5. Navigate to an untrusted site in Chrome and Firefox.
- - WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates.
+ - WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users are automatically redirected to their host default browser when they enter or select on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates.
- [Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903, Windows Defender Application Control has many new features that light up key scenarios and provide feature parity with AppLocker.
- - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): Windows Defender Application Control now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
- - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, Windows Defender Application Control has an option that allows admins to enforce at runtime that only code from paths that aren't user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it's authorized by something other than a path rule like a signer or hash rule.
- This functionality brings WDAC to parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that isn't available with AppLocker.
- - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, Windows Defender Application Control enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where more COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
+ - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): Windows Defender Application Control now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios:
+ 1. Enforce and audit side-by-side.
+ 1. Simpler targeting for policies with different scope/intent.
+ 1. expanding a policy using a new supplemental policy.
+ - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, Windows Defender Application Control has an option that allows admins to enforce at runtime that only code from paths that aren't user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files are checked for write permissions for unknown admins. If a file is found to be user writeable, the system blocks the executable from running unless it receives authorization from a source other than a path rule, such as a signer or hash rule.
+ - This functionality brings WDAC to parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time. This capability isn't available with AppLocker.
+ - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, Windows Defender Application Control enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers provided feedback that there are cases where more COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
#### System Guard
-[System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has added a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, OS memory and secrets are protected from SMM. There are currently no devices out there with compatible hardware, but they'll be coming out in the next few months.
+[System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner. Specifically, OS memory and secrets are protected from SMM.
-This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly:
+This new feature is displayed under the Device Security page with the string `Your device exceeds the requirements for enhanced hardware security` if configured properly:

### Identity Protection
-- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less sign-in for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
+- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less sign-in for websites supporting FIDO2 authentication, such as Microsoft account and Microsoft Entra ID.
- [Streamlined Windows Hello PIN reset experience](/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
-- Sign-in with [Password-less](/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience!
-- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
+- Sign-in with [Password-less](/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience.
+- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Microsoft Entra ID and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
### Security management
-- [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes.
-- [Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations.
+- [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes.
+- [Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations.
- [Tamper Protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features.
## Microsoft Edge
-Several new features are coming in the next version of Edge. For more information, see the [news from Build 2019](https://blogs.windows.com/msedgedev/2019/05/06/edge-chromium-build-2019-pwa-ie-mode-devtools/#2QJF4u970WjQ2Sv7.97).
+Several new features are coming in the next version of Microsoft Edge. For more information, see the [news from Build 2019](https://blogs.windows.com/msedgedev/2019/05/06/edge-chromium-build-2019-pwa-ie-mode-devtools/#2QJF4u970WjQ2Sv7.97).
## See Also
-[What's New in Windows Server, version 1903](/windows-server/get-started/whats-new-in-windows-server-1903-1909): New and updated features in Windows Server.
-[Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
-[What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
-[What's new in Windows 10](/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
-[What's new in Windows 10 for developers](https://blogs.windows.com/buildingapps/2019/04/18/start-developing-on-windows-10-may-2019-update-today/#2Lp8FUFQ3Jm8KVcq.97): New and updated features in Windows 10 that are of interest to developers.
+- [What's New in Windows Server, version 1903](/windows-server/get-started/whats-new-in-windows-server-1903-1909): New and updated features in Windows Server.
+- [Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
+- [What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10.
+- [What's new in Windows 10](/windows-hardware/get-started/what-s-new-in-windows): See what's new in Windows 10 hardware.
+- [What's new in Windows 10 for developers](https://blogs.windows.com/buildingapps/2019/04/18/start-developing-on-windows-10-may-2019-update-today/#2Lp8FUFQ3Jm8KVcq.97): New and updated features in Windows 10 that are of interest to developers.
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index d40de13c9d..5ab89168fd 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -55,7 +55,7 @@ Windows 10, version 1909 also includes two new features called **Key-rolling** a
### Transport Layer Security (TLS)
-An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 is disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/status/tls13/)
+An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 is disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog.
>[!NOTE]
>The experiental implementation of TLS 1.3 isn't supported. TLS 1.3 is only supported on Windows 11 and Server 2022. For more information, see [Protocols in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-).
diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md
index 3b134e5092..4f1f8db731 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H1.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H1.md
@@ -6,7 +6,7 @@ author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: high
-ms.topic: article
+ms.topic: conceptual
ms.collection:
- highpri
- tier2
diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md
index 8b06af0956..56b194f450 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H2.md
@@ -6,7 +6,7 @@ ms.prod: windows-client
ms.author: mstewart
author: mestew
ms.localizationpriority: medium
-ms.topic: article
+ms.topic: conceptual
ms.collection:
- highpri
- tier2
diff --git a/windows/whats-new/whats-new-windows-11-version-23h2.md b/windows/whats-new/whats-new-windows-11-version-23h2.md
index a6c474e939..7a178b1852 100644
--- a/windows/whats-new/whats-new-windows-11-version-23h2.md
+++ b/windows/whats-new/whats-new-windows-11-version-23h2.md
@@ -36,7 +36,7 @@ To learn more about the status of the update rollout, known issues, and new info
[Temporary enterprise feature control](temporary-enterprise-feature-control.md) temporarily turns off certain features that were introduced during monthly cumulative updates for managed Windows 11, version 22H2 devices. For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business.
-When a manged Windows 11, version 22H2 device installs [version 23H2](https://support.microsoft.com/kb/5027397), the following features will no longer under be under temporary enterprise feature control:
+When a managed Windows 11, version 22H2 device installs [version 23H2](https://support.microsoft.com/kb/5027397), the following features will no longer be under temporary enterprise feature control:
| Feature | KB article where the feature was introduced |
|---|---|