From 5975969e35854afceb029c033ad88805898f0d6d Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 11 Aug 2022 14:28:18 -0400
Subject: [PATCH 1/9] Updated metadata for security/identity topics
---
.../access-control/access-control.md | 13 ++++++------
.../access-control/local-accounts.md | 18 ++++++++--------
.../identity-protection/configure-s-mime.md | 10 +++++----
.../additional-mitigations.md | 7 +++----
.../credential-guard-considerations.md | 19 ++++++++---------
.../credential-guard-how-it-works.md | 20 ++++++++----------
.../credential-guard-known-issues.md | 21 ++++++++-----------
.../credential-guard-manage.md | 21 ++++++++-----------
...redential-guard-not-protected-scenarios.md | 19 ++++++++---------
.../credential-guard-protection-limits.md | 20 ++++++++----------
.../credential-guard-requirements.md | 6 +++---
.../credential-guard-scripts.md | 8 +++----
.../credential-guard/credential-guard.md | 21 +++++++++----------
.../credential-guard/dg-readiness-tool.md | 20 ++++++++----------
.../enterprise-certificate-pinning.md | 13 ++++++------
.../hello-hybrid-key-trust-prereqs.md | 6 +++---
.../retired/hello-how-it-works.md | 7 +++----
windows/security/identity-protection/index.md | 11 ++++++----
.../password-support-policy.md | 7 +++----
.../remote-credential-guard.md | 13 ++++++------
.../smart-card-and-remote-desktop-services.md | 16 +++++++-------
.../smart-cards/smart-card-architecture.md | 15 +++++++------
...rt-card-certificate-propagation-service.md | 15 +++++++------
...ertificate-requirements-and-enumeration.md | 15 +++++++------
.../smart-card-debugging-information.md | 14 ++++++++-----
.../smart-cards/smart-card-events.md | 15 +++++++------
...card-group-policy-and-registry-settings.md | 15 +++++++------
...how-smart-card-sign-in-works-in-windows.md | 14 ++++++++-----
.../smart-card-removal-policy-service.md | 15 +++++++------
...rt-card-smart-cards-for-windows-service.md | 15 +++++++------
.../smart-card-tools-and-settings.md | 15 +++++++------
...-windows-smart-card-technical-reference.md | 15 +++++++------
.../how-user-account-control-works.md | 18 ++++++++--------
...-group-policy-and-registry-key-settings.md | 19 ++++++++---------
.../user-account-control-overview.md | 18 ++++++++--------
...ccount-control-security-policy-settings.md | 19 ++++++++---------
...l-smart-card-deploy-virtual-smart-cards.md | 10 +++++----
.../virtual-smart-card-evaluate-security.md | 12 +++++------
.../virtual-smart-card-get-started.md | 12 +++++------
.../virtual-smart-card-overview.md | 12 +++++------
.../virtual-smart-card-tpmvscmgr.md | 12 +++++------
...smart-card-understanding-and-evaluating.md | 12 +++++------
...tual-smart-card-use-virtual-smart-cards.md | 12 +++++------
...man-protocol-over-ikev2-vpn-connections.md | 10 +++++----
...n-on-sso-over-vpn-and-wi-fi-connections.md | 10 +++++----
.../vpn/vpn-authentication.md | 14 ++++++-------
.../vpn/vpn-auto-trigger-profile.md | 14 ++++++-------
.../vpn/vpn-conditional-access.md | 14 ++++++-------
.../vpn/vpn-connection-type.md | 14 ++++++-------
.../identity-protection/vpn/vpn-guide.md | 16 ++++++--------
.../vpn/vpn-name-resolution.md | 14 ++++++-------
.../vpn/vpn-office-365-optimization.md | 11 +++++-----
.../vpn/vpn-profile-options.md | 15 ++++++-------
.../identity-protection/vpn/vpn-routing.md | 15 ++++++-------
.../vpn/vpn-security-features.md | 15 ++++++-------
...dential-theft-mitigation-guide-abstract.md | 13 ++++++------
.../includes/improve-request-performance.md | 6 +++---
.../security/includes/machineactionsnote.md | 6 +++---
.../includes/microsoft-defender-api-usgov.md | 6 +++---
.../security/includes/microsoft-defender.md | 5 +++--
windows/security/includes/prerelease.md | 6 +++---
61 files changed, 411 insertions(+), 408 deletions(-)
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
index 2dfc4dc841..737ce1fe9d 100644
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@@ -2,23 +2,22 @@
title: Access Control Overview (Windows 10)
description: Access Control Overview
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/18/2017
+appliesto:
+- ✅ Windows 10
+- ✅ Windows Server 2016
---
# Access Control Overview
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This topic for the IT professional describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing.
## Feature description
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index b6149dcddb..968204b78c 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -2,25 +2,25 @@
title: Local Accounts (Windows 10)
description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 06/17/2022
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Local Accounts
-**Applies to**
-- Windows 11
-- Windows 10
-- Windows Server 2019
-- Windows Server 2016
-
This reference article for IT professionals describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server.
## About local user accounts
diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
index 9184e9a43d..0f0491d86e 100644
--- a/windows/security/identity-protection/configure-s-mime.md
+++ b/windows/security/identity-protection/configure-s-mime.md
@@ -1,15 +1,17 @@
---
title: Configure S/MIME for Windows
description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them.
-ms.reviewer:
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/27/2017
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index 5be4c34c1e..96948106f5 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -3,13 +3,12 @@ title: Additional mitigations
description: Advice and sample code for making your domain environment more secure and robust with Windows Defender Credential Guard.
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 08/17/2017
-ms.reviewer:
---
# Additional mitigations
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
index 7b1cc141be..ef55b58405 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
@@ -3,23 +3,22 @@ title: Advice while using Windows Defender Credential Guard (Windows)
description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows.
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 08/31/2017
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Considerations when using Windows Defender Credential Guard
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016
-- Windows Server 2019
-
Passwords are still weak. We recommend that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, aren't supported.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
index 787063e450..c4d2fb93fc 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
@@ -3,24 +3,22 @@ title: How Windows Defender Credential Guard works
description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 08/17/2017
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# How Windows Defender Credential Guard works
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016
-- Windows Server 2019
-
-
Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based security and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
index b76dd3d133..f5ff5f5443 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
@@ -3,24 +3,21 @@ title: Windows Defender Credential Guard - Known issues (Windows)
description: Windows Defender Credential Guard - Known issues in Windows Enterprise
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 01/26/2022
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
-
# Windows Defender Credential Guard: Known issues
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016
-- Windows Server 2019
-
Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. So applications that require such capabilities won't function when it's enabled. For more information, see [Application requirements](credential-guard-requirements.md#application-requirements).
The following known issues have been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4):
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index a2392e3e3c..edf3023808 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -3,9 +3,9 @@ title: Manage Windows Defender Credential Guard (Windows)
description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools.
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-ms.author: v-tappelgate
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
@@ -13,17 +13,14 @@ ms.topic: article
ms.custom:
- CI 120967
- CSSTroubleshooting
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
-
# Manage Windows Defender Credential Guard
-
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016
-- Windows Server 2019
-- Windows Server 2022
-
## Enable Windows Defender Credential Guard
Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the [Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool](#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
index fba979bcbb..d555458c2e 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
@@ -3,23 +3,22 @@ title: Windows Defender Credential Guard protection limits & mitigations (Window
description: Scenarios not protected by Windows Defender Credential Guard in Windows, and additional mitigations you can use.
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 08/17/2017
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Windows Defender Credential Guard protection limits and mitigations
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016
-- Windows Server 2019
-
Prefer video? See [Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
in the Deep Dive into Windows Defender Credential Guard video series.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
index 1b47f91c82..6b5833f449 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
@@ -3,23 +3,21 @@ title: Windows Defender Credential Guard protection limits (Windows)
description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide.
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 08/17/2017
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
-
# Windows Defender Credential Guard protection limits
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016
-- Windows Server 2019
-
Some ways to store credentials are not protected by Windows Defender Credential Guard, including:
- Software that manages credentials outside of Windows feature protection
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index cd0217dffe..369d82abff 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -3,9 +3,9 @@ title: Windows Defender Credential Guard Requirements (Windows)
description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security.
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
index ac96f2cc37..f558fe1db3 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
@@ -3,18 +3,16 @@ title: Scripts for Certificate Issuance Policies in Windows Defender Credential
description: Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows.
ms.prod: m365-security
ms.localizationpriority: medium
-author: dulcemontemayor
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 08/17/2017
-ms.reviewer:
---
# Windows Defender Credential Guard: Scripts for Certificate Authority Issuance Policies
-
Here is a list of scripts mentioned in this topic.
## Get the available issuance policies on the certificate authority
diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md
index 08cb1d98b8..69edd2b832 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard.md
@@ -1,28 +1,27 @@
---
title: Protect derived domain credentials with Windows Defender Credential Guard (Windows)
description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
-ms.reviewer:
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.date: 03/10/2022
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Protect derived domain credentials with Windows Defender Credential Guard
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016
-- Windows Server 2019
-
-Introduced in Windows 10 Enterprise and Windows Server 2016, Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
+Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
By enabling Windows Defender Credential Guard, the following features and solutions are provided:
diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
index 1128ef5604..ad49319415 100644
--- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
+++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
@@ -3,23 +3,21 @@ title: Windows Defender Device Guard and Windows Defender Credential Guard hardw
description: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool script
ms.prod: m365-security
ms.localizationpriority: medium
-author: SteveSyfuhs
-ms.author: stsyfuhs
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
-**Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016
-- Windows Server 2019
-- Windows Server 2022
-
```powershell
# Script to find out if a machine is Device Guard compliant.
# The script requires a driver verifier present on the system.
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index bba1605784..62ef573756 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@@ -1,23 +1,22 @@
---
title: Enterprise Certificate Pinning
description: Enterprise certificate pinning is a Windows feature for remembering; or pinning a root issuing certificate authority, or end entity certificate to a given domain name.
-author: dulcemontemayor
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.prod: m365-security
ms.technology: windows-sec
ms.localizationpriority: medium
ms.date: 07/27/2017
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# Enterprise Certificate Pinning
-**Applies to**
-- Windows 10
-
Enterprise certificate pinning is a Windows feature for remembering, or pinning a root issuing certificate authority or end entity certificate to a given domain name.
Enterprise certificate pinning helps reduce man-in-the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 66fae5f56b..f5f0966e5a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -2,9 +2,9 @@
title: Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites (Windows Hello for Business)
description: Learn about the prerequisites for hybrid Windows Hello for Business deployments using key trust and what the next steps are in the deployment process.
ms.prod: m365-security
-author: mapalko
-ms.author: prsriva
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
index b703e6ea15..d594821d9b 100644
--- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
@@ -2,12 +2,11 @@
title: How Windows Hello for Business works (Windows)
description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business.
ms.prod: m365-security
-author: mapalko
ms.localizationpriority: high
-ms.author: mapalko
+author: paolomatarazzo
+ms.author: paoloma
ms.date: 10/16/2017
-ms.reviewer:
-manager: dansimp
+manager: aaroncz
ms.topic: article
appliesto:
- ✅ Windows 10
diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md
index 330cc0041d..ee523e79f7 100644
--- a/windows/security/identity-protection/index.md
+++ b/windows/security/identity-protection/index.md
@@ -2,18 +2,21 @@
title: Identity and access management (Windows 10)
description: Learn more about identity and access protection technologies in Windows.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 02/05/2018
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# Identity and access management
-Learn more about identity and access management technologies in Windows 10.
+Learn more about identity and access management technologies in Windows 10 and Windows 11.
| Section | Description |
|-|-|
diff --git a/windows/security/identity-protection/password-support-policy.md b/windows/security/identity-protection/password-support-policy.md
index 5cc29b63a0..a48a887b72 100644
--- a/windows/security/identity-protection/password-support-policy.md
+++ b/windows/security/identity-protection/password-support-policy.md
@@ -1,16 +1,15 @@
---
title: Technical support policy for lost or forgotten passwords
description: Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so.
-ms.reviewer: kaushika
-manager: kaushika
ms.custom:
- CI ID 110060
- CSSTroubleshoot
-ms.author: v-tappelgate
ms.prod: m365-security
-author: Teresa-Motiv
ms.topic: article
ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.date: 11/20/2019
---
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index a477d48218..4d160b97b2 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -2,22 +2,21 @@
title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10)
description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 01/12/2018
+appliesto:
+- ✅ Windows 10
+- ✅ Windows Server 2016
---
# Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
Administrator credentials are highly privileged and must be protected. By using Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, if the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never passed over the network to the target device.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index 101b50087d..01a9565fbd 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -2,20 +2,22 @@
title: Smart Card and Remote Desktop Services (Windows)
description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
-
# Smart Card and Remote Desktop Services
-Applies To: Windows 10, Windows 11, Windows Server 2016 and above
-
This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
The content in this topic applies to the versions of Windows that are designated in the **Applies To** list at the beginning of this topic. In these versions, smart card redirection logic and **WinSCard** API are combined to support multiple redirected sessions into a single process.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index ddc63b2e02..1a2c2875f0 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -2,20 +2,23 @@
title: Smart Card Architecture (Windows)
description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Smart Card Architecture
-Applies To: Windows 10, Windows 11, Windows Server 2016 and above
-
This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system, including credential provider architecture and the smart card subsystem architecture.
Authentication is a process for verifying the identity of an object or person. When you authenticate an object, such as a smart card, the goal is to verify that the object is genuine. When you authenticate a person, the goal is to verify that you are not dealing with an imposter.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
index ad0699cf6a..c326bf52c9 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
@@ -2,20 +2,23 @@
title: Certificate Propagation Service (Windows)
description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 08/24/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Certificate Propagation Service
-Applies To: Windows 10, Windows 11, Windows Server 2016 and above
-
This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
The certificate propagation service activates when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. Certificate propagation service actions are controlled by using Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index 701f3dccd8..011e339a2d 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -2,20 +2,23 @@
title: Certificate Requirements and Enumeration (Windows)
description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Certificate Requirements and Enumeration
-Applies To: Windows 10, Windows 11, Windows Server 2016 and above
-
This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
When a smart card is inserted, the following steps are performed.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index 50881d1ef8..6d5062261a 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -2,21 +2,25 @@
title: Smart Card Troubleshooting (Windows)
description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Smart Card Troubleshooting
-Applies To: Windows 10, Windows 11, Windows Server 2016 and above
-
This article explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
Debugging and tracing smart card issues requires a variety of tools and approaches. The following sections provide guidance about tools and approaches you can use.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md
index 9585fdfb5e..b9d9f10aba 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-events.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-events.md
@@ -2,20 +2,23 @@
title: Smart Card Events (Windows)
description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Smart Card Events
-Applies To: Windows 10, Windows 11, Windows Server 2016 and above
-
This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development.
A number of events can be used to monitor smart card activities on a computer, including installation, use, and errors. The following sections describe the events and information that can be used to manage smart cards in an organization.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
index 897140b630..bc23010ac3 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@@ -2,20 +2,23 @@
title: Smart Card Group Policy and Registry Settings (Windows)
description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 11/02/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Smart Card Group Policy and Registry Settings
-Applies to: Windows 10, Windows 11, Windows Server 2016 and above
-
This article for IT professionals and smart card developers describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards.
The following sections and tables list the smart card-related Group Policy settings and registry keys that can be set on a per-computer basis. If you use domain Group Policy Objects (GPOs), you can edit and apply Group Policy settings to local or domain computers.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
index 9fb023c25f..940e972066 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
@@ -2,21 +2,25 @@
title: How Smart Card Sign-in Works in Windows
description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# How Smart Card Sign-in Works in Windows
-Applies To: Windows 10, Windows 11, Windows Server 2016 and above
-
This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. It includes the following resources about the architecture, certificate management, and services that are related to smart card use:
- [Smart Card Architecture](smart-card-architecture.md): Learn about enabling communications with smart cards and smart card readers, which can be different according to the vendor that supplies them.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
index 5757f75aa1..099bd5dd51 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
@@ -2,20 +2,23 @@
title: Smart Card Removal Policy Service (Windows)
description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Smart Card Removal Policy Service
-Applies To: Windows 10, Windows 11, Windows Server 2016
-
This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
The smart card removal policy service is applicable when a user has signed in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
index 0345ccac67..af406d75ce 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
@@ -2,20 +2,23 @@
title: Smart Cards for Windows Service (Windows)
description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Smart Cards for Windows Service
-Applies To: Windows 10, Windows 11, Windows Server 2016 and above
-
This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service (formerly called Smart Card Resource Manager) manages readers and application interactions.
The Smart Cards for Windows service provides the basic infrastructure for all other smart card components as it manages smart card readers and application interactions on the computer. It is fully compliant with the specifications set by the PC/SC Workgroup. For information about these specifications, see the [PC/SC Workgroup Specifications website](https://pcscworkgroup.com/).
diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
index a7c1c2bfa4..db7acbd3e9 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
@@ -2,20 +2,23 @@
title: Smart Card Tools and Settings (Windows)
description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Smart Card Tools and Settings
-Applies To: Windows 10, Windows 11, Windows Server 2016 and above
-
This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
This section of the Smart Card Technical Reference contains information about the following:
diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
index 7f577b80dd..252b91210c 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
@@ -2,20 +2,23 @@
title: Smart Card Technical Reference (Windows)
description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Smart Card Technical Reference
-Applies To: Windows 10, Windows 11, Windows Server 2016 and above
-
The Smart Card Technical Reference describes the Windows smart card infrastructure for physical smart cards and how smart card-related components work in Windows. This document also contains information about tools that information technology (IT) developers and administrators can use to troubleshoot, debug, and deploy smart card-based strong authentication in the enterprise.
## Audience
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index ded2f140d2..29544db1a4 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -1,26 +1,26 @@
---
title: How User Account Control works (Windows)
description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
-ms.reviewer:
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/23/2021
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# How User Account Control works
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
## UAC process and interactions
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
index eb97277ed7..380668df8b 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
@@ -2,25 +2,24 @@
title: User Account Control Group Policy and registry key settings (Windows)
description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# User Account Control Group Policy and registry key settings
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
## Group Policy settings
There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings).
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
index 2e12c5d66e..bfb4495923 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
@@ -1,26 +1,26 @@
---
title: User Account Control (Windows)
description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop.
-ms.reviewer:
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.date: 09/24/2011
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# User Account Control
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
UAC allows all users to log on to their computers using a standard user account. Processes launched using a standard user token may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user permissions. Many apps, including those that are included with the operating system itself, are designed to work properly in this way.
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
index d5a71d6a7b..dc327b438c 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
@@ -1,27 +1,26 @@
---
title: User Account Control security policy settings (Windows)
description: You can use security policies to configure how User Account Control works in your organization.
-ms.reviewer:
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# User Account Control security policy settings
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
-
You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy.
## User Account Control: Admin Approval Mode for the Built-in Administrator account
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
index a6b311b8f1..763ba1f346 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
@@ -2,14 +2,16 @@
title: Deploy Virtual Smart Cards (Windows 10)
description: This topic for the IT professional discusses the factors to consider when you deploy a virtual smart card authentication solution.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows Server 2016
---
# Deploy Virtual Smart Cards
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
index cb90ff6746..703582c5a0 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
@@ -2,20 +2,20 @@
title: Evaluate Virtual Smart Card Security (Windows 10)
description: This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows Server 2016
---
# Evaluate Virtual Smart Card Security
-Applies To: Windows 10, Windows Server 2016
-
This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards.
## Virtual smart card non-exportability details
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
index a1371cb4aa..92cdfe8cdc 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
@@ -2,20 +2,20 @@
title: Get Started with Virtual Smart Cards - Walkthrough Guide (Windows 10)
description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows Server 2016
---
# Get Started with Virtual Smart Cards: Walkthrough Guide
-Applies To: Windows 10, Windows Server 2016
-
This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
Virtual smart cards are a technology from Microsoft, which offer comparable security benefits in two-factor authentication to physical smart cards. They also offer more convenience for users and lower cost for organizations to deploy. By utilizing Trusted Platform Module (TPM) devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired by smart cards: non-exportability, isolated cryptography, and anti-hammering.
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
index f81458d9ea..7d92df7bd0 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
@@ -2,20 +2,20 @@
title: Virtual Smart Card Overview (Windows 10)
description: Learn more about the virtual smart card technology that was developed by Microsoft. Find links to additional topics about virtual smart cards.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 10/13/2017
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows Server 2016
---
# Virtual Smart Card Overview
-Applies To: Windows 10, Windows Server 2016
-
This topic for IT professional provides an overview of the virtual smart card technology that was developed by Microsoft and includes [links to additional topics](#see-also) to help you evaluate, plan, provision, and administer virtual smart cards.
**Did you mean…**
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
index e6674037f9..37b59cb998 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
@@ -2,20 +2,20 @@
title: Tpmvscmgr (Windows 10)
description: This topic for the IT professional describes the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows Server 2016
---
# Tpmvscmgr
-Applies To: Windows 10, Windows Server 2016
-
The Tpmvscmgr command-line tool allows users with Administrative credentials to create and delete TPM virtual smart cards on a computer. For examples of how this command can be used, see [Examples](#examples).
## Syntax
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
index 49bd1fbfff..077d990d63 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
@@ -2,20 +2,20 @@
title: Understanding and Evaluating Virtual Smart Cards (Windows 10)
description: Learn how smart card technology can fit into your authentication design. Find links to additional topics about virtual smart cards.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows Server 2016
---
# Understanding and Evaluating Virtual Smart Cards
-Applies To: Windows 10, Windows Server 2016
-
This topic for the IT professional describes the virtual smart card technology that was developed by Microsoft; suggests how it can fit into your authentication design; and provides links to additional resources that you can use to design, deploy, and troubleshoot virtual smart cards.
Virtual smart card technology uses cryptographic keys that are stored on computers that have the Trusted Platform Module (TPM) installed. Virtual smart cards offer comparable security benefits to conventional smart cards by using two-factor authentication. The technology also offers more convenience for users and has a lower cost to deploy. By utilizing TPM devices that provide the same cryptographic capabilities as conventional smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering.
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
index 3d09432ada..6cb4ac6fc7 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
@@ -2,20 +2,20 @@
title: Use Virtual Smart Cards (Windows 10)
description: This topic for the IT professional describes requirements for virtual smart cards and provides information about how to use and manage them.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 10/13/2017
-ms.reviewer:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows Server 2016
---
# Use Virtual Smart Cards
-Applies To: Windows 10, Windows Server 2016
-
This topic for the IT professional describes requirements for virtual smart cards, how to use virtual smart cards, and tools that are available to help you create and manage them.
## Requirements, restrictions, and limitations
diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
index 647e58e84b..1901da61e7 100644
--- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@@ -2,12 +2,14 @@
title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10 and Windows 11)
description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
+author: paolomatarazzo
+ms.author: paoloma
ms.localizationpriority: medium
ms.date: 09/23/2021
-ms.reviewer:
-manager: dansimp
+manager: aaroncz
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# How to configure Diffie Hellman protocol over IKEv2 VPN connections
diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index 317751d40d..805b9b43ba 100644
--- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -2,11 +2,13 @@
title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10 and Windows 11)
description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections.
ms.prod: m365-security
-author: dansimp
+author: paolomatarazzo
ms.date: 03/22/2022
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
+manager: aaroncz
+ms.author: paolomatarazzo
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# How to use Single Sign-On (SSO) over VPN and Wi-Fi connections
diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md
index 65de4f3780..0338261376 100644
--- a/windows/security/identity-protection/vpn/vpn-authentication.md
+++ b/windows/security/identity-protection/vpn/vpn-authentication.md
@@ -2,20 +2,18 @@
title: VPN authentication options (Windows 10 and Windows 11)
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
ms.prod: m365-security
-author: dansimp
+author: paolomatarazzo
ms.localizationpriority: medium
ms.date: 09/23/2021
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
+manager: aaroncz
+ms.author: paolomatarazzo
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# VPN authentication options
-**Applies to**
-- Windows 10
-- Windows 11
-
In addition to older and less-secure password-based authentication methods (which should be avoided), the built-in VPN solution uses Extensible Authentication Protocol (EAP) to provide secure authentication using both user name and password, and certificate-based methods. You can only configure EAP-based authentication if you select a built-in VPN type (IKEv2, L2TP, PPTP or Automatic).
Windows supports a number of EAP authentication methods.
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
index 8b3e2dbebd..10acdcc913 100644
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@@ -2,20 +2,18 @@
title: VPN auto-triggered profile options (Windows 10 and Windows 11)
description: Learn about the types of auto-trigger rules for VPNs in Windows, which start a VPN when it is needed to access a resource.
ms.prod: m365-security
-author: dansimp
+author: paolomatarazzo
ms.localizationpriority: medium
ms.date: 09/23/2021
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
+manager: aaroncz
+ms.author: paolomatarazzo
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# VPN auto-triggered profile options
-**Applies to**
-- Windows 10
-- Windows 11
-
In Windows 10 and Windows 11, a number of features have been added to auto-trigger VPN so users won’t have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules:
- App trigger
diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md
index 0912af9374..dd2aca3c01 100644
--- a/windows/security/identity-protection/vpn/vpn-conditional-access.md
+++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md
@@ -2,22 +2,22 @@
title: VPN and conditional access (Windows 10 and Windows 11)
description: Learn how to integrate the VPN client with the Conditional Access Platform, so you can create access rules for Azure Active Directory (Azure AD) connected apps.
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.reviewer:
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.localizationpriority: medium
ms.date: 09/23/2021
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# VPN and conditional access
->Applies to: Windows 10 and Windows 11
-
The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.
>[!NOTE]
->Conditional Access is an Azure AD Premium feature.
+>Conditional Access is an Azure AD Premium feature.
Conditional Access Platform components used for Device Compliance include the following cloud-based services:
diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md
index 75b93889b6..9c2c579ad8 100644
--- a/windows/security/identity-protection/vpn/vpn-connection-type.md
+++ b/windows/security/identity-protection/vpn/vpn-connection-type.md
@@ -2,20 +2,18 @@
title: VPN connection types (Windows 10 and Windows 11)
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
ms.prod: m365-security
-author: dansimp
+author: paolomatarazzo
ms.localizationpriority: medium
ms.date: 08/23/2021
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
+manager: aaroncz
+ms.author: paolomatarazzo
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# VPN connection types
-**Applies to**
-- Windows 10
-- Windows 11
-
Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization’s private network.
There are many options for VPN clients. In Windows 10 and Windows 11, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured.
diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md
index 58fa8e9068..5b9eb1f2a9 100644
--- a/windows/security/identity-protection/vpn/vpn-guide.md
+++ b/windows/security/identity-protection/vpn/vpn-guide.md
@@ -2,22 +2,18 @@
title: Windows VPN technical guide (Windows 10 and Windows 11)
description: Learn about decisions to make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment.
ms.prod: m365-security
-author: dansimp
+author: paolomatarazzo
ms.localizationpriority: medium
ms.date: 02/21/2022
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
+manager: aaroncz
+ms.author: paolomatarazzo
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# Windows VPN technical guide
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
This guide will walk you through the decisions you will make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10 and Windows 11.
To create a Windows 10 VPN device configuration profile see: [Windows 10 and Windows Holographic device settings to add VPN connections using Intune](/mem/intune/configuration/vpn-settings-windows-10).
diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md
index fe3269e28b..bb3883d726 100644
--- a/windows/security/identity-protection/vpn/vpn-name-resolution.md
+++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md
@@ -2,20 +2,18 @@
title: VPN name resolution (Windows 10 and Windows 11)
description: Learn how the name resolution setting in the VPN profile configures how name resolution works when a VPN client connects to a VPN server.
ms.prod: m365-security
-author: dansimp
+author: paolomatarazzo
ms.localizationpriority: medium
ms.date: 09/23/2021
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
+manager: aaroncz
+ms.author: paolomatarazzo
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# VPN name resolution
-**Applies to**
-- Windows 10
-- Windows 11
-
When the VPN client connects to the VPN server, the VPN client receives the client IP address. The client may also receive the IP address of the Domain Name System (DNS) server and the IP address of the Windows Internet Name Service (WINS) server.
The name resolution setting in the VPN profile configures how name resolution should work on the system when VPN is connected. The networking stack first looks at the Name Resolution Policy table (NRPT) for any matches and tries a resolution in the case of a match. If no match is found, the DNS suffix on the most preferred interface based on the interface metric is appended to the name (in the case of a short name) and a DNS query is sent out on the preferred interface. If the query times out, the DNS suffix search list is used in order and DNS queries are sent on all interfaces.
diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
index 2022a4e863..69fb215d6e 100644
--- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
+++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
@@ -3,14 +3,15 @@ title: Optimizing Office 365 traffic for remote workers with the native Windows
description: tbd
ms.prod: m365-security
ms.topic: article
-author: kelleyvice-msft
ms.localizationpriority: medium
ms.date: 09/23/2021
-ms.reviewer:
-manager: dansimp
-ms.author: jajo
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
-
# Optimizing Office 365 traffic for remote workers with the native Windows 10 and Windows 11 VPN client
This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](/office365/enterprise/office-365-vpn-split-tunnel) for the *native Windows 10 and Windows 11 VPN client*. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling.
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index b0cd4195ee..4649674d84 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -1,22 +1,19 @@
---
title: VPN profile options (Windows 10 and Windows 11)
description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
-ms.reviewer:
-manager: dansimp
+manager: aaroncz
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
+author: paolomatarazzo
+ms.author: paoloma
ms.localizationpriority: medium
ms.date: 05/17/2018
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# VPN profile options
-**Applies to**
-
-- Windows 10
-- Windows 11
-
Most of the VPN settings in Windows 10 and Windows 11 can be configured in VPN profiles using Microsoft Intune or Microsoft Endpoint Configuration Manager. All VPN settings in Windows 10 and Windows 11 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
>[!NOTE]
diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md
index 291f5adaf9..2554d7de31 100644
--- a/windows/security/identity-protection/vpn/vpn-routing.md
+++ b/windows/security/identity-protection/vpn/vpn-routing.md
@@ -2,20 +2,17 @@
title: VPN routing decisions (Windows 10 and Windows 10)
description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
ms.prod: m365-security
-author: dansimp
+author: paolomatarazzo
ms.localizationpriority: medium
ms.date: 09/23/2021
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
+manager: aaroncz
+ms.author: paolomatarazzo
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
-
# VPN routing decisions
-**Applies to**
-- Windows 10
-- Windows 11
-
Network routes are required for the stack to understand which interface to use for outbound traffic. One of the most important decision points for VPN configuration is whether you want to send all the data through VPN (*force tunnel*) or only some data through the VPN (*split tunnel*). This decision impacts the configuration and the capacity planning, as well as security expectations from the connection.
## Split tunnel configuration
diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md
index 34d9f772e4..fffcd2a99e 100644
--- a/windows/security/identity-protection/vpn/vpn-security-features.md
+++ b/windows/security/identity-protection/vpn/vpn-security-features.md
@@ -2,21 +2,18 @@
title: VPN security features
description: Learn about security features for VPN, including LockDown VPN, Windows Information Protection integration with VPN, and traffic filters.
ms.prod: m365-security
-author: dansimp
+author: paolomatarazzo
ms.localizationpriority: medium
ms.date: 07/21/2022
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
+manager: aaroncz
+ms.author: paolomatarazzo
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# VPN security features
-**Applies to**
-- Windows 10
-- Windows 11
-
-
## Hyper-V based containers and VPN
Windows supports different kinds of Hyper-V based containers. This support includes, but isn't limited to, Microsoft Defender Application Guard and Windows Sandbox. When you use 3rd party VPN solutions, these Hyper-V based containers may not be able to seamlessly connect to the internet. Additional configurational changes might be needed to resolve connectivity issues.
diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
index abe5fd0462..ced8857c84 100644
--- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
+++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
@@ -1,22 +1,21 @@
---
title: Windows Credential Theft Mitigation Guide Abstract
description: Provides a summary of the Windows credential theft mitigation guide.
-ms.reviewer:
ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
---
# Windows Credential Theft Mitigation Guide Abstract
-**Applies to**
-- Windows 10
-
This topic provides a summary of the Windows credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx).
This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages:
diff --git a/windows/security/includes/improve-request-performance.md b/windows/security/includes/improve-request-performance.md
index 89b07558ea..24aaa25d9f 100644
--- a/windows/security/includes/improve-request-performance.md
+++ b/windows/security/includes/improve-request-performance.md
@@ -3,12 +3,12 @@ title: Improve request performance
description: Improve request performance
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security
-ms.author: macapara
-author: mjcaparas
ms.localizationpriority: medium
-manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
---
>[!TIP]
diff --git a/windows/security/includes/machineactionsnote.md b/windows/security/includes/machineactionsnote.md
index 5d784c2abe..31e3d1ac98 100644
--- a/windows/security/includes/machineactionsnote.md
+++ b/windows/security/includes/machineactionsnote.md
@@ -3,9 +3,9 @@ title: Perform a Machine Action via the Microsoft Defender for Endpoint API
description: This page focuses on performing a machine action via the Microsoft Defender for Endpoint API.
ms.date: 08/28/2017
ms.reviewer:
-manager: dansimp
-ms.author: macapara
-author: mjcaparas
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.prod: m365-security
---
diff --git a/windows/security/includes/microsoft-defender-api-usgov.md b/windows/security/includes/microsoft-defender-api-usgov.md
index 288e5a9769..74cfd90cbb 100644
--- a/windows/security/includes/microsoft-defender-api-usgov.md
+++ b/windows/security/includes/microsoft-defender-api-usgov.md
@@ -3,10 +3,10 @@ title: Microsoft Defender for Endpoint API URIs for US Government
description: Microsoft Defender for Endpoint API URIs for US Government
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security
-ms.author: macapara
-author: mjcaparas
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.localizationpriority: medium
-manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
---
diff --git a/windows/security/includes/microsoft-defender.md b/windows/security/includes/microsoft-defender.md
index f3a6cb666b..2bca659e04 100644
--- a/windows/security/includes/microsoft-defender.md
+++ b/windows/security/includes/microsoft-defender.md
@@ -4,8 +4,9 @@ description: A note in regard to important Microsoft 365 Defender guidance.
ms.date:
ms.reviewer:
manager: dansimp
-ms.author: dansimp
-author: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.prod: m365-security
ms.topic: include
---
diff --git a/windows/security/includes/prerelease.md b/windows/security/includes/prerelease.md
index bced58da9f..58b056c484 100644
--- a/windows/security/includes/prerelease.md
+++ b/windows/security/includes/prerelease.md
@@ -3,9 +3,9 @@ title: Microsoft Defender for Endpoint Pre-release Disclaimer
description: Disclaimer for pre-release version of Microsoft Defender for Endpoint.
ms.date: 08/28/2017
ms.reviewer:
-manager: dansimp
-ms.author: macapara
-author: mjcaparas
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.prod: m365-security
---
From 262933005c345c8b9086d4808f6090c9ac9c3143 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 11 Aug 2022 14:35:37 -0400
Subject: [PATCH 2/9] updated ms.author
---
...-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md | 2 +-
windows/security/identity-protection/vpn/vpn-authentication.md | 2 +-
.../identity-protection/vpn/vpn-auto-trigger-profile.md | 2 +-
windows/security/identity-protection/vpn/vpn-connection-type.md | 2 +-
windows/security/identity-protection/vpn/vpn-guide.md | 2 +-
windows/security/identity-protection/vpn/vpn-name-resolution.md | 2 +-
windows/security/identity-protection/vpn/vpn-routing.md | 2 +-
.../security/identity-protection/vpn/vpn-security-features.md | 2 +-
8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index 805b9b43ba..b39288074a 100644
--- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -5,7 +5,7 @@ ms.prod: m365-security
author: paolomatarazzo
ms.date: 03/22/2022
manager: aaroncz
-ms.author: paolomatarazzo
+ms.author: paoloma
appliesto:
- ✅ Windows 10
- ✅ Windows 11
diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md
index 0338261376..0e91037be0 100644
--- a/windows/security/identity-protection/vpn/vpn-authentication.md
+++ b/windows/security/identity-protection/vpn/vpn-authentication.md
@@ -6,7 +6,7 @@ author: paolomatarazzo
ms.localizationpriority: medium
ms.date: 09/23/2021
manager: aaroncz
-ms.author: paolomatarazzo
+ms.author: paoloma
appliesto:
- ✅ Windows 10
- ✅ Windows 11
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
index 10acdcc913..8bce8aa587 100644
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@@ -6,7 +6,7 @@ author: paolomatarazzo
ms.localizationpriority: medium
ms.date: 09/23/2021
manager: aaroncz
-ms.author: paolomatarazzo
+ms.author: paoloma
appliesto:
- ✅ Windows 10
- ✅ Windows 11
diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md
index 9c2c579ad8..79f6dc03ba 100644
--- a/windows/security/identity-protection/vpn/vpn-connection-type.md
+++ b/windows/security/identity-protection/vpn/vpn-connection-type.md
@@ -6,7 +6,7 @@ author: paolomatarazzo
ms.localizationpriority: medium
ms.date: 08/23/2021
manager: aaroncz
-ms.author: paolomatarazzo
+ms.author: paoloma
appliesto:
- ✅ Windows 10
- ✅ Windows 11
diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md
index 5b9eb1f2a9..8f00d44c28 100644
--- a/windows/security/identity-protection/vpn/vpn-guide.md
+++ b/windows/security/identity-protection/vpn/vpn-guide.md
@@ -6,7 +6,7 @@ author: paolomatarazzo
ms.localizationpriority: medium
ms.date: 02/21/2022
manager: aaroncz
-ms.author: paolomatarazzo
+ms.author: paoloma
appliesto:
- ✅ Windows 10
- ✅ Windows 11
diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md
index bb3883d726..2641d9d46b 100644
--- a/windows/security/identity-protection/vpn/vpn-name-resolution.md
+++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md
@@ -6,7 +6,7 @@ author: paolomatarazzo
ms.localizationpriority: medium
ms.date: 09/23/2021
manager: aaroncz
-ms.author: paolomatarazzo
+ms.author: paoloma
appliesto:
- ✅ Windows 10
- ✅ Windows 11
diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md
index 2554d7de31..c6199b9c5a 100644
--- a/windows/security/identity-protection/vpn/vpn-routing.md
+++ b/windows/security/identity-protection/vpn/vpn-routing.md
@@ -6,7 +6,7 @@ author: paolomatarazzo
ms.localizationpriority: medium
ms.date: 09/23/2021
manager: aaroncz
-ms.author: paolomatarazzo
+ms.author: paoloma
appliesto:
- ✅ Windows 10
- ✅ Windows 11
diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md
index fffcd2a99e..fc8ddfa631 100644
--- a/windows/security/identity-protection/vpn/vpn-security-features.md
+++ b/windows/security/identity-protection/vpn/vpn-security-features.md
@@ -6,7 +6,7 @@ author: paolomatarazzo
ms.localizationpriority: medium
ms.date: 07/21/2022
manager: aaroncz
-ms.author: paolomatarazzo
+ms.author: paoloma
appliesto:
- ✅ Windows 10
- ✅ Windows 11
From 22cabb2d38f41e67e59e4ba27c32093cf66af11f Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 11 Aug 2022 14:50:35 -0400
Subject: [PATCH 3/9] update
---
.../credential-guard-requirements.md | 13 +++---
.../smart-cards/smart-card-events.md | 44 ++++++++-----------
2 files changed, 24 insertions(+), 33 deletions(-)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index 369d82abff..5786294325 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -11,17 +11,16 @@ ms.collection:
- highpri
ms.topic: article
ms.date: 12/27/2021
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Windows Defender Credential Guard: Requirements
-## Applies to
-
-- Windows 11
-- Windows 10
-- Windows Server 2019
-- Windows Server 2016
-
For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
## Hardware and software requirements
diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md
index b9d9f10aba..04bdfa4a40 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-events.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-events.md
@@ -23,33 +23,25 @@ This topic for the IT professional and smart card developer describes events tha
A number of events can be used to monitor smart card activities on a computer, including installation, use, and errors. The following sections describe the events and information that can be used to manage smart cards in an organization.
-- [Smart card reader name](#smart-card-reader-name)
-
-- [Smart card warning events](#smart-card-warning-events)
-
-- [Smart card error events](#smart-card-error-events)
-
-- [Smart card Plug and Play events](#smart-card-plug-and-play-events)
-
+- [Smart card reader name](#smart-card-reader-name)
+- [Smart card warning events](#smart-card-warning-events)
+- [Smart card error events](#smart-card-error-events)
+- [Smart card Plug and Play events](#smart-card-plug-and-play-events)
## Smart card reader name
-The Smart Card resource manager does not use the device name from Device Manager to describe a smart card reader. Instead, the name is constructed from three device attributes that are queried directly from the smart card reader driver.
+The Smart Card resource manager doesn't use the device name from Device Manager to describe a smart card reader. Instead, the name is constructed from three device attributes that are queried directly from the smart card reader driver.
The following three attributes are used to construct the smart card reader name:
-- Vendor name
-
-- Interface device type
-
-- Device unit
+- Vendor name
+- Interface device type
+- Device unit
The smart card reader device name is constructed in the form <*VendorName*> <*Type*> <*DeviceUnit*>. For example 'Contoso Smart Card Reader 0' is constructed from the following information:
-- Vendor name: Contoso
-
-- Interface device type: Smart Card Reader
-
-- Device unit: 0
+- Vendor name: Contoso
+- Interface device type: Smart Card Reader
+- Device unit: 0
## Smart card warning events
@@ -57,8 +49,8 @@ The smart card reader device name is constructed in the form <*VendorName*>
| **Event ID** | **Warning Message** | **Description** |
|--------------|---------|--------------------------------------------------------------------------------------------|
-| 620 | Smart Card Resource Manager was unable to cancel IOCTL %3 for reader '%2': %1. The reader may no longer be responding. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs if the resource manager attempts to cancel a command to the smart card reader when the smart card service is shutting down or after a smart card is removed from the smart card reader and the command could not to be canceled. This can leave the smart card reader in an unusable state until it is removed from the computer or the computer is restarted.
%1 = Windows error code
%2 = Smart card reader name
%3 = IOCTL being canceled
%4 = First 4 bytes of the command that was sent to the smart card |
-| 619 | Smart Card Reader '%2' has not responded to IOCTL %3 in %1 seconds. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs when a reader has not responded to an IOCTL after an unusually long period of time. Currently, this error is sent after a reader does not respond for 150 seconds. This can leave the smart card reader in an unusable state until it is removed from the computer or the computer is restarted.
%1 = Number of seconds the IOCTL has been waiting
%2 = Smart card reader name
%3 = IOCTL sent
%4 = First 4 bytes of the command that was sent to the smart card |
+| 620 | Smart Card Resource Manager was unable to cancel IOCTL %3 for reader '%2': %1. The reader may no longer be responding. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs if the resource manager attempts to cancel a command to the smart card reader when the smart card service is shutting down or after a smart card is removed from the smart card reader and the command could not to be canceled. This can leave the smart card reader in an unusable state until it's removed from the computer or the computer is restarted.
%1 = Windows error code
%2 = Smart card reader name
%3 = IOCTL being canceled
%4 = First 4 bytes of the command that was sent to the smart card |
+| 619 | Smart Card Reader '%2' hasn't responded to IOCTL %3 in %1 seconds. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs when a reader hasn't responded to an IOCTL after an unusually long period of time. Currently, this error is sent after a reader doesn't respond for 150 seconds. This can leave the smart card reader in an unusable state until it's removed from the computer or the computer is restarted.
%1 = Number of seconds the IOCTL has been waiting
%2 = Smart card reader name
%3 = IOCTL sent
%4 = First 4 bytes of the command that was sent to the smart card |
## Smart card error events
@@ -70,7 +62,7 @@ The smart card reader device name is constructed in the form <*VendorName*>
| 205 | Reader object has duplicate name: %1 | There are two smart card readers that have the same name. Remove the smart card reader that is causing this error message.
%1 = Name of the smart card reader that is duplicated |
| 206 | Failed to create global reader change event. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
| 401 | Reader shutdown exception from eject smart card command | A smart card reader could not eject a smart card while the smart card reader was shutting down. |
-| 406 | Reader object cannot Identify Device | A smart card reader did not properly respond to a request for information about the device, which is required for constructing the smart card reader name. The smart card reader will not be recognized by the service until it is removed from the computer and reinserted or until the computer is restarted. |
+| 406 | Reader object cannot Identify Device | A smart card reader did not properly respond to a request for information about the device, which is required for constructing the smart card reader name. The smart card reader will not be recognized by the service until it's removed from the computer and reinserted or until the computer is restarted. |
| 502 | Initialization of Service Status Critical Section failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
| 504 | Resource Manager cannot create shutdown event flag: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
| 506 | Smart Card Resource Manager failed to register service: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
@@ -98,10 +90,10 @@ The smart card reader device name is constructed in the form <*VendorName*>
| 609 | Reader monitor failed to create overlapped event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
| 610 | Smart Card Reader '%2' rejected IOCTL %3: %1 If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader cannot successfully transmit the indicated IOCTL to the smart card. This can indicate hardware failure, but this error can also occur if a smart card or smart card reader is removed from the system while an operation is in progress.
%1 = Windows error code
%2 = Name of the smart card reader
%3 = IOCTL that was sent
%4 = First 4 bytes of the command sent to the smart card
These events are caused by legacy functionality in the smart card stack. It can be ignored if there is no noticeable failure in the smart card usage scenarios. You might also see this error if your eSIM is recognized as a smartcard controller.|
| 611 | Smart Card Reader initialization failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve this issue. |
-| 612 | Reader insertion monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code |
-| 615 | Reader removal monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code |
-| 616 | Reader monitor '%2' received uncaught error code: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code
%2 = Reader name |
-| 617 | Reader monitor '%1' exception -- exiting thread | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
%1 = Smart card reader name |
+| 612 | Reader insertion monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code |
+| 615 | Reader removal monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code |
+| 616 | Reader monitor '%2' received uncaught error code: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code
%2 = Reader name |
+| 617 | Reader monitor '%1' exception -- exiting thread | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Smart card reader name |
| 618 | Smart Card Resource Manager encountered an unrecoverable internal error. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
| 621 | Server Control failed to access start event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code
These events are caused by legacy functionality in the smart card stack. It can be ignored if there is no noticeable failure in the smart card usage scenarios. |
| 622 | Server Control failed to access stop event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
From 83af9d7a4290d5fd5badb3de4db290db79177973 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 11 Aug 2022 15:14:23 -0400
Subject: [PATCH 4/9] updated reviewers
---
.../identity-protection/access-control/access-control.md | 1 +
.../identity-protection/access-control/local-accounts.md | 1 +
.../credential-guard/additional-mitigations.md | 1 +
.../credential-guard/credential-guard-considerations.md | 1 +
.../credential-guard/credential-guard-how-it-works.md | 1 +
.../credential-guard/credential-guard-known-issues.md | 1 +
.../credential-guard/credential-guard-manage.md | 1 +
.../credential-guard/credential-guard-not-protected-scenarios.md | 1 +
.../credential-guard/credential-guard-protection-limits.md | 1 +
.../credential-guard/credential-guard-requirements.md | 1 +
.../credential-guard/credential-guard-scripts.md | 1 +
.../identity-protection/credential-guard/credential-guard.md | 1 +
.../identity-protection/credential-guard/dg-readiness-tool.md | 1 +
.../smart-cards/smart-card-and-remote-desktop-services.md | 1 +
.../identity-protection/smart-cards/smart-card-architecture.md | 1 +
.../smart-cards/smart-card-certificate-propagation-service.md | 1 +
.../smart-card-certificate-requirements-and-enumeration.md | 1 +
.../smart-cards/smart-card-debugging-information.md | 1 +
.../identity-protection/smart-cards/smart-card-events.md | 1 +
.../smart-cards/smart-card-group-policy-and-registry-settings.md | 1 +
.../smart-card-how-smart-card-sign-in-works-in-windows.md | 1 +
.../smart-cards/smart-card-removal-policy-service.md | 1 +
.../smart-cards/smart-card-smart-cards-for-windows-service.md | 1 +
.../smart-cards/smart-card-tools-and-settings.md | 1 +
.../smart-card-windows-smart-card-technical-reference.md | 1 +
.../user-account-control/how-user-account-control-works.md | 1 +
...ser-account-control-group-policy-and-registry-key-settings.md | 1 +
.../user-account-control/user-account-control-overview.md | 1 +
.../user-account-control-security-policy-settings.md | 1 +
...nfigure-diffie-hellman-protocol-over-ikev2-vpn-connections.md | 1 +
...w-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md | 1 +
windows/security/identity-protection/vpn/vpn-authentication.md | 1 +
.../security/identity-protection/vpn/vpn-auto-trigger-profile.md | 1 +
.../security/identity-protection/vpn/vpn-conditional-access.md | 1 +
windows/security/identity-protection/vpn/vpn-connection-type.md | 1 +
windows/security/identity-protection/vpn/vpn-guide.md | 1 +
windows/security/identity-protection/vpn/vpn-name-resolution.md | 1 +
.../identity-protection/vpn/vpn-office-365-optimization.md | 1 +
windows/security/identity-protection/vpn/vpn-profile-options.md | 1 +
windows/security/identity-protection/vpn/vpn-routing.md | 1 +
.../security/identity-protection/vpn/vpn-security-features.md | 1 +
41 files changed, 41 insertions(+)
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
index 737ce1fe9d..3463887878 100644
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@@ -4,6 +4,7 @@ description: Access Control Overview
ms.prod: m365-security
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: sulahiri
manager: aaroncz
ms.collection:
- M365-identity-device-management
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index 968204b78c..854d62c172 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -4,6 +4,7 @@ description: Learn how to secure and manage access to the resources on a standal
ms.prod: m365-security
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: sulahiri
manager: aaroncz
ms.collection:
- M365-identity-device-management
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index 96948106f5..ed33a72d92 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -5,6 +5,7 @@ ms.prod: m365-security
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
index ef55b58405..31fb780b79 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
@@ -5,6 +5,7 @@ ms.prod: m365-security
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
index c4d2fb93fc..b48fb5bbb3 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
@@ -5,6 +5,7 @@ ms.prod: m365-security
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
index f5ff5f5443..e190e70c49 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
@@ -5,6 +5,7 @@ ms.prod: m365-security
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index edf3023808..1b61031be8 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -5,6 +5,7 @@ ms.prod: m365-security
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: erikdau
manager: aaroncz
ms.collection:
- M365-identity-device-management
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
index d555458c2e..55a98fdb3e 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
@@ -5,6 +5,7 @@ ms.prod: m365-security
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
index 6b5833f449..ba9aa464db 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
@@ -5,6 +5,7 @@ ms.prod: m365-security
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index 5786294325..e4d7f90a39 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -5,6 +5,7 @@ ms.prod: m365-security
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: erikdau
manager: aaroncz
ms.collection:
- M365-identity-device-management
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
index f558fe1db3..d235f8a2dc 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
@@ -5,6 +5,7 @@ ms.prod: m365-security
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md
index 69edd2b832..db31018523 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard.md
@@ -5,6 +5,7 @@ ms.prod: m365-security
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: erikdau
manager: aaroncz
ms.collection:
- M365-identity-device-management
diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
index ad49319415..603dcc1d9c 100644
--- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
+++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
@@ -5,6 +5,7 @@ ms.prod: m365-security
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index 01a9565fbd..6281288b7d 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -4,6 +4,7 @@ description: This topic for the IT professional describes the behavior of Remote
ms.prod: m365-security
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: ardenw
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index 1a2c2875f0..d6f114f368 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -4,6 +4,7 @@ description: This topic for the IT professional describes the system architectur
ms.prod: m365-security
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: ardenw
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
index c326bf52c9..ef2c516483 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
@@ -4,6 +4,7 @@ description: This topic for the IT professional describes the certificate propag
ms.prod: m365-security
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: ardenw
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index 011e339a2d..df7c9505b6 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -4,6 +4,7 @@ description: This topic for the IT professional and smart card developers descri
ms.prod: m365-security
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: ardenw
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index 6d5062261a..7f0143c568 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -4,6 +4,7 @@ description: Describes the tools and services that smart card developers can use
ms.prod: m365-security
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: ardenw
manager: aaroncz
ms.collection:
- M365-identity-device-management
diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md
index 04bdfa4a40..2f1430846f 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-events.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-events.md
@@ -4,6 +4,7 @@ description: This topic for the IT professional and smart card developer describ
ms.prod: m365-security
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: ardenw
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
index bc23010ac3..9929ee2bff 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@@ -4,6 +4,7 @@ description: Discover the Group Policy, registry key, local security policy, and
ms.prod: m365-security
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: ardenw
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
index 940e972066..4019c75ad2 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
@@ -4,6 +4,7 @@ description: This topic for IT professional provides links to resources about th
ms.prod: m365-security
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: ardenw
manager: aaroncz
ms.collection:
- M365-identity-device-management
diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
index 099bd5dd51..6c0a8e06e8 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
@@ -4,6 +4,7 @@ description: This topic for the IT professional describes the role of the remova
ms.prod: m365-security
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: ardenw
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
index af406d75ce..4acfbe37c2 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
@@ -4,6 +4,7 @@ description: This topic for the IT professional and smart card developers descri
ms.prod: m365-security
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: ardenw
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
index db7acbd3e9..faab6d1c50 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
@@ -4,6 +4,7 @@ description: This topic for the IT professional and smart card developer links t
ms.prod: m365-security
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: ardenw
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
index 252b91210c..7899c14e50 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
@@ -4,6 +4,7 @@ description: Learn about the Windows smart card infrastructure for physical smar
ms.prod: m365-security
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: ardenw
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index 29544db1a4..42aca41a0a 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -4,6 +4,7 @@ description: User Account Control (UAC) is a fundamental component of Microsoft'
ms.prod: m365-security
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: sulahiri
manager: aaroncz
ms.collection:
- M365-identity-device-management
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
index 380668df8b..e54d14dafe 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
@@ -4,6 +4,7 @@ description: Here's a list of UAC Group Policy and registry key settings that y
ms.prod: m365-security
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: sulahiri
manager: aaroncz
ms.collection:
- M365-identity-device-management
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
index bfb4495923..e9b562bbe0 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
@@ -5,6 +5,7 @@ ms.prod: m365-security
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: sulahiri
manager: aaroncz
ms.collection:
- M365-identity-device-management
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
index dc327b438c..cacda816c0 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
@@ -4,6 +4,7 @@ description: You can use security policies to configure how User Account Control
ms.prod: m365-security
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: sulahiri
manager: aaroncz
ms.collection:
- M365-identity-device-management
diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
index 1901da61e7..0e77c5aca8 100644
--- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@@ -7,6 +7,7 @@ ms.author: paoloma
ms.localizationpriority: medium
ms.date: 09/23/2021
manager: aaroncz
+ms.reviewer: pesmith
appliesto:
- ✅ Windows 10
- ✅ Windows 11
diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index b39288074a..58e9851817 100644
--- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -6,6 +6,7 @@ author: paolomatarazzo
ms.date: 03/22/2022
manager: aaroncz
ms.author: paoloma
+ms.reviewer: pesmith
appliesto:
- ✅ Windows 10
- ✅ Windows 11
diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md
index 0e91037be0..3434542f7b 100644
--- a/windows/security/identity-protection/vpn/vpn-authentication.md
+++ b/windows/security/identity-protection/vpn/vpn-authentication.md
@@ -7,6 +7,7 @@ ms.localizationpriority: medium
ms.date: 09/23/2021
manager: aaroncz
ms.author: paoloma
+ms.reviewer: pesmith
appliesto:
- ✅ Windows 10
- ✅ Windows 11
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
index 8bce8aa587..2cef6b0692 100644
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@@ -7,6 +7,7 @@ ms.localizationpriority: medium
ms.date: 09/23/2021
manager: aaroncz
ms.author: paoloma
+ms.reviewer: pesmith
appliesto:
- ✅ Windows 10
- ✅ Windows 11
diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md
index dd2aca3c01..e33c303053 100644
--- a/windows/security/identity-protection/vpn/vpn-conditional-access.md
+++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md
@@ -4,6 +4,7 @@ description: Learn how to integrate the VPN client with the Conditional Access P
ms.prod: m365-security
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: pesmith
manager: aaroncz
ms.localizationpriority: medium
ms.date: 09/23/2021
diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md
index 79f6dc03ba..96e77511ad 100644
--- a/windows/security/identity-protection/vpn/vpn-connection-type.md
+++ b/windows/security/identity-protection/vpn/vpn-connection-type.md
@@ -7,6 +7,7 @@ ms.localizationpriority: medium
ms.date: 08/23/2021
manager: aaroncz
ms.author: paoloma
+ms.reviewer: pesmith
appliesto:
- ✅ Windows 10
- ✅ Windows 11
diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md
index 8f00d44c28..c235596b5c 100644
--- a/windows/security/identity-protection/vpn/vpn-guide.md
+++ b/windows/security/identity-protection/vpn/vpn-guide.md
@@ -7,6 +7,7 @@ ms.localizationpriority: medium
ms.date: 02/21/2022
manager: aaroncz
ms.author: paoloma
+ms.reviewer: pesmith
appliesto:
- ✅ Windows 10
- ✅ Windows 11
diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md
index 2641d9d46b..d91442912d 100644
--- a/windows/security/identity-protection/vpn/vpn-name-resolution.md
+++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md
@@ -7,6 +7,7 @@ ms.localizationpriority: medium
ms.date: 09/23/2021
manager: aaroncz
ms.author: paoloma
+ms.reviewer: pesmith
appliesto:
- ✅ Windows 10
- ✅ Windows 11
diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
index 69fb215d6e..c54c8c05a4 100644
--- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
+++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
@@ -8,6 +8,7 @@ ms.date: 09/23/2021
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
+ms.reviewer: pesmith
appliesto:
- ✅ Windows 10
- ✅ Windows 11
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index 4649674d84..c6a1f32a1b 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -5,6 +5,7 @@ manager: aaroncz
ms.prod: m365-security
author: paolomatarazzo
ms.author: paoloma
+ms.reviewer: pesmith
ms.localizationpriority: medium
ms.date: 05/17/2018
appliesto:
diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md
index c6199b9c5a..2fdcf08d5b 100644
--- a/windows/security/identity-protection/vpn/vpn-routing.md
+++ b/windows/security/identity-protection/vpn/vpn-routing.md
@@ -7,6 +7,7 @@ ms.localizationpriority: medium
ms.date: 09/23/2021
manager: aaroncz
ms.author: paoloma
+ms.reviewer: pesmith
appliesto:
- ✅ Windows 10
- ✅ Windows 11
diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md
index fc8ddfa631..31e2845099 100644
--- a/windows/security/identity-protection/vpn/vpn-security-features.md
+++ b/windows/security/identity-protection/vpn/vpn-security-features.md
@@ -7,6 +7,7 @@ ms.localizationpriority: medium
ms.date: 07/21/2022
manager: aaroncz
ms.author: paoloma
+ms.reviewer: pesmith
appliesto:
- ✅ Windows 10
- ✅ Windows 11
From c5a3b7d7bb9bab5ee06d97519e94d1a492ccc449 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 11 Aug 2022 16:13:00 -0400
Subject: [PATCH 5/9] Updated firewall articles metadata
---
...ices-to-the-membership-group-for-a-zone.md | 18 +++++++++--------
...ices-to-the-membership-group-for-a-zone.md | 18 +++++++++--------
...e-files-for-settings-used-in-this-guide.md | 18 +++++++++--------
...ssign-security-group-filters-to-the-gpo.md | 18 +++++++++--------
.../basic-firewall-policy-design.md | 18 +++++++++--------
.../best-practices-configuring.md | 12 ++++++++---
.../windows-firewall/boundary-zone-gpos.md | 18 +++++++++--------
.../windows-firewall/boundary-zone.md | 20 ++++++++++---------
...e-based-isolation-policy-design-example.md | 18 +++++++++--------
...rtificate-based-isolation-policy-design.md | 18 +++++++++--------
...ange-rules-from-request-to-require-mode.md | 18 +++++++++--------
...ist-configuring-basic-firewall-settings.md | 18 +++++++++--------
...uring-rules-for-an-isolated-server-zone.md | 18 +++++++++--------
...rs-in-a-standalone-isolated-server-zone.md | 18 +++++++++--------
...configuring-rules-for-the-boundary-zone.md | 18 +++++++++--------
...nfiguring-rules-for-the-encryption-zone.md | 18 +++++++++--------
...nfiguring-rules-for-the-isolated-domain.md | 18 +++++++++--------
...checklist-creating-group-policy-objects.md | 18 +++++++++--------
...ecklist-creating-inbound-firewall-rules.md | 18 +++++++++--------
...cklist-creating-outbound-firewall-rules.md | 18 +++++++++--------
...ts-of-a-standalone-isolated-server-zone.md | 18 +++++++++--------
...ementing-a-basic-firewall-policy-design.md | 18 +++++++++--------
...rtificate-based-isolation-policy-design.md | 18 +++++++++--------
...enting-a-domain-isolation-policy-design.md | 18 +++++++++--------
...andalone-server-isolation-policy-design.md | 18 +++++++++--------
.../configure-authentication-methods.md | 18 +++++++++--------
...ure-data-protection-quick-mode-settings.md | 18 +++++++++--------
...y-to-autoenroll-and-deploy-certificates.md | 18 +++++++++--------
...nfigure-key-exchange-main-mode-settings.md | 18 +++++++++--------
...nfigure-the-rules-to-require-encryption.md | 14 +++++++++----
.../configure-the-windows-firewall-log.md | 18 +++++++++--------
...ion-authentication-certificate-template.md | 18 +++++++++--------
...notifications-when-a-program-is-blocked.md | 18 +++++++++--------
...hat-certificates-are-deployed-correctly.md | 18 +++++++++--------
.../copy-a-gpo-to-create-a-new-gpo.md | 18 +++++++++--------
...ate-a-group-account-in-active-directory.md | 18 +++++++++--------
.../create-a-group-policy-object.md | 18 +++++++++--------
...e-an-authentication-exemption-list-rule.md | 18 +++++++++--------
.../create-an-authentication-request-rule.md | 14 +++++++++----
.../create-an-inbound-icmp-rule.md | 18 +++++++++--------
.../create-an-inbound-port-rule.md | 18 +++++++++--------
...eate-an-inbound-program-or-service-rule.md | 18 +++++++++--------
.../create-an-outbound-port-rule.md | 18 +++++++++--------
...ate-an-outbound-program-or-service-rule.md | 18 +++++++++--------
.../create-inbound-rules-to-support-rpc.md | 18 +++++++++--------
...create-windows-firewall-rules-in-intune.md | 18 +++++++++--------
.../create-wmi-filters-for-the-gpo.md | 18 +++++++++--------
...irewall-with-advanced-security-strategy.md | 18 +++++++++--------
...ining-the-trusted-state-of-your-devices.md | 18 +++++++++--------
.../windows-firewall/documenting-the-zones.md | 18 +++++++++--------
.../domain-isolation-policy-design-example.md | 18 +++++++++--------
.../domain-isolation-policy-design.md | 18 +++++++++--------
.../enable-predefined-inbound-rules.md | 18 +++++++++--------
.../enable-predefined-outbound-rules.md | 18 +++++++++--------
.../windows-firewall/encryption-zone-gpos.md | 18 +++++++++--------
.../windows-firewall/encryption-zone.md | 18 +++++++++--------
...-with-advanced-security-design-examples.md | 18 +++++++++--------
.../exempt-icmp-from-authentication.md | 18 +++++++++--------
.../windows-firewall/exemption-list.md | 18 +++++++++--------
.../filter-origin-documentation.md | 14 +++++++++----
.../windows-firewall/firewall-gpos.md | 18 +++++++++--------
.../firewall-policy-design-example.md | 18 +++++++++--------
.../firewall-settings-lost-on-upgrade.md | 14 +++++++++----
...-about-your-active-directory-deployment.md | 18 +++++++++--------
...out-your-current-network-infrastructure.md | 18 +++++++++--------
...athering-information-about-your-devices.md | 18 +++++++++--------
.../gathering-other-relevant-information.md | 18 +++++++++--------
.../gathering-the-information-you-need.md | 18 +++++++++--------
.../windows-firewall/gpo-domiso-boundary.md | 18 +++++++++--------
.../windows-firewall/gpo-domiso-encryption.md | 14 +++++++++----
.../windows-firewall/gpo-domiso-firewall.md | 18 +++++++++--------
.../gpo-domiso-isolateddomain-clients.md | 18 +++++++++--------
.../gpo-domiso-isolateddomain-servers.md | 18 +++++++++--------
...with-advanced-security-deployment-goals.md | 18 +++++++++--------
...wall-with-advanced-security-design-plan.md | 18 +++++++++--------
.../windows-firewall/isolated-domain-gpos.md | 18 +++++++++--------
.../windows-firewall/isolated-domain.md | 14 +++++++++----
.../isolating-apps-on-your-network.md | 18 +++++++++--------
.../link-the-gpo-to-the-domain.md | 18 +++++++++--------
...-firewall-with-advanced-security-design.md | 18 +++++++++--------
...-a-different-zone-or-version-of-windows.md | 18 +++++++++--------
...agement-console-to-ip-security-policies.md | 18 +++++++++--------
...windows-firewall-with-advanced-security.md | 18 +++++++++--------
...-management-console-to-windows-firewall.md | 18 +++++++++--------
...windows-firewall-with-advanced-security.md | 18 +++++++++--------
...anning-certificate-based-authentication.md | 18 +++++++++--------
.../planning-domain-isolation-zones.md | 18 +++++++++--------
.../planning-gpo-deployment.md | 18 +++++++++--------
...icy-deployment-for-your-isolation-zones.md | 18 +++++++++--------
...planning-isolation-groups-for-the-zones.md | 18 +++++++++--------
.../planning-network-access-groups.md | 18 +++++++++--------
.../planning-server-isolation-zones.md | 18 +++++++++--------
...ng-settings-for-a-basic-firewall-policy.md | 18 +++++++++--------
.../windows-firewall/planning-the-gpos.md | 18 +++++++++--------
...windows-firewall-with-advanced-security.md | 18 +++++++++--------
...-firewall-with-advanced-security-design.md | 18 +++++++++--------
.../procedures-used-in-this-guide.md | 18 +++++++++--------
...t-devices-from-unwanted-network-traffic.md | 18 +++++++++--------
.../windows-firewall/quarantine.md | 14 +++++++++----
...n-accessing-sensitive-network-resources.md | 18 +++++++++--------
...cess-to-only-specified-users-or-devices.md | 18 +++++++++--------
...restrict-access-to-only-trusted-devices.md | 18 +++++++++--------
...erver-access-to-members-of-a-group-only.md | 18 +++++++++--------
...to-end-ipsec-connections-by-using-ikev2.md | 18 +++++++++--------
.../windows-firewall/server-isolation-gpos.md | 18 +++++++++--------
.../server-isolation-policy-design-example.md | 18 +++++++++--------
.../server-isolation-policy-design.md | 18 +++++++++--------
.../troubleshooting-uwp-firewall.md | 14 +++++++++----
...firewall-and-configure-default-behavior.md | 18 +++++++++--------
...l-with-advanced-security-design-process.md | 14 +++++++++----
...y-that-network-traffic-is-authenticated.md | 18 +++++++++--------
...-administration-with-windows-powershell.md | 18 +++++++++--------
...with-advanced-security-deployment-guide.md | 18 +++++++++--------
...all-with-advanced-security-design-guide.md | 18 +++++++++--------
...windows-firewall-with-advanced-security.md | 18 +++++++++--------
115 files changed, 1150 insertions(+), 880 deletions(-)
diff --git a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
index 669d4ede86..b663f72d19 100644
--- a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
@@ -2,28 +2,30 @@
title: Add Production Devices to the Membership Group for a Zone (Windows)
description: Learn how to add production devices to the membership group for a zone and refresh the group policy on the devices in the membership group.
ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Add Production Devices to the Membership Group for a Zone
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices.
diff --git a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
index 15f91730ba..9f5d3bac7c 100644
--- a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
@@ -2,28 +2,30 @@
title: Add Test Devices to the Membership Group for a Zone (Windows)
description: Learn how to add devices to the group for a zone to test whether your Windows Defender Firewall with Advanced Security implementation works as expected.
ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Add Test Devices to the Membership Group for a Zone
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete. We also recommend that you initially deploy the rules to a few devices only to be sure that the correct GPOs are being processed by each device.
diff --git a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
index 1a7d5dd07e..180ebf61e7 100644
--- a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
+++ b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
@@ -2,28 +2,30 @@
title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows)
description: Use sample template files import an XML file containing customized registry preferences into a Group Policy Object (GPO).
ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Appendix A: Sample GPO Template Files for Settings Used in this Guide
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC).
diff --git a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
index 221490f2e9..88a28959fc 100644
--- a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
@@ -2,28 +2,30 @@
title: Assign Security Group Filters to the GPO (Windows)
description: Learn how to use Group Policy Management MMC to assign security group filters to a GPO to make sure that the GPO is applied to the correct computers.
ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Assign Security Group Filters to the GPO
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO.
diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
index b2dfe86d3b..68b7ae50a0 100644
--- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
@@ -2,27 +2,29 @@
title: Basic Firewall Policy Design (Windows)
description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design.
ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Basic Firewall Policy Design
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but don't have a host-based firewall enabled on each device in the organization.
diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
index d71e89f983..db778a73a8 100644
--- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
+++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
@@ -6,14 +6,20 @@ ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: maccruz
-author: schmurky
+ms.author: paoloma
+author: paolomatarazzo
ms.localizationpriority: medium
-manager: dansimp
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Best practices for configuring Windows Defender Firewall
diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md
index 10fa58f666..77da6ba1be 100644
--- a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md
@@ -2,28 +2,30 @@
title: Boundary Zone GPOs (Windows)
description: Learn about GPOs to create that must align with the group you create for the boundary zone in Windows Defender Firewall with Advanced Security.
ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Boundary Zone GPOs
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section.
diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md
index 11d52f96fe..d8077459ac 100644
--- a/windows/security/threat-protection/windows-firewall/boundary-zone.md
+++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md
@@ -2,28 +2,30 @@
title: Boundary Zone (Windows)
description: Learn how a boundary zone supports devices that must receive traffic from beyond an isolated domain in Windows Defender Firewall with Advanced Security.
ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Boundary Zone
-
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+
In most organizations, some devices can receive network traffic from devices that aren't part of the isolated domain, and therefore can't authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain.
diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
index 17c7175cd6..02c88fdfb7 100644
--- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
@@ -2,28 +2,30 @@
title: Certificate-based Isolation Policy Design Example (Windows)
description: This example uses a fictitious company to illustrate certificate-based isolation policy design in Windows Defender Firewall with Advanced Security.
ms.assetid: 509b513e-dd49-4234-99f9-636fd2f749e3
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Certificate-based Isolation Policy Design Example
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md).
diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
index e61836e9ce..c21f3ae251 100644
--- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
@@ -2,28 +2,30 @@
title: Certificate-based Isolation Policy Design (Windows)
description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design.
ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Certificate-based isolation policy design
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic.
diff --git a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md
index 88550f7f67..effdd2a70c 100644
--- a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md
+++ b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md
@@ -2,28 +2,30 @@
title: Change Rules from Request to Require Mode (Windows)
description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices.
ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Change Rules from Request to Require Mode
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Don't change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that aren't part of the isolated domain.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
index 18558ef571..d3356b14f3 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
@@ -2,28 +2,30 @@
title: Checklist Configuring Basic Firewall Settings (Windows)
description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall.
ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Checklist: Configuring Basic Firewall Settings
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
index 36fe34357d..176d8f4536 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
@@ -2,28 +2,30 @@
title: Checklist Configuring Rules for an Isolated Server Zone (Windows)
description: Use these tasks to configure connection security rules and IPsec settings in GPOs for servers in an isolated server zone that are part of an isolated domain.
ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Checklist: Configuring Rules for an Isolated Server Zone
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that isn't part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md).
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
index db9e5235c2..e546b37adf 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
@@ -2,28 +2,30 @@
title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows)
description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone
ms.assetid: ccc09d06-ef75-43b0-9c77-db06f2940955
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that isn't part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md).
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
index 7e7fc7b158..55e7e19754 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
@@ -2,28 +2,30 @@
title: Checklist Configuring Rules for the Boundary Zone (Windows)
description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Checklist: Configuring Rules for the Boundary Zone
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
index 1d42ae70b6..5d0a18a69f 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
@@ -2,28 +2,30 @@
title: Checklist Configuring Rules for the Encryption Zone (Windows)
description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Checklist: Configuring Rules for the Encryption Zone
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
index 4f86220ff8..648850a336 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
@@ -2,28 +2,30 @@
title: Checklist Configuring Rules for the Isolated Domain (Windows)
description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Checklist: Configuring Rules for the Isolated Domain
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md
index 373174d887..6168d455d3 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md
@@ -2,28 +2,30 @@
title: Checklist Creating Group Policy Objects (Windows)
description: Learn to deploy firewall settings, IPsec settings, firewall rules, or connection security rules, by using Group Policy in AD DS.
ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Checklist: Creating Group Policy Objects
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the end by making GPO assignments as easy as dropping a device into a membership group.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
index cb5f132795..57a25a4b6c 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
@@ -2,28 +2,30 @@
title: Checklist Creating Inbound Firewall Rules (Windows)
description: Use these tasks for creating inbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Checklist: Creating Inbound Firewall Rules
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This checklist includes tasks for creating firewall rules in your GPOs.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
index cc6976169c..879c1a55b6 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
@@ -2,28 +2,30 @@
title: Checklist Creating Outbound Firewall Rules (Windows)
description: Use these tasks for creating outbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Checklist: Creating Outbound Firewall Rules
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This checklist includes tasks for creating outbound firewall rules in your GPOs.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
index b6369d7c01..9094725eda 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
@@ -2,28 +2,30 @@
title: Create Rules for Standalone Isolated Server Zone Clients (Windows)
description: Checklist for when creating rules for clients of a Standalone Isolated Server Zone
ms.assetid: 6a5e6478-add3-47e3-8221-972549e013f6
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
index c9c577bc2e..6a5f00771e 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
@@ -2,28 +2,30 @@
title: Checklist Implementing a Basic Firewall Policy Design (Windows)
description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation.
ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Checklist: Implementing a Basic Firewall Policy Design
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
index 5d59df9ccd..ce48d49c77 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
@@ -2,28 +2,30 @@
title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows)
description: Use these references to learn about using certificates as an authentication option and configure a certificate-based isolation policy design.
ms.assetid: 1e34b5ea-2e77-4598-a765-550418d33894
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Checklist: Implementing a Certificate-based Isolation Policy Design
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
index 6a6f01d952..6061bc86b5 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
@@ -2,28 +2,30 @@
title: Checklist Implementing a Domain Isolation Policy Design (Windows)
description: Use these references to learn about the domain isolation policy design and links to other checklists to complete tasks require to implement this design.
ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Checklist: Implementing a Domain Isolation Policy Design
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
index c484d2eec0..87364021d1 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
@@ -2,28 +2,30 @@
title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows)
description: Use these tasks to create a server isolation policy design that isn't part of an isolated domain. See references to concepts and links to other checklists.
ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Checklist: Implementing a Standalone Server Isolation Policy Design
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This checklist contains procedures for creating a server isolation policy design that isn't part of an isolated domain. For information on the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md).
diff --git a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md
index b16b7adc8a..7f45ce6466 100644
--- a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md
+++ b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md
@@ -2,28 +2,30 @@
title: Configure Authentication Methods (Windows)
description: Learn how to configure authentication methods for devices in an isolated domain or standalone server zone in Windows Defender Firewall with Advanced Security.
ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Configure Authentication Methods
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone.
diff --git a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
index 99a5795add..f839c60899 100644
--- a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
+++ b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
@@ -2,28 +2,30 @@
title: Configure Data Protection (Quick Mode) Settings (Windows)
description: Learn how to configure the data protection settings for connection security rules in an isolated domain or a standalone isolated server zone.
ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Configure Data Protection (Quick Mode) Settings
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone.
diff --git a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
index ef75edf628..feb3b8e3a2 100644
--- a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
+++ b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
@@ -2,28 +2,30 @@
title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows)
description: Learn how to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network.
ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Configure Group Policy to Autoenroll and Deploy Certificates
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate.
diff --git a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
index d630831fe4..dd062985fe 100644
--- a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
+++ b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
@@ -2,28 +2,30 @@
title: Configure Key Exchange (Main Mode) Settings (Windows)
description: Learn how to configure the main mode key exchange settings used to secure the IPsec authentication traffic in Windows Defender Firewall with Advanced Security.
ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Configure Key Exchange (Main Mode) Settings
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic.
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
index 00d5f4cd23..2a9fedfb36 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
@@ -2,20 +2,26 @@
title: Configure the Rules to Require Encryption (Windows)
description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that don't use encryption for zones that require encryption.
ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Configure the Rules to Require Encryption
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
index 763858cb1e..acae2a5eb6 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
@@ -2,28 +2,30 @@
title: Configure the Windows Defender Firewall Log (Windows)
description: Learn how to configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections by using Group Policy Management MMC.
ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Configure the Windows Defender Firewall with Advanced Security Log
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
To configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in.
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
index ae802dff45..7f4b8057f3 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
@@ -2,25 +2,27 @@
title: Configure the Workstation Authentication Template (Windows)
description: Learn how to configure a workstation authentication certificate template, which is used for device certificates that are enrolled and deployed to workstations.
ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
+ms.reviewer: jekrynit
+manager: aaroncz
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
+author: paolomatarazzo
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Configure the Workstation Authentication Certificate Template
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements.
diff --git a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
index da729a7b63..81905439d5 100644
--- a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
+++ b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
@@ -2,28 +2,30 @@
title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked (Windows)
description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Blocked
ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
To configure Windows Defender Firewall with Advanced Security to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console.
diff --git a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
index 45aac5c3bd..e23f800b1e 100644
--- a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
+++ b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
@@ -2,28 +2,30 @@
title: Confirm That Certificates Are Deployed Correctly (Windows)
description: Learn how to confirm that a Group Policy is being applied as expected and that the certificates are being properly installed on the workstations.
ms.assetid: de0c8dfe-16b0-4d3b-8e8f-9282f6a65eee
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: securit
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Confirm That Certificates Are Deployed Correctly
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices.
diff --git a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
index a3b8bcee88..603fb772d6 100644
--- a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
@@ -2,28 +2,30 @@
title: Copy a GPO to Create a New GPO (Windows)
description: Learn how to make a copy of a GPO by using the Active Directory Users and devices MMC snap-in to create a GPO for boundary zone devices.
ms.assetid: 7f6a23e5-4b3f-40d6-bf6d-7895558b1406
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Copy a GPO to Create a New GPO
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
To create the GPO for the boundary zone devices, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and devices MMC snap-in.
diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
index 7f5899e2f5..f3f7a3bb1b 100644
--- a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
+++ b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
@@ -2,28 +2,30 @@
title: Create a Group Account in Active Directory (Windows)
description: Learn how to create a security group for the computers that are to receive Group Policy settings by using the Active Directory Users and Computers console.
ms.assetid: c3700413-e02d-4d56-96b8-7991f97ae432
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Create a Group Account in Active Directory
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers console.
diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
index c1f6da0c2a..8926c70552 100644
--- a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
+++ b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
@@ -2,28 +2,30 @@
title: Create a Group Policy Object (Windows)
description: Learn how to use the Active Directory Users and Computers MMC snap-in to create a GPO. You must be a member of the Domain Administrators group.
ms.assetid: 72a50dd7-5033-4d97-a5eb-0aff8a35cced
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Create a Group Policy Object
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
To create a new GPO, use the Active Directory Users and Computers MMC snap-in.
diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
index 513807383f..a2ad8d6f6c 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
@@ -2,28 +2,30 @@
title: Create an Authentication Exemption List Rule (Windows)
description: Learn how to create rules that exempt devices that cannot communicate by using IPSec from the authentication requirements of your isolation policies.
ms.assetid: 8f6493f3-8527-462a-82c0-fd91a6cb5dd8
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Create an Authentication Exemption List Rule
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies.
diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
index 037a451dee..99d3d07f46 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
@@ -2,20 +2,26 @@
title: Create an Authentication Request Rule (Windows)
description: Create a new rule for Windows Defender Firewall with Advanced Security so devices on the network use IPsec protocols and methods before they can communicate.
ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Create an Authentication Request Rule
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
index da5b7f7f20..76b063f72d 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
@@ -2,28 +2,30 @@
title: Create an Inbound ICMP Rule (Windows)
description: Learn how to allow inbound ICMP traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
ms.assetid: 267b940a-79d9-4322-b53b-81901e357344
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Create an Inbound ICMP Rule
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network.
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
index 93586077a2..56a7c6808c 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
@@ -2,28 +2,30 @@
title: Create an Inbound Port Rule (Windows)
description: Learn to allow traffic on specific ports by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
ms.assetid: a7b6c6ca-32fa-46a9-a5df-a4e43147da9f
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Create an Inbound Port Rule
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Defender Firewall
with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port.
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
index bb976db9c3..1d6f3352d0 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
@@ -2,28 +2,30 @@
title: Create an Inbound Program or Service Rule (Windows)
description: Learn how to allow inbound traffic to a program or service by using the Group Policy Management MMC snap-in to create firewall rules.
ms.assetid: 00b7fa60-7c64-4ba5-ba95-c542052834cf
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Create an Inbound Program or Service Rule
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
To allow inbound network traffic to a specified program or service, use the Windows Defender Firewall with Advanced Securitynode in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port.
diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
index 11f38ec926..9c6df54f31 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
@@ -2,28 +2,30 @@
title: Create an Outbound Port Rule (Windows)
description: Learn to block outbound traffic on a port by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
ms.assetid: 59062b91-756b-42ea-8f2a-832f05d77ddf
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Create an Outbound Port Rule
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers.
diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
index ec94f13e2b..79eb7dda0d 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
@@ -1,24 +1,26 @@
---
title: Create an Outbound Program or Service Rule (Windows)
description: Use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Create an Outbound Program or Service Rule
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port.
diff --git a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
index 4d05d75092..2fec297236 100644
--- a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
+++ b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
@@ -1,24 +1,26 @@
---
title: Create Inbound Rules to Support RPC (Windows)
description: Learn how to allow RPC network traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Create Inbound Rules to Support RPC
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
To allow inbound remote procedure call (RPC) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper.
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index 7f460e4af8..3b6a633dbf 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -1,23 +1,25 @@
---
title: Create Windows Firewall rules in Intune (Windows)
description: Learn how to use Intune to create rules in Windows Defender Firewall with Advanced Security. Start by creating a profile in Device Configuration in Intune.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Create Windows Firewall rules in Intune
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
>[!IMPORTANT]
>This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
index 1b2931e18d..2bdb97ef09 100644
--- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
@@ -1,24 +1,26 @@
---
title: Create WMI Filters for the GPO (Windows)
description: Learn how to use WMI filters on a GPO to make sure that each GPO for a group can only be applied to devices running the correct version of Windows.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Create WMI Filters for the GPO
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device.
diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
index a245dc4589..0b2d46c86c 100644
--- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
+++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
@@ -1,24 +1,26 @@
---
title: Designing a Windows Defender Firewall Strategy (Windows)
description: Answer the question in this article to design an effective Windows Defender Firewall with Advanced Security Strategy.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Designing a Windows Defender Firewall with Advanced Security Strategy
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the devices on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the devices.
diff --git a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
index 8ba54573da..7cc8bd8b35 100644
--- a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
+++ b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
@@ -1,24 +1,26 @@
---
title: Determining the Trusted State of Your Devices (Windows)
description: Learn how to define the trusted state of devices in your enterprise to help design your strategy for using Windows Defender Firewall with Advanced Security.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Determining the Trusted State of Your Devices
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this communication can lead to problems with the security of the trusted environment, because the overall security can't exceed the level of security set by the least secure client that achieves trusted status.
diff --git a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
index 2215134491..95dc6e163c 100644
--- a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
@@ -1,24 +1,26 @@
---
title: Documenting the Zones (Windows)
description: Learn how to document the zone placement of devices in your design for Windows Defender Firewall with Advanced Security.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Documenting the Zones
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
Generally, the task of determining zone membership isn't complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Defender Firewall with Advanced Security Strategy section. A sample is shown here:
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
index 2370992ec2..82b302fd7b 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
@@ -1,24 +1,26 @@
---
title: Domain Isolation Policy Design Example (Windows)
description: This example uses a fictitious company to illustrate domain isolation policy design in Windows Defender Firewall with Advanced Security.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Domain Isolation Policy Design Example
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams.
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
index 50640ef245..340f62976e 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
@@ -1,24 +1,26 @@
---
title: Domain Isolation Policy Design (Windows)
description: Learn how to design a domain isolation policy, based on which devices accept only connections from authenticated members of the same isolated domain.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Domain Isolation Policy Design
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
In the domain isolation policy design, you configure the devices on your network to accept only connections coming from devices that are authenticated as members of the same isolated domain.
diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md
index 307d2e17e0..123058b8dd 100644
--- a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md
+++ b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md
@@ -1,24 +1,26 @@
---
title: Enable Predefined Inbound Rules (Windows)
description: Learn the rules for Windows Defender Firewall with Advanced Security for common networking roles and functions.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Enable Predefined Inbound Rules
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
Windows Defender Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Using this advantage helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use.
diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md
index d0ee50b518..000488608e 100644
--- a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md
+++ b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md
@@ -1,24 +1,26 @@
---
title: Enable Predefined Outbound Rules (Windows)
description: Learn to deploy predefined firewall rules that block outbound network traffic for common network functions in Windows Defender Firewall with Advanced Security.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Enable Predefined Outbound Rules
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
By default, Windows Defender Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Defender Firewall includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically doesn't enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Using this advantage helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use.
diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
index 90e93ba044..bcca4ec64f 100644
--- a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
@@ -1,24 +1,26 @@
---
title: Encryption Zone GPOs (Windows)
description: Learn how to add a device to an encryption zone by adding the device account to the encryption zone group in Windows Defender Firewall with Advanced Security.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Encryption Zone GPOs
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section.
diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md
index 3427f8825c..7038a7f49d 100644
--- a/windows/security/threat-protection/windows-firewall/encryption-zone.md
+++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md
@@ -1,24 +1,26 @@
---
title: Encryption Zone (Windows)
description: Learn how to create an encryption zone to contain devices that host sensitive data and require that the sensitive network traffic be encrypted.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Encryption Zone
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
Some servers in the organization host data that's sensitive, including medical, financial, or other personal data. Government or industry regulations might require that this sensitive information must be encrypted when it's transferred between devices.
diff --git a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
index 9cd638e39c..3096a8342b 100644
--- a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
+++ b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
@@ -1,24 +1,26 @@
---
title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows)
description: Evaluating Windows Defender Firewall with Advanced Security Design Examples
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Evaluating Windows Defender Firewall with Advanced Security Design Examples
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
The following Windows Defender Firewall with Advanced Security design examples illustrate how you can use Windows Defender Firewall to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Defender Firewall designs and to determine which design or combination of designs best suits the goals of your organization.
diff --git a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md
index dee6778a40..d6de9a861d 100644
--- a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md
+++ b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md
@@ -1,24 +1,26 @@
---
title: Exempt ICMP from Authentication (Windows)
description: Learn how to add exemptions for any network traffic that uses the ICMP protocol in Windows Defender Firewall with Advanced Security.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Exempt ICMP from Authentication
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol.
diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md
index 487eb1a25d..ac27c34d95 100644
--- a/windows/security/threat-protection/windows-firewall/exemption-list.md
+++ b/windows/security/threat-protection/windows-firewall/exemption-list.md
@@ -1,24 +1,26 @@
---
title: Exemption List (Windows)
description: Learn about reasons to add devices to an exemption list in Windows Defender Firewall with Advanced Security and the trade-offs of having too many exemptions.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Exemption List
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
When you implement a server and domain isolation security model in your organization, you're likely to find more challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devices on the internal network, yet secured from network attacks. However, if they must remain available to all devices on the network, not just to isolated domain members, then these servers can't require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic.
diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
index 73db668581..f13a1094ec 100644
--- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
+++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
@@ -1,17 +1,23 @@
---
title: Filter origin audit log improvements
description: Filter origin documentation audit log improvements
-ms.reviewer:
-ms.author: v-bshilpa
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: normal
-author: Benny-54
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection:
- m365-security-compliance
- m365-initiative-windows-security
ms.topic: troubleshooting
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Filter origin audit log improvements
diff --git a/windows/security/threat-protection/windows-firewall/firewall-gpos.md b/windows/security/threat-protection/windows-firewall/firewall-gpos.md
index acce618f02..80b417b9a0 100644
--- a/windows/security/threat-protection/windows-firewall/firewall-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-gpos.md
@@ -1,24 +1,26 @@
---
title: Firewall GPOs (Windows)
description: In this example, a Group Policy Object is linked to the domain container because the domain controllers aren't part of the isolated domain.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Firewall GPOs
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters.
diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
index 71610970dc..d52cb81f95 100644
--- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
@@ -1,24 +1,26 @@
---
title: Basic Firewall Policy Design Example (Windows)
description: This example features a fictitious company and illustrates firewall policy design for Windows Defender Firewall with Advanced Security.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Basic Firewall Policy Design Example
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
In this example, the fictitious company Woodgrove Bank is a financial services institution.
diff --git a/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md b/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md
index 777d827e77..9d3ccfc6b4 100644
--- a/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md
@@ -1,17 +1,23 @@
---
title: Troubleshooting Windows Firewall settings after a Windows upgrade
description: Firewall settings lost on upgrade
-ms.reviewer:
-ms.author: v-bshilpa
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: Benny-54
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection:
- m365-security-compliance
- m365-initiative-windows-security
ms.topic: troubleshooting
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Troubleshooting Windows Firewall settings after a Windows upgrade
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
index da7ae54f60..8725d0c4ed 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
@@ -1,24 +1,26 @@
---
title: Gathering Information about Your Active Directory Deployment (Windows)
description: Learn about gathering Active Directory information, including domain layout, organizational unit architecture, and site topology, for your firewall deployment.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Gathering Information about Your Active Directory Deployment
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
Active Directory is another important item about which you must gather information. You must understand the forest structure. This structure includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Defender Firewall with Advanced Security. Review the following list for information needed:
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
index 1477bbc36c..bfe7c5a55b 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
@@ -1,24 +1,26 @@
---
title: Gathering Info about Your Network Infrastructure (Windows)
description: Learn how to gather info about your network infrastructure so that you can effectively plan for Windows Defender Firewall with Advanced Security deployment.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Gathering Information about Your Current Network Infrastructure
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
Perhaps the most important aspect of planning for Windows Defender Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Defender Firewall solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project:
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
index 6cdefe354a..eb25dfbbce 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
@@ -1,24 +1,26 @@
---
title: Gathering Information about Your Devices (Windows)
description: Learn what information to gather about the devices in your enterprise to plan your Windows Defender Firewall with Advanced Security deployment.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Gathering Information about Your Devices
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
One of the most valuable benefits of conducting an asset discovery project is the large amount of data that is obtained about the client and server devices on the network. When you start designing and planning your isolation zones, you must make decisions that require accurate information about the state of all hosts to ensure that they can use IPsec as planned.
diff --git a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
index 7f6cefda53..27ebec7226 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
@@ -1,24 +1,26 @@
---
title: Gathering Other Relevant Information (Windows)
description: Learn about additional information you may need to gather to deploy Windows Defender Firewall with Advanced Security policies in your organization.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Gathering Other Relevant Information
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This topic discusses several other things that you should examine to see whether they'll cause any complications in your ability to deploy Windows Defender Firewall with Advanced Security policies in your organization.
diff --git a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
index f009728af3..5f8c2be8fe 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
@@ -1,24 +1,26 @@
---
title: Gathering the Information You Need (Windows)
description: Collect and analyze information about your network, directory services, and devices to prepare for Windows Defender Firewall with Advanced Security deployment.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Gathering the Information You Need
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
Before starting the planning process for a Windows Defender Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information isn't accurate, problems can occur when devices and devices that weren't considered during the planning phase are encountered during implementation.
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
index 9d4cea8c27..a9b3bb3f08 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
@@ -1,24 +1,26 @@
---
title: GPO\_DOMISO\_Boundary (Windows)
description: This example GPO supports devices that aren't part of the isolated domain to access specific servers that must be available to those untrusted devices.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# GPO\_DOMISO\_Boundary
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose.
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
index a325feb5ed..9849e51f4d 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
@@ -1,16 +1,22 @@
---
title: GPO\_DOMISO\_Encryption\_WS2008 (Windows)
description: This example GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests.
-ms.reviewer:
-ms.author: dansimp
-author: dansimp
-manager: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.prod: m365-security
ms.localizationpriority: medium
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# GPO\_DOMISO\_Encryption\_WS2008
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
index 6cd30ab0e7..c50f026cc3 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
@@ -1,24 +1,26 @@
---
title: GPO\_DOMISO\_Firewall (Windows)
description: Learn about the settings and rules in this example GPO, which is authored by using the Group Policy editing tools.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# GPO\_DOMISO\_Firewall
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This GPO is authored by using the Windows Defender Firewall
with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008.
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
index be3ef61a55..40f53282db 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
@@ -1,24 +1,26 @@
---
title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows)
description: Author this GPO by using Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# GPO\_DOMISO\_IsolatedDomain\_Clients
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It's intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista.
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
index 3e4b545348..cd7824dccc 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
@@ -1,24 +1,26 @@
---
title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows)
description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# GPO\_DOMISO\_IsolatedDomain\_Servers
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This GPO is authored by using the Windows Defender Firewall interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It's intended to only apply to server devices that are running at least Windows Server 2008.
diff --git a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
index da1df7152e..393ecebb5b 100644
--- a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
+++ b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
@@ -1,23 +1,25 @@
---
title: Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment (Windows)
description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) implementation goals
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Identifying Windows Defender Firewall with Advanced Security implementation goals
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
Correctly identifying your Windows Defender Firewall with Advanced Security implementation goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your implementation goals. Prioritize and, if possible, combine your implementation goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall implementation goals presented in this guide that are relevant to your scenarios.
diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
index e99fb5bdc3..663cee3cb9 100644
--- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
+++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
@@ -1,24 +1,26 @@
---
title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan (Windows)
description: Implementing Your Windows Defender Firewall with Advanced Security Design Plan
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Implementing Your Windows Defender Firewall with Advanced Security Design Plan
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
The following are important factors in the implementation of your Windows Defender Firewall design plan:
diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md
index b2b51c8bed..d15da4ef92 100644
--- a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md
@@ -1,24 +1,26 @@
---
title: Isolated Domain GPOs (Windows)
description: Learn about GPOs for isolated domains in this example configuration of Windows Defender Firewall with Advanced Security.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Isolated Domain GPOs
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
All of the devices in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section.
diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain.md b/windows/security/threat-protection/windows-firewall/isolated-domain.md
index ab40a0617d..16663963fe 100644
--- a/windows/security/threat-protection/windows-firewall/isolated-domain.md
+++ b/windows/security/threat-protection/windows-firewall/isolated-domain.md
@@ -1,16 +1,22 @@
---
title: Isolated Domain (Windows)
description: Learn about the isolated domain, which is the primary zone for trusted devices, which use connection security and firewall rules to control communication.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Isolated Domain
diff --git a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md
index 94c2d1efc2..4da13f6712 100644
--- a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md
+++ b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md
@@ -3,22 +3,24 @@ title: Isolating Microsoft Store Apps on Your Network (Windows)
description: Learn how to customize your firewall configuration to isolate the network access of the new Microsoft Store apps that run on devices added to your network.
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Isolating Microsoft Store Apps on Your Network
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
When you add new devices to your network, you may want to customize your Windows Defender Firewall with Advanced Security configuration to isolate the network access of the new Microsoft Store apps that run on them. Developers who build Microsoft Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app.
diff --git a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md
index 27ca0787a6..50361255a5 100644
--- a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md
+++ b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md
@@ -1,24 +1,26 @@
---
title: Link the GPO to the Domain (Windows)
description: Learn how to link a GPO to the Active Directory container for the target devices, after you configure it in Windows Defender Firewall with Advanced Security.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Link the GPO to the Domain
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target devices.
diff --git a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
index e14954cb74..b729a362be 100644
--- a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
@@ -1,24 +1,26 @@
---
title: Mapping your implementation goals to a Windows Firewall with Advanced Security design (Windows)
description: Mapping your implementation goals to a Windows Firewall with Advanced Security design
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Mapping your implementation goals to a Windows Firewall with Advanced Security design
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
After you finish reviewing the existing Windows Firewall with Advanced Security implementation goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design.
> [!IMPORTANT]
diff --git a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
index 20c89d309f..ce5e5032ad 100644
--- a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
+++ b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
@@ -1,24 +1,26 @@
---
title: Modify GPO Filters (Windows)
description: Learn how to modify GPO filters to apply to a different zone or version of windows in Windows Defender Firewall with Advanced Security.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Modify GPO Filters to Apply to a Different Zone or Version of Windows
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
You must reconfigure your copied GPO so that it contains the correct security group and WMI filters for its new role. If you are creating the GPO for the isolated domain, use the [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo) procedure to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain.
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
index 27d55010fe..2a59a2ec1e 100644
--- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
@@ -1,24 +1,26 @@
---
title: Open the Group Policy Management Console to IP Security Policies (Windows)
description: Learn how to open the Group Policy Management Console to IP Security Policies to configure GPOs for earlier versions of the Windows operating system.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Open the Group Policy Management Console to IP Security Policies
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
Procedures in this guide that refer to GPOs for earlier versions of the Windows operating system instruct you to work with the IP Security Policy section in the Group Policy Management Console (GPMC).
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
index 6b414fd0e1..fbbda89fb9 100644
--- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
@@ -1,24 +1,26 @@
---
title: Group Policy Management of Windows Firewall with Advanced Security (Windows)
description: Group Policy Management of Windows Firewall with Advanced Security
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Group Policy Management of Windows Firewall with Advanced Security
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
Most of the procedures in this guide instruct you to use Group Policy settings for Windows Firewall with Advanced Security.
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
index 7c1ef5c3ab..548d290e41 100644
--- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
@@ -1,24 +1,26 @@
---
title: Group Policy Management of Windows Defender Firewall (Windows)
description: Group Policy Management of Windows Defender Firewall with Advanced Security
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Group Policy Management of Windows Defender Firewall
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
To open a GPO to Windows Defender Firewall:
diff --git a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
index 31a3fba50f..7d3b9aafd8 100644
--- a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
@@ -1,24 +1,26 @@
---
title: Open Windows Defender Firewall with Advanced Security (Windows)
description: Learn how to open the Windows Defender Firewall with Advanced Security console. You must be a member of the Administrators group.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Open Windows Defender Firewall with Advanced Security
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This procedure shows you how to open the Windows Defender Firewall with Advanced Security console.
diff --git a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
index 0e6eba3376..6ed68f701c 100644
--- a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
+++ b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
@@ -1,24 +1,26 @@
---
title: Planning Certificate-based Authentication (Windows)
description: Learn how a device unable to join an Active Directory domain can still participate in an isolated domain by using certificate-based authentication.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Planning Certificate-based Authentication
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
Sometimes a device can't join an Active Directory domain, and therefore can't use Kerberos V5 authentication with domain credentials. However, the device can still participate in the isolated domain by using certificate-based authentication.
diff --git a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
index 1df3ac69c7..0edcdd46c3 100644
--- a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
@@ -1,24 +1,26 @@
---
title: Planning Domain Isolation Zones (Windows)
description: Learn how to use information you've gathered to make decisions about isolation zones for your environment in Windows Defender Firewall with Advanced Security.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Planning Domain Isolation Zones
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
After you have the required information about your network, Active Directory, and client and server devices, you can use that information to make decisions about the isolation zones you want to use in your environment.
diff --git a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
index 356ce2a71e..12a6970f24 100644
--- a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
+++ b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
@@ -1,24 +1,26 @@
---
title: Planning GPO Deployment (Windows)
description: Learn how to use security group filtering and WMI filtering to provide the most flexible options for applying GPOs to devices in Active Directory.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Planning GPO Deployment
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
You can control which GPOs are applied to devices in Active Directory in a combination of three ways:
diff --git a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
index a4b877a50f..a63f2b239f 100644
--- a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
@@ -1,24 +1,26 @@
---
title: Planning Group Policy Deployment for Your Isolation Zones (Windows)
description: Learn how to plan a group policy deployment for your isolation zones after you determine the best logical design for your isolation environment.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Planning Group Policy Deployment for Your Isolation Zones
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
After you've decided on the best logical design of your isolation environment for the network and device security requirements, you can start the implementation plan.
diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
index 3b9d484653..ee193d5c3d 100644
--- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
@@ -1,24 +1,26 @@
---
title: Planning Isolation Groups for the Zones (Windows)
description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Planning Isolation Groups for the Zones
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group that represents that zone.
diff --git a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
index a46279468a..ebc3e779ce 100644
--- a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
+++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
@@ -1,24 +1,26 @@
---
title: Planning Network Access Groups (Windows)
description: Learn how to implement a network access group for users and devices that can access an isolated server in Windows Defender Firewall with Advanced Security.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Planning Network Access Groups
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
A network access group (NAG) is used to identify users and devices that have permission to access an isolated server. The server is configured with firewall rules that allow only network connections that are authenticated as originating from a device, and optionally a user, whose accounts are members of its NAG. A member of the isolated domain can belong to as many NAGs as required.
diff --git a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
index 9e0486133d..6cdcc36dc6 100644
--- a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
@@ -1,24 +1,26 @@
---
title: Planning Server Isolation Zones (Windows)
description: Learn how to restrict access to a server to approved users by using a server isolation zone in Windows Defender Firewall with Advanced Security.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Planning Server Isolation Zones
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
Sometimes a server hosts data that is sensitive. If your servers host data that must not be compromised, you have several options to help protect that data. One was already addressed: adding the server to the encryption zone. Membership in that zone prevents the server from being accessed by any devices that are outside the isolated domain, and encrypts all network connections to server.
diff --git a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
index 6f5c67f5bd..f4bcdca804 100644
--- a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
+++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
@@ -1,24 +1,26 @@
---
title: Planning Settings for a Basic Firewall Policy (Windows)
description: Learn how to design a basic policy for Windows Defender Firewall with Advanced Security, the settings and rules that enforce your requirements on devices.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Planning Settings for a Basic Firewall Policy
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
After you've identified your requirements, and have the information about the network layout and devices available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the devices.
diff --git a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
index c61cc01904..1a921ebe00 100644
--- a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
@@ -1,24 +1,26 @@
---
title: Planning the GPOs (Windows)
description: Learn about planning Group Policy Objects for your isolation zones in Windows Defender Firewall with Advanced Security, after you design the zone layout.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Planning the GPOs
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
When you plan the GPOs for your different isolation zones, you must complete the layout of the required zones and their mappings to the groups that link the devices to the zones.
diff --git a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
index b2922c2dd6..1411d23007 100644
--- a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
@@ -1,24 +1,26 @@
---
title: Plan to Deploy Windows Defender Firewall with Advanced Security (Windows)
description: Use the design information in this article to plan for the deployment of Windows Defender Firewall with Advanced Security in your organization.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Planning to Deploy Windows Defender Firewall with Advanced Security
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
After you collect information about your environment and decide on a design by following the guidance in the [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Defender Firewall with Advanced Security in your organization.
diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
index 3c54199363..9d104e67c2 100644
--- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
@@ -1,24 +1,26 @@
---
title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows)
description: After you gather the relevant information, select the design or combination of designs for Windows Defender Firewall with Advanced Security in your environment.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Planning Your Windows Defender Firewall with Advanced Security Design
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
After you've gathered the relevant information in the previous sections, and understood the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs.
diff --git a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
index 8c98be2b77..b12f025700 100644
--- a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
+++ b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
@@ -1,24 +1,26 @@
---
title: Procedures Used in This Guide (Windows)
description: Refer to this summary of procedures for Windows Defender Firewall with Advanced Security from checklists in this guide.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Procedures Used in This Guide
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order.
diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
index 0ae3e5785f..e143a06c23 100644
--- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
+++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
@@ -1,24 +1,26 @@
---
title: Protect devices from unwanted network traffic (Windows)
description: Learn how running a host-based firewall on every device in your organization can help protect against attacks as part of a defense-in-depth security strategy.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 01/18/2022
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Protect devices from unwanted network traffic
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall can't protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable devices are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats.
diff --git a/windows/security/threat-protection/windows-firewall/quarantine.md b/windows/security/threat-protection/windows-firewall/quarantine.md
index debe26322b..c914408573 100644
--- a/windows/security/threat-protection/windows-firewall/quarantine.md
+++ b/windows/security/threat-protection/windows-firewall/quarantine.md
@@ -1,16 +1,22 @@
---
title: Quarantine behavior
description: Quarantine behavior is explained in detail.
-ms.author: v-bshilpa
-author: Benny-54
-manager: dansimp
-ms.reviewer:
+ms.author: paoloma
+author: paolomatarazzo
+manager: aaroncz
+ms.reviewer: jekrynit
ms.prod: m365-security
ms.localizationpriority: normal
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Quarantine behavior
diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
index 92a170d7ef..eda42f13e6 100644
--- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
+++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
@@ -1,24 +1,26 @@
---
title: Require Encryption When Accessing Sensitive Network Resources (Windows)
description: Windows Defender Firewall with Advanced Security allows you to require that all network traffic in an isolated domain be encrypted.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Require Encryption When Accessing Sensitive Network Resources
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
The use of authentication in the previously described goal ([Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it doesn't prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets aren't encrypted.
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
index f9a9247b52..1b7a5eef66 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
@@ -1,24 +1,26 @@
---
title: Restrict Access to Only Specified Users or Devices (Windows)
description: Restrict access to devices and users that are members of domain groups authorized to access that device using Windows Defender Firewall with Advanced Security.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Restrict Access to Only Specified Users or Computers
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) prevents devices that are members of the isolated domain from accepting network traffic from untrusted devices. However, some devices on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data.
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
index 6f48e70c2f..83e9ef9191 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
@@ -1,24 +1,26 @@
---
title: Restrict access to only trusted devices (Windows)
description: Windows Defender Firewall with Advanced Security enables you to isolate devices you trust and restrict access of untrusted devices to trusted devices.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Restrict access to only trusted devices
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach devices that aren't owned by your organization to your network. Because you don't manage those devices, you can't trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy devices both on and outside of your physical network must not be permitted to access your organization's devices except where it's truly required.
diff --git a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
index d405ae9ad9..ccd8c1f678 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
@@ -1,24 +1,26 @@
---
title: Restrict Server Access to Members of a Group Only (Windows)
description: Create a firewall rule to access isolated servers running Windows Server 2008 or later and restrict server access to members of a group.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Restrict Server Access to Members of a Group Only
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
After you have configured the IPsec connection security rules that force client devices to authenticate their connections to the isolated server, you must configure the rules that restrict access to only those devices or users who have been identified through the authentication process as members of the isolated server’s access group.
diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
index e43a977d74..5de4aeebab 100644
--- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
+++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
@@ -3,22 +3,24 @@ title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 20
description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Securing End-to-End IPsec connections by using IKEv2
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
IKEv2 offers the following:
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
index 6c2574d928..15f710e53b 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
@@ -1,24 +1,26 @@
---
title: Server Isolation GPOs (Windows)
description: Learn about required GPOs for isolation zones and how many server isolation zones you need in Windows Defender Firewall with Advanced Security.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Server Isolation GPOs
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
Each set of devices that have different users or devices accessing them require a separate server isolation zone. Each zone requires one GPO for each version of Windows running on devices in the zone. The Woodgrove Bank example has an isolation zone for their devices that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. Woodgrove Bank copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose.
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
index bfade02b3c..f920003a00 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
@@ -1,24 +1,26 @@
---
title: Server Isolation Policy Design Example (Windows)
description: Learn about server isolation policy design in Windows Defender Firewall with Advanced Security by referring to this example of a fictitious company.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Server Isolation Policy Design Example
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This design example continues to use the fictitious company Woodgrove Bank, as described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section.
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
index 91160b8e0a..5dc27f7b43 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
@@ -1,24 +1,26 @@
---
title: Server Isolation Policy Design (Windows)
description: Learn about server isolation policy design, where you assign servers to a zone that allows access only to members of an approved network access group.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Server Isolation Policy Design
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
In the server isolation policy design, you assign servers to a zone that allows access only to users and devices that authenticate as members of an approved network access group (NAG).
diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
index a0116d71eb..9796a30b9e 100644
--- a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
@@ -1,17 +1,23 @@
---
title: Troubleshooting UWP App Connectivity Issues in Windows Firewall
description: Troubleshooting UWP App Connectivity Issues in Windows Firewall
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection:
- m365-security-compliance
- m365-initiative-windows-security
ms.topic: troubleshooting
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Troubleshooting UWP App Connectivity Issues
diff --git a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
index 64a55b790e..72d9d7fa43 100644
--- a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
+++ b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
@@ -1,24 +1,26 @@
---
title: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior (Windows)
description: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
To enable Windows Defender Firewall with Advanced Security and configure its default behavior, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console.
diff --git a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
index dd58d0c8d0..e924d932ea 100644
--- a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
+++ b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
@@ -3,14 +3,20 @@ title: Understand WFAS Deployment (Windows)
description: Resources for helping you understand the Windows Defender Firewall with Advanced Security (WFAS) Design Process
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Understanding the Windows Defender Firewall with Advanced Security Design Process
diff --git a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
index 3f49bc068c..9359451826 100644
--- a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
+++ b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
@@ -1,24 +1,26 @@
---
title: Verify That Network Traffic Is Authenticated (Windows)
description: Learn how to confirm that network traffic is being protected by IPsec authentication after you configure your domain isolation rule to require authentication.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Verify That Network Traffic Is Authenticated
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
After you've configured your domain isolation rule to request, rather than require, authentication, you must confirm that the network traffic sent by the devices on the network is being protected by IPsec authentication as expected. If you switch your rules to require authentication before all of the devices have received and applied the correct GPOs, or if there are any errors in your rules, then communications on the network can fail. By first setting the rules to request authentication, any network connections that fail authentication can continue in clear text while you diagnose and troubleshoot.
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
index 7173220848..14a6de27f4 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
@@ -3,22 +3,24 @@ title: Windows Defender Firewall with Advanced Security Administration with Wind
description: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Windows Defender Firewall with Advanced Security Administration with Windows PowerShell
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
The Windows Defender Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Defender Firewall management. It's designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Defender Firewall management in Windows.
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
index f0ec1fb9dc..b2d5a9b049 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
@@ -1,24 +1,26 @@
---
title: Windows Defender Firewall with Advanced Security deployment overview (Windows)
description: Use this guide to deploy Windows Defender Firewall with Advanced Security for your enterprise to help protect devices and data that they share across a network.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Windows Defender Firewall with Advanced Security deployment overview
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
You can use the Windows Defender Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network.
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
index 791816f439..b23f7bc963 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
@@ -1,24 +1,26 @@
---
title: Windows Defender Firewall with Advanced Security design guide (Windows)
description: Learn about common goals for using Windows Defender Firewall with Advanced Security to choose or create a design for deploying the firewall in your enterprise.
-ms.reviewer:
-ms.author: dansimp
+ms.reviewer: jekrynit
+ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
+author: paolomatarazzo
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Windows Defender Firewall with Advanced Security design guide
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
Windows Defender Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Defender Firewall supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that can't authenticate can't communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices.
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
index 297a720a7a..dc08cf7455 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
@@ -3,23 +3,25 @@ title: Windows Defender Firewall with Advanced Security (Windows)
description: Learn overview information about the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
ms.prod: m365-security
ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-manager: dansimp
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
-ms.reviewer:
+ms.reviewer: jekrynit
ms.custom: asr
ms.technology: windows-sec
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows Server 2016
+- ✅ Windows Server 2019
+- ✅ Windows Server 2022
---
# Windows Defender Firewall with Advanced Security
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This topic is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
From cdcf5eb2f3eac912d0e526fbda3cf28042612d58 Mon Sep 17 00:00:00 2001
From: Angela Fleischmann
Date: Thu, 11 Aug 2022 18:03:02 -0600
Subject: [PATCH 6/9] Light copyedit
windows/security/identity-protection/access-control/local-accounts.md
https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/a69576be-9a47-4363-8299-e82d8685dcad#CORRECTNESS
Line 120: users > user's
Line 126: are > is
windows/security/identity-protection/configure-s-mime.md
https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/4f3b39d4-9f2a-4c07-8f5b-d2f7571146fc#CORRECTNESS
Line 30: recipient(s) > recipients
windows/security/identity-protection/credential-guard/additional-mitigations.md
https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/ba28fde6-7ce6-4950-b001-6e3d14d57a05#CORRECTNESS
Line 21: sign on > sign on to
Lines 99 and 105: sign on > sign-on
windows/security/identity-protection/credential-guard/credential-guard-considerations.md
https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/129d9030-fcec-42a2-884f-182d9c3e8a98#CORRECTNESS
Line 83: signed-in > signed in
Line 84: signed-in > signed in
windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/b9c05e69-3ba6-4c2b-8770-1af996ae98dc#CORRECTNESS
Line 126 and 132: sign on > sign-on
---
.../identity-protection/access-control/local-accounts.md | 4 ++--
windows/security/identity-protection/configure-s-mime.md | 2 +-
.../credential-guard/additional-mitigations.md | 8 ++++----
.../credential-guard/credential-guard-considerations.md | 4 ++--
.../credential-guard-not-protected-scenarios.md | 4 ++--
5 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index 854d62c172..cf62379ed8 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -117,13 +117,13 @@ In addition, the guest user in the Guest account shouldn't be able to view the e
The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending.
-HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it's initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the users invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service.
+HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it's initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user's invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service.
**Security considerations**
The SIDs that pertain to the default HelpAssistant account include:
-- SID: S-1-5-<domain>-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note: In Windows Server 2008, Remote Desktop Services are called Terminal Services.
+- SID: S-1-5-<domain>-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note: In Windows Server 2008, Remote Desktop Services is called Terminal Services.
- SID: S-1-5-<domain>-14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
index 0f0491d86e..2cf5a0e5b7 100644
--- a/windows/security/identity-protection/configure-s-mime.md
+++ b/windows/security/identity-protection/configure-s-mime.md
@@ -27,7 +27,7 @@ S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an
Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys.
-Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipient(s) whose encryption certificate are not available, the app will prompt you to remove these recipients before sending the email.
+Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipients whose encryption certificate are not available, the app will prompt you to remove these recipients before sending the email.
## About digital signatures
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index ed33a72d92..ae0b3c7b76 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -18,7 +18,7 @@ Windows Defender Credential Guard can provide mitigation against attacks on deri
## Restricting domain users to specific domain-joined devices
-Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
+Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on with devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
### Kerberos armoring
@@ -32,7 +32,7 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring,
### Protecting domain-joined device secrets
-Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
+Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on to devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
Domain-joined device certificate authentication has the following requirements:
- Devices' accounts are in Windows Server 2012 domain functional level or higher.
@@ -96,13 +96,13 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro
.\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”"
```
-### Restricting user sign on
+### Restricting user sign-on
So we now have completed the following:
- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on
- Mapped that policy to a universal security group or claim
-- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.
+- Provided a way for domain controllers to get the device authorization data during user sign-on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.
Authentication policies have the following requirements:
- User accounts are in a Windows Server 2012 domain functional level or higher domain.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
index 31fb780b79..22f3e34740 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
@@ -80,8 +80,8 @@ Domain user sign-in on a domain-joined device after clearing a TPM for as long a
|Credential Type | Windows version | Behavior
|---|---|---|
| Certificate (smart card or Windows Hello for Business) | All | All data protected with user DPAPI is unusable and user DPAPI doesn't work at all. |
-| Password | Windows 10 v1709 or later | If the user signed-in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected.
-| Password | Windows 10 v1703 | If the user signed-in with a password prior to clearing the TPM, then they can sign-in with that password and are unaffected.
+| Password | Windows 10 v1709 or later | If the user signed in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected.
+| Password | Windows 10 v1703 | If the user signed in with a password prior to clearing the TPM, then they can sign-in with that password and are unaffected.
| Password | Windows 10 v1607 or earlier | Existing user DPAPI protected data is unusable. User DPAPI is able to protect new data.
Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
index 55a98fdb3e..445168ffc1 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
@@ -123,13 +123,13 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro
.\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”"
```
-#### Restricting user sign on
+#### Restricting user sign-on
So we now have completed the following:
- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on
- Mapped that policy to a universal security group or claim
-- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.
+- Provided a way for domain controllers to get the device authorization data during user sign-on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.
Authentication policies have the following requirements:
- User accounts are in a Windows Server 2012 domain functional level or higher domain.
From 2c88cd4fae402495b320b945782dfbb71544d5ec Mon Sep 17 00:00:00 2001
From: Angela Fleischmann
Date: Thu, 11 Aug 2022 18:58:37 -0600
Subject: [PATCH 7/9] Correctness/typo copyedit
windows/security/identity-protection/enterprise-certificate-pinning.md
https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/e890ad26-c01b-4744-a8c3-b3e957305871#CORRECTNESS
Line 101: exclude > excludes
Line 109: then, wildcard > then wildcard
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/fbf76d9b-398e-4c35-9f42-7e5f64432f7f#CORRECTNESS
Line 35: trust deployment, does not > trust deployment does not
Line 90: technology, such as DirSync or Azure AD sync need > technology, such as DirSync or Azure AD sync, need
windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/75fb9e1f-9c73-4f30-9f9c-70d3bf630370#CORRECTNESS
Line 58: keys > key
Lines 65 and 74: Any time > Anytime
windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/29e7c53f-7633-454a-8474-522cf3bd3c20#CORRECTNESS
Line 66: Remote Desktop Services enable > Remote Desktop Services enables
windows/security/identity-protection/smart-cards/smart-card-architecture.md
https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/9a406540-b330-4be9-a714-a1997e1482b0#CORRECTNESS
Line 125: it require > it requires
windows/security/identity-protection/smart-cards/smart-card-events.md
https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/d03be924-73ef-455a-92c5-a8227c3cca56#CORRECTNESS
Line 53: could not to be > could not be
windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/859b68c2-dd5d-49c6-93d4-e01aba2935b3#CORRECTNESS
Lines 96, 152, 167, 185, 258 (x2), 262, 268, 306, and 311: sign in > sign-in
Line 198: clean up > clean-up
windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/12a919ae-26c5-416d-be2e-5e31fe29e752#CORRECTNESS
Line 33: sign in > sign-in
---
.../enterprise-certificate-pinning.md | 4 ++--
.../hello-hybrid-key-trust-prereqs.md | 4 ++--
.../retired/hello-how-it-works.md | 6 ++---
.../smart-card-and-remote-desktop-services.md | 2 +-
.../smart-cards/smart-card-architecture.md | 2 +-
.../smart-cards/smart-card-events.md | 2 +-
...card-group-policy-and-registry-settings.md | 24 +++++++++----------
.../smart-card-removal-policy-service.md | 2 +-
8 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index 62ef573756..facbb090b1 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@@ -98,7 +98,7 @@ The **Certificate** element can have the following attributes.
| **File** | Path to a file containing one or more certificates. Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst
These files can also be Base64 formatted. All **Site** elements included in the same **PinRule** element can match any of these certificates. | Yes (File, Directory, or Base64 must be present). |
| **Directory** | Path to a directory containing one or more of the above certificate files. Skips any files not containing any certificates. | Yes (File, Directory, or Base64 must be present). |
| **Base64** | Base64 encoded certificate(s). Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst
This allows the certificates to be included in the XML file without a file directory dependency.
Note:
You can use **certutil -encode** to convert a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. | Yes (File, Directory, or Base64 must be present). |
-| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates.
If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL.
For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).| No.|
+| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates.
If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and excludes the certificate(s) from the Pin Rule in the generated CTL.
For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).| No.|
#### Site element
@@ -106,7 +106,7 @@ The **Site** element can have the following attributes.
| Attribute | Description | Required |
|-----------|-------------|----------|
-| **Domain** | Contains the DNS name to be matched for this pin rule. When creating the certificate trust list, the parser normalizes the input name string value as follows:
- If the DNS name has a leading "*", it's removed.
- Non-ASCII DNS name is converted to ASCII Puny Code.
- Upper case ASCII characters are converted to lower case.
If the normalized name has a leading ".", then, wildcard left-hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.|
+| **Domain** | Contains the DNS name to be matched for this pin rule. When creating the certificate trust list, the parser normalizes the input name string value as follows:
- If the DNS name has a leading "*", it's removed.
- Non-ASCII DNS name is converted to ASCII Puny Code.
- Upper case ASCII characters are converted to lower case.
If the normalized name has a leading ".", then wildcard left-hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.|
| **AllSubdomains** | By default, wildcard left-hand label matching is restricted to a single left-hand label. This attribute can be set to "true" to enable wildcard matching of all of the left-hand labels.
For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value.| No.|
### Create a Pin Rules Certificate Trust List
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index f5f0966e5a..b732396e36 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -32,7 +32,7 @@ The distributed systems on which these technologies were built involved several
Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2.
-A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription.
+A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment does not need a premium Azure Active Directory subscription.
You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers.
If using the key trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business.
@@ -87,7 +87,7 @@ The minimum required Enterprise certificate authority that can be used with Wind
The two directories used in hybrid deployments must be synchronized. You need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory.
-Organizations using older directory synchronization technology, such as DirSync or Azure AD sync need to upgrade to Azure AD Connect.
+Organizations using older directory synchronization technology, such as DirSync or Azure AD sync, need to upgrade to Azure AD Connect.
### Section Review
diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
index d594821d9b..aaca362314 100644
--- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
@@ -55,14 +55,14 @@ Containers can contain several types of key material:
- An authentication key, which is always an asymmetric public–private key pair. This key pair is generated during registration. It must be unlocked each time it’s accessed, by using either the user’s PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key.
- Virtual smart card keys are generated when a virtual smart card is generated and stored securely in the container. They’re available whenever the user’s container is unlocked.
-- The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways:
+- The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP key). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways:
- The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831498(v=ws.11)). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container.
- The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don’t have or need a PKI.
## How keys are protected
-Any time key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Work implementation takes advantage of onboard TPM hardware to generate and protect keys. However, Windows Hello and Windows Hello for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the device can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed.
+Anytime key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Work implementation takes advantage of onboard TPM hardware to generate and protect keys. However, Windows Hello and Windows Hello for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the device can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed.
Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to reauthenticate to the IDP before the IDP allows him or her to re-register). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed.
@@ -71,7 +71,7 @@ Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protect
When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container.
-These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Microsoft Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device.
+These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Microsoft Store to require reauthentication anytime a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device.
For example, the authentication process for Azure Active Directory works like this:
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index 6281288b7d..613d27bf02 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -63,7 +63,7 @@ When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services
### Remote Desktop Services and smart card sign-in
-Remote Desktop Services enable users to sign in with a smart card by entering a PIN on the RDC client computer and sending it to the RD Session Host server in a manner similar to authentication that is based on user name and password.
+Remote Desktop Services enables users to sign in with a smart card by entering a PIN on the RDC client computer and sending it to the RD Session Host server in a manner similar to authentication that is based on user name and password.
In addition, Group Policy settings that are specific to Remote Desktop Services need to be enabled for smart card-based sign-in.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index d6f114f368..3fa8e4255e 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -122,7 +122,7 @@ The global data cache is hosted in the Smart Cards for Windows service. Windows
The PIN cache protects the user from entering a PIN every time the smart card is unauthenticated. After a smart card is authenticated, it will not differentiate among host-side applications—any application can access private data on the smart card.
-To mitigate this, the smart card enters an exclusive state when an application authenticates to the smart card. However, this means that other applications cannot communicate with the smart card and will be blocked. Therefore, such exclusive connections are minimized. The issue is that a protocol (such as the Kerberos protocol) requires multiple signing operations. Therefore, the protocol requires exclusive access to the smart card over an extended period, or it require multiple authentication operations. This is where the PIN cache is used to minimize exclusive use of the smart card without forcing the user to enter a PIN multiple times.
+To mitigate this, the smart card enters an exclusive state when an application authenticates to the smart card. However, this means that other applications cannot communicate with the smart card and will be blocked. Therefore, such exclusive connections are minimized. The issue is that a protocol (such as the Kerberos protocol) requires multiple signing operations. Therefore, the protocol requires exclusive access to the smart card over an extended period, or it requires multiple authentication operations. This is where the PIN cache is used to minimize exclusive use of the smart card without forcing the user to enter a PIN multiple times.
The following example illustrates how this works. In this scenario, there are two applications: Outlook and Internet Explorer. The applications use smart cards for different purposes.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md
index 2f1430846f..a750b165ca 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-events.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-events.md
@@ -50,7 +50,7 @@ The smart card reader device name is constructed in the form <*VendorName*>
| **Event ID** | **Warning Message** | **Description** |
|--------------|---------|--------------------------------------------------------------------------------------------|
-| 620 | Smart Card Resource Manager was unable to cancel IOCTL %3 for reader '%2': %1. The reader may no longer be responding. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs if the resource manager attempts to cancel a command to the smart card reader when the smart card service is shutting down or after a smart card is removed from the smart card reader and the command could not to be canceled. This can leave the smart card reader in an unusable state until it's removed from the computer or the computer is restarted.
%1 = Windows error code
%2 = Smart card reader name
%3 = IOCTL being canceled
%4 = First 4 bytes of the command that was sent to the smart card |
+| 620 | Smart Card Resource Manager was unable to cancel IOCTL %3 for reader '%2': %1. The reader may no longer be responding. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs if the resource manager attempts to cancel a command to the smart card reader when the smart card service is shutting down or after a smart card is removed from the smart card reader and the command could not be canceled. This can leave the smart card reader in an unusable state until it's removed from the computer or the computer is restarted.
%1 = Windows error code
%2 = Smart card reader name
%3 = IOCTL being canceled
%4 = First 4 bytes of the command that was sent to the smart card |
| 619 | Smart Card Reader '%2' hasn't responded to IOCTL %3 in %1 seconds. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs when a reader hasn't responded to an IOCTL after an unusually long period of time. Currently, this error is sent after a reader doesn't respond for 150 seconds. This can leave the smart card reader in an unusable state until it's removed from the computer or the computer is restarted.
%1 = Number of seconds the IOCTL has been waiting
%2 = Smart card reader name
%3 = IOCTL sent
%4 = First 4 bytes of the command that was sent to the smart card |
## Smart card error events
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
index 9929ee2bff..2b1c30addd 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@@ -93,7 +93,7 @@ The following table lists the default values for these GPO settings. Variations
### Allow certificates with no extended key usage certificate attribute
-You can use this policy setting to allow certificates without an enhanced key usage (EKU) set to be used for sign in.
+You can use this policy setting to allow certificates without an enhanced key usage (EKU) set to be used for sign-in.
> [!NOTE]
> Enhanced key usage certificate attribute is also known as extended key usage.
@@ -149,9 +149,9 @@ When this setting isn't turned on, the feature is not available.
### Allow signature keys valid for Logon
-You can use this policy setting to allow signature key–based certificates to be enumerated and available for sign in.
+You can use this policy setting to allow signature key–based certificates to be enumerated and available for sign-in.
-When this setting is turned on, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen.
+When this setting is turned on, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen.
When this setting isn't turned on, certificates available on the smart card with a signature-only key aren't listed on the sign-in screen.
@@ -164,7 +164,7 @@ When this setting isn't turned on, certificates available on the smart card with
### Allow time invalid certificates
-You can use this policy setting to permit certificates that are expired or not yet valid to be displayed for sign in.
+You can use this policy setting to permit certificates that are expired or not yet valid to be displayed for sign-in.
> [!NOTE]
> Before Windows Vista, certificates were required to contain a valid time and to not expire. For a certificate to be used, it must be accepted by the domain controller. This policy setting only controls which certificates are displayed on the client computer.
@@ -182,7 +182,7 @@ When this policy setting isn't turned on, certificates that are expired or not y
### Allow user name hint
-You can use this policy setting to determine whether an optional field appears during sign in and provides a subsequent elevation process where users can enter their username or username and domain, which associates a certificate with the user.
+You can use this policy setting to determine whether an optional field appears during sign-in and provides a subsequent elevation process where users can enter their username or username and domain, which associates a certificate with the user.
When this policy setting is turned on, users see an optional field where they can enter their username or username and domain.
@@ -195,7 +195,7 @@ When this policy setting isn't turned on, users don't see this optional field.
| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
| Notes and resources | |
-### Configure root certificate clean up
+### Configure root certificate clean-up
You can use this policy setting to manage the cleanup behavior of root certificates. Certificates are verified by using a trust chain, and the trust anchor for the digital certificate is the Root Certification Authority (CA). A CA can issue multiple certificates with the root certificate as the top certificate of the tree structure. A private key is used to sign other certificates. This creates an inherited trustworthiness for all certificates immediately under the root certificate.
@@ -255,17 +255,17 @@ This policy setting is applied to the computer after the [Allow time invalid cer
### Force the reading of all certificates from the smart card
-You can use this policy setting to manage how Windows reads all certificates from the smart card for sign in. During sign in, Windows reads only the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This policy setting forces Windows to read all the certificates from the smart card.
+You can use this policy setting to manage how Windows reads all certificates from the smart card for sign-in. During sign-in, Windows reads only the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This policy setting forces Windows to read all the certificates from the smart card.
-When this policy setting is turned on, Windows attempts to read all certificates from the smart card, regardless of the CSP feature set.
+When this policy setting is turned on, Windows attempts to read all certificates from the smart card, regardless of the CSP feature set.
-When this policy isn't turned on, Windows attempts to read only the default certificate from smart cards that don't support retrieval of all certificates in a single call. Certificates other than the default aren't available for sign in.
+When this policy isn't turned on, Windows attempts to read only the default certificate from smart cards that don't support retrieval of all certificates in a single call. Certificates other than the default aren't available for sign-in.
| **Item** | **Description** |
|--------------------------------------|----------------------------------------------------------------------------|
| Registry key | **ForceReadingAllCertificates** |
| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None
**Important**: Enabling this policy setting can adversely impact performance during the sign in process in certain situations. |
+| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None
**Important**: Enabling this policy setting can adversely impact performance during the sign-in process in certain situations. |
| Notes and resources | Contact the smart card vendor to determine if your smart card and associated CSP support the required behavior. |
### Notify user of successful smart card driver installation
@@ -303,12 +303,12 @@ When this setting isn't turned on, Credential Manager can return plaintext PINs.
### Reverse the subject name stored in a certificate when displaying
-You can use this policy setting to control the way the subject name appears during sign in.
+You can use this policy setting to control the way the subject name appears during sign-in.
> [!NOTE]
> To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, when this setting is enabled, if the certificate subject is CN=User1, OU=Users, DN=example, DN=com and the UPN is user1@example.com, "User1" is displayed with "user1@example.com." If the UPN is not present, the entire subject name is displayed. This setting controls the appearance of that subject name, and it might need to be adjusted for your organization.
-When this policy setting is turned on, the subject name during sign in appears reversed from the way that it's stored in the certificate.
+When this policy setting is turned on, the subject name during sign-in appears reversed from the way that it's stored in the certificate.
When this policy setting isn’t turned on, the subject name appears the same as it’s stored in the certificate.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
index 6c0a8e06e8..79ce85481a 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
@@ -30,7 +30,7 @@ The smart card removal policy service is applicable when a user has signed in wi
The numbers in the previous figure represent the following actions:
-1. Winlogon is not directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign in was initiated.
+1. Winlogon is not directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign-in was initiated.
2. The smart card resource manager service notifies the smart card removal policy service that a sign-in has occurred.
From 510c4f9dae3b45405ca4cd9a48684446a5b4c7a1 Mon Sep 17 00:00:00 2001
From: Angela Fleischmann
Date: Thu, 11 Aug 2022 19:12:35 -0600
Subject: [PATCH 8/9] Update
windows/security/identity-protection/configure-s-mime.md
https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/4f3b39d4-9f2a-4c07-8f5b-d2f7571146fc#CORRECTNESS
---
windows/security/identity-protection/configure-s-mime.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
index 2cf5a0e5b7..2bd4fde45f 100644
--- a/windows/security/identity-protection/configure-s-mime.md
+++ b/windows/security/identity-protection/configure-s-mime.md
@@ -27,7 +27,7 @@ S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an
Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys.
-Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipients whose encryption certificate are not available, the app will prompt you to remove these recipients before sending the email.
+Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipients whose encryption certificate is not available, the app will prompt you to remove these recipients before sending the email.
## About digital signatures
From 7c8b0abc5217d2128d2e85798ac5d632b5fffadd Mon Sep 17 00:00:00 2001
From: Angela Fleischmann
Date: Thu, 11 Aug 2022 19:14:50 -0600
Subject: [PATCH 9/9] Update configure-s-mime.md
Line 85: app provide feature > app provides a feature
---
windows/security/identity-protection/configure-s-mime.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
index 2bd4fde45f..b1d3c58e26 100644
--- a/windows/security/identity-protection/configure-s-mime.md
+++ b/windows/security/identity-protection/configure-s-mime.md
@@ -82,7 +82,7 @@ When you receive an encrypted message, the mail app will check whether there is
## Install certificates from a received message
-When you receive a signed email, the app provide feature to install corresponding encryption certificate on your device if the certificate is available. This certificate can then be used to send encrypted email to this person.
+When you receive a signed email, the app provides a feature to install corresponding encryption certificate on your device if the certificate is available. This certificate can then be used to send encrypted email to this person.
1. Open a signed email.
@@ -91,4 +91,4 @@ When you receive a signed email, the app provide feature to install correspondin
3. Tap **Install.**
:::image type="content" alt-text="message security information." source="images/installcert.png":::
-
\ No newline at end of file
+