From 4b305aed198892b27a12d2bba52a5e678980d150 Mon Sep 17 00:00:00 2001
From: Andrea Allievi
Date: Tue, 17 Sep 2024 08:58:12 -0700
Subject: [PATCH 1/5] Add a brief explanation of the VBS Mandatory mode Update the public documentation to include VBS Mandatory mode
---
 ...rtualization-based-protection-of-code-integrity.md | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
index a5cd24d3c96..a475864ad78 100644
--- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
@@ -61,7 +61,7 @@ To apply the new policy on a domain-joined computer, either restart or run `gpup
 ### Use registry keys to enable memory integrity
-Set the following registry keys to enable memory integrity. These keys provide exactly the same set of configuration options provided by Group Policy.
+Set the following registry keys to enable memory integrity. These keys provide similar set of configuration options provided by Group Policy
 > [!IMPORTANT]
 >
@@ -95,7 +95,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
 ```
-**To enable VBS with Secure Boot and DMA (value 3)**
+**To enable VBS with Secure Boot and DMA protection (value 3)**
 ```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
@@ -131,6 +131,13 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
 ```
+**To enable VBS (and memory integrity) in mandatory mode**
+
+```console
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f
+```
+The "mandatory" setting prevents the OS loader to continue to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load. Special careful should be used before enabling this mode, since, as explained, in case of any failure of the virtualization modules, the system will refuse to boot and will display a Blue Screen of Dead (BSOD).
+
 **To gray out the memory integrity UI and display the message "This setting is managed by your administrator"**
 ```console
 reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /f
From f4c1c7bd94b69a890bcc52fafd792fe5c073a43f Mon Sep 17 00:00:00 2001
From: tiaraquan
Date: Tue, 17 Sep 2024 09:25:30 -0700
Subject: [PATCH 2/5] Pulling for Resolve policy conflicts revamp
---
 windows/deployment/windows-autopatch/TOC.yml | 9 ++-------
 .../overview/windows-autopatch-overview.md | 2 +-
 .../whats-new/windows-autopatch-whats-new-2024.md | 1 -
 3 files changed, 3 insertions(+), 9 deletions(-)
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index 77dee52f849..30052f52918 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -118,13 +118,8 @@ href: monitor/windows-autopatch-reliability-report.md
 - name: Windows feature and quality update device alerts
 href: monitor/windows-autopatch-device-alerts.md
- - name: Policy health
- href:
- items:
- - name: Policy health and remediation
- href: monitor/windows-autopatch-policy-health-and-remediation.md
- - name: Resolve policy conflicts
- href: monitor/windows-autopatch-resolve-policy-conflicts.md
+ - name: Policy health and remediation
+ href: monitor/windows-autopatch-policy-health-and-remediation.md
 - name: Maintain the Windows Autopatch environment
 href: monitor/windows-autopatch-maintain-environment.md
 - name: References
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
index 895f352119d..56b1ee39cfb 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
@@ -63,7 +63,7 @@ In addition to the features included in [Business Premium and A3+ licenses](#bus
 | [Microsoft 365 Apps for enterprise updates](../manage/windows-autopatch-microsoft-365-apps-enterprise.md) | Windows Autopatch aims to keep at least 90% of eligible devices on a supported version of the Monthly Enterprise Channel (MEC). |
 | [Microsoft Edge updates](../manage/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. |
 | [Microsoft Teams updates](../manage/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. |
-| Policy health |