Merge pull request #10368 from MicrosoftDocs/main
Publish main to live, Friday 10:30AM PDT, 11/01
Stacyrch140 authored Nov 1, 2024
2 parents 7376c1d + 4c96da5 commit 490bfcd
Showing 4 changed files with 9 additions and 20 deletions.
14 changes: 7 additions & 7 deletions windows/deployment/customize-boot-image.md
@@ -1,6 +1,6 @@
---
title: Customize Windows PE boot images
description: This article describes how to customize a Windows PE (WinPE) boot image including updating it with the latest cumulative update, adding drivers, and adding optional components.
description: This article describes how to customize a Windows PE (WinPE) boot image, including updating it with the latest cumulative update, adding drivers, and adding optional components.
ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
Expand All @@ -23,13 +23,13 @@ appliesto:

The Windows PE (WinPE) boot images that are included with the Windows ADK have a minimal number of features and drivers. However the boot images can be customized by adding drivers, optional components, and applying the latest cumulative update.

Microsoft recommends updating Windows PE boot images with the latest cumulative update for maximum security and protection. The latest cumulative updates may also resolve known issues. For example, the Windows PE boot image can be updated with the latest cumulative update to address the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932).
Microsoft recommends updating Windows PE boot images with the latest cumulative update for maximum security and protection. The latest cumulative updates may also resolve known issues. For example, the Windows PE boot image can be updated with the latest cumulative update to address the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://support.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932).

> [!TIP]
>
> The boot images from the [ADK 10.1.26100.1 (May 2024)](/windows-hardware/get-started/adk-install) and later already contain the cumulative update to address the BlackLotus UEFI bootkit vulnerability.
This walkthrough describes how to customize a Windows PE boot image including updating with the latest cumulative update, adding drivers, and adding optional components. Additionally this walkthrough goes over how customizations in boot images affect several different popular products that utilize boot images, such as Microsoft Configuration Manager, Microsoft Deployment Toolkit (MDT), and Windows Deployment Services (WDS).
This walkthrough describes how to customize a Windows PE boot image, including updating with the latest cumulative update, adding drivers, and adding optional components. Additionally this walkthrough goes over how customizations in boot images affect several different popular products that utilize boot images, such as Microsoft Configuration Manager, Microsoft Deployment Toolkit (MDT), and Windows Deployment Services (WDS).

## Prerequisites

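Review bot: the hunk shows no blank line between the `> [!TIP]` blockquote and the paragraph that follows it (the "This walkthrough describes ..." line), and in CommonMark a paragraph line that directly follows a blockquote is treated as a lazy continuation and gets swallowed into the tip; confirm a blank line separates them. The host change from `prod.support.services.microsoft.com` to `support.microsoft.com` is the right fix, since the former is not the public support site. While touching this sentence, the unchanged context line "However the boot images can be customized" and the new line's "Additionally this walkthrough goes over" both want a comma after the opening adverb.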
Expand Down Expand Up @@ -332,7 +332,7 @@ The cumulative update installed later in this walkthrough doesn't affect drivers
**Example**:
```powershell
Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-Scripting_en-us.cab" -Path "C:\Mount" -Verbose
Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-Scripting_en-us.cab" -Path "C:\Mount" -Verbose
```
These examples assume a 64-bit boot image. If a different architecture is being used, then adjust the paths accordingly.
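Review bot: the removed and added `Add-WindowsPackage` lines are identical as displayed, so this is a whitespace or line-ending only change; confirm it is intentional (for example stripping trailing whitespace) rather than an accidental CRLF/LF flip, which would otherwise keep reappearing in future diffs of this file.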
Expand Down Expand Up @@ -668,7 +668,7 @@ For more information, see [copy](/windows-server/administration/windows-commands

This step doesn't update or change the boot image. However, it makes sure that the latest bootmgr boot files are available to the Windows ADK when creating bootable media via the Windows ADK. When these files are updated in the Windows ADK, products that use the Windows ADK to create bootable media, such as **Microsoft Deployment Toolkit (MDT)**, also have access to the updated bootmgr boot files.

In particular, this step is needed when addressing the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932).
In particular, this step is needed when addressing the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://support.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932).

> [!TIP]
>
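Review bot: this link fix is the same host correction as the one earlier in the file, which suggests a repository-wide search for `prod.support.services.microsoft.com` is worth running in the same pull request so no third copy of the KB5025885 link is left behind; the paragraph is otherwise unchanged and the link text still matches the KB title.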
Expand Down Expand Up @@ -839,7 +839,7 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag
---
1. Once the export has completed:
1. Delete the original updated boot image:
### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell)
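Review bot: the changed line of this hunk is not visible in the rendered view, only context, and the two `1.` items ("Once the export has completed:" and "Delete the original updated boot image:") appear at the same indentation level here; the second is a sub-step of the first, so confirm its indentation survived the edit, otherwise the list renumbers and the tab group heading that follows attaches to the wrong item.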
Expand Down Expand Up @@ -1295,4 +1295,4 @@ For more information, see [Windows Server 2012 R2 Lifecycle](/lifecycle/products
- [Create bootable Windows PE media: Update the Windows PE add-on for the Windows ADK](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive#update-the-windows-pe-add-on-for-the-windows-adk)
- [Update Windows installation media with Dynamic Update: Update WinPE](/windows/deployment/update/media-dynamic-update#update-winpe)
- [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932: Updating bootable media](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d?preview=true#updatebootable5025885)
- [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932: Updating bootable media](https://support.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d)
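Review bot: dropping `?preview=true` is correct, but the `#updatebootable5025885` fragment was dropped with it, so the link now lands at the top of the KB article instead of the "Updating bootable media" section that the link text promises; check whether that section anchor exists on the public page and, if it does, restore the fragment on the new URL.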
2 changes: 1 addition & 1 deletion windows/deployment/do/mcc-ent-edu-overview.md
Expand Up @@ -65,7 +65,7 @@ See [Connected Cache node host machine requirements](mcc-ent-prerequisites.md) f
|---|---|---|
|Branch office|< 1 Gbps Peak| 500 Mbps => 1,800 GB </br></br> 250 Mbps => 900 GB </br></br> 100 Mbps => 360 GB </br></br> 50 Mbps => 180 GB|
|Small to medium enterprises/Autopilot provisioning center (50 - 500 devices in a single location) |1 - 5 Gbps| 5 Gbps => 18,000 GB </br></br>3 Gbps => 10,800 GB </br></br>1 Gbps => 3,600 GB|
|Medium to large enterprises/Autopilot provisioning center (500 - 5,000 devices in a single location) |5 - 101 Gbps Peak| 9 Gbps => 32,400 GB </br></br> 5 Gbps => 18,000 GB </br></br>3 Gbps => 10,800 GB|
|Medium to large enterprises/Autopilot provisioning center (500 - 5,000 devices in a single location) |5 - 10 Gbps Peak| 9 Gbps => 32,400 GB </br></br> 5 Gbps => 18,000 GB </br></br>3 Gbps => 10,800 GB|

## Supported content types

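Review bot: the "5 - 101 Gbps" to "5 - 10 Gbps" correction is right, but the middle column is still inconsistent across rows: the first and third rows say "Peak" (`< 1 Gbps Peak`, `5 - 10 Gbps Peak`) while the second row says only `1 - 5 Gbps`; add "Peak" there as well so the column reads uniformly. The third row's sample rates also list 3 Gbps, which falls below that row's 5 - 10 Gbps band; consider whether that example belongs in the 1 - 5 Gbps row instead.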
4 changes: 1 addition & 3 deletions windows/deployment/do/mcc-ent-prerequisites.md
Expand Up @@ -44,14 +44,12 @@ This article details the requirements and recommended specifications for using M
- The Windows host machine must be using Windows 11 or Windows Server 2022 with the latest cumulative update applied.
- Windows 11 must have [OS Build 22631.3296](https://support.microsoft.com/topic/march-12-2024-kb5035853-os-builds-22621-3296-and-22631-3296-a69ac07f-e893-4d16-bbe1-554b7d9dd39b) or later
- Windows Server 2022 must have [OS Build 20348.2227](https://support.microsoft.com/topic/january-9-2024-kb5034129-os-build-20348-2227-6958a36f-efaf-4ef5-a576-c5931072a89a) or later

- The Windows host machine must support nested virtualization.
- The Windows host machine must support nested virtualization. Ensure that any security settings that may restrict nested virtualization are not enabled, such as ["Trusted launch" in Azure VMs](/azure/virtual-machines/trusted-launch-portal).
- The Windows host machine must have [WSL 2 installed](/windows/wsl/install#install-wsl-command). You can install this on Windows 11 and Windows Server 2022 by running the PowerShell command `wsl.exe --install --no-distribution`.

### Additional requirements for Linux host machines

- The Linux host machine must be using one of the following operating systems:

- Ubuntu 22.04
- Red Hat Enterprise Linux (RHEL) 8.* or 9.*
- If using RHEL, the default container engine (Podman) must be replaced with [Moby](https://github.com/moby/moby#readme)
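Review bot: the new sentence tells readers to ensure "Trusted launch" is "not enabled", which reads as a toggle, but Trusted launch is a VM deployment option that bundles Secure Boot and a vTPM, so following this advice means choosing a VM without those boot-integrity protections; state that trade-off explicitly (for example "Trusted launch VMs do not support nested virtualization, so deploy the host as a standard VM, noting that this forgoes Secure Boot and vTPM") rather than presenting it as a setting to switch off. The removed blank line after the Windows Server 2022 build bullet is fine and keeps the nested list attached to its parent.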
Original file line number Diff line number Diff line change
Expand Up @@ -43,15 +43,6 @@ Smart App Control is only available on clean installation of Windows 11 version
> [!IMPORTANT]
> Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows.
### Smart App Control Enforced Blocks

Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-appcontrol.md), with a few exceptions for compatibility considerations. The following aren't blocked by Smart App Control:

- Infdefaultinstall.exe
- Microsoft.Build.dll
- Microsoft.Build.Framework.dll
- Wslhost.dll

[!INCLUDE [windows-defender-application-control-wdac](../../../../../includes/licensing/windows-defender-application-control-wdac.md)]

## Related articles
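Review bot: this hunk removes the "Smart App Control Enforced Blocks" section, including the list of binaries exempted for compatibility (Infdefaultinstall.exe, Microsoft.Build.dll, Microsoft.Build.Framework.dll, Wslhost.dll), and neither the commit message nor the hunk says why; if the exemptions no longer apply, the PR description should say so, and if the content moved elsewhere, a cross-reference should replace it, because readers comparing Smart App Control with the recommended block rules need to know what is not blocked. With the heading gone, also confirm a blank line remains between the `> [!IMPORTANT]` blockquote and the `[!INCLUDE ...]` line so the include is not absorbed into the quote.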