+  |
|
- |
|
|
|
@@ -1065,10 +1063,9 @@ Additional lists:
 |
|
- |
|
|
- |
+ |
|
@@ -1092,7 +1089,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1118,7 +1115,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1144,7 +1141,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1168,7 +1165,7 @@ Additional lists:
Mobile |
- |
+ |
3 |
3 |
3 |
@@ -1196,10 +1193,10 @@ Additional lists:
|
|
- |
|
|
- (Provisioning only) |
+ |
+ B |
@@ -1248,7 +1245,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1274,7 +1271,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1300,7 +1297,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1378,7 +1375,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1404,7 +1401,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1482,7 +1479,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1534,7 +1531,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1560,7 +1557,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1586,7 +1583,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1638,7 +1635,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1664,7 +1661,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1688,12 +1685,12 @@ Additional lists:
Mobile |
- | (Provisioning only) |
- (Provisioning only) |
- |
- (Provisioning only) |
- (Provisioning only) |
- (Provisioning only) |
+ B |
+ B |
+ B |
+ B |
+ B |
+ B |
@@ -1716,7 +1713,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1742,7 +1739,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1768,7 +1765,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1794,7 +1791,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1820,7 +1817,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1846,7 +1843,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1872,7 +1869,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1898,7 +1895,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1924,7 +1921,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -1950,7 +1947,7 @@ Additional lists:
|
1 |
- |
+ 1 |
1 |
1 |
|
@@ -1976,7 +1973,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -2002,7 +1999,7 @@ Additional lists:
|
1 |
- |
+ 1 |
1 |
1 |
|
@@ -2028,7 +2025,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -2159,7 +2156,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -2185,7 +2182,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -2211,7 +2208,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -2237,7 +2234,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -2290,7 +2287,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -2316,7 +2313,7 @@ Additional lists:
|
1 |
- |
+ 1 |
1 |
1 |
|
@@ -2368,7 +2365,7 @@ Additional lists:
|
1 |
- |
+ 1 |
1 |
1 |
|
@@ -2421,7 +2418,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -2447,7 +2444,7 @@ Additional lists:
|
|
- |
+ |
|
|
|
@@ -2503,7 +2500,6 @@ Additional lists:
|
|
|
- |
@@ -2555,7 +2551,7 @@ The following list shows the CSPs supported in HoloLens devices:
[PassportForWork CSP](passportforwork-csp.md) |  |  |  |
| [Policy CSP](policy-configuration-service-provider.md) |  |  |  |
| [RemoteFind CSP](remotefind-csp.md) |  |  4 |  |
-| [RemoteWipe CSP](remotewipe-csp.md) |  |  4 |  |
+| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) |  |  4 |  |
| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) |  |  |  |
| [TenantLockdown CSP](tenantlockdown-csp.md) |  |  |  10 |
| [Update CSP](update-csp.md) |  |  |  |
@@ -2627,6 +2623,8 @@ The following list shows the CSPs supported in HoloLens devices:
Footnotes:
+- A - Only for mobile application management (MAM).
+- B - Provisioning only.
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
@@ -2635,5 +2633,6 @@ The following list shows the CSPs supported in HoloLens devices:
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
-- 9 - Added in Windows 10 Team 2020 Update
-- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2)
\ No newline at end of file
+- 9 - Added in Windows 10 Team 2020 Update.
+- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2).
+
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index 9e1150cd20..775e72cacd 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -128,7 +128,7 @@ Requirements:
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later.
>
> The default behavior for older releases is to revert to **User Credential**.
- > **Device Credential** is not supported for enrollment type when you have a ConfigMgr Agent on your device.
+ > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or Azure Virtual Desktop.
When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md
index 3463de078b..9f691cab8c 100644
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@@ -502,8 +502,8 @@ The following list of data points are verified by the DHA-Service in DHA-Report
- [HealthStatusMismatchFlags](#healthstatusmismatchflags)
\* TPM 2.0 only
-** Reports if Bitlocker was enabled during initial boot.
-*** The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot.
+\*\* Reports if BitLocker was enabled during initial boot.
+\*\*\* The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot.
Each of these are described in further detail in the following sections, along with the recommended actions to take.
@@ -547,8 +547,8 @@ Each of these are described in further detail in the following sections, along w
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
-**BitlockerStatus** (at boot time)
-When Bitlocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
+**BitLockerStatus** (at boot time)
+When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.
@@ -614,7 +614,7 @@ Each of these are described in further detail in the following sections, along w
- Disallow all access
- Disallow access to HBI assets
- Place the device in a watch list to monitor the device more closely for potential risks.
-- Trigger a corrective action, such as enabling VSM using WMI or a Powershell script.
+- Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script.
**OSKernelDebuggingEnabled**
OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.
@@ -659,7 +659,7 @@ Each of these are described in further detail in the following sections, along w
- Disallow all access
- Disallow access to HBI and MBI assets
- Place the device in a watch list to monitor the device more closely for potential risks.
-- Trigger a corrective action, such as enabling test signing using WMI or a Powershell script.
+- Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script.
**SafeMode**
Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.
@@ -1176,4 +1176,3 @@ xmlns="http://schemas.microsoft.com/windows/security/healthcertificate/validatio
[Configuration service provider reference](configuration-service-provider-reference.md)
-
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 28a1cdf6e0..4d1e1393b7 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -741,13 +741,13 @@ The following list shows the supported values for Windows 8.1:
In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft.
-The following list shows the supported values for Windows 10 version 1809 and older:
-
-- 0 – (**Security**) This turns Windows diagnostic data off.
+The following list shows the supported values for Windows 10 version 1809 and older, choose the value that is applicable to your OS version (older OS values are displayed in the brackets):
+- 0 – **Off (Security)** This turns Windows diagnostic data off.
**Note**: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1.
-- 1 – (**Required**) Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date.
-- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps.
-- 3 – (**Optional**) Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs.
+- 1 – **Required (Basic)** Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date.
+- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps.
+ **Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1.
+- 3 – **Optional (Full)** Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs.
Most restrictive value is 0.
@@ -1683,7 +1683,7 @@ To enable this behavior, you must complete two steps:
- Enable this policy setting
- Set the **AllowTelemetry** level:
- - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced
+ - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced. (**Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1)
- For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full)
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index 15c30be7f5..1fed240483 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -390,6 +390,9 @@ Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile.
The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any additional flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface.
+> [!NOTE]
+> Only applications using the [Windows DNS API](/windows/win32/dns/dns-reference) can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet [Resolve-DNSName](/powershell/module/dnsclient/resolve-dnsname) to check the functionality of the NRPT.
+
**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId
A sequential integer identifier for the Domain Name information. Sequencing must start at 0.
@@ -419,8 +422,8 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/WebProxyServers**
Optional. Web Proxy Server IP address if you are redirecting traffic through your intranet.
-> [!NOTE]
-> Currently only one web proxy server is supported.
+> [!NOTE]
+> Currently only one web proxy server is supported.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@@ -1600,4 +1603,3 @@ Servers
-
diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md
index 4c034921b7..b7bccbb684 100644
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@@ -125,7 +125,7 @@ Deployment scheduling controls are always available, but to take advantage of th
> Deployment protections are currently in preview and available if you're using Update Compliance. If you set these policies on a a device that isn't enrolled in Update Compliance, there is no effect.
- Diagnostic data is set to *Required* or *Optional*.
-- The **AllowWUfBCloudProcessing** policy is set to **1**.
+- The **AllowWUfBCloudProcessing** policy is set to **8**.
#### Set the **AllowWUfBCloudProcessing** policy
@@ -148,8 +148,8 @@ Following is an example of setting the policy using Microsoft Endpoint Manager:
- Name: **AllowWUfBCloudProcessing**
- Description: Enter a description.
- OMA-URI: `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing`
- - Data type: **String**
- - Value: **1**
+ - Data type: **Integer**
+ - Value: **8**
6. In **Assignments**, select the groups that will receive the profile, and then select **Next**.
7. In **Review + create**, review your settings, and then select **Create**.
8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing**.
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 34ef7cc00f..2664d3f9d8 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -84,6 +84,9 @@ This table shows the correct sequence for applying the various tasks to the file
> [!NOTE]
> Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
+> [!NOTE]
+> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player” will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/).
+
### Multiple Windows editions
The main operating system file (install.wim) contains multiple editions of Windows 10. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
@@ -456,4 +459,4 @@ Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null
Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null
Write-Output "$(Get-TS): Media refresh completed!"
-```
\ No newline at end of file
+```
diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md
index 4438c95e54..2e4ab4fd64 100644
--- a/windows/deployment/update/update-baseline.md
+++ b/windows/deployment/update/update-baseline.md
@@ -40,8 +40,7 @@ For the complete detailed list of all settings and their values, see the MSFT Wi
## How do I get started?
-The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=101056) from the Download Center.
+The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=55319) (included as a part of the Security Compliance Toolkit) from the Download Center.
Today, the Update Baseline toolkit is currently only available for use with Group Policy.
-
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
index de76b10cc5..0fbc7f9f48 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
@@ -26,12 +26,12 @@ This article depicts the BitLocker deployment comparison chart.
## BitLocker deployment comparison chart
-| |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM)* |
+| |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM) |
|---------|---------|---------|---------|
|**Requirements**||||
|Minimum client operating system version |Windows 10 | Windows 10 and Windows 8.1 | Windows 7 and later |
|Supported Windows 10 SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise |
-|Minimum Windows 10 version |1909** | None | None |
+|Minimum Windows 10 version |1909 | None | None |
|Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined |
|Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access |
|Cloud or on premises | Cloud | On premises | On premises |
@@ -47,8 +47,7 @@ This article depicts the BitLocker deployment comparison chart.
|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Standard recovery password storage location | Azure AD or
-Active Directory | Configuration Manager site database | MBAM database |
+|Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database |
|Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) |
|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index ca584f750a..62291e7f81 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -52,9 +52,9 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
## Create a WIP policy
-1. Sign in to the Azure portal.
+1. Sign in to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/).
-2. Open Microsoft Intune and click **Client apps** > **App protection policies** > **Create policy**.
+2. Open Microsoft Intune and click **Apps** > **App protection policies** > **Create policy**.
@@ -486,7 +486,7 @@ Specify the proxy servers your devices will go through to reach your cloud resou
Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.
This list shouldn’t include any servers listed in your Internal proxy servers list.
-Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
+Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
Separate multiple resources with the ";" delimiter.
```console
@@ -497,8 +497,8 @@ proxy.contoso.com:80;proxy2.contoso.com:443
Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.
-This list shouldn’t include any servers listed in your Proxy servers list.
-Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
+This list shouldn’t include any servers listed in your Proxy servers list.
+Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
Separate multiple resources with the ";" delimiter.
```console
diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md
index 10a7cb1c8c..5541fc0f63 100644
--- a/windows/security/threat-protection/auditing/basic-audit-account-management.md
+++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md
@@ -44,51 +44,51 @@ set this value to **No auditing**, in the **Properties** dialog box for this pol
You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
-| Account management events | Description |
-|---------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 624 | A user account was created. |
-| 627 | A user password was changed. |
-| 628 | A user password was set. |
-| 630 | A user account was deleted. |
-| 631 | A global group was created. |
-| 632 | A member was added to a global group. |
-| 633 | A member was removed from a global group. |
-| 634 | A global group was deleted. |
-| 635 | A new local group was created. |
-| 636 | A member was added to a local group. |
-| 637 | A member was removed from a local group. |
-| 638 | A local group was deleted. |
-| 639 | A local group account was changed. |
-| 641 | A global group account was changed. |
-| 642 | A user account was changed. |
-| 643 | A domain policy was modified. |
-| 644 | A user account was auto locked. |
-| 645 | A computer account was created. |
-| 646 | A computer account was changed. |
-| 647 | A computer account was deleted. |
-| 648 | A local security group with security disabled was created.
**Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. |
-| 649 | A local security group with security disabled was changed. |
-| 650 | A member was added to a security-disabled local security group. |
-| 651 | A member was removed from a security-disabled local security group. |
-| 652 | A security-disabled local group was deleted. |
-| 653 | A security-disabled global group was created. |
-| 645 | A security-disabled global group was changed. |
-| 655 | A member was added to a security-disabled global group. |
-| 656 | A member was removed from a security-disabled global group. |
-| 657 | A security-disabled global group was deleted. |
-| 658 | A security-enabled universal group was created. |
-| 659 | A security-enabled universal group was changed. |
-| 660 | A member was added to a security-enabled universal group. |
-| 661 | A member was removed from a security-enabled universal group. |
-| 662 | A security-enabled universal group was deleted. |
-| 663 | A security-disabled universal group was created. |
-| 664 | A security-disabled universal group was changed. |
-| 665 | A member was added to a security-disabled universal group. |
-| 666 | A member was removed from a security-disabled universal group. |
-| 667 | A security-disabled universal group was deleted. |
-| 668 | A group type was changed. |
-| 684 | Set the security descriptor of members of administrative groups. |
-| 685 | Set the security descriptor of members of administrative groups.
**Note:** Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. |
+| Account management events | Description |
+| :-----------------------: | :---------- |
+| 4720 | A user account was created. |
+| 4723 | A user password was changed. |
+| 4724 | A user password was set. |
+| 4726 | A user account was deleted. |
+| 4727 | A global group was created. |
+| 4728 | A member was added to a global group. |
+| 4729 | A member was removed from a global group. |
+| 4730 | A global group was deleted. |
+| 4731 | A new local group was created. |
+| 4732 | A member was added to a local group. |
+| 4733 | A member was removed from a local group. |
+| 4734 | A local group was deleted. |
+| 4735 | A local group account was changed. |
+| 4737 | A global group account was changed. |
+| 4738 | A user account was changed. |
+| 4739 | A domain policy was modified. |
+| 4740 | A user account was auto locked. |
+| 4741 | A computer account was created. |
+| 4742 | A computer account was changed. |
+| 4743 | A computer account was deleted. |
+| 4744 | A local security group with security disabled was created.
**Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks |
+| 4745 | A local security group with security disabled was changed. |
+| 4746 | A member was added to a security-disabled local security group. |
+| 4747 | A member was removed from a security-disabled local security group. |
+| 4748 | A security-disabled local group was deleted. |
+| 4749 | A security-disabled global group was created. |
+| 4750 | A security-disabled global group was changed. |
+| 4751 | A member was added to a security-disabled global group. |
+| 4752 | A member was removed from a security-disabled global group. |
+| 4753 | A security-disabled global group was deleted. |
+| 4754 | A security-enabled universal group was created. |
+| 4755 | A security-enabled universal group was changed. |
+| 4756 | A member was added to a security-enabled universal group. |
+| 4757 | A member was removed from a security-enabled universal group. |
+| 4758 | A security-enabled universal group was deleted. |
+| 4759 | A security-disabled universal group was created. |
+| 4760 | A security-disabled universal group was changed. |
+| 4761 | A member was added to a security-disabled universal group. |
+| 4762 | A member was removed from a security-disabled universal group. |
+| 4763 | A security-disabled universal group was deleted. |
+| 4764 | A group type was changed. |
+| 4780 | Set the security descriptor of members of administrative groups. |
+| 685 | Set the security descriptor of members of administrative groups.
**Note:** Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. |
## Related topics
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
index f63ab02819..ec7a4064e5 100644
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@@ -166,13 +166,78 @@ The most common values:
> Table 6. Kerberos ticket flags.
-- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the most common error codes for this event:
+- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the error codes for this event as defined in [RFC 4120](https://tools.ietf.org/html/rfc4120#section-7.5.9):
| Code | Code Name | Description | Possible causes |
|------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). |
-| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The user’s password has expired. |
-| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided. |
+| 0x0 | KDC\_ERR\_NONE | No error |
+| 0x1 | KDC\_ERR\_NAME\_EXP | Client's entry in database has expired |
+| 0x2 | KDC\_ERR\_SERVICE\_EXP | Server's entry in database has expired |
+| 0x3 | KDC\_ERR\_BAD\_PVNO | Requested protocol version number not supported |
+| 0x4 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key |
+| 0x5 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key |
+| 0x6 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database |
+| 0x7 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database |
+| 0x8 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in database |
+| 0x9 | KDC\_ERR\_NULL\_KEY | The client or server has a null key |
+| 0xa | KDC\_ERR\_CANNOT\_POSTDATE | Ticket not eligible for postdating |
+| 0xb | KDC\_ERR\_NEVER\_VALID | Requested starttime is later than end time |
+| 0xc | KDC\_ERR\_POLICY | KDC policy rejects request |
+| 0xd | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option |
+| 0xe | KDC\_ERR\_ETYPE\_NOSUPP | KDC has no support for encryption type |
+| 0xf | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type |
+| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
+| 0x11 | KDC\_ERR\_TRTYPE\_NOSUPP | KDC has no support for transited type |
+| 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Clients credentials have been revoked |
+| 0x13 | KDC\_ERR\_SERVICE\_REVOKED | Credentials for server have been revoked |
+| 0x14 | KDC\_ERR\_TGT\_REVOKED | TGT has been revoked |
+| 0x15 | KDC\_ERR\_CLIENT\_NOTYET | Client not yet valid; try again later |
+| 0x16 | KDC\_ERR\_SERVICE\_NOTYET | Server not yet valid; try again later |
+| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset |The user’s password has expired.
+| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid |The wrong password was provided.
+| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required |
+| 0x1a | KDC\_ERR\_SERVER\_NOMATCH | Requested server and ticket don't match |
+| 0x1b | KDC\_ERR\_MUST\_USE\_USER2USER | Server principal valid for user2user only |
+| 0x1c | KDC\_ERR\_PATH\_NOT\_ACCEPTED | KDC Policy rejects transited path |
+| 0x1d | KDC\_ERR\_SVC\_UNAVAILABLE | A service is not available |
+| 0x1f | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed |
+| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | Ticket expired |
+| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | Ticket not yet valid |
+| 0x22 | KRB\_AP\_ERR\_REPEAT | Request is a replay |
+| 0x23 | KRB\_AP\_ERR\_NOT\_US | The ticket isn't for us |
+| 0x24 | KRB\_AP\_ERR\_BADMATCH | Ticket and authenticator don't match |
+| 0x25 | KRB\_AP\_ERR\_SKEW | Clock skew too great |
+| 0x26 | KRB\_AP\_ERR\_BADADDR | Incorrect net address |
+| 0x27 | KRB\_AP\_ERR\_BADVERSION | Protocol version mismatch |
+| 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Invalid msg type |
+| 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified |
+| 0x2a | KRB\_AP\_ERR\_BADORDER | Message out of order |
+| 0x2c | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available |
+| 0x2d | KRB\_AP\_ERR\_NOKEY | Service key not available |
+| 0x2e | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed |
+| 0x2f | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction |
+| 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required |
+| 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message |
+| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message |
+| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Policy rejects transited path |
+| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Response too big for UDP; retry with TCP |
+| 0x3c | KRB\_ERR\_GENERIC | Generic error (description in e-text) |
+| 0x3d | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation |
+| 0x3e | KDC\_ERROR\_CLIENT\_NOT\_TRUSTED | Reserved for PKINIT |
+| 0x3f | KDC\_ERROR\_KDC\_NOT\_TRUSTED | Reserved for PKINIT |
+| 0x40 | KDC\_ERROR\_INVALID\_SIG | Reserved for PKINIT |
+| 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | Reserved for PKINIT |
+| 0x42 | KDC\_ERR\_CERTIFICATE\_MISMATCH | Reserved for PKINIT |
+| 0x43 | KRB\_AP\_ERR\_NO\_TGT | No TGT available to validate USER-TO-USER |
+| 0x44 | KDC\_ERR\_WRONG\_REALM | Reserved for future use |
+| 0x45 | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED | Ticket must be for USER-TO-USER |
+| 0x46 | KDC\_ERR\_CANT\_VERIFY\_CERTIFICATE | Reserved for PKINIT |
+| 0x47 | KDC\_ERR\_INVALID\_CERTIFICATE | Reserved for PKINIT |
+| 0x48 | KDC\_ERR\_REVOKED\_CERTIFICATE | Reserved for PKINIT |
+| 0x49 | KDC\_ERR\_REVOCATION\_STATUS\_UNKNOWN | Reserved for PKINIT |
+| 0x4a | KDC\_ERR\_REVOCATION\_STATUS\_UNAVAILABLE | Reserved for PKINIT |
+| 0x4b | KDC\_ERR\_CLIENT\_NAME\_MISMATCH | Reserved for PKINIT |
+| 0x4c | KDC\_ERR\_KDC\_NAME\_MISMATCH | Reserved for PKINIT |
- **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)) type that was used in TGT request.
diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md
index 39371c3da0..e2029f3c2c 100644
--- a/windows/security/threat-protection/intelligence/fileless-threats.md
+++ b/windows/security/threat-protection/intelligence/fileless-threats.md
@@ -99,7 +99,7 @@ Besides being vulnerable at the firmware level, CPUs could be manufactured with
## Defeating fileless malware
-At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender for Endpoint](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
+At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml
index c77a91d3e5..ee887e168a 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml
@@ -12,4 +12,4 @@
- name: Microsoft Defender Application Guard Extension
href: md-app-guard-browser-extension.md
- name: FAQ
- href: faq-md-app-guard.md
+ href: faq-md-app-guard.yml
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
deleted file mode 100644
index 0e4406aaa5..0000000000
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
+++ /dev/null
@@ -1,210 +0,0 @@
----
-title: FAQ - Microsoft Defender Application Guard (Windows 10)
-description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard.
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.date: 05/12/2021
-ms.reviewer:
-manager: dansimp
-ms.custom: asr
-ms.technology: mde
----
-
-# Frequently asked questions - Microsoft Defender Application Guard
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration.
-
-## Frequently Asked Questions
-
-### Can I enable Application Guard on machines equipped with 4-GB RAM?
-
-We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
-
-`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.)
-
-`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.)
-
-`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.)
-
-### Can employees download documents from the Application Guard Edge session onto host devices?
-
-In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy.
-
-In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.
-
-### Can employees copy and paste between the host device and the Application Guard Edge session?
-
-Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container.
-
-### Why don't employees see their favorites in the Application Guard Edge session?
-
-Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard)
-
-### Why aren’t employees able to see their extensions in the Application Guard Edge session?
-
-Make sure to enable the extensions policy on your Application Guard configuration.
-
-### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
-
-Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
-
-### Which Input Method Editors (IME) in 19H1 are not supported?
-
-The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard:
-
-- Vietnam Telex keyboard
-- Vietnam number key-based keyboard
-- Hindi phonetic keyboard
-- Bangla phonetic keyboard
-- Marathi phonetic keyboard
-- Telugu phonetic keyboard
-- Tamil phonetic keyboard
-- Kannada phonetic keyboard
-- Malayalam phonetic keyboard
-- Gujarati phonetic keyboard
-- Odia phonetic keyboard
-- Punjabi phonetic keyboard
-
-### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
-
-This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature.
-
-### What is the WDAGUtilityAccount local account?
-
-WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error:
-
-**Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000**
-
-We recommend that you do not modify this account.
-
-### How do I trust a subdomain in my site list?
-
-To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted.
-
-### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
-
-When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md).
-
-### Is there a size limit to the domain lists that I need to configure?
-
-Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 16383-B limit.
-
-### Why does my encryption driver break Microsoft Defender Application Guard?
-
-Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
-
-### Why do the Network Isolation policies in Group Policy and CSP look different?
-
-There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP.
-
-- Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources**
-
-- Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)**
-
-- For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
-
-Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
-
-### Why did Application Guard stop working after I turned off hyperthreading?
-
-If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
-
-### Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"?
-
-Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
-
-### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file?
-
-This is a known issue. To mitigate this you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources:
-
-- [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md)
-- [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
-
-#### First rule (DHCP Server)
-1. Program path: `%SystemRoot%\System32\svchost.exe`
-
-2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))`
-
-3. Protocol UDP
-
-4. Port 67
-
-#### Second rule (DHCP Client)
-This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps:
-
-1. Right-click on inbound rules, and then create a new rule.
-
-2. Choose **custom rule**.
-
-3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`.
-
-4. Specify the following settings:
- - Protocol Type: UDP
- - Specific ports: 67
- - Remote port: any
-
-5. Specify any IP addresses.
-
-6. Allow the connection.
-
-7. Specify to use all profiles.
-
-8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
-
-9. In the **Programs and services** tab, under the **Services** section, select **settings**.
-
-10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
-
-### Why can I not launch Application Guard when Exploit Guard is enabled?
-
-There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**.
-
-### How can I disable portions of ICS without breaking Application Guard?
-
-ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys.
-
-1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**.
-
-2. Disable IpNat.sys from ICS load as follows:
-`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`
-
-3. Configure ICS (SharedAccess) to enabled as follows:
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`
-
-4. (This is optional) Disable IPNAT as follows:
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`
-
-5. Reboot the device.
-
-### Why doesn't the container fully load when device control policies are enabled?
-
-Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly.
-
-Policy: Allow installation of devices that match any of the following device IDs:
-
-- `SCSI\DiskMsft____Virtual_Disk____`
-- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba`
-- `VMS_VSF`
-- `root\Vpcivsp`
-- `root\VMBus`
-- `vms_mp`
-- `VMS_VSP`
-- `ROOT\VKRNLINTVSP`
-- `ROOT\VID`
-- `root\storvsp`
-- `vms_vsmp`
-- `VMS_PP`
-
-Policy: Allow installation of devices using drivers that match these device setup classes
-- `{71a27cdd-812a-11d0-bec7-08002be2092f}`
-
-## See also
-
-[Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
new file mode 100644
index 0000000000..03baa2d537
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
@@ -0,0 +1,246 @@
+### YamlMime:FAQ
+metadata:
+ title: FAQ - Microsoft Defender Application Guard (Windows 10)
+ description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard.
+ ms.prod: m365-security
+ ms.mktglfcycl: manage
+ ms.sitesec: library
+ ms.pagetype: security
+ ms.localizationpriority: medium
+ author: denisebmsft
+ ms.author: deniseb
+ ms.date: 06/16/2021
+ ms.reviewer:
+ manager: dansimp
+ ms.custom: asr
+ ms.technology: mde
+
+title: Frequently asked questions - Microsoft Defender Application Guard
+summary: |
+ **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+ This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration.
+
+ ## Frequently Asked Questions
+
+sections:
+ - name: Frequently Asked Questions
+ questions:
+ - question: |
+ Can I enable Application Guard on machines equipped with 4-GB RAM?
+ answer: |
+ We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
+
+ `HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.)
+
+ `HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.)
+
+ `HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.)
+
+ - question: |
+ My network configuration uses a proxy and I’m running into a “Cannot resolve External URLs from MDAG Browser: Error: err_connection_refused”. How do I resolve that?
+ answer: |
+ The manual or PAC server must be a hostname (not IP) that is neutral on the site-list. Additionally, if the PAC script returns a proxy, it must meet those same requirements.
+
+ To make sure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can:
+
+ - Verify this by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”.
+ - It must be a FQDN. A simple IP address will not work.
+ - Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard.
+
+ - question: |
+ Can employees download documents from the Application Guard Edge session onto host devices?
+ answer: |
+ In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy.
+
+ In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.
+
+ - question: |
+ Can employees copy and paste between the host device and the Application Guard Edge session?
+ answer: |
+ Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container.
+
+ - question: |
+ Why don't employees see their favorites in the Application Guard Edge session?
+ answer: |
+ Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard).
+
+ - question: |
+ Why aren’t employees able to see their extensions in the Application Guard Edge session?
+ answer: |
+ Make sure to enable the extensions policy on your Application Guard configuration.
+
+ - question: |
+ How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
+ answer: |
+ Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
+
+ - question: |
+ Which Input Method Editors (IME) in 19H1 are not supported?
+ answer: |
+ The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard:
+
+ - Vietnam Telex keyboard
+ - Vietnam number key-based keyboard
+ - Hindi phonetic keyboard
+ - Bangla phonetic keyboard
+ - Marathi phonetic keyboard
+ - Telugu phonetic keyboard
+ - Tamil phonetic keyboard
+ - Kannada phonetic keyboard
+ - Malayalam phonetic keyboard
+ - Gujarati phonetic keyboard
+ - Odia phonetic keyboard
+ - Punjabi phonetic keyboard
+
+ - question: |
+ I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
+ answer: |
+ This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature.
+
+ - question: |
+ What is the WDAGUtilityAccount local account?
+ answer: |
+ WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error:
+
+ **Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000**
+
+ We recommend that you do not modify this account.
+
+ - question: |
+ How do I trust a subdomain in my site list?
+ answer: |
+ To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted.
+
+ - question: |
+ Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
+ answer: |
+ When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md).
+
+ - question: |
+ Is there a size limit to the domain lists that I need to configure?
+ answer: |
+ Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 16383-B limit.
+
+ - question: |
+ Why does my encryption driver break Microsoft Defender Application Guard?
+ answer: |
+ Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
+
+ - question: |
+ Why do the Network Isolation policies in Group Policy and CSP look different?
+ answer: |
+ There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP.
+
+ - Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources**
+
+ - Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)**
+
+ - For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
+
+ Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
+
+ - question: |
+ Why did Application Guard stop working after I turned off hyperthreading?
+ answer: |
+ If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
+
+ - question: |
+ Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"?
+ answer: |
+ Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
+
+ - question: |
+ Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file?
+ answer: |
+ This is a known issue. To mitigate this you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources:
+
+ - [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md)
+ - [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
+
+ ### First rule (DHCP Server)
+ - Program path: `%SystemRoot%\System32\svchost.exe`
+
+ - Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))`
+
+ - Protocol UDP
+
+ - Port 67
+
+ ### Second rule (DHCP Client)
+ This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps:
+
+ 1. Right-click on inbound rules, and then create a new rule.
+
+ 2. Choose **custom rule**.
+
+ 3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`.
+
+ 4. Specify the following settings:
+ - Protocol Type: UDP
+ - Specific ports: 67
+ - Remote port: any
+
+ 5. Specify any IP addresses.
+
+ 6. Allow the connection.
+
+ 7. Specify to use all profiles.
+
+ 8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
+
+ 9. In the **Programs and services** tab, under the **Services** section, select **settings**.
+
+ 10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
+
+ - question: |
+ Why can I not launch Application Guard when Exploit Guard is enabled?
+ answer: |
+ There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**.
+
+ - question: |
+ How can I disable portions of ICS without breaking Application Guard?
+ answer: |
+ ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys.
+
+ 1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**.
+
+ 2. Disable IpNat.sys from ICS load as follows:
+ `System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`
+
+ 3. Configure ICS (SharedAccess) to enabled as follows:
+ `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`
+
+ 4. (This is optional) Disable IPNAT as follows:
+ `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`
+
+ 5. Reboot the device.
+
+ - question: |
+ Why doesn't the container fully load when device control policies are enabled?
+ answer: |
+ Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly.
+
+ Policy: Allow installation of devices that match any of the following device IDs:
+
+ - `SCSI\DiskMsft____Virtual_Disk____`
+ - `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba`
+ - `VMS_VSF`
+ - `root\Vpcivsp`
+ - `root\VMBus`
+ - `vms_mp`
+ - `VMS_VSP`
+ - `ROOT\VKRNLINTVSP`
+ - `ROOT\VID`
+ - `root\storvsp`
+ - `vms_vsmp`
+ - `VMS_PP`
+
+ Policy: Allow installation of devices using drivers that match these device setup classes
+ - `{71a27cdd-812a-11d0-bec7-08002be2092f}`
+
+additionalContent: |
+
+ ## See also
+
+ [Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index 9c41f91b39..83850f5a21 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -52,5 +52,5 @@ Application Guard has been created to target several types of devices:
|[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.|
| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide |
| [Microsoft Defender Application Guard for Microsoft Office](/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide |
-|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
+|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.yml)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.|
\ No newline at end of file
diff --git a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
index d20934b1f3..55c80b17f7 100644
--- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
+++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
@@ -14,17 +14,20 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 06/11/2021
ms.technology: mde
---
# Access this computer from the network - security policy setting
**Applies to**
-- Windows 10
+- Windows 10, Azure Stack HCI, Windows Server 2022, Windows Server 2019, Windows Server 2016
Describes the best practices, location, values, policy management, and security considerations for the **Access this computer from the network** security policy setting.
+> [!WARNING]
+> If running Windows Server or Azure Stack HCI Failover Clustering, don't remove Authenticated Users from the **Access this computer from the network** policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service won't have sufficient rights to function or start properly.
+
## Reference
The **Access this computer from the network** policy setting determines which users can connect to the device from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+).
@@ -43,6 +46,7 @@ Constant: SeNetworkLogonRight
- On desktop devices or member servers, grant this right only to users and administrators.
- On domain controllers, grant this right only to authenticated users, enterprise domain controllers, and administrators.
+- On failover clusters, make sure this right is granted to authenticated users.
- This setting includes the **Everyone** group to ensure backward compatibility. Upon Windows upgrade, after you have verified that all users and groups are correctly migrated, you should remove the **Everyone** group and use the **Authenticated Users** group instead.
### Location
@@ -104,6 +108,8 @@ from servers in the domain if members of the **Domain Users** group are included
If you remove the **Access this computer from the network** user right on domain controllers for all users, no one can log on to the domain or use network resources. If you remove this user right on member servers, users cannot connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to additional accounts that are required by those components. It is important to verify that authorized users are assigned this user right for the devices that they need to access the network.
+If running Windows Server or Azure Stack HCI Failover Clustering, do not remove Authenticated Users from the Access this computer from the network policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service will not have sufficient rights to function or start properly.
+
## Related topics
[User Rights Assignment](user-rights-assignment.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
index 80ef49b096..1f9364ad64 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
@@ -101,7 +101,11 @@ To deploy policies locally using the new multiple policy format, follow these st
### Deploying multiple policies via ApplicationControl CSP
-Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability.
+Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
+
+However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP.
+
+See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability.
> [!NOTE]
> WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index c97df0f805..6ac3422250 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -26,6 +26,9 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind
- Event IDs beginning with 80 appear in **Applications and Services logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**
+> [!NOTE]
+> These event IDs are not applicable on Windows Server Core edition.
+
## Microsoft Windows CodeIntegrity Operational log event IDs
| Event ID | Explanation |
@@ -41,6 +44,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind
|--------|-----------|
| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. |
| 8029 | Block script/MSI file |
+| 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy.md). |
| 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | |
## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events
@@ -109,7 +113,7 @@ A list of other relevant event IDs and their corresponding description.
| 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. |
| 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. |
| 3085 | Code Integrity will not enforce the WHQL Required policy setting on this session. |
-| 3086 | COM object was blocked. Learn more about COM object authorization: Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs|
+| 3086 | The file under validation does not meet the signing requirements for an isolated user mode (IUM) process. |
| 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. |
| 3097 | The Code Integrity policy cannot be refreshed. |
| 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. |
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 7a56e31130..c3a43bac96 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -109,7 +109,8 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
> When you create WDAC policies with [New-CIPolicy](/powershell/module/configci/new-cipolicy), you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
> [!NOTE]
-> WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits.
+> - WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits.
+> - The code uses CN for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format to ensure UTF-8 is not being used for the CN. For example, you can use printable string, IA5, or BMP.
## Example of file rule levels in use
@@ -137,6 +138,9 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard
You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`.
+> [!NOTE]
+> For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later.
+
## More information about hashes
### Why does scan create four hash rules per XML file?
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
index 417dd71e21..dc7c58f214 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -77,4 +77,16 @@ LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files
It can export local policy to a GPO backup.
It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
-Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/lgpo-exe-local-group-policy-object-utility-v1-0) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
\ No newline at end of file
+Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/lgpo-exe-local-group-policy-object-utility-v1-0) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
+
+## What is the Set Object Security tool?
+
+SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object, such as files, directories, registry keys, event logs, services, and SMB shares. For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg-file-compatible representation of the security descriptor for a REG_BINARY registry value.
+
+Documentation for the Set Object Security tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
+
+## What is the GPO to Policy Rules tool?
+
+Automate the conversion of GPO backups to Policy Analyzer .PolicyRules files and skip the GUI. GPO2PolicyRules is a command-line tool that is included with the Policy Analyzer download.
+
+Documentation for the GPO to PolicyRules tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md
index c56c65dac3..70725f4a9b 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H1.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H1.md
@@ -47,7 +47,7 @@ For a full list of what's new in Microsoft Intune, see [What's new in Microsoft
### Windows Assessment and Deployment Toolkit (ADK)
-There is no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 20H2. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
+There is no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 21H1. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
## Device management
@@ -60,7 +60,7 @@ Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a perf
WDAG performance is improved with optimized document opening times:
- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (WDAG) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link.
-- A memory issue is fixed that could casue a WDAG container to use almost 1 GB of working set memory when the container is idle.
+- A memory issue is fixed that could cause a WDAG container to use almost 1 GB of working set memory when the container is idle.
- The performance of Robocopy is improved when copying files over 400 MB in size.
### Windows Hello
@@ -136,4 +136,4 @@ This release includes the following enhancements and issues fixed:
[What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
[Announcing more ways we’re making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
-[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
\ No newline at end of file
+[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.