diff --git a/browsers/edge/index.yml b/browsers/edge/index.yml index 5661ce3fba..0533a4dcb2 100644 --- a/browsers/edge/index.yml +++ b/browsers/edge/index.yml 
@@ -1,161 +1,93 @@ -### YamlMime:YamlDocument +### YamlMime:Landing -documentType: LandingData - -title: Microsoft Edge Legacy Group Policy configuration options +title: Microsoft Edge Group Legacy Policy configuration options # < 60 chars +summary: Learn how to deploy and configure group policies in Microsoft Edge Legacy on Windows 10. Some of the features coming to Microsoft Edge Legacy gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. # < 160 chars metadata: - - title: Microsoft Edge Group Legacy Policy configuration options - - description: - - text: (Note - You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) Learn how to deploy and configure group policies in Microsoft Edge Legacy on Windows 10. Some of the features coming to Microsoft Edge Legacy gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. - + title: Microsoft Edge Group Legacy Policy configuration options # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Learn about interoperability goals and enterprise guidance along with system requirements, language support and frequently asked questions. # Required; article description that is displayed in search results. < 160 chars. 
+ ms.prod: microsoft-edge keywords: Microsoft Edge Legacy, Windows 10 - ms.localizationpriority: medium - - author: shortpatti - - ms.author: pashort - - ms.date: 08/09/2018 - - ms.topic: article - - ms.devlang: na - -sections: - -- title: - -- items: - - - type: markdown - - text: (Note - You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) Learn about interoperability goals and enterprise guidance along with system requirements, language support and frequently asked questions. - -- items: - - - type: list - - style: cards - - className: cardsE - - columns: 3 - - items: - - - href: https://docs.microsoft.com/microsoft-edge/deploy/change-history-for-microsoft-edge - - html:
Learn more about the latest group policies and features added to Microsoft Edge.
- - image: - - src: https://docs.microsoft.com/media/common/i_whats-new.svg - - title: What's new - - - href: https://docs.microsoft.com/microsoft-edge/deploy/about-microsoft-edge - - html:Learn about the system requirements and language support for Microsoft Edge.
- - image: - - src: https://docs.microsoft.com/media/common/i_overview.svg - - title: System requirements and supported languages - - - href: https://www.microsoft.com/en-us/WindowsForBusiness/Compare - - html:Learn about the supported features & functionality in each Windows edition.
- - image: - - src: https://docs.microsoft.com/media/common/i_config-tools.svg - - title: Compare Windows 10 Editions - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/security-privacy-management-gp - - html:Learn how Microsoft Edge helps to defend from increasingly sophisticated and prevalent web-based attacks against Windows.
- - image: - - src: https://docs.microsoft.com/media/common/i_security-management.svg - - title: Security & protection - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp - - html:Learn how you can use the Enterprise Mode site list for websites and apps that have compatibility problems in Microsoft Edge.
- - image: - - src: https://docs.microsoft.com/media/common/i_management.svg - - title: Interoperability & enterprise guidance - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/index - - html:Learn about the advanced VPN features you can add to improve the security and availability of your VPN connection.
- - image: - - src: https://docs.microsoft.com/media/common/i_policy.svg - - title: Group policies & configuration options - -- items: - - - type: list - - style: cards - - className: cardsL - - items: - - - title: Microsoft Edge resources - - html: - - - - - - - - - - - - - -Measuring the impact of Microsoft Edge
- - - title: IE11 resources - - html:Deploy Internet Explorer 11 (IE11) - IT Pros
- -Internet Explorer Administration Kit 11 (IEAK 11)
- - - - - title: Additional resources - - html:Group Policy and the Group Policy Management Console (GPMC)
- -Group Policy and the Local Group Policy Editor
- -Group Policy and the Advanced Group Policy Management (AGPM)
- -Group Policy and Windows PowerShell
- - - - - - + ms.topic: landing-page # Required + ms.collection: collection # Optional; Remove if no collection is used. + author: shortpatti #Required; your GitHub user alias, with correct capitalization. + ms.author: pashort #Required; microsoft alias of author; optional team alias. + ms.date: 07/07/2020 #Required; mm/dd/yyyy format. + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: About Microsoft Edge + linkLists: + - linkListType: whats-new + links: + - text: Documentation for Microsoft Edge version 77 or later + url: /DeployEdge + - text: Microsoft 365 apps say farewell to Internet Explorer 11 and Windows 10 sunsets Microsoft Edge Legacy + url: https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666 + - text: Latest group policies and features added to Microsoft Edge + url: /microsoft-edge/deploy/change-history-for-microsoft-edge + - linkListType: overview + links: + - text: System requirements and supported languages + url: /microsoft-edge/deploy/about-microsoft-edge + - text: Compare Windows 10 editions + url: https://www.microsoft.com/en-us/WindowsForBusiness/Compare + - text: Security & protection + url: /microsoft-edge/deploy/group-policies/security-privacy-management-gp + - text: Interoperability & enterprise guidance + url: /microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp + - text: Group policies & configuration options + url: /microsoft-edge/deploy/group-policies/ + + # Card (optional) + - title: Microsoft Edge resources + linkLists: + - linkListType: overview + links: + - text: Minimum system requirements + url: 
/microsoft-edge/deploy/about-microsoft-edge#minimum-system-requirements + - text: Supported languages + url: /microsoft-edge/deploy/about-microsoft-edge#supported-languages + - text: Document change history + url: /microsoft-edge/deploy/change-history-for-microsoft-edge + - text: Microsoft Edge Dev blog + url: https://blogs.windows.com/msedgedev + - text: Microsoft Edge Dev on Twitter + url: /microsoft-edge/deploy/about-microsoft-edge#supported-languages + - text: Microsoft Edge changelog + url: /microsoft-edge/deploy/change-history-for-microsoft-edge + - text: Measuring the impact of Microsoft Edge + url: https://blogs.windows.com/msedgedev + + # Card (optional) + - title: IE11 resources + linkLists: + - linkListType: overview + links: + - text: Deploy Internet Explorer 11 (IE11) - IT Pros + url: https://go.microsoft.com/fwlink/p/?LinkId=760644 + - text: Internet Explorer Administration Kit 11 (IEAK 11) + url: /internet-explorer/ie11-ieak + - linkListType: download + links: + - text: Download Internet Explorer 11 + url: https://go.microsoft.com/fwlink/p/?linkid=290956 + + # Card (optional) + - title: Additional resources + linkLists: + - linkListType: overview + links: + - text: Group Policy and the Group Policy Management Console (GPMC) + url: https://go.microsoft.com/fwlink/p/?LinkId=617921 + - text: Group Policy and the Local Group Policy Editor + url: https://go.microsoft.com/fwlink/p/?LinkId=617922 + - text: Group Policy and the Advanced Group Policy Management (AGPM) + url: https://go.microsoft.com/fwlink/p/?LinkId=617923 + - text: Group Policy and Windows PowerShell + url: https://go.microsoft.com/fwlink/p/?LinkId=617924 diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md index 8249262926..d906bfc6ce 100644 --- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md +++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md 
@@ -15,6 +15,8 @@ ms.date: 01/17/2020 --- # Deploy Microsoft Edge Legacy kiosk mode +> [!IMPORTANT] +> Microsoft 365 apps and services will not support Internet Explorer 11 starting August 17, 2021 (Microsoft Teams will not support Internet Explorer 11 earlier, starting November 30, 2020). [Learn more](https://aka.ms/AA97tsw). Please note that Internet Explorer 11 will remain a supported browser. Internet Explorer 11 is a component of the Windows operating system and [follows the Lifecycle Policy](https://docs.microsoft.com/lifecycle/faq/internet-explorer-microsoft-edge) for the product on which it is installed. > Applies to: Microsoft Edge Legacy (version 45 and earlier) on Windows 10, version 1809 or later > Professional, Enterprise, and Education diff --git a/browsers/edge/microsoft-edge.yml b/browsers/edge/microsoft-edge.yml index 2b47ccaaf7..797d881911 100644 --- a/browsers/edge/microsoft-edge.yml +++ b/browsers/edge/microsoft-edge.yml 
@@ -1,60 +1,144 @@ -### YamlMime:YamlDocument +### YamlMime:Landing + +title: Microsoft Edge Legacy # < 60 chars +summary: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # < 160 chars -documentType: LandingData -title: Microsoft Edge metadata: - title: Microsoft Edge - description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. + title: Microsoft Edge Legacy # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # Required; article description that is displayed in search results. < 160 chars. keywords: Microsoft Edge, issues, fixes, announcements, Windows Server, advisories + ms.prod: edge ms.localizationpriority: medium author: lizap ms.author: elizapo manager: dougkim - ms.topic: article + ms.topic: landing-page ms.devlang: na + ms.date: 08/19/2020 #Required; mm/dd/yyyy format. -sections: -- items: - - type: markdown - text: " - Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. - " -- title: What's new -- items: - - type: markdown - text: " - Find out the latest and greatest news on Microsoft Edge.![]() **The latest in Microsoft Edge** See what's new for users and developers in the next update to Microsoft Edge - now available with the Windows 10 April 2018 update! Find out more | ![]() **Evaluate the impact** Review the latest Forrester Total Economic Impact (TEI) report to learn about the impact Microsoft Edge can have in your organization. Download the reports |
![]() **Microsoft Edge for iOS and Android** Microsoft Edge brings familiar features across your PC and phone, which allows browsing to go with you, no matter what device you use. Learn more | ![]() **Application Guard** Microsoft Edge with Windows Defender Application Guard is the most secure browser on Windows 10 Enterprise. Learn more |
![]() **Test your site on Microsoft Edge** Test your site on Microsoft Edge for free instantly, with remote browser testing powered by BrowserStack. You can also use the linting tool sonarwhal to assess your site's accessibility, speed, security, and more. Test your site on Microsoft Edge for free on BrowserStack Use sonarwhal to improve your website. | ![]() **Improve compatibility with Enterprise Mode** With Enterprise Mode you can use Microsoft Edge as your default browser, while ensuring apps continue working on IE11. Use Enterprise mode to improve compatibility Turn on Enterprise Mode and use a site list Enterprise Site List Portal Ultimate browser strategy on Windows 10 | ![]() **Web Application Compatibility Lab Kit** The Web Application Compatibility Lab Kit is a primer for the features and techniques used to provide web application compatibility during a typical enterprise migration to Microsoft Edge. Find out more |
![]() **NSS Labs web browser security reports** See the results of two global tests measuring how effective browsers are at protecting against socially engineered malware and phishing attacks. Download the reports | ![]() **Microsoft Edge sandbox** See how Microsoft Edge has significantly reduced the attack surface of the sandbox by configuring the app container to further reduce its privilege. Find out more | ![]() **Windows Defender SmartScreen** Manage your organization's computer settings with Group Policy and MDM settings to display a warning page to employees or block a site entirely. Read the docs |
![]() **Deployment** Find resources, learn about features, and get answers to commonly asked questions to help you deploy Microsoft Edge in your organization. Microsoft Edge deployment guide Microsoft Edge FAQ System requirements and language support Group Policy and MDM settings in Microsoft Edge Download the Web Application Compatibility Lab Kit Microsoft Edge training and demonstrations | ![]() **End user readiness** Help your users get started on Microsoft Edge quickly and learn about features like tab management, instant access to Office files, and more. Quick Start: Microsoft Edge (PDF, .98 MB) Find it faster with Microsoft Edge (PDF, 605 KB) Use Microsoft Edge to collaborate (PDF, 468 KB) Import bookmarks Password management Microsoft Edge tips and tricks (video, 20:26) |
![]() **Sign up for the Windows IT Pro Insider** Get the latest tools, tips, and expert guidance on deployment, management, security, and more. Learn more | ![]() **Microsoft Edge Dev blog** Keep up with the latest browser trends, security tips, and news for IT professionals. Read the blog | ![]() **Microsoft Edge Dev on Twitter** Get the latest news and updates from the Microsoft Web Platform team. Visit Twitter |
**Important**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company.
-
-You must separate each site using commas or carriage returns. For example:
-
-```
-microsoft.com, bing.com, bing.com/images
-```
-**-OR-**
-
-```
-microsoft.com
-bing.com
-bing.com/images
-```
-
-## Create an Enterprise Mode site list (XML) file using the v.1 version of the Enterprise Mode schema
-You can create and use a custom XML file with the Enterprise Mode Site List Manager to add multiple sites to your Enterprise Mode site list at the same time. For more info about the v.1 version of the Enterprise Mode schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
-
-Each XML file must include:
-
-- **Version number.** This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.
**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser.
-
-- **<emie> tag.** This tag specifies the domains and domain paths that must be rendered using IE7 Enterprise Mode, IE8 Enterprise Mode, or the default IE11 browser environment.
**Important**
If you decide a site requires IE7 Enterprise Mode, you must add `forceCompatView=”true”` to your XML file. That code tells Enterprise Mode to check for a `DOCTYPE` tag on the specified webpage. If there is, the site renders using Windows Internet Explorer 7. If there’s no tag, the site renders using Microsoft Internet Explorer 5.
-
-- <docMode> tag.This tag specifies the domains and domain paths that need either to appear using the specific doc mode you assigned to the site. Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
-
-### Enterprise Mode v.1 XML schema example
-The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
-
-```
-
**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (.
-
-## Add multiple sites to the Enterprise Mode Site List Manager (schema v.1)
-After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.1).
-
- **To add multiple sites**
-
-1. In the Enterprise Mode Site List Manager (schema v.1), click **Bulk add from file**.
-
-2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.
-Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). - -3. Click **OK** to close the **Bulk add sites to the list** menu. - -4. On the **File** menu, click **Save to XML**, and save your file.
-You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). - -## Next steps -After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). - -## Related topics -- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager. 
+author: dansimp +ms.prod: ie11 +ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c +ms.reviewer: +audience: itpro +manager: dansimp +ms.author: dansimp +title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + +**Applies to:** + +- Windows 8.1 +- Windows 7 + +You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager. You can only add specific URLs, not Internet or Intranet Zones. + +If you want to add your websites one at a time, see Add sites to the [Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md). + +## Create an Enterprise Mode site list (TXT) file +You can create and use a custom text file to add multiple sites to your Enterprise Mode site list at the same time.
**Important**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company.
+
+You must separate each site using commas or carriage returns. For example:
+
+```
+microsoft.com, bing.com, bing.com/images
+```
+**-OR-**
+
+```
+microsoft.com
+bing.com
+bing.com/images
+```
+
+## Create an Enterprise Mode site list (XML) file using the v.1 version of the Enterprise Mode schema
+You can create and use a custom XML file with the Enterprise Mode Site List Manager to add multiple sites to your Enterprise Mode site list at the same time. For more info about the v.1 version of the Enterprise Mode schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
+
+Each XML file must include:
+
+- **Version number.** This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.
**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser.
+
+- **<emie> tag.** This tag specifies the domains and domain paths that must be rendered using IE7 Enterprise Mode, IE8 Enterprise Mode, or the default IE11 browser environment.
**Important**
If you decide a site requires IE7 Enterprise Mode, you must add `forceCompatView=”true”` to your XML file. That code tells Enterprise Mode to check for a `DOCTYPE` tag on the specified webpage. If there is, the site renders using Windows Internet Explorer 7. If there’s no tag, the site renders using Microsoft Internet Explorer 5.
+
+- <docMode> tag.This tag specifies the domains and domain paths that need either to appear using the specific doc mode you assigned to the site. Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
+
+### Enterprise Mode v.1 XML schema example
+The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
+
+```
+
**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (.
+
+## Add multiple sites to the Enterprise Mode Site List Manager (schema v.1)
+After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.1).
+
+ **To add multiple sites**
+
+1. In the Enterprise Mode Site List Manager (schema v.1), click **Bulk add from file**.
+
+2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.
+Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). + +3. Click **OK** to close the **Bulk add sites to the list** menu. + +4. On the **File** menu, click **Save to XML**, and save your file.
+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). + +## Next steps +After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Related topics +- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md index 78f0903d6f..37ef55dea6 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md 
@@ -16,7 +16,10 @@ ms.date: 10/24/2017 --- -# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) +# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + **Applies to:** diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md index 8b8435daff..8c5e4b4426 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md 
@@ -1,66 +1,70 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. -author: dansimp -ms.prod: ie11 -ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26 -ms.reviewer: -audience: itpro manager: dansimp -ms.author: dansimp -title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) - -**Applies to:** - -- Windows 8.1 -- Windows 7 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
**Important**
You can only add specific URLs, not Internet or Intranet Zones.
-
-
Note
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and 8.1 Enterprise Mode Site List Manager.
-
-## Adding a site to your compatibility list
-You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.
-
Note
If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2).
-
- **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)**
-
-1. In the Enterprise Mode Site List Manager (schema v.1), click **Add**.
-
-2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.
-Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation. - -3. Type any comments about the website into the **Notes about URL** box.
-Administrators can only see comments while they’re in this tool. - -4. Choose **IE7 Enterprise Mode**, **IE8 Enterprise Mode**, or the appropriate document mode for sites that must be rendered using the emulation of a previous version of IE, or pick **Default IE** if the site should use the latest version of IE. - -The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected. - -Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). - -5. Click **Save** to validate your website and to add it to the site list for your enterprise.
- If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway. - -6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.
- You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). - -## Next steps -After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. 
+author: dansimp +ms.prod: ie11 +ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26 +ms.reviewer: +audience: itpro +manager: dansimp +ms.author: dansimp +title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + +**Applies to:** + +- Windows 8.1 +- Windows 7 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
**Important**
You can only add specific URLs, not Internet or Intranet Zones.
+
+
Note
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and 8.1 Enterprise Mode Site List Manager.
+
+## Adding a site to your compatibility list
+You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.
+
Note
If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2).
+
+ **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)**
+
+1. In the Enterprise Mode Site List Manager (schema v.1), click **Add**.
+
+2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.
+Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation. + +3. Type any comments about the website into the **Notes about URL** box.
+Administrators can only see comments while they’re in this tool. + +4. Choose **IE7 Enterprise Mode**, **IE8 Enterprise Mode**, or the appropriate document mode for sites that must be rendered using the emulation of a previous version of IE, or pick **Default IE** if the site should use the latest version of IE. + +The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected. + +Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). + +5. Click **Save** to validate your website and to add it to the site list for your enterprise.
+ If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway. + +6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.
+ You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Next steps +After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md index 0977b87b94..63f0d7bd6f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md @@ -16,7 +16,10 @@ ms.date: 07/27/2017 --- -# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) +# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + **Applies to:** 
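Review bot: In the schema v.1 article (the full-file hunk that ends just before the version-2 file header), step 2 on the added side still reads "Don't include the `https://` or `https://` designation", which names the same scheme twice. The next sentence says the tool tries both versions during validation, so one of the two is presumably meant to be `http://`. The added Note under "Adding a site to your compatibility list" has a similar problem: it tells readers on the v.2 schema to use the Enterprise Mode Site List Manager (schema v.1) and then points them to the schema v.2 article, so the tool named and the link disagree. Since every line of the file is re-added in this hunk, both are worth correcting here rather than carrying forward.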
diff --git a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md index f08c08fcdb..23bb9ee14a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md 
@@ -1,82 +1,86 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Administrative templates and Internet Explorer 11 -author: dansimp -ms.prod: ie11 -ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3 -ms.reviewer: -audience: itpro manager: dansimp -ms.author: dansimp -title: Administrative templates and Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Administrative templates and Internet Explorer 11 - -Administrative Templates are made up of a hierarchy of policy categories and subcategories that define how your policy settings appear in the Local Group Policy Editor, including: - -- What registry locations correspond to each setting. - -- What value options or restrictions are associated with each setting. - -- The default value for many settings. - -- Text explanations about each setting and the supported version of Internet Explorer. - -For a conceptual overview of Administrative Templates, see [Managing Group Policy ADMX Files Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=214519). - -## What are Administrative Templates? -Administrative Templates are XML-based, multi-language files that define the registry-based Group Policy settings in the Local Group Policy Editor. There are two types of Administrative Templates: - -- **ADMX.** A language-neutral setup file that states the number and type of policy setting, and the location by category, as it shows up in the Local Group Policy Editor. - -- **ADML.** A language-specific setup file that provides language-related information to the ADMX file. This file lets the policy setting show up in the right language in the Local Group Policy Editor. You can add new languages by adding new ADML files in the required language. - -## How do I store Administrative Templates? -As an admin, you can create a central store folder on your SYSVOL directory, named **PolicyDefinitions**. 
For example, %*SystemRoot*%\\PolicyDefinitions. This folder provides a single, centralized storage location for your Administrative Templates (both ADMX and ADML) files, so they can be used by your domain-based Group Policy Objects (GPOs). -
Important
Your Group Policy tools use the ADMX files in your store, ignoring any local copies. For more information about creating a central store, see Scenario 1: Editing the Local GPO Using ADMX Files.
-
-## Administrative Templates-related Group Policy settings
-When you install Internet Explorer 11, it updates the local administrative files, Inetres.admx and Inetres.adml, both located in the **PolicyDefinitions** folder.
-
Note
You won't see the new policy settings if you try to view or edit your policy settings on a computer that isn't running IE11. To fix this, you can either install IE11, or you can copy the updated Inetres.admx and Inetres.adml files from another computer to the PolicyDefinitions folder on this computer.
-
-IE11 provides these new policy settings, which are editable in the Local Group Policy Editor, and appear in the following policy paths:
-
-- Computer Configuration\\Administrative Templates\\Windows Components\\
-
-- User Configuration\\Administrative Templates\\Windows Components\\
-
-
-|Catalog |Description |
-| ------------------------------------------------ | --------------------------------------------|
-|IE |Turns standard IE configuration on and off. |
-|Internet Explorer\Accelerators |Sets up and manages Accelerators. |
-|Internet Explorer\Administrator Approved Controls |Turns ActiveX controls on and off. |
-|Internet Explorer\Application Compatibility |Turns the **Cut**, **Copy**, or **Paste** operations on or off. This setting also requires that `URLACTION_SCRIPT_PASTE` is set to **Prompt**. |
-|Internet Explorer\Browser Menus |Shows or hides the IE menus and menu options.|
-|Internet Explorer\Corporate Settings |Turns off whether you specify the code download path for each computer. |
-|Internet Explorer\Delete Browsing History |Turns the **Delete Browsing History** settings on and off. |
-|Internet Explorer\Internet Control Panel |Turns pages on and off in the **Internet Options** dialog box. Also turns on and off the subcategories that manage settings on the **Content**, **General**, **Security** and **Advanced** pages. |
-|Internet Explorer\Internet Settings |Sets up and manages the **Advanced settings**, **AutoComplete**, **Display Settings**, and **URL Encoding** options. |
-|Internet Explorer\Persistence Behavior |Sets up and manages the file size limits for Internet security zones. |
-|Internet Explorer\Privacy |Turns various privacy-related features on and off. |
-|Internet Explorer\Security Features |Turns various security-related features on and off in the browser, Windows Explorer, and other applications. |
-|Internet Explorer\Toolbars |Turns on and off the ability for users to edit toolbars in the browser. You can also set the default toolbar buttons here. |
-|RSS Feeds |Sets up and manages RSS feeds in the browser. |
-
-
-## Editing Group Policy settings
-Regardless which tool you're using to edit your Group Policy settings, you'll need to follow one of these guides for step-by-step editing instructions:
-
-- **If you're using the Group Policy Management Console (GPMC) or the Local Group Policy Editor.** See [Edit Administrative Template Policy Settings](https://go.microsoft.com/fwlink/p/?LinkId=214521) for step-by-step instructions about editing your Administrative Templates.
-
-- **If you're using GPMC with Advanced Group Policy Management (AGPM).** See [Checklist: Create, Edit, and Deploy a GPO](https://go.microsoft.com/fwlink/p/?LinkId=214522) for step-by-step instructions about how to check out a GPO from the AGPM archive, edit it, and request deployment.
-
-## Related topics
-- [Administrative templates (.admx) for Windows 10 April 2018 Update](https://www.microsoft.com/download/details.aspx?id=56880)
-- [Administrative templates (.admx) for Windows 10 October 2018 Update](https://www.microsoft.com/download/details.aspx?id=57576)
-- [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580)
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: security
+description: Administrative templates and Internet Explorer 11
+author: dansimp
+ms.prod: ie11
+ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Administrative templates and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Administrative templates and Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+Administrative Templates are made up of a hierarchy of policy categories and subcategories that define how your policy settings appear in the Local Group Policy Editor, including:
+
+- What registry locations correspond to each setting.
+
+- What value options or restrictions are associated with each setting.
+
+- The default value for many settings.
+
+- Text explanations about each setting and the supported version of Internet Explorer.
+
+For a conceptual overview of Administrative Templates, see [Managing Group Policy ADMX Files Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=214519).
+
+## What are Administrative Templates?
+Administrative Templates are XML-based, multi-language files that define the registry-based Group Policy settings in the Local Group Policy Editor. There are two types of Administrative Templates:
+
+- **ADMX.** A language-neutral setup file that states the number and type of policy setting, and the location by category, as it shows up in the Local Group Policy Editor.
+
+- **ADML.** A language-specific setup file that provides language-related information to the ADMX file. This file lets the policy setting show up in the right language in the Local Group Policy Editor. You can add new languages by adding new ADML files in the required language.
+
+## How do I store Administrative Templates?
+As an admin, you can create a central store folder on your SYSVOL directory, named **PolicyDefinitions**. For example, %*SystemRoot*%\\PolicyDefinitions. This folder provides a single, centralized storage location for your Administrative Templates (both ADMX and ADML) files, so they can be used by your domain-based Group Policy Objects (GPOs).
+
Important
Your Group Policy tools use the ADMX files in your store, ignoring any local copies. For more information about creating a central store, see Scenario 1: Editing the Local GPO Using ADMX Files.
+
+## Administrative Templates-related Group Policy settings
+When you install Internet Explorer 11, it updates the local administrative files, Inetres.admx and Inetres.adml, both located in the **PolicyDefinitions** folder.
+
Note
You won't see the new policy settings if you try to view or edit your policy settings on a computer that isn't running IE11. To fix this, you can either install IE11, or you can copy the updated Inetres.admx and Inetres.adml files from another computer to the PolicyDefinitions folder on this computer.
+
+IE11 provides these new policy settings, which are editable in the Local Group Policy Editor, and appear in the following policy paths:
+
+- Computer Configuration\\Administrative Templates\\Windows Components\\
+
+- User Configuration\\Administrative Templates\\Windows Components\\
+
+
+|Catalog |Description |
+| ------------------------------------------------ | --------------------------------------------|
+|IE |Turns standard IE configuration on and off. |
+|Internet Explorer\Accelerators |Sets up and manages Accelerators. |
+|Internet Explorer\Administrator Approved Controls |Turns ActiveX controls on and off. |
+|Internet Explorer\Application Compatibility |Turns the **Cut**, **Copy**, or **Paste** operations on or off. This setting also requires that `URLACTION_SCRIPT_PASTE` is set to **Prompt**. |
+|Internet Explorer\Browser Menus |Shows or hides the IE menus and menu options.|
+|Internet Explorer\Corporate Settings |Turns off whether you specify the code download path for each computer. |
+|Internet Explorer\Delete Browsing History |Turns the **Delete Browsing History** settings on and off. |
+|Internet Explorer\Internet Control Panel |Turns pages on and off in the **Internet Options** dialog box. Also turns on and off the subcategories that manage settings on the **Content**, **General**, **Security** and **Advanced** pages. |
+|Internet Explorer\Internet Settings |Sets up and manages the **Advanced settings**, **AutoComplete**, **Display Settings**, and **URL Encoding** options. |
+|Internet Explorer\Persistence Behavior |Sets up and manages the file size limits for Internet security zones. |
+|Internet Explorer\Privacy |Turns various privacy-related features on and off. |
+|Internet Explorer\Security Features |Turns various security-related features on and off in the browser, Windows Explorer, and other applications. |
+|Internet Explorer\Toolbars |Turns on and off the ability for users to edit toolbars in the browser. You can also set the default toolbar buttons here. |
+|RSS Feeds |Sets up and manages RSS feeds in the browser. |
+
+
+## Editing Group Policy settings
+Regardless which tool you're using to edit your Group Policy settings, you'll need to follow one of these guides for step-by-step editing instructions:
+
+- **If you're using the Group Policy Management Console (GPMC) or the Local Group Policy Editor.** See [Edit Administrative Template Policy Settings](https://go.microsoft.com/fwlink/p/?LinkId=214521) for step-by-step instructions about editing your Administrative Templates.
+
+- **If you're using GPMC with Advanced Group Policy Management (AGPM).** See [Checklist: Create, Edit, and Deploy a GPO](https://go.microsoft.com/fwlink/p/?LinkId=214522) for step-by-step instructions about how to check out a GPO from the AGPM archive, edit it, and request deployment.
+
+## Related topics
+- [Administrative templates (.admx) for Windows 10 April 2018 Update](https://www.microsoft.com/download/details.aspx?id=56880)
+- [Administrative templates (.admx) for Windows 10 October 2018 Update](https://www.microsoft.com/download/details.aspx?id=57576)
+- [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580)
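Review bot: The example path in the added "How do I store Administrative Templates?" paragraph does not match the sentence it illustrates. The text says the central store is a **PolicyDefinitions** folder on the SYSVOL directory, but the example given is %*SystemRoot*%\\PolicyDefinitions, which is a folder under the local Windows directory. The Important note directly after it says the Group Policy tools use the ADMX files in the store and ignore local copies, so an admin who follows the example literally would be placing templates in the location that gets ignored. Suggest replacing the example with a SYSVOL-based path or dropping the "For example" sentence.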
diff --git a/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md
index 977e17394e..07687792a3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md
@@ -1,62 +1,66 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal.
-author: dansimp
-ms.prod: ie11
-title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
----
-
-# Approve a change request using the Enterprise Mode Site List Portal
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-After a change request is successfully submitted to the pre-defined Approver(s), employees granted the role of **App Manager**, **Group Head**, or **Administrator**, they must approve the changes.
-
-## Approve or reject a change request
-The Approvers get an email stating that a Requester successfully opened, tested, and submitted the change request to the Approvers group. The Approvers can accept or reject a change request.
-
-**To approve or reject a change request**
-1. The Approver logs onto the Enterprise Mode Site List Portal, **All Approvals** page.
-
- The Approver can also get to the **All Approvals** page by clicking **Approvals Pending** from the left pane.
-
-2. The Approver clicks the expander arrow (**\/**) to the right side of the change request, showing the list of Approvers and the **Approve** and **Reject** buttons.
-
-3. The Approver reviews the change request, making sure it's correct. If the info is correct, the Approver clicks **Approve** to approve the change request. If the info seems incorrect, or if the app shouldn't be added to the site list, the Approver clicks **Reject**.
-
- An email is sent to the Requester, the Approver(s) group, and the Administrator(s) group, with the updated status of the request.
-
-
-## Send a reminder to the Approver(s) group
-If the change request is sitting in the approval queue for too long, the Requester can send a reminder to the group.
-
-- From the **My Approvals** page, click the checkbox next to the name of each Approver to be reminded, and then click **Send reminder**.
-
- An email is sent to the selected Approver(s).
-
-
-## View rejected change requests
-The original Requester, the Approver(s) group, and the Administrator(s) group can all view the rejected change request.
-
-**To view the rejected change request**
-
-- In the Enterprise Mode Site List Portal, click **Rejected** from the left pane.
-
- All rejected change requests appear, with role assignment determining which ones are visible.
-
-
-## Next steps
-After an Approver approves the change request, it must be scheduled for inclusion in the production Enterprise Mode Site List. For the scheduling steps, see the [Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md) topic.
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal.
+author: dansimp
+ms.prod: ie11
+title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+---
+
+# Approve a change request using the Enterprise Mode Site List Portal
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+After a change request is successfully submitted to the pre-defined Approver(s), employees granted the role of **App Manager**, **Group Head**, or **Administrator**, they must approve the changes.
+
+## Approve or reject a change request
+The Approvers get an email stating that a Requester successfully opened, tested, and submitted the change request to the Approvers group. The Approvers can accept or reject a change request.
+
+**To approve or reject a change request**
+1. The Approver logs onto the Enterprise Mode Site List Portal, **All Approvals** page.
+
+ The Approver can also get to the **All Approvals** page by clicking **Approvals Pending** from the left pane.
+
+2. The Approver clicks the expander arrow (**\/**) to the right side of the change request, showing the list of Approvers and the **Approve** and **Reject** buttons.
+
+3. The Approver reviews the change request, making sure it's correct. If the info is correct, the Approver clicks **Approve** to approve the change request. If the info seems incorrect, or if the app shouldn't be added to the site list, the Approver clicks **Reject**.
+
+ An email is sent to the Requester, the Approver(s) group, and the Administrator(s) group, with the updated status of the request.
+
+
+## Send a reminder to the Approver(s) group
+If the change request is sitting in the approval queue for too long, the Requester can send a reminder to the group.
+
+- From the **My Approvals** page, click the checkbox next to the name of each Approver to be reminded, and then click **Send reminder**.
+
+ An email is sent to the selected Approver(s).
+
+
+## View rejected change requests
+The original Requester, the Approver(s) group, and the Administrator(s) group can all view the rejected change request.
+
+**To view the rejected change request**
+
+- In the Enterprise Mode Site List Portal, click **Rejected** from the left pane.
+
+ All rejected change requests appear, with role assignment determining which ones are visible.
+
+
+## Next steps
+After an Approver approves the change request, it must be scheduled for inclusion in the production Enterprise Mode Site List. For the scheduling steps, see the [Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md) topic.
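Review bot: The added intro sentence "After a change request is successfully submitted to the pre-defined Approver(s), employees granted the role of **App Manager**, **Group Head**, or **Administrator**, they must approve the changes." is carried over unchanged and does not parse: the phrase describing the Approvers is followed by a second subject, "they". This is the sentence that states which roles may approve an entry into the site list, so it should be unambiguous. Suggest something like: "After a change request is submitted to the pre-defined Approvers (employees granted the App Manager, Group Head, or Administrator role), the Approvers must approve the changes."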
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
index d45374e404..7dbfc19776 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
@@ -1,62 +1,66 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: networking
-description: Auto configuration and auto proxy problems with Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: 3fbbc2c8-859b-4b2e-abc3-de2c299e0938
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Auto configuration and auto proxy problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Auto configuration and auto proxy problems with Internet Explorer 11
-You might experience some problems using automatic configuration and auto-proxy with Internet Explorer 11.
-
-## Branding changes aren't distributed using automatic configuration
-If you've turned on the **Disable external branding of Internet Explorer** Group Policy Object, you won't be able to use automatic configuration to distribute your branding changes to your users' computers. When this object is turned on, it prevents the branding of IE by a non-Microsoft company or entity, such as an Internet service provider or Internet content provider. For more information about automatic configuration, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) and [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). For more information about Group Policy settings, see [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md).
-
-## Proxy server setup issues
-If you experience issues while setting up your proxy server, you can try these troubleshooting steps:
-
-- Check to make sure the proxy server address is right.
-
-- Check that both **Automatically detect settings** and **Automatic configuration** are turned on in the browser.
-
-- Check that the browser is pointing to the right automatic configuration script location.
-
- **To check your proxy server address**
-
-1. On the **Tools** menu, click **Internet Options**, and then **Connections**.
-
-2. Click **Settings** or **LAN Settings**, and then look at your proxy server address.
-
-3. If you have multiple proxy servers, click **Advanced** to look at all of the additional addresses.
**Note**
If IE11 uses a proxy server for local IP addresses, regardless whether you turned on the **Bypass Proxy Server for Local Addresses** option, see [Internet Explorer Uses Proxy Server for Local IP Address Even if the "Bypass Proxy Server for Local Addresses" Option Is Turned On](https://go.microsoft.com/fwlink/p/?LinkId=85652).
-
- **To check that you've turned on the correct settings**
-
-4. On the **Tools** menu, click **Internet Options**, and then click **Connections**.
-
-5. Click **Settings** or **LAN Settings**.
-
-6. In the **Automatic configuration** area, check that you've clicked the **Automatically detect settings** box. If you've turned on automatic configuration, check to make sure that you've also clicked the **Use automatic configuration script** box.
**Note**
If at this point everything is set up correctly, but the proxy server still isn't behaving properly, click the **Detect my network settings** box in the **Error** dialog box to try to detect the proxy server, again.
-
- **To check that you're pointing to the correct automatic configuration script location**
-
-7. On the **Tools** menu, click **Internet Options**, and then click **Connections**.
-
-8. Click **Settings** or **LAN Settings**.
-
-9. In the **Automatic configuration** area, check that you've chosen the **Use automatic configuration script** box, and that it has the correct location to your automatic configuration script or for your automatic proxy URL.
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: networking
+description: Auto configuration and auto proxy problems with Internet Explorer 11
+author: dansimp
+ms.prod: ie11
+ms.assetid: 3fbbc2c8-859b-4b2e-abc3-de2c299e0938
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Auto configuration and auto proxy problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Auto configuration and auto proxy problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+You might experience some problems using automatic configuration and auto-proxy with Internet Explorer 11.
+
+## Branding changes aren't distributed using automatic configuration
+If you've turned on the **Disable external branding of Internet Explorer** Group Policy Object, you won't be able to use automatic configuration to distribute your branding changes to your users' computers. When this object is turned on, it prevents the branding of IE by a non-Microsoft company or entity, such as an Internet service provider or Internet content provider. For more information about automatic configuration, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) and [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). For more information about Group Policy settings, see [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md).
+
+## Proxy server setup issues
+If you experience issues while setting up your proxy server, you can try these troubleshooting steps:
+
+- Check to make sure the proxy server address is right.
+
+- Check that both **Automatically detect settings** and **Automatic configuration** are turned on in the browser.
+
+- Check that the browser is pointing to the right automatic configuration script location.
+
+ **To check your proxy server address**
+
+1. On the **Tools** menu, click **Internet Options**, and then **Connections**.
+
+2. Click **Settings** or **LAN Settings**, and then look at your proxy server address.
+
+3. If you have multiple proxy servers, click **Advanced** to look at all of the additional addresses.
**Note**
If IE11 uses a proxy server for local IP addresses, regardless whether you turned on the **Bypass Proxy Server for Local Addresses** option, see [Internet Explorer Uses Proxy Server for Local IP Address Even if the "Bypass Proxy Server for Local Addresses" Option Is Turned On](https://go.microsoft.com/fwlink/p/?LinkId=85652).
+
+ **To check that you've turned on the correct settings**
+
+4. On the **Tools** menu, click **Internet Options**, and then click **Connections**.
+
+5. Click **Settings** or **LAN Settings**.
+
+6. In the **Automatic configuration** area, check that you've clicked the **Automatically detect settings** box. If you've turned on automatic configuration, check to make sure that you've also clicked the **Use automatic configuration script** box.
**Note**
If at this point everything is set up correctly, but the proxy server still isn't behaving properly, click the **Detect my network settings** box in the **Error** dialog box to try to detect the proxy server, again.
+
+ **To check that you're pointing to the correct automatic configuration script location**
+
+7. On the **Tools** menu, click **Internet Options**, and then click **Connections**.
+
+8. Click **Settings** or **LAN Settings**.
+
+9. In the **Automatic configuration** area, check that you've chosen the **Use automatic configuration script** box, and that it has the correct location to your automatic configuration script or for your automatic proxy URL.
+
+
+
+
+
+
+
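Review bot: the re-added procedures keep continuous step numbers across three separate tasks ("To check that you've turned on the correct settings" starts at 4, "To check that you're pointing to the correct automatic configuration script location" starts at 7). Each task is run independently from the **Tools** menu, so each list should restart at 1. Since the file is being rewritten in full anyway, this is the place to fix it. In the same pass, "regardless whether you turned on" in the first note should read "regardless of whether you turned on". `ms.date: 07/27/2017` is also carried over unchanged even though the page gains the end-of-support include.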
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
index 1b9a0ba9c8..82857ac50e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
@@ -1,74 +1,78 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: networking
-description: Auto configuration settings for Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: 90308d59-45b9-4639-ab1b-497e5ba19023
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Auto configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Auto configuration settings for Internet Explorer 11
-Automatic configuration lets you apply custom branding and graphics to your internal Internet Explorer installations, running on Windows 8.1 or Windows Server 2012 R2. For more information about adding custom branding and graphics to your IE package, see [Customize the toolbar button and Favorites List icons using IEAK 11](../ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md).
**Important**
You'll only see and be able to use the **IE Customization Wizard 11 - Automatic Configuration** page if you're creating an internal IE installation package. For more information about the **IE Customization Wizard 11 - Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md).
-
-## Adding the automatic configuration registry key
-For custom graphics and branding, add the `FEATURE\AUTOCONFIG\BRANDING` registry key to your IE installation package.
**Important**
Follow these directions carefully because serious problems can occur if you update your registry incorrectly. For added protection, back up your registry so you can restore it if a problem occurs.
-
- **To add the registry key**
-
-1. On the **Start** screen, type **regedit**, and then click **Regedit.exe**.
-
-2. Right-click the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl` subkey, point to **New**, and then click **Key**.
-
-3. Enter the new key name, `FEATURE\AUTOCONFIG\BRANDING`, and then press Enter.
-
-4. Right-click `FEATURE\AUTOCONFIG\BRANDING`, point to **New**, and then click **DWORD (32-bit) Value**.
-
-5. Enter the new DWORD value name, **iexplore.exe**, and then press Enter.
-
-6. Right-click **iexplore.exe**, and then click **Modify**.
-
-7. In the **Value data** box, enter **1**, and then click **OK**.
-
-8. Exit the registry editor.
-
-## Updating your automatic configuration settings
-After adding the `FEATURE\AUTOCONFIG\BRANDING` registry key, you can change your automatic configuration settings to pick up the updated branding.
-
Important
Your branding changes won't be added or updated if you've previously chosen the Disable external branding of IE setting in the User Configuration\Administrative Templates\Windows Components\Internet Explorer
Group Policy object. This setting is intended to prevent branding by a third-party, like an Internet service or content provider. For more information about Group Policy, including videos and the latest technical documentation, see the Group Policy TechCenter.
-
- **To update your settings**
-
-1. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
-
-2. Choose the **Automatically detect configuration settings** check box to allow automatic detection of browser settings.
-
-3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including:
-
- - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that automatic configuration only happens when the computer restarts.
-
- - **Automatic Configuration URL (.INS file) box:** Type the location of your automatic configuration script.
-
- - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script.
**Important**
Internet Explorer 11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`.
-
-If your branding changes aren't correctly deployed after running through this process, see [Auto configuration and auto proxy problems with Internet Explorer 11](auto-configuration-and-auto-proxy-problems-with-ie11.md).
-
-## Locking your automatic configuration settings
-You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment.
-
-- **Using Microsoft Active Directory.** Choose **Disable changing Automatic Configuration settings** from the Administrative Templates setting.
-
-- **Not Using Active Directory.** Choose the **Disable changing Automatic Configuration settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object.
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: networking
+description: Auto configuration settings for Internet Explorer 11
+author: dansimp
+ms.prod: ie11
+ms.assetid: 90308d59-45b9-4639-ab1b-497e5ba19023
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Auto configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Auto configuration settings for Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+Automatic configuration lets you apply custom branding and graphics to your internal Internet Explorer installations, running on Windows 8.1 or Windows Server 2012 R2. For more information about adding custom branding and graphics to your IE package, see [Customize the toolbar button and Favorites List icons using IEAK 11](../ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md).
**Important**
You'll only see and be able to use the **IE Customization Wizard 11 - Automatic Configuration** page if you're creating an internal IE installation package. For more information about the **IE Customization Wizard 11 - Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md).
+
+## Adding the automatic configuration registry key
+For custom graphics and branding, add the `FEATURE\AUTOCONFIG\BRANDING` registry key to your IE installation package.
**Important**
Follow these directions carefully because serious problems can occur if you update your registry incorrectly. For added protection, back up your registry so you can restore it if a problem occurs.
+
+ **To add the registry key**
+
+1. On the **Start** screen, type **regedit**, and then click **Regedit.exe**.
+
+2. Right-click the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl` subkey, point to **New**, and then click **Key**.
+
+3. Enter the new key name, `FEATURE\AUTOCONFIG\BRANDING`, and then press Enter.
+
+4. Right-click `FEATURE\AUTOCONFIG\BRANDING`, point to **New**, and then click **DWORD (32-bit) Value**.
+
+5. Enter the new DWORD value name, **iexplore.exe**, and then press Enter.
+
+6. Right-click **iexplore.exe**, and then click **Modify**.
+
+7. In the **Value data** box, enter **1**, and then click **OK**.
+
+8. Exit the registry editor.
+
+## Updating your automatic configuration settings
+After adding the `FEATURE\AUTOCONFIG\BRANDING` registry key, you can change your automatic configuration settings to pick up the updated branding.
+
Important
Your branding changes won't be added or updated if you've previously chosen the Disable external branding of IE setting in the User Configuration\Administrative Templates\Windows Components\Internet Explorer
Group Policy object. This setting is intended to prevent branding by a third-party, like an Internet service or content provider. For more information about Group Policy, including videos and the latest technical documentation, see the Group Policy TechCenter.
+
+ **To update your settings**
+
+1. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
+
+2. Choose the **Automatically detect configuration settings** check box to allow automatic detection of browser settings.
+
+3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including:
+
+ - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that automatic configuration only happens when the computer restarts.
+
+ - **Automatic Configuration URL (.INS file) box:** Type the location of your automatic configuration script.
+
+ - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script.
**Important**
Internet Explorer 11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`.
+
+If your branding changes aren't correctly deployed after running through this process, see [Auto configuration and auto proxy problems with Internet Explorer 11](auto-configuration-and-auto-proxy-problems-with-ie11.md).
+
+## Locking your automatic configuration settings
+You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment.
+
+- **Using Microsoft Active Directory.** Choose **Disable changing Automatic Configuration settings** from the Administrative Templates setting.
+
+- **Not Using Active Directory.** Choose the **Disable changing Automatic Configuration settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object.
+
+
+
+
+
+
+
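Review bot: in the **Important** note under the "Automatic proxy URL (.JS, .JVS, or .PAC file)" bullet, the text is about proxy configuration (.pac) files, but the sample URL is `https://share/test.ins`, which is the automatic configuration file type from the bullet above it. The example should end in `.pac` so readers don't put an .ins URL in the proxy field. Separately, the "Important" block under "Updating your automatic configuration settings" is re-added without the bold label and without backticks around `User Configuration\Administrative Templates\Windows Components\Internet Explorer`, unlike every other note and path in the file. Under "Locking your automatic configuration settings", both bullets name the same **Disable changing Automatic Configuration settings** setting, so it would help to say what actually differs between the Active Directory case and the non-Active Directory case.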
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
index 6d58aac85b..3e2c898988 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
@@ -1,55 +1,59 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: networking
-description: Auto detect settings Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: c6753cf4-3276-43c5-aae9-200e9e82753f
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Auto detect settings Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Auto detect settings Internet Explorer 11
-After you specify the specific settings related to automatic detection on your Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) servers, you can set up your users' browser settings from a central location.
-
-Automatic detection works even if the browser wasn't originally set up or installed by the administrator.
-
-- **Using DHCP servers:** For local area network (LAN)-based users. This server type lets you specify your global and subnet TCP/IP parameters centrally, defining your users' parameters by using reserved addresses. By doing it this way, a computer can move between subnets, automatically reconfiguring for TCP/IP when it starts.
-
-- **Using DNS servers:** For users on dial-up connections. This server type uses a set of protocols and services on a TCP/IP network, which lets users search for other computers by using hierarchical, user-friendly names (hosts), instead of numeric IP addresses.
**Note**
DHCP has a higher priority than DNS for automatic configuration. If DHCP provides the URL to a .pac, .jvs, .js, or .ins configuration file, the process stops and the DNS lookup doesn't happen.
-
-## Updating your automatic detection settings
-To use automatic detection, you have to set up your DHCP and DNS servers.
**Note**
Your DHCP servers must support the `DHCPINFORM` message, to obtain the DHCP options.
-
- **To turn on automatic detection for DHCP servers**
-
-1. Open the Internet Explorer Customization Wizard 11, and go to the **Automatic Configuration** page.
-
-2. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. For more information about the **Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md).
-
-3. Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649).
-
- **To turn on automatic detection for DNS servers**
-
-4. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
-
-5. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings.
-
-6. In your DNS database file, create a host record named, **WPAD**. This record has the IP address of the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.
**-OR-**
Create a canonical name (CNAME) alias record named, **WPAD**. This record has the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file.
**Note** **Note** **Note** **Note** **-OR-** Create a canonical name (CNAME) alias record named, **WPAD**. This record has the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file. **Note** **Note** **Important** **Important** **Note** **Note** **Note** **Note**
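Review bot: step 6 of "To turn on automatic detection for DNS servers" is inconsistent about which files a **WPAD** record can point to. The host record sentence lists ".js, .jvs, .pac, or .ins", the CNAME alternative lists only ".pac", and the earlier DHCP note lists ".pac, .jvs, .js, or .ins". If the CNAME form supports the same file types, the list should match; if it doesn't, the restriction should be stated. The DNS procedure is also numbered 4 to 6 as a continuation of the DHCP procedure, though the two are alternatives and each should start at 1. The stray comma in "record named, **WPAD**" can be dropped in both sentences.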
diff --git a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
index 5ab9dd5e58..f585e3210d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Import your Enterprise Mode site list to the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
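Review bot: the added `[!INCLUDE ...]` line references `../includes/microsoft-365-ie-end-of-support.md`, which from `ie11-deploy-guide/` resolves to `browsers/internet-explorer/includes/`. That file isn't in the part of the diff shown here, so please confirm it is added in this same change. The same relative path is used from the `ie11-ieak/` pages, so one missing target would break the include on every page this change touches.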
diff --git a/browsers/internet-explorer/ie11-deploy-guide/index.md b/browsers/internet-explorer/ie11-deploy-guide/index.md
index 74f09e116d..c40ba230ff 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/index.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/index.md
@@ -14,6 +14,9 @@ manager: dansimp
# Internet Explorer 11 (IE11) - Deployment Guide for IT Pros
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md
index e9fcf44f0e..47a4d07569 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Install and Deploy Internet Explorer 11 (IE11)
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
index 7dd92ecc08..027cf25129 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
@@ -15,6 +15,9 @@ ms.date: 07/27/2017
# Install Internet Explorer 11 (IE11) using Microsoft Intune
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Internet Explorer 11 is available as an update in Microsoft Intune. Microsoft Intune uses Windows cloud services to help you manage updates, monitor and protect your computers, provide remote assistance, track hardware and software inventory, and set security policies. For more information, see the [Documentation Library for Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301805).
## Adding and deploying the IE11 package
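Review bot: blank-line placement around the added include differs between files. Here the added lines are blank, include, blank, while in `index.md`, `install-and-deploy-ie11.md` and `import-into-the-enterprise-mode-site-list-manager.md` the added lines are the include followed by two blank lines. Please pick one pattern (a single blank line before and after the include) and apply it to all of the touched pages so later diffs stay clean.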
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
index 5dade69199..c6bd4e15e8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
You can install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images.
You'll need to extract the .cab file for each supported operating system and platform combination and the .msu file for each prerequisite update. Download the IE11 update and prerequisites here:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
index 2b40174159..e08ca5dffe 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Install Internet Explorer 11 (IE11) using System Center 2012 R2 Configuration Manager
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You can install Internet Explorer 11 (IE11) by using [System Center R2 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?linkid=276664). Complete these steps for each operating system and platform combination.
**To install IE11**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
index 9da3cd91fa..d0d9d17be1 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Install Internet Explorer 11 (IE11) using your network
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You can install Internet Explorer 11 (IE11) over your network by putting your custom IE11 installation package in a shared network folder and letting your employees run the Setup program on their own computers. You can create the network folder structure manually, or you can run Internet Explorer Administration Kit 11 (IEAK 11).
**Note** The customizations you make on this page only apply to Internet Explorer for the desktop on Windows 7.
-
-**To use the User Experience page**
-
-1. Choose how your employee should interact with Setup, including:
-
- - **Interactive installation**. Lets your employees change installation options while installing your custom package. This experience shows all of the progress and error messages throughout the process.
-
- - **Hands-free installation**. Lets you make all of the decisions for your employees. However, they’ll still see all of the progress and error messages throughout the process.
-
- - **Completely silent installation**. Lets you make all of the decisions for your employees and hides all of the progress and error messages. Because this mode is completely silent, if the installation fails, your employees won’t know and they won’t be able to run the installation package again.
- Both the hands-free and completely silent installation options will:
-
- - Answer prompts so Setup can continue.
-
- - Accept the license agreement.
-
- - Determine that Internet Explorer 11 is installed and not just downloaded.
-
- - Perform your specific installation type.
-
- - Install IE in the default location, unless it is already installed. In that case, the new version of the browser is installed in the same location as the previous version.
-
-2. Choose if your employee’s device will restart at the end of Setup.
-
- - **Default**. Prompts your employees to restart after installing IE.
-
- - **No restart**. Doesn’t restart the computer after installing IE. The employee will have to manually restart later.
-
- - **Force restart**. Automatically restarts the computer after installing IE.
-
-3. Click **Next** to go to the [Browser User Interface](browser-ui-ieak11-wizard.md) page or **Back** to go to the [Internal Install](internal-install-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: How to use the User Experience page in the IEAK 11 Customization Wizard to decide user interaction with the Setup process.
+author: dansimp
+ms.prod: ie11
+ms.assetid: d3378058-e4f0-4a11-a888-b550af994bfa
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Use the User Experience page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Use the User Experience page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+The **User Experience** page of the Internet Explorer Customization Wizard 11 lets you decide how much you want your employees to interact with the custom package’s Setup process.
+
+**Note** The customizations you make on this page only apply to Internet Explorer for the desktop on Windows 7.
+
+**To use the User Experience page**
+
+1. Choose how your employee should interact with Setup, including:
+
+ - **Interactive installation**. Lets your employees change installation options while installing your custom package. This experience shows all of the progress and error messages throughout the process.
+
+ - **Hands-free installation**. Lets you make all of the decisions for your employees. However, they’ll still see all of the progress and error messages throughout the process.
+
+ - **Completely silent installation**. Lets you make all of the decisions for your employees and hides all of the progress and error messages. Because this mode is completely silent, if the installation fails, your employees won’t know and they won’t be able to run the installation package again.
+ Both the hands-free and completely silent installation options will:
+
+ - Answer prompts so Setup can continue.
+
+ - Accept the license agreement.
+
+ - Determine that Internet Explorer 11 is installed and not just downloaded.
+
+ - Perform your specific installation type.
+
+ - Install IE in the default location, unless it is already installed. In that case, the new version of the browser is installed in the same location as the previous version.
+
+2. Choose if your employee’s device will restart at the end of Setup.
+
+ - **Default**. Prompts your employees to restart after installing IE.
+
+ - **No restart**. Doesn’t restart the computer after installing IE. The employee will have to manually restart later.
+
+ - **Force restart**. Automatically restarts the computer after installing IE.
+
+3. Click **Next** to go to the [Browser User Interface](browser-ui-ieak11-wizard.md) page or **Back** to go to the [Internal Install](internal-install-ieak11-wizard.md) page.
+
+
+
+
+
+
+
+
+
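Review bot: the "Completely silent installation" bullet says that if the installation fails, "your employees won't know and they won't be able to run the installation package again", but the page gives the administrator no way to find out about the failure either. A sentence pointing to where Setup results can be checked would close that gap for anyone choosing silent mode. The line "Both the hands-free and completely silent installation options will:" is also indented as a continuation of the silent-installation bullet, so it reads as applying to that option only; it should sit at the level of step 1 with its sub-list beneath it.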
diff --git a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md
index 3efd12ffa8..c9bb888bed 100644
--- a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md
+++ b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md
@@ -1,37 +1,41 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Info about how to use Internet Settings (.ins) files and the IEAK 11 to configure your custom browser package.
-author: dansimp
-ms.prod: ie11
-ms.assetid: a24a7cdb-681e-4f34-a53c-6d8383c5f977
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Using Internet Settings (.INS) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Using Internet Settings (.INS) files with IEAK 11
-Use the Internet Settings (.ins) files and the Internet Explorer Administration Kit 11 (IEAK 11) to configure your custom browser and its components. You can create multiple versions of your custom package by customizing copies of this file.
-
-Here's a list of the available .INS file settings:
-
-|Setting |Description |
-|-----------------------------------------|------------------------------------------------------------------------------|
-|[Branding](branding-ins-file-setting.md) |Customize the branding and setup information in your browser package. |
-|[BrowserToolbars](browsertoolbars-ins-file-setting.md) |Customize the appearance of the IE toolbar. |
-|[CabSigning](cabsigning-ins-file-setting.md) |Digital signature information for your programs. |
-|[ConnectionSettings](connectionsettings-ins-file-setting.md) |Info about the networking connection settings used to install your custom package. |
-|[CustomBranding](custombranding-ins-file-setting.md) |URL location to your branding cabinet (.cab) file. |
-|[ExtRegInf](extreginf-ins-file-setting.md) |Names of your Setup information (.inf) files and the installation mode for components. |
-|[FavoritesEx](favoritesex-ins-file-setting.md) |Add a path to your icon file for **Favorites**, decide whether **Favorites** are available offline, and add URLs to each**Favorites** site. |
-|[HideCustom](hidecustom-ins-file-setting.md) |Whether to hide the globally unique identifier (GUID) for each custom component. |
-|[ISP_Security](isp-security-ins-file-setting.md) |The root certificate you’re adding to your custom package. |
-|[Media](media-ins-file-setting.md) |Types of media in which your custom installation package is available. |
-|[Proxy](proxy-ins-file-setting.md) |Whether to use a proxy server. |
-|[Security Imports](security-imports-ins-file-setting.md) |Whether to import security information for your custom package. |
-|[URL](url-ins-file-setting.md) |Whether to use an auto-configured proxy server. |
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: Info about how to use Internet Settings (.ins) files and the IEAK 11 to configure your custom browser package.
+author: dansimp
+ms.prod: ie11
+ms.assetid: a24a7cdb-681e-4f34-a53c-6d8383c5f977
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Using Internet Settings (.INS) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Using Internet Settings (.INS) files with IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+Use the Internet Settings (.ins) files and the Internet Explorer Administration Kit 11 (IEAK 11) to configure your custom browser and its components. You can create multiple versions of your custom package by customizing copies of this file.
+
+Here's a list of the available .INS file settings:
+
+|Setting |Description |
+|-----------------------------------------|------------------------------------------------------------------------------|
+|[Branding](branding-ins-file-setting.md) |Customize the branding and setup information in your browser package. |
+|[BrowserToolbars](browsertoolbars-ins-file-setting.md) |Customize the appearance of the IE toolbar. |
+|[CabSigning](cabsigning-ins-file-setting.md) |Digital signature information for your programs. |
+|[ConnectionSettings](connectionsettings-ins-file-setting.md) |Info about the networking connection settings used to install your custom package. |
+|[CustomBranding](custombranding-ins-file-setting.md) |URL location to your branding cabinet (.cab) file. |
+|[ExtRegInf](extreginf-ins-file-setting.md) |Names of your Setup information (.inf) files and the installation mode for components. |
+|[FavoritesEx](favoritesex-ins-file-setting.md) |Add a path to your icon file for **Favorites**, decide whether **Favorites** are available offline, and add URLs to each**Favorites** site. |
+|[HideCustom](hidecustom-ins-file-setting.md) |Whether to hide the globally unique identifier (GUID) for each custom component. |
+|[ISP_Security](isp-security-ins-file-setting.md) |The root certificate you’re adding to your custom package. |
+|[Media](media-ins-file-setting.md) |Types of media in which your custom installation package is available. |
+|[Proxy](proxy-ins-file-setting.md) |Whether to use a proxy server. |
+|[Security Imports](security-imports-ins-file-setting.md) |Whether to import security information for your custom package. |
+|[URL](url-ins-file-setting.md) |Whether to use an auto-configured proxy server. |
+
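Review bot: in the FavoritesEx row, `each**Favorites** site` is missing the space before the bold span, so the two words read as one; write `each **Favorites** site`. The table rows removed above and the rows added here are otherwise identical, so apart from the new `[!INCLUDE ...]` line this looks like a whitespace or line-ending rewrite of the whole file, which is worth stating in the commit message.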
diff --git a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md
index 06b86bce15..d62e11e507 100644
--- a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md
+++ b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md
@@ -1,68 +1,72 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: support
-ms.pagetype: security
-description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
-author: dansimp
-ms.author: dansimp
-ms.manager: elizapo
-ms.prod: ie11
-ms.assetid:
-ms.reviewer:
-audience: itpro
manager: dansimp
-title: What IEAK can do for you
-ms.sitesec: library
-ms.date: 05/10/2018
----
-
-# What IEAK can do for you
-
-Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
-
-IEAK 10 and newer includes the ability to install using one of the following installation modes:
-
-- Internal
-
-- External
-
-## IEAK 11 users
-Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
-
-IEAK 10 and newer includes the ability to install using one of the following installation modes:
-- Internal
-- External
-
-> [!NOTE]
-> IEAK 11 works in network environments, with or without Microsoft Active Directory service.
-
-
-### Corporations
-IEAK helps corporate administrators establish version control, centrally distribute and manage browser installation, configure automatic connection profiles, and customize large portions of Internet Explorer, including features, security, communications settings, and other important functionality.
-
-Corporate administrators install IEAK using Internal mode (for Internet Explorer 10 or newer) or Corporate mode (for Internet Explorer 9 or older).
-
-### Internet service providers
-IEAK helps ISPs customize, deploy and distribute, add third-party add-ons, search providers, and custom components, as well as include web slices and accelerators all as part of a custom Internet Explorer installation package.
-
-ISPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Service Provider (ISP) mode (for Internet Explorer 9 or older).
-
-### Internet content providers
-IEAK helps ICPs customize the appearance of Internet Explorer and its Setup program, including letting you add your company name or specific wording to the Title bar, set up a customer support webpage, set up the user home page and search providers, add links to the Favorites and the Explorer bars, add optional components, web slices and accelerators, and determine which compatibility mode Internet Explorer should use.
-
-ICPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older)
-
-### Independent software vendors
-IEAK helps ISVs distribute (and redistribute) a custom version of Internet Explorer that can include custom components, programs, and controls (like the web browser control) that you create for your users. ISVs can also determine home pages, search providers, and add websites to the Favorites bar.
-
-ISVs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older).
-
-## Additional resources
-
-- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md)
-- [Download IEAK 11](ieak-information-and-downloads.md)
-- [IEAK 11 overview](index.md)
-- [IEAK 11 administrators guide](https://docs.microsoft.com/internet-explorer/ie11-ieak/index)
-- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md)
-- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md)
-- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
-- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643)
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: support
+ms.pagetype: security
+description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
+author: dansimp
+ms.author: dansimp
+ms.manager: elizapo
+ms.prod: ie11
+ms.assetid:
+ms.reviewer:
+audience: itpro
+manager: dansimp
+title: What IEAK can do for you
+ms.sitesec: library
+ms.date: 05/10/2018
+---
+
+# What IEAK can do for you
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
+
+IEAK 10 and newer includes the ability to install using one of the following installation modes:
+
+- Internal
+
+- External
+
+## IEAK 11 users
+Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
+
+IEAK 10 and newer includes the ability to install using one of the following installation modes:
+- Internal
+- External
+
+> [!NOTE]
+> IEAK 11 works in network environments, with or without Microsoft Active Directory service.
+
+
+### Corporations
+IEAK helps corporate administrators establish version control, centrally distribute and manage browser installation, configure automatic connection profiles, and customize large portions of Internet Explorer, including features, security, communications settings, and other important functionality.
+
+Corporate administrators install IEAK using Internal mode (for Internet Explorer 10 or newer) or Corporate mode (for Internet Explorer 9 or older).
+
+### Internet service providers
+IEAK helps ISPs customize, deploy and distribute, add third-party add-ons, search providers, and custom components, as well as include web slices and accelerators all as part of a custom Internet Explorer installation package.
+
+ISPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Service Provider (ISP) mode (for Internet Explorer 9 or older).
+
+### Internet content providers
+IEAK helps ICPs customize the appearance of Internet Explorer and its Setup program, including letting you add your company name or specific wording to the Title bar, set up a customer support webpage, set up the user home page and search providers, add links to the Favorites and the Explorer bars, add optional components, web slices and accelerators, and determine which compatibility mode Internet Explorer should use.
+
+ICPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older)
+
+### Independent software vendors
+IEAK helps ISVs distribute (and redistribute) a custom version of Internet Explorer that can include custom components, programs, and controls (like the web browser control) that you create for your users. ISVs can also determine home pages, search providers, and add websites to the Favorites bar.
+
+ISVs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older).
+
+## Additional resources
+
+- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md)
+- [Download IEAK 11](ieak-information-and-downloads.md)
+- [IEAK 11 overview](index.md)
+- [IEAK 11 administrators guide](https://docs.microsoft.com/internet-explorer/ie11-ieak/index)
+- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md)
+- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md)
+- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
+- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643)
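Review bot: the added body carries the intro paragraph and the Internal/External installation-mode list twice, once directly under the H1 and again under `## IEAK 11 users`; since every line of the file is being rewritten anyway, drop one copy. The ICP sentence ending "(for Internet Explorer 9 or older)" is also missing its closing period, and the front matter keeps both `ms.manager: elizapo` and `manager: dansimp`, which name different people.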
diff --git a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md
index e81b0eedea..03de7ed423 100644
--- a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md
@@ -1,31 +1,35 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the Wizard Complete - Next Steps page in the IEAK 11 Customization Wizard to build your custom Internet Explorer install package.
-author: dansimp
-ms.prod: ie11
-ms.assetid: aaaac88a-2022-4d0b-893c-b2404b45cabc
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard
-The **Wizard Complete – Next Steps** page of the Internet Explorer Customization Wizard 11 lets you build your custom installation package, after you click **Finish**.
-
-In most cases, your next steps will be to prepare your files for installation from your network or from another distribution method. If you haven’t already done it, you’ll need to digitally sign any program or .cab files that are going to be distributed over the Internet or over an intranet that isn’t configured to allow downloads.
-
-After that, the steps you’ll use to distribute your customized browser will vary, depending on your version of IEAK (Internal or External) and the media you’re using to distribute the package. For more information, see the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md).
-
-
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: How to use the Wizard Complete - Next Steps page in the IEAK 11 Customization Wizard to build your custom Internet Explorer install package.
+author: dansimp
+ms.prod: ie11
+ms.assetid: aaaac88a-2022-4d0b-893c-b2404b45cabc
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+The **Wizard Complete – Next Steps** page of the Internet Explorer Customization Wizard 11 lets you build your custom installation package, after you click **Finish**.
+
+In most cases, your next steps will be to prepare your files for installation from your network or from another distribution method. If you haven’t already done it, you’ll need to digitally sign any program or .cab files that are going to be distributed over the Internet or over an intranet that isn’t configured to allow downloads.
+
+After that, the steps you’ll use to distribute your customized browser will vary, depending on your version of IEAK (Internal or External) and the media you’re using to distribute the package. For more information, see the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md).
+
+
+
+
+
+
+
+
+
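Review bot: the new file content ends with nine empty `+` lines after the deployment-guide paragraph; they are carried over from the old version and can be trimmed while the file is being rewritten. The only visible content change is the added `[!INCLUDE ...]` line, so if the rest is a line-ending normalization, say so in the commit message.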
diff --git a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
new file mode 100644
index 0000000000..96a04e5f70
--- /dev/null
+++ b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
@@ -0,0 +1,13 @@
+---
+author: pamgreen-msft
+ms.author: pamgreen
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: pamgreen
+ms.prod: ie11
+ms.topic: include
+---
+
+> [!IMPORTANT]
+> Microsoft 365 apps and services will not support Internet Explorer 11 starting August 17, 2021 (Microsoft Teams will not support Internet Explorer 11 earlier, starting November 30, 2020). [Learn more](https://aka.ms/AA97tsw). Please note that Internet Explorer 11 will remain a supported browser. Internet Explorer 11 is a component of the Windows operating system and [follows the Lifecycle Policy](https://docs.microsoft.com/lifecycle/faq/internet-explorer-microsoft-edge) for the product on which it is installed.
\ No newline at end of file
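Review bot: the include ends without a trailing newline (`\ No newline at end of file`), and this file is pulled into other pages through `[!INCLUDE ...]`, so a final newline is the safer choice. Also check `ms.date: 10/02/2018`, which predates the 2020 and 2021 dates the notice announces, and consider replacing the `aka.ms` short link with the full destination URL so readers can see where it leads.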
diff --git a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
index 1ef657304d..8e37f9eb2f 100644
--- a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
@@ -1,6 +1,6 @@
---
title: How to Add or Remove an Administrator by Using the Management Console (Windows 10)
-description: How to add or remove an administrator by using the Management Console
+description: Add or remove an administrator on the Microsoft Application Virtualization (App-V) server by using the Management Console.
author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
index ce050e817b..c26f77e8e4 100644
--- a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
@@ -1,6 +1,6 @@
---
title: How to Add or Upgrade Packages by Using the Management Console (Windows 10)
-description: How to add or upgrade packages by using the Management Console
+description: Add or remove an administrator on the Microsoft Application Virtualization (App-V) server by using the Management Console.
author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
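Review bot: the new `description` is a copy of the one added to appv-add-or-remove-an-administrator-with-the-management-console.md and does not match this page's title, "How to Add or Upgrade Packages by Using the Management Console"; replace it with a description of adding or upgrading packages.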
diff --git a/windows/application-management/app-v/appv-administering-appv-with-powershell.md b/windows/application-management/app-v/appv-administering-appv-with-powershell.md
index ea02c9ad1f..58a0c8b25d 100644
--- a/windows/application-management/app-v/appv-administering-appv-with-powershell.md
+++ b/windows/application-management/app-v/appv-administering-appv-with-powershell.md
@@ -1,6 +1,6 @@
---
title: Administering App-V by using Windows PowerShell (Windows 10)
-description: Administering App-V by Using Windows PowerShell
+description: Administer App-V by using Windows PowerShell and learn where to find more information about PowerShell for App-V.
author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
index a913ce8a38..88430660e3 100644
--- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
+++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
@@ -1,6 +1,6 @@
---
title: Application Publishing and Client Interaction (Windows 10)
-description: Application publishing and client interaction.
+description: Learn technical information about common App-V Client operations and their integration with the local operating system.
author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index 6bb52f7eb3..8c4f4b2b2d 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -1,6 +1,6 @@
---
title: Available Mobile Device Management (MDM) settings for App-V (Windows 10)
-description: A list of the available MDM settings for App-V on Windows 10.
+description: Learn the available Mobile Device Management (MDM) settings you can use to configure App-V on Windows 10.
author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md
index 099bcdf1c4..d3c80a88c9 100644
--- a/windows/application-management/app-v/appv-capacity-planning.md
+++ b/windows/application-management/app-v/appv-capacity-planning.md
@@ -1,6 +1,6 @@
---
title: App-V Capacity Planning (Windows 10)
-description: App-V Capacity Planning
+description: Use these recommendations as a baseline to help determine capacity planning information that is appropriate to your organization’s App-V infrastructure.
author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md
index 693a058d7e..f641b232d6 100644
--- a/windows/application-management/app-v/appv-client-configuration-settings.md
+++ b/windows/application-management/app-v/appv-client-configuration-settings.md
@@ -1,6 +1,6 @@
---
title: About Client Configuration Settings (Windows 10)
-description: About Client Configuration Settings
+description: Learn about the App-V client configuration settings and how to use Windows PowerShell to modify the client configuration settings.
author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
index ae887fc389..52632f558e 100644
--- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
+++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
@@ -1,6 +1,6 @@
---
title: How to make a connection group ignore the package version (Windows 10)
-description: How to make a connection group ignore the package version.
+description: Learn how to make a connection group ignore the package version with the App-V Server Management Console.
author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md
index f878e5f7a4..009019e015 100644
--- a/windows/application-management/app-v/appv-connect-to-the-management-console.md
+++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md
@@ -1,6 +1,6 @@
---
title: How to connect to the Management Console (Windows 10)
-description: How to Connect to the App-V Management Console.
+description: In this article, learn the procedure for connecting to the App-V Management Console through your web browser.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
index ed2d425dc4..a16ae77ec8 100644
--- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md
+++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
@@ -1,6 +1,6 @@
---
title: About the connection group virtual environment (Windows 10)
-description: Overview of how the connection group virtual environment works.
+description: Learn how the connection group virtual environment works and how package priority is determined.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
index 794615f010..60c1c72c77 100644
--- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
+++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
@@ -1,6 +1,6 @@
---
title: How to convert a package created in a previous version of App-V (Windows 10)
-description: How to convert a package created in a previous version of App-V.
+description: Use the package converter utility to convert a virtual application package created in a previous version of App-V.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md
index 9f08b25b41..829708fe4f 100644
--- a/windows/application-management/app-v/appv-create-a-connection-group.md
+++ b/windows/application-management/app-v/appv-create-a-connection-group.md
@@ -1,6 +1,6 @@
---
title: How to create a connection group (Windows 10)
-description: How to create a connection group with the App-V Management Console.
+description: Learn how to create a connection group with the App-V Management Console and where to find information about managing connection groups.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
index fb72cbc762..600df5f713 100644
--- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
+++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
@@ -1,6 +1,6 @@
---
title: How to create a package accelerator by using Windows PowerShell (Windows 10)
-description: How to create a package accelerator with Windows PowerShell.
+description: Learn how to create an App-v Package Accelerator by using Windows PowerShell. App-V Package Accelerators automatically sequence large, complex applications.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
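Review bot: the new description spells the product two ways, `App-v Package Accelerator` in the first sentence and `App-V Package Accelerators` in the second; use `App-V` in both.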
diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
index 29d79221c5..b7ee707a61 100644
--- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
+++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
@@ -1,6 +1,6 @@
---
title: Creating and managing App-V virtualized applications (Windows 10)
-description: Creating and managing App-V virtualized applications
+description: Create and manage App-V virtualized applications to monitor and record the installation process for an application to be run as a virtualized application.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md
index 9747e3066d..20c62b4398 100644
--- a/windows/application-management/app-v/appv-delete-a-connection-group.md
+++ b/windows/application-management/app-v/appv-delete-a-connection-group.md
@@ -1,6 +1,6 @@
---
title: How to delete a connection group (Windows 10)
-description: How to delete a connection group.
+description: Learn how to delete an existing App-V connection group in the App-V Management Console and where to find information about managing connection groups.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
index 3b5027c30b..16a77e0287 100644
--- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
@@ -1,6 +1,6 @@
---
title: How to delete a package in the Management Console (Windows 10)
-description: How to delete a package in the Management Console.
+description: Learn how to delete a package in the App-V Management Console and where to find information about operations for App-V.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
index e866c21b92..4717b5e4ef 100644
--- a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
+++ b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
@@ -1,6 +1,6 @@
---
title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10)
-description: These instructions can be used to deploy App-V databases by using SQL scripts.
+description: Learn how to use SQL scripts to install the App-V databases and upgrade the App-V databases to a later version.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
index 0c013faf96..3c47fd5076 100644
--- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
@@ -1,6 +1,6 @@
---
title: How to deploy App-V packages using electronic software distribution (Windows 10)
-description: How to deploy App-V packages using electronic software distribution.
+description: Learn how use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
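Review bot: the new description reads "Learn how use an electronic software distribution (ESD) system"; it is missing "to" after "how".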
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
index 728f4943a1..07407291fe 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
@@ -1,6 +1,6 @@
---
title: How to Deploy the App-V Server Using a Script (Windows 10)
-description: Information, lists, and tables that can help you deploy the App-V server using a script
+description: 'Learn how to deploy the App-V server by using a script (appv_server_setup.exe) from the command line.'
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md
index 837d0e6a32..9284a9bfc6 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md
@@ -1,6 +1,6 @@
---
title: How to Deploy the App-V Server (Windows 10)
-description: Use these instructions to deploy the App-V Server in App-V for Windows 10.
+description: Use these instructions to deploy the Application Virtualization (App-V) Server in App-V for Windows 10.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
index b125e5282e..736d772dfc 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
@@ -1,6 +1,6 @@
---
title: Deploying Microsoft Office 2010 by Using App-V (Windows 10)
-description: See the methods for creating Microsoft Office 2010 packages by Using App-V.
+description: Create Office 2010 packages for Microsoft Application Virtualization (App-V) using the App-V Sequencer or the App-V Package Accelerator.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
index 4379625ee0..fee5c296a1 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
@@ -1,6 +1,6 @@
---
title: Deploying Microsoft Office 2013 by Using App-V (Windows 10)
-description: Deploying Microsoft Office 2013 by Using App-V
+description: Use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
index 4edf732dd1..8cb954168b 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
@@ -1,6 +1,6 @@
---
title: Deploying the App-V Sequencer and configuring the client (Windows 10)
-description: Deploying the App-V Sequencer and configuring the client
+description: Learn how to deploy the App-V Sequencer and configure the client by using the ADMX template and Group Policy.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md
index 576764fb91..97f97275be 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md
@@ -1,6 +1,6 @@
---
title: Deploying the App-V Server (Windows 10)
-description: Deploying the App-V Server in App-V for Windows 10
+description: Learn how to deploy the Application Virtualization (App-V) Server in App-V for Windows 10 by using different deployment configurations described in this article.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md
index bb97e27472..d09d0141d8 100644
--- a/windows/application-management/app-v/appv-deployment-checklist.md
+++ b/windows/application-management/app-v/appv-deployment-checklist.md
@@ -1,6 +1,6 @@
---
title: App-V Deployment Checklist (Windows 10)
-description: App-V Deployment Checklist
+description: Use the App-V deployment checklist to understand the recommended steps and items to consider when deploying App-V features.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md
index 13a82055b6..196cb62ece 100644
--- a/windows/application-management/app-v/appv-dynamic-configuration.md
+++ b/windows/application-management/app-v/appv-dynamic-configuration.md
@@ -1,6 +1,6 @@
---
title: About App-V Dynamic Configuration (Windows 10)
-description: About App-V Dynamic Configuration
+description: Learn how to create or edit an existing Application Virtualization (App-V) dynamic configuration file.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
index 656f0264ce..601bfd8297 100644
--- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
@@ -1,6 +1,6 @@
---
title: How to Enable Only Administrators to Publish Packages by Using an ESD (Windows 10)
-description: How to Enable Only Administrators to Publish Packages by Using an ESD
+description: Learn how to enable only administrators to publish packages by bsing an electronic software delivery (ESD).
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
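Review bot: Typo in the added description line: "by bsing an electronic software delivery (ESD)" should read "by using". The expansion of ESD is also worth a second look, since the file name spells it out as "electronic-software-distribution" while the new text says "electronic software delivery"; pick one and use it consistently.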
diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
index d9644226fb..c7985565d4 100644
--- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
+++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
@@ -1,6 +1,6 @@
---
title: Enable the App-V in-box client (Windows 10)
-description: How to enable the App-V in-box client installed with Windows 10.
+description: Learn how to enable the Microsoft Application Virtualization (App-V) in-box client installed with Windows 10.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md
index 2e1556cb8a..03f116312a 100644
--- a/windows/application-management/app-v/appv-getting-started.md
+++ b/windows/application-management/app-v/appv-getting-started.md
@@ -1,6 +1,6 @@
---
title: Getting Started with App-V (Windows 10)
-description: Get started with Microsoft Application Virtualization (App-V) for Windows 10.
+description: Get started with Microsoft Application Virtualization (App-V) for Windows 10. App-V for Windows 10 delivers Win32 applications to users as virtual applications.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md
index ab25607096..941e4f58e7 100644
--- a/windows/application-management/app-v/appv-high-level-architecture.md
+++ b/windows/application-management/app-v/appv-high-level-architecture.md
@@ -1,6 +1,6 @@
---
title: High-level architecture for App-V (Windows 10)
-description: High-level Architecture for App-V.
+description: Use the information in this article to simplify your Microsoft Application Virtualization (App-V) deployment.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md
index 93180520e7..7a13e789c6 100644
--- a/windows/application-management/app-v/appv-install-the-sequencer.md
+++ b/windows/application-management/app-v/appv-install-the-sequencer.md
@@ -1,6 +1,6 @@
---
title: Install the App-V Sequencer (Windows 10)
-description: Install the App-V Sequencer
+description: Learn how to install the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md
index 5a94cbc421..9b5aa14320 100644
--- a/windows/application-management/app-v/appv-managing-connection-groups.md
+++ b/windows/application-management/app-v/appv-managing-connection-groups.md
@@ -1,6 +1,6 @@
---
title: Managing Connection Groups (Windows 10)
-description: Managing Connection Groups
+description: Connection groups can allow administrators to manage packages independently and avoid having to add the same application multiple times to a client computer.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
index dff030f470..a3600bfa4c 100644
--- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
+++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
@@ -1,6 +1,6 @@
---
title: Migrating to App-V from a Previous Version (Windows 10)
-description: Migrating to App-V for Windows 10 from a previous version
+description: Learn how to migrate to Microsoft Application Virtualization (App-V) for Windows 10 from a previous version.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
index e2cb4eca48..c065c9a2a5 100644
--- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
+++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
@@ -1,6 +1,6 @@
---
title: How to Modify an Existing Virtual Application Package (Windows 10)
-description: How to Modify an Existing Virtual Application Package
+description: Learn how to modify an existing virtual application package and add a new application to an existing virtual application package.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
index 7fe2f3896f..816015f740 100644
--- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
+++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
@@ -1,6 +1,6 @@
---
title: How to Modify Client Configuration by Using Windows PowerShell (Windows 10)
-description: How to Modify Client Configuration by Using Windows PowerShell
+description: Learn how to modify the Application Virtualization (App-V) client configuration by using Windows PowerShell.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
index 5305207fe6..e34dd4f7dc 100644
--- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
+++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
@@ -1,6 +1,6 @@
---
title: How to Move the App-V Server to Another Computer (Windows 10)
-description: How to Move the App-V Server to Another Computer
+description: Learn how to create a new management server console in your environment and learn how to connect it to the App-V database.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
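Review bot: The new description never mentions moving the server, which is the task named in the title ("How to Move the App-V Server to Another Computer"). Someone scanning search results for the migration procedure will not recognize it from "create a new management server console ... connect it to the App-V database". Suggest leading with the move, for example "Learn how to move the App-V server to another computer by creating a new management server console and connecting it to the App-V database."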
diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md
index c45c9ab9cf..b68da536ab 100644
--- a/windows/application-management/app-v/appv-operations.md
+++ b/windows/application-management/app-v/appv-operations.md
@@ -1,6 +1,6 @@
---
title: Operations for App-V (Windows 10)
-description: Operations for App-V
+description: Learn about the various types of App-V administration and operating tasks that are typically performed by an administrator.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md
index 65ccf02292..ea4f11a42b 100644
--- a/windows/application-management/app-v/appv-performance-guidance.md
+++ b/windows/application-management/app-v/appv-performance-guidance.md
@@ -1,6 +1,6 @@
---
title: Performance Guidance for Application Virtualization (Windows 10)
-description: Performance Guidance for Application Virtualization
+description: Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md
index edaf668a89..4c098ba090 100644
--- a/windows/application-management/app-v/appv-planning-checklist.md
+++ b/windows/application-management/app-v/appv-planning-checklist.md
@@ -1,6 +1,6 @@
---
title: App-V Planning Checklist (Windows 10)
-description: App-V Planning Checklist
+description: Learn about the recommended steps and items to consider when planning an Application Virtualization (App-V) deployment.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
index c9c570009a..2a6724419a 100644
--- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
@@ -1,6 +1,6 @@
---
title: Planning to Use Folder Redirection with App-V (Windows 10)
-description: Planning to Use Folder Redirection with App-V
+description: Learn about folder redirection with App-V. Folder redirection enables users and administrators to redirect the path of a folder to a new location.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
index eaf7729f22..8aa07c226e 100644
--- a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
+++ b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
@@ -1,6 +1,6 @@
---
title: Planning for the App-V Server Deployment (Windows 10)
-description: Planning for the App-V 5.1 Server Deployment
+description: Learn what you need to know so you can plan for the Microsoft Application Virtualization (App-V) 5.1 server deployment.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
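Review bot: The added description carries the "5.1" version over from the old text ("App-V) 5.1 server deployment"), while the title on the line above says "Planning for the App-V Server Deployment (Windows 10)" with no version. Please confirm the 5.1 reference is intentional for this article; if not, drop it so the description and title agree.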
diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md
index d54d848a2c..0ebf3ccaf3 100644
--- a/windows/application-management/app-v/appv-planning-for-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-appv.md
@@ -1,6 +1,6 @@
---
title: Planning for App-V (Windows 10)
-description: Planning for App-V
+description: Use the information in this article to plan to deploy App-V without disrupting your existing network or user experience.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
index af66e545e4..29d772054e 100644
--- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
@@ -1,6 +1,6 @@
---
title: Planning for High Availability with App-V Server
-description: Planning for High Availability with App-V Server
+description: Learn what you need to know so you can plan for high availability with Application Virtualization (App-V) server.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
@@ -18,7 +18,7 @@ ms.topic: article
Microsoft Application Virtualization (App-V) system configurations can take advantage of options that maintain a high available service level.
-The following sections will he following sections to help you understand the options to deploy App-V in a highly available configuration.
+The following sections will help you understand the options to deploy App-V in a highly available configuration.
## Support for Microsoft SQL Server clustering
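Review bot: The unchanged sentence directly above the corrected line still reads "maintain a high available service level", which should be "a highly available service level" (or "a high service level"). Since this hunk already repairs the neighbouring sentence, it would be cleaner to fix both in the same change.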
diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
index 4fa3630f7f..0f797ad9d7 100644
--- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
+++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
@@ -1,6 +1,6 @@
---
title: Planning for the App-V Sequencer and Client Deployment (Windows 10)
-description: Planning for the App-V Sequencer and Client Deployment
+description: Learn what you need to do to plan for the App-V Sequencer and Client deployment, and where to find additional information about the deployment process.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
index da919b1dbf..91ade82d46 100644
--- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
+++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
@@ -1,6 +1,6 @@
---
title: Planning for Deploying App-V with Office (Windows 10)
-description: Planning for Using App-V with Office
+description: Use the information in this article to plan how to deploy Office within Microsoft Application Virtualization (App-V).
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md
index ee9e0b73a9..be621c72e2 100644
--- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md
+++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md
@@ -1,6 +1,6 @@
---
title: Planning to Deploy App-V (Windows 10)
-description: Planning to Deploy App-V
+description: Learn about the different deployment configurations and requirements to consider before you deploy App-V for Windows 10.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-prerequisites.md b/windows/application-management/app-v/appv-prerequisites.md
index bc458a3f94..652eabd063 100644
--- a/windows/application-management/app-v/appv-prerequisites.md
+++ b/windows/application-management/app-v/appv-prerequisites.md
@@ -1,6 +1,6 @@
---
title: App-V Prerequisites (Windows 10)
-description: App-V Prerequisites
+description: Learn about the prerequisites you need before you begin installing Application Virtualization (App-V).
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md
index 41d35e29a0..e48f4c43c6 100644
--- a/windows/application-management/app-v/appv-publish-a-connection-group.md
+++ b/windows/application-management/app-v/appv-publish-a-connection-group.md
@@ -1,6 +1,6 @@
---
title: How to Publish a Connection Group (Windows 10)
-description: How to Publish a Connection Group
+description: Learn how to publish a connection group to computers that run the Application Virtualization (App-V) client.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md
index 57a4526ecf..41c995543f 100644
--- a/windows/application-management/app-v/appv-reporting.md
+++ b/windows/application-management/app-v/appv-reporting.md
@@ -1,6 +1,6 @@
---
title: About App-V Reporting (Windows 10)
-description: About App-V Reporting
+description: Learn how the App-V reporting feature collects information about computers running the App-V client and virtual application package usage.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md
index ab6c1c4c32..d2dd484a97 100644
--- a/windows/application-management/app-v/appv-security-considerations.md
+++ b/windows/application-management/app-v/appv-security-considerations.md
@@ -1,6 +1,6 @@
---
title: App-V Security Considerations (Windows 10)
-description: App-V Security Considerations
+description: Learn about accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V).
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md
index c3e16261db..2eb919d9b5 100644
--- a/windows/application-management/app-v/appv-sequence-a-new-application.md
+++ b/windows/application-management/app-v/appv-sequence-a-new-application.md
@@ -1,6 +1,6 @@
---
title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10)
-description: How to manually sequence a new app using the App-V Sequencer
+description: Learn how to manually sequence a new app by using the App-V Sequencer that's included with the Windows ADK.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
index 349ead11a5..2a353b9121 100644
--- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
+++ b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
@@ -1,6 +1,6 @@
---
title: How to sequence a package by using Windows PowerShell (Windows 10)
-description: How to sequence a package by using Windows PowerShell
+description: Learn how to sequence a new Microsoft Application Virtualization (App-V) package by using Windows PowerShell.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md
index e0f6e0f48d..8cd6653c77 100644
--- a/windows/application-management/app-v/appv-technical-reference.md
+++ b/windows/application-management/app-v/appv-technical-reference.md
@@ -1,6 +1,6 @@
---
title: Technical Reference for App-V (Windows 10)
-description: Technical Reference for App-V
+description: Learn strategy and context for a number of performance optimization practices in this techincal reference for Application Virtualization (App-V).
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
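Review bot: Typo in the added description line: "techincal reference" should be "technical reference". The description also narrows the article to "performance optimization practices", which is more specific than the title "Technical Reference for App-V"; worth confirming that this matches the article's actual scope.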
diff --git a/windows/application-management/app-v/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md
index fd794d1044..29240949b5 100644
--- a/windows/application-management/app-v/appv-troubleshooting.md
+++ b/windows/application-management/app-v/appv-troubleshooting.md
@@ -1,6 +1,6 @@
---
title: Troubleshooting App-V (Windows 10)
-description: Troubleshooting App-V
+description: Learn how to find information about troubleshooting Application Virtualization (App-V) and information about other App-V topics.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
index 4aedf60d24..8660d86846 100644
--- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
+++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
@@ -1,6 +1,6 @@
---
title: Upgrading to App-V for Windows 10 from an existing installation (Windows 10)
-description: Upgrading to App-V for Windows 10 from an existing installation
+description: Learn about upgrading to Application Virtualization (App-V) for Windows 10 from an existing installation.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md
index b6691c2fc5..7dc0a15d0a 100644
--- a/windows/application-management/app-v/appv-using-the-client-management-console.md
+++ b/windows/application-management/app-v/appv-using-the-client-management-console.md
@@ -1,6 +1,6 @@
---
title: Using the App-V Client Management Console (Windows 10)
-description: Using the App-V Client Management Console
+description: Learn how to use the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
index eac57684c6..acbd96ca6e 100644
--- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
+++ b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
@@ -1,6 +1,6 @@
---
title: Viewing App-V Server Publishing Metadata (Windows 10)
-description: Viewing App-V Server Publishing Metadata
+description: Use this procedure to view App-V Server publishing metadata, which can help you resolve publishing-related issues.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index c27ad32063..9d150d9583 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md
@@ -51,13 +51,13 @@ Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, a
| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | No |
| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.MicrosoftOfficeHub | [My Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.MicrosoftOfficeHub | [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes |
| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | Yes |
| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | No |
| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Office.OneNote | [OneNote for Windows 10](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.OneConnect | [Mobile Plans](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | |
| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | No |
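Review bot: The three renamed rows (MicrosoftOfficeHub, Office.OneNote, OneConnect) replace the old display names outright, but the table spans several Windows 10 releases starting at 1803. If older builds still show "My Office", "OneNote" or "Paid Wi-Fi & Cellular", an admin auditing provisioned apps on those builds will not find the name they see on the device. Suggest keeping the former name in parentheses, or noting that the package name in the first column is the stable identifier to match on.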
@@ -77,10 +77,10 @@ Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, a
| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Xbox.TCUI | [Xbox TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxApp | [Xbox](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxGameOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxGamingOverlay | [Xbox Gaming Overlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Xbox.TCUI | [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxApp | [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxGameOverlay | [Xbox Game Bar Plugin](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxGamingOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | No |
| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | No |
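Review bot: In this hunk the display name "Xbox Game Bar" moves from Microsoft.XboxGameOverlay to Microsoft.XboxGamingOverlay, and XboxGameOverlay becomes "Xbox Game Bar Plugin". Anyone who built a removal list, allow-list or audit check from the display-name column of the earlier table will now be pointing at a different package. Please call the swap out in the change history, and consider a sentence above the table telling readers to key scripts and policies on the package name rather than the display name.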
diff --git a/windows/application-management/index.md b/windows/application-management/index.md
index fef303c216..f9a00fdc84 100644
--- a/windows/application-management/index.md
+++ b/windows/application-management/index.md
@@ -1,6 +1,6 @@
---
title: Windows 10 application management
-description: Windows 10 application management
+description: Learn about managing applications in Windows 10 and Windows 10 Mobile clients, including how to remove background task resource restrictions.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md
index 082fa016f4..5a0366f643 100644
--- a/windows/application-management/manage-windows-mixed-reality.md
+++ b/windows/application-management/manage-windows-mixed-reality.md
@@ -1,8 +1,8 @@
---
title: Enable or block Windows Mixed Reality apps in the enterprise (Windows 10)
+description: Learn how to enable Windows Mixed Reality apps in WSUS or block the Windows Mixed Reality portal in enterprises.
ms.reviewer:
manager: dansimp
-description: Learn how to enable or block Windows Mixed Reality apps.
keyboards: ["mr", "mr portal", "mixed reality portal", "mixed reality"]
ms.prod: w10
ms.mktglfcycl: manage
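Review bot: The context line just below the removed description uses the key "keyboards:", which looks like a misspelling of "keywords:", the key the MSIX packaging page uses for the same kind of list. As written, the mixed-reality keyword list is probably being ignored by whatever consumes the front matter. Since this change already reorders the metadata block in this file, it is a good place to correct the key.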
diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md
index 91ef9b0c48..b1c60124ea 100644
--- a/windows/application-management/msix-app-packaging-tool.md
+++ b/windows/application-management/msix-app-packaging-tool.md
@@ -1,6 +1,6 @@
---
title: Repackage your existing win32 applications to the MSIX format.
-description: Learn how to install and use the MSIX packaging tool.
+description: Learn how to install and use the MSIX packaging tool to repackage your existing win32 applications to the MSIX format.
keywords: ["MSIX", "application", "app", "win32", "packaging tool"]
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md
index 2dc4591d51..7305ea48e2 100644
--- a/windows/application-management/sideload-apps-in-windows-10.md
+++ b/windows/application-management/sideload-apps-in-windows-10.md
@@ -1,6 +1,6 @@
---
title: Sideload LOB apps in Windows 10 (Windows 10)
-description: Sideload line-of-business apps in Windows 10.
+description: Learn how to sideload line-of-business (LOB) apps in Windows 10. When you sideload an app, you deploy a signed app package to a device.
ms.assetid: C46B27D0-375B-4F7A-800E-21595CF1D53D
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md
index 5986263a1e..d236ee54f8 100644
--- a/windows/client-management/advanced-troubleshooting-boot-problems.md
+++ b/windows/client-management/advanced-troubleshooting-boot-problems.md
@@ -1,6 +1,6 @@
---
title: Advanced troubleshooting for Windows boot problems
-description: Learn how to troubleshoot when Windows is unable to boot
+description: Learn to troubleshoot when Windows can't boot. This article includes advanced troubleshooting techniques intended for use by support agents and IT professionals.
ms.prod: w10
ms.sitesec: library
author: dansimp
diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
index c04dae805a..ce50bd2b54 100644
--- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
+++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
@@ -2,7 +2,7 @@
title: Advanced Troubleshooting Wireless Network Connectivity
ms.reviewer:
manager: dansimp
-description: Learn how troubleshooting of establishing Wi-Fi connections
+description: Learn how to troubleshoot Wi-Fi connections. Troubleshooting Wi-Fi connections requires understanding the basic flow of the Wi-Fi autoconnect state machine.
keywords: troubleshooting, wireless network connectivity, wireless, Wi-Fi
ms.prod: w10
ms.mktglfcycl:
diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md
index fa3febbd0f..3c7c213761 100644
--- a/windows/client-management/change-history-for-client-management.md
+++ b/windows/client-management/change-history-for-client-management.md
@@ -1,6 +1,6 @@
---
title: Change history for Client management (Windows 10)
-description: View changes to documentation for client management in Windows 10.
+description: Learn about new and updated topics in the Client management documentation for Windows 10 and Windows 10 Mobile.
keywords:
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/client-management/generate-kernel-or-complete-crash-dump.md b/windows/client-management/generate-kernel-or-complete-crash-dump.md
index 52a10357c5..835007dc33 100644
--- a/windows/client-management/generate-kernel-or-complete-crash-dump.md
+++ b/windows/client-management/generate-kernel-or-complete-crash-dump.md
@@ -1,6 +1,6 @@
---
title: Generate a kernel or complete crash dump
-description: Learn how to generate a kernel or complete crash dump.
+description: Learn how to generate a kernel or complete crash dump, and then use the output to troubleshoot several issues.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
diff --git a/windows/client-management/img-boot-sequence.md b/windows/client-management/img-boot-sequence.md
index dbcd186131..b1077e5be6 100644
--- a/windows/client-management/img-boot-sequence.md
+++ b/windows/client-management/img-boot-sequence.md
@@ -1,6 +1,6 @@
---
title: Boot sequence flowchart
-description: A full-sized view of the boot sequence flowchart.
+description: View a full-sized view of the boot sequence flowchart. Use the link to return to the Advanced troubleshooting for Windows boot problems article.
ms.date: 11/16/2018
ms.reviewer:
manager: dansimp
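Review bot: The added description opens with "View a full-sized view", which repeats "view" as both verb and noun. Something like "See a full-sized version of the boot sequence flowchart" reads cleanly and keeps the second sentence about returning to the troubleshooting article.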
diff --git a/windows/client-management/introduction-page-file.md b/windows/client-management/introduction-page-file.md
index 2f12bd900f..b1964db01a 100644
--- a/windows/client-management/introduction-page-file.md
+++ b/windows/client-management/introduction-page-file.md
@@ -1,6 +1,6 @@
---
title: Introduction to the page file
-description: Learn about the page files in Windows.
+description: Learn about the page files in Windows. A page file is an optional, hidden system file on a hard disk.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md
index 97ea145013..dc31960057 100644
--- a/windows/client-management/manage-settings-app-with-group-policy.md
+++ b/windows/client-management/manage-settings-app-with-group-policy.md
@@ -1,6 +1,6 @@
---
title: Manage the Settings app with Group Policy (Windows 10)
-description: Find out how to manage the Settings app with Group Policy.
+description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index 476d73c694..2d6a0b7bda 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -171,6 +171,11 @@
#### [AboveLock](policy-csp-abovelock.md)
#### [Accounts](policy-csp-accounts.md)
#### [ActiveXControls](policy-csp-activexcontrols.md)
+#### [ADMX_AddRemovePrograms](policy-csp-admx-addremoveprograms.md)
+#### [ADMX_AppCompat](policy-csp-admx-appcompat.md)
+#### [ADMX_AuditSettings](policy-csp-admx-auditsettings.md)
+#### [ADMX_DnsClient](policy-csp-admx-dnsclient.md)
+#### [ADMX_EventForwarding](policy-csp-admx-eventforwarding.md)
#### [ApplicationDefaults](policy-csp-applicationdefaults.md)
#### [ApplicationManagement](policy-csp-applicationmanagement.md)
#### [AppRuntime](policy-csp-appruntime.md)
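Review bot: The five added ADMX_ entries link to `policy-csp-admx-*.md` targets that do not appear in the part of the diff shown here. Confirm that each of those files is added in this same change, otherwise the TOC will ship with broken links. The placement between ActiveXControls and ApplicationDefaults is consistent with the existing alphabetical order.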
diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md
index c4a1538d53..c1b570d222 100644
--- a/windows/client-management/mdm/accounts-ddf-file.md
+++ b/windows/client-management/mdm/accounts-ddf-file.md
@@ -1,6 +1,6 @@
---
title: Accounts DDF file
-description: XML file containing the device description framework for the Accounts configuration service provider.
+description: XML file containing the device description framework (DDF) for the Accounts configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md
index e2f9441b9c..37f6157570 100644
--- a/windows/client-management/mdm/activesync-csp.md
+++ b/windows/client-management/mdm/activesync-csp.md
@@ -1,6 +1,6 @@
---
title: ActiveSync CSP
-description: ActiveSync CSP
+description: Learn how the ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync.
ms.assetid: c65093ef-bd36-4f32-9dab-edb7bcfb3188
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md
index 6e4c1c5000..1b1ae61c78 100644
--- a/windows/client-management/mdm/activesync-ddf-file.md
+++ b/windows/client-management/mdm/activesync-ddf-file.md
@@ -1,6 +1,6 @@
---
title: ActiveSync DDF file
-description: ActiveSync DDF file
+description: Learn about the OMA DM device description framework (DDF) for the ActiveSync configuration service provider.
ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/alljoynmanagement-ddf.md b/windows/client-management/mdm/alljoynmanagement-ddf.md
index 2c8cfbc647..4ad36bbd99 100644
--- a/windows/client-management/mdm/alljoynmanagement-ddf.md
+++ b/windows/client-management/mdm/alljoynmanagement-ddf.md
@@ -1,6 +1,6 @@
---
title: AllJoynManagement DDF
-description: Learn the OMA DM device description framework (DDF) for the **AllJoynManagement** configuration service provider.
+description: Learn the OMA DM device description framework (DDF) for the AllJoynManagement configuration service provider.
ms.assetid: 540C2E60-A041-4749-A027-BBAF0BB046E4
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md
index d4fe92e943..69a0b61ca3 100644
--- a/windows/client-management/mdm/application-csp.md
+++ b/windows/client-management/mdm/application-csp.md
@@ -1,6 +1,6 @@
---
title: APPLICATION configuration service provider
-description: APPLICATION configuration service provider
+description: Learn how the APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning.
ms.assetid: 0705b5e9-a1e7-4d70-a73d-7f758ffd8099
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index 4fe03939a0..cfe9b24bd5 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -1,6 +1,6 @@
---
title: AppLocker CSP
-description: AppLocker CSP
+description: Learn how the AppLocker configuration service provider is used to specify which applications are allowed or disallowed.
ms.assetid: 32FEA2C9-3CAD-40C9-8E4F-E3C69637580F
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md
index ffd93b2784..4ea2ef6556 100644
--- a/windows/client-management/mdm/applocker-ddf-file.md
+++ b/windows/client-management/mdm/applocker-ddf-file.md
@@ -1,6 +1,6 @@
---
title: AppLocker DDF file
-description: See the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider.
+description: Learn about the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider.
ms.assetid: 79E199E0-5454-413A-A57A-B536BDA22496
ms.reviewer:
manager: dansimp
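Review bot: The reworded description still says "for the AppLocker DDF file configuration service provider", which names a provider that does not exist; the provider is AppLocker and the DDF file is what the page shows. Since the line is being touched anyway, drop "DDF file" so it matches the pattern used for the other DDF pages in this change ("the OMA DM device description framework (DDF) for the AppLocker configuration service provider").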
diff --git a/windows/client-management/mdm/applocker-xsd.md b/windows/client-management/mdm/applocker-xsd.md
index d07e9eea71..3e03f501a8 100644
--- a/windows/client-management/mdm/applocker-xsd.md
+++ b/windows/client-management/mdm/applocker-xsd.md
@@ -1,6 +1,6 @@
---
title: AppLocker XSD
-description: Here's the XSD for the AppLocker CSP.
+description: View the XSD for the AppLocker CSP. The AppLocker CSP XSD provides an example of how the schema is organized.
ms.assetid: 70CF48DD-AD7D-4BCF-854F-A41BFD95F876
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md
index c4844e943d..703958aa0e 100644
--- a/windows/client-management/mdm/assignedaccess-ddf.md
+++ b/windows/client-management/mdm/assignedaccess-ddf.md
@@ -1,6 +1,6 @@
---
title: AssignedAccess DDF
-description: AssignedAccess DDF
+description: Learn how the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider.
ms.assetid: 224FADDB-0EFD-4E5A-AE20-1BD4ABE24306
ms.reviewer:
manager: dansimp
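Review bot: The added description is a sentence fragment: "Learn how the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider." has no verb after "how". Either use "Learn about the OMA DM device description framework (DDF) for ..." as the other DDF pages in this change do, or finish the clause ("... is used").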
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index b84c02e4e8..07f3aa7f0f 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -1,6 +1,6 @@
---
title: BitLocker CSP
-description: BitLocker CSP
+description: Learn how the BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md
index edf7ea7a4b..693a48b687 100644
--- a/windows/client-management/mdm/bitlocker-ddf-file.md
+++ b/windows/client-management/mdm/bitlocker-ddf-file.md
@@ -1,6 +1,6 @@
---
title: BitLocker DDF file
-description: BitLocker DDF file
+description: Learn about the OMA DM device description framework (DDF) for the BitLocker configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/bootstrap-csp.md b/windows/client-management/mdm/bootstrap-csp.md
index 00e4fe59b5..2381889266 100644
--- a/windows/client-management/mdm/bootstrap-csp.md
+++ b/windows/client-management/mdm/bootstrap-csp.md
@@ -1,6 +1,6 @@
---
title: BOOTSTRAP CSP
-description: Use the BOOTSTRAP configuration service provider sets the Trusted Provisioning Server (TPS) for the device.
+description: Use the BOOTSTRAP configuration service provider to set the Trusted Provisioning Server (TPS) for the device.
ms.assetid: b8acbddc-347f-4543-a45b-ad2ffae3ffd0
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md
index 9e1c5633df..908672c4ef 100644
--- a/windows/client-management/mdm/browserfavorite-csp.md
+++ b/windows/client-management/mdm/browserfavorite-csp.md
@@ -1,6 +1,6 @@
---
title: BrowserFavorite CSP
-description: BrowserFavorite CSP
+description: Learn how the BrowserFavorite configuration service provider is used to add and remove URLs from the favorites list on a device.
ms.assetid: 5d2351ff-2d6a-4273-9b09-224623723cbf
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md
index edb5e3bdfa..953ddf78ae 100644
--- a/windows/client-management/mdm/cellularsettings-csp.md
+++ b/windows/client-management/mdm/cellularsettings-csp.md
@@ -1,6 +1,6 @@
---
title: CellularSettings CSP
-description: CellularSettings CSP
+description: Learn how the CellularSettings configuration service provider is used to configure cellular settings on a mobile device.
ms.assetid: ce8b6f16-37ca-4aaf-98b0-306d12e326df
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/certificate-renewal-windows-mdm.md b/windows/client-management/mdm/certificate-renewal-windows-mdm.md
index f6b0b2998b..0db0669275 100644
--- a/windows/client-management/mdm/certificate-renewal-windows-mdm.md
+++ b/windows/client-management/mdm/certificate-renewal-windows-mdm.md
@@ -1,6 +1,6 @@
---
title: Certificate Renewal
-description: Find all the resources needed to provide continuous access to client certificates.
+description: Learn how to find all the resources that you need to provide continuous access to client certificates.
MS-HAID:
- 'p\_phdevicemgmt.certificate\_renewal'
- 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm'
diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
index 8601f82b20..ed787a3b0f 100644
--- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
+++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
@@ -1,6 +1,6 @@
---
title: ClientCertificateInstall DDF file
-description: ClientCertificateInstall DDF file
+description: Learn about the OMA DM device description framework (DDF) for the ClientCertificateInstall configuration service provider.
ms.assetid: 7F65D045-A750-4CDE-A1CE-7D152AA060CA
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md
index 02f2910d16..5063181c3f 100644
--- a/windows/client-management/mdm/cm-cellularentries-csp.md
+++ b/windows/client-management/mdm/cm-cellularentries-csp.md
@@ -1,6 +1,6 @@
---
title: CM\_CellularEntries CSP
-description: Configure the General Packet Radio Service (GPRS) entries using the CM\_CellularEntries CSP.
+description: Learn how to configure the General Packet Radio Service (GPRS) entries using the CM\_CellularEntries CSP.
ms.assetid: f8dac9ef-b709-4b76-b6f5-34c2e6a3c847
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/cm-proxyentries-csp.md b/windows/client-management/mdm/cm-proxyentries-csp.md
index 828700b85a..816b5c188b 100644
--- a/windows/client-management/mdm/cm-proxyentries-csp.md
+++ b/windows/client-management/mdm/cm-proxyentries-csp.md
@@ -1,6 +1,6 @@
---
title: CM\_ProxyEntries CSP
-description: Configure proxy connections on mobile devices using CM\_ProxyEntries CSP.
+description: Learn how the CM\_ProxyEntries configuration service provider is used to configure proxy connections on the mobile device.
ms.assetid: f4c3dc71-c85a-4c68-9ce9-19f408ff7a0a
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md
index 08d0040594..df773dcb43 100644
--- a/windows/client-management/mdm/cmpolicyenterprise-csp.md
+++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md
@@ -1,6 +1,6 @@
---
title: CMPolicyEnterprise CSP
-description: CMPolicyEnterprise CSP
+description: Learn how the CMPolicyEnterprise CSP is used to define rules that the Connection Manager uses to identify the correct connection for a connection request.
ms.assetid: A0BE3458-ABED-4F80-B467-F842157B94BF
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md
index 1eb4a02627..5c1c136c23 100644
--- a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md
+++ b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md
@@ -1,6 +1,6 @@
---
title: CMPolicyEnterprise DDF file
-description: CMPolicyEnterprise DDF file
+description: Learn about the OMA DM device description framework (DDF) for the CMPolicyEnterprise configuration service provider.
ms.assetid: 065EF07A-0CF3-4EE5-B620-3464A75B7EED
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md
index 05add93e6a..17b165ed51 100644
--- a/windows/client-management/mdm/customdeviceui-csp.md
+++ b/windows/client-management/mdm/customdeviceui-csp.md
@@ -1,6 +1,6 @@
---
title: CustomDeviceUI CSP
-description: CustomDeviceUI CSP
+description: Learn how the CustomDeviceUI configuration service provider (CSP) allows OEMs to implement their custom foreground application.
ms.assetid: 20ED1867-7B9E-4455-B397-53B8B15C95A3
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/customdeviceui-ddf.md b/windows/client-management/mdm/customdeviceui-ddf.md
index 12b590ef8c..7623b155f2 100644
--- a/windows/client-management/mdm/customdeviceui-ddf.md
+++ b/windows/client-management/mdm/customdeviceui-ddf.md
@@ -1,6 +1,6 @@
---
title: CustomDeviceUI DDF
-description: CustomDeviceUI DDF
+description: Learn about the OMA DM device description framework (DDF) for the CustomDeviceUI configuration service provider.
ms.assetid: E6D6B902-C57C-48A6-9654-CCBA3898455E
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index cb96fa1fb1..da9959c0a2 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -1,6 +1,6 @@
---
title: Defender CSP
-description: See how the Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
+description: Learn how the Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
ms.assetid: 481AA74F-08B2-4A32-B95D-5A3FD05B335C
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
index 508d2f5d0d..a63f4dec92 100644
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -1,6 +1,6 @@
---
title: Defender DDF file
-description: See how the OMA DM device description framework (DDF) for the **Defender** configuration service provider is used.
+description: Learn how the OMA DM device description framework (DDF) for the Defender configuration service provider is used.
ms.assetid: 39B9E6CF-4857-4199-B3C3-EC740A439F65
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md
index 285d96ddf8..11ab51bf9e 100644
--- a/windows/client-management/mdm/devdetail-csp.md
+++ b/windows/client-management/mdm/devdetail-csp.md
@@ -1,6 +1,6 @@
---
title: DevDetail CSP
-description: DevDetail CSP
+description: Learn how the DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server.
ms.assetid: 719bbd2d-508d-439b-b175-0874c7e6c360
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md
index 0ab07220b6..25be11c21b 100644
--- a/windows/client-management/mdm/devdetail-ddf-file.md
+++ b/windows/client-management/mdm/devdetail-ddf-file.md
@@ -1,6 +1,6 @@
---
title: DevDetail DDF file
-description: DevDetail DDF file
+description: Learn about the OMA DM device description framework (DDF) for the DevDetail configuration service provider.
ms.assetid: 645fc2b5-2d2c-43b1-9058-26bedbe9f00d
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md
index 09d6af05e4..f24564545c 100644
--- a/windows/client-management/mdm/deviceinstanceservice-csp.md
+++ b/windows/client-management/mdm/deviceinstanceservice-csp.md
@@ -1,6 +1,6 @@
---
title: DeviceInstanceService CSP
-description: DeviceInstanceService CSP
+description: Learn how the DeviceInstanceService configuration service provider (CSP) provides some device inventory information that could be useful for an enterprise.
ms.assetid: f113b6bb-6ce1-45ad-b725-1b6610721e2d
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md
index 246408076e..cef65071ec 100644
--- a/windows/client-management/mdm/devicelock-csp.md
+++ b/windows/client-management/mdm/devicelock-csp.md
@@ -1,6 +1,6 @@
---
title: DeviceLock CSP
-description: DeviceLock CSP
+description: Learn how the DeviceLock configuration service provider (CSP) is used by the enterprise management server to configure device lock related policies.
ms.assetid: 9a547efb-738e-4677-95d3-5506d350d8ab
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/devicelock-ddf-file.md b/windows/client-management/mdm/devicelock-ddf-file.md
index 545ebcdb9b..eb63ef11fe 100644
--- a/windows/client-management/mdm/devicelock-ddf-file.md
+++ b/windows/client-management/mdm/devicelock-ddf-file.md
@@ -1,6 +1,6 @@
---
title: DeviceLock DDF file
-description: DeviceLock DDF file
+description: Learn about the OMA DM device description framework (DDF) for the DeviceLock configuration service provider (CSP).
ms.assetid: 46a691b9-6350-4987-bfc7-f8b1eece3ad9
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md
index b81a21b82e..aec2b4cc91 100644
--- a/windows/client-management/mdm/devinfo-ddf-file.md
+++ b/windows/client-management/mdm/devinfo-ddf-file.md
@@ -1,6 +1,6 @@
---
title: DevInfo DDF file
-description: DevInfo DDF file
+description: Learn about the OMA DM device description framework (DDF) for the DevInfo configuration service provider (CSP).
ms.assetid: beb07cc6-4133-4c0f-aa05-64db2b4a004f
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md
index 2f00912ad8..2c49067d90 100644
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@@ -1,6 +1,6 @@
---
title: DiagnosticLog CSP
-description: DiagnosticLog CSP
+description: Learn about the feature areas of the DiagnosticLog configuration service provider (CSP), including the DiagnosticLog area and Policy area.
ms.assetid: F76E0056-3ACD-48B2-BEA1-1048C96571C3
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md
index 8bedac1205..f635ed44c6 100644
--- a/windows/client-management/mdm/diagnosticlog-ddf.md
+++ b/windows/client-management/mdm/diagnosticlog-ddf.md
@@ -1,6 +1,6 @@
---
title: DiagnosticLog DDF
-description: DiagnosticLog DDF
+description: Learn about the the OMA DM device description framework (DDF) for the DiagnosticLog configuration service provider (CSP).
ms.assetid: 9DD75EDA-5913-45B4-9BED-20E30CDEBE16
ms.reviewer:
manager: dansimp
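Review bot: The added description contains a doubled article, "Learn about the the OMA DM device description framework". Remove one "the" before this lands in search results.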
diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md
index aa61f9d50b..4a45bf4eb2 100644
--- a/windows/client-management/mdm/dmacc-csp.md
+++ b/windows/client-management/mdm/dmacc-csp.md
@@ -1,6 +1,6 @@
---
title: DMAcc CSP
-description: DMAcc CSP
+description: Learn how the DMAcc configuration service provider (CSP) allows an OMA Device Management (DM) version 1.2 server to handle OMA DM account objects.
ms.assetid: 43e73d8a-6617-44e7-8459-5c96f4422e63
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md
index 232f5672cd..b10dcad38a 100644
--- a/windows/client-management/mdm/dmacc-ddf-file.md
+++ b/windows/client-management/mdm/dmacc-ddf-file.md
@@ -1,6 +1,6 @@
---
title: DMAcc DDF file
-description: DMAcc DDF file
+description: Learn about the OMA DM device description framework (DDF) for the DMAcc configuration service provider (CSP).
ms.assetid: 44dc99aa-2a85-498b-8f52-a81863765606
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index 9469f12408..6ed30e55f1 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -21,11 +21,15 @@ The following diagram shows the DMClient CSP in tree format.

+
+**./Vendor/MSFT**
+All the nodes in this CSP are supported in the device context, except for the **ExchangeID** node, which is supported in the user context. For the device context, use the **./Device/Vendor/MSFT** path and for the user context, use the **./User/Vendor/MSFT** path.
+
**DMClient**
Root node for the CSP.
**UpdateManagementServiceAddress**
-For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node.
+For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node.
**HWDevID**
Added in Windows 10, version 1703. Returns the hardware device ID.
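Review bot: The new block is headed `**./Vendor/MSFT**`, but its body tells the reader to use `./Device/Vendor/MSFT` or `./User/Vendor/MSFT`, and never says which context the bare `./Vendor/MSFT` path resolves to. Because ExchangeID is the one user-context node, a reader who copies the heading path may query it in the wrong context. State the default explicitly, or head the block with the two explicit paths. It would also help to repeat the user-context note on the ExchangeID node itself, since readers usually jump straight to a node rather than reading the top of the page.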
@@ -221,7 +225,7 @@ Added in Windows 10, version 1607. Returns the hardware device ID.
Supported operation is Get.
**Provider/*ProviderID*/CommercialID**
-Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization..
+Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization.
Supported operations are Add, Get, Replace, and Delete.
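Review bot: The CommercialID sentence is being edited only to remove the doubled period, but it still reads "associate this diagnostic data of this device as belonging to a given organization", which is hard to parse for a setting that controls how telemetry is attributed. While the line is open, consider "associate the diagnostic data from this device with a given organization", and add the missing comma in "belonging to your organization, then use this setting".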
@@ -265,7 +269,7 @@ Supported operations are Add, Delete, Get, and Replace. Value type is integer.
**Provider/*ProviderID*/AADSendDeviceToken**
-Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token can not be obtained.
+Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token cannot be obtained.
Supported operations are Add, Delete, Get, and Replace. Value type is bool.
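Review bot: The AADSendDeviceToken text describes a fallback from a User Token to a Device Token but does not say which bool value turns the fallback on or what the default is, and that matters because it changes which identity the MDM server ends up authenticating. Please document the values and the default alongside the "cannot" fix. Smaller points on the same line: "Azure AD backed enrollments" should be hyphenated as "Azure AD-backed", and "Windows 10 version 1803" is missing the comma used elsewhere in this file ("Windows 10, version 1703").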
diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md
index 44ff431b60..c5ba87da90 100644
--- a/windows/client-management/mdm/dmclient-ddf-file.md
+++ b/windows/client-management/mdm/dmclient-ddf-file.md
@@ -1,6 +1,6 @@
---
title: DMClient DDF file
-description: DMClient DDF file
+description: Learn about the OMA DM device description framework (DDF) for the DMClient configuration service provider (CSP).
ms.assetid: A21B33AF-DB76-4059-8170-FADF2CB898A0
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md
index 2e1b590d91..b9ed5780d0 100644
--- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md
+++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md
@@ -1,6 +1,6 @@
---
title: DMProcessConfigXMLFiltered function
-description: Configures phone settings by using OMA Client Provisioning XML.
+description: Learn how the DMProcessConfigXMLFiltered function configures phone settings by using OMA Client Provisioning XML.
Search.Refinement.TopicID: 184
ms.assetid: 31D79901-6206-454C-AE78-9B85A3B3487F
ms.reviewer:
diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md
index b395c7c3ba..65aeb1a961 100644
--- a/windows/client-management/mdm/dmsessionactions-csp.md
+++ b/windows/client-management/mdm/dmsessionactions-csp.md
@@ -1,6 +1,6 @@
---
title: DMSessionActions CSP
-description: DMSessionActions CSP
+description: Learn how the DMSessionActions configuration service provider (CSP) is used to manage the number of sessions the client skips if the device is in a low power state.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/dmsessionactions-ddf.md b/windows/client-management/mdm/dmsessionactions-ddf.md
index aef1210842..61b4b4754a 100644
--- a/windows/client-management/mdm/dmsessionactions-ddf.md
+++ b/windows/client-management/mdm/dmsessionactions-ddf.md
@@ -1,6 +1,6 @@
---
title: DMSessionActions DDF file
-description: DMSessionActions DDF file
+description: Learn about the OMA DM device description framework (DDF) for the DMSessionActions configuration service provider (CSP).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md
index e7d55aedc0..b6fe50d931 100644
--- a/windows/client-management/mdm/dynamicmanagement-csp.md
+++ b/windows/client-management/mdm/dynamicmanagement-csp.md
@@ -1,6 +1,6 @@
---
title: DynamicManagement CSP
-description: DynamicManagement CSP
+description: Learn how the Dynamic Management configuration service provider (CSP) enables configuration of policies that change how the device is managed.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/dynamicmanagement-ddf.md b/windows/client-management/mdm/dynamicmanagement-ddf.md
index 3439bf646a..2690fa4e23 100644
--- a/windows/client-management/mdm/dynamicmanagement-ddf.md
+++ b/windows/client-management/mdm/dynamicmanagement-ddf.md
@@ -1,6 +1,6 @@
---
title: DynamicManagement DDF file
-description: DynamicManagement DDF file
+description: Learn about the OMA DM device description framework (DDF) for the DynamicManagement configuration service provider (CSP).
ms.assetid: 7e266db0-2fd9-4412-b428-4550f41a1738
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md
index ddb14a8d3f..844fc1be39 100644
--- a/windows/client-management/mdm/email2-csp.md
+++ b/windows/client-management/mdm/email2-csp.md
@@ -1,6 +1,6 @@
---
title: EMAIL2 CSP
-description: EMAIL2 CSP
+description: Learn how the EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts.
ms.assetid: bcfc9d98-bc2e-42c6-9b81-0b5bf65ce2b8
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md
index f24a64e3e3..4f11b5b64d 100644
--- a/windows/client-management/mdm/email2-ddf-file.md
+++ b/windows/client-management/mdm/email2-ddf-file.md
@@ -1,6 +1,6 @@
---
title: EMAIL2 DDF file
-description: EMAIL2 DDF file
+description: Learn how the OMA DM device description framework (DDF) for the EMAIL2 configuration service provider (CSP).
ms.assetid: 7e266db0-2fd9-4412-b428-4550f41a1738
ms.reviewer:
manager: dansimp
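Review bot: The new description in email2-ddf-file.md is a sentence fragment: "Learn how the OMA DM device description framework (DDF) for the EMAIL2 configuration service provider (CSP)." has no verb after "Learn how". The other DDF descriptions in this patch use "Learn about the OMA DM device description framework (DDF) for the ... configuration service provider (CSP)."; use the same wording here.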
diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
index 1f420a71c4..805f9ee481 100644
--- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
@@ -1,6 +1,6 @@
---
title: Enable ADMX-backed policies in MDM
-description: Use this is a step-by-step guide to configuring ADMX-backed policies in MDM.
+description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX-backed policies) in Mobile Device Management (MDM).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index f45e20d377..349687ed6c 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -1,6 +1,6 @@
---
title: Enroll a Windows 10 device automatically using Group Policy
-description: Enroll a Windows 10 device automatically using Group Policy
+description: Learn how to use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
index e70eed0ce5..98739efcb1 100644
--- a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
+++ b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
@@ -1,6 +1,6 @@
---
title: EnrollmentStatusTracking DDF
-description: View the OMA DM device description framework (DDF) for the EnrollmentStatusTracking configuration service provider. DDF files are used only with OMA DM provisioning XML.
+description: View the OMA DM DDF for the EnrollmentStatusTracking configuration service provider. DDF files are used only with OMA DM provisioning XML.
ms.author: dansimp
ms.topic: article
ms.prod: w10
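Review bot: The new description shortens "OMA DM device description framework (DDF)" to "OMA DM DDF", which is the opposite of what the other DDF hunks in this patch do (dmsessionactions-ddf.md and enterpriseapn-ddf.md, for example, spell the term out on first use). If the abbreviation is only there to keep the description short, consider trimming the second sentence instead so the first mention of DDF stays expanded.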
diff --git a/windows/client-management/mdm/enterpriseapn-ddf.md b/windows/client-management/mdm/enterpriseapn-ddf.md
index 319356f336..5e7af9b60d 100644
--- a/windows/client-management/mdm/enterpriseapn-ddf.md
+++ b/windows/client-management/mdm/enterpriseapn-ddf.md
@@ -1,6 +1,6 @@
---
title: EnterpriseAPN DDF
-description: EnterpriseAPN DDF
+description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAPN configuration service provider (CSP).
ms.assetid: A953ADEF-4523-425F-926C-48DA62EB9E21
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
index 22445122ec..272f60f44f 100644
--- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md
+++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
@@ -1,6 +1,6 @@
---
title: EnterpriseAppVManagement CSP
-description: Examine the tree format for EnterpriseAppVManagement configuration service provider (CSP) to manage virtual applications in Windows 10 PCs.(Enterprise and Education editions).
+description: Examine the tree format for EnterpriseAppVManagement CSP to manage virtual applications in Windows 10 PCs.(Enterprise and Education editions).
ms.author: dansimp
ms.topic: article
ms.prod: w10
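Review bot: The rewritten description keeps the punctuation error "Windows 10 PCs.(Enterprise and Education editions)." from the old line: a stray period before the parenthesis and no space. Since the line is being touched anyway, change it to "Windows 10 PCs (Enterprise and Education editions)." The hunk also drops the "configuration service provider (CSP)" expansion that the other CSP descriptions in this patch add, so the abbreviation is now unexplained on this page's metadata.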
diff --git a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
index 626981e0ff..8cf951cf55 100644
--- a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
+++ b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
@@ -1,6 +1,6 @@
---
title: EnterpriseAppVManagement DDF file
-description: EnterpriseAppVManagement DDF file
+description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAppVManagement configuration service provider (CSP).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md
index 2df97c9bf4..45d11904d5 100644
--- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md
+++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md
@@ -1,6 +1,6 @@
---
title: EnterpriseAssignedAccess CSP
-description: Use the EnterpriseAssignedAccess CSP to configure custom layouts on a device.
+description: Use the EnterpriseAssignedAccess configuration service provider (CSP) to configure custom layouts on a device.
ms.assetid: 5F88E567-77AA-4822-A0BC-3B31100639AA
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/enterpriseext-csp.md b/windows/client-management/mdm/enterpriseext-csp.md
index 782bc735ed..24cadf3270 100644
--- a/windows/client-management/mdm/enterpriseext-csp.md
+++ b/windows/client-management/mdm/enterpriseext-csp.md
@@ -1,6 +1,6 @@
---
title: EnterpriseExt CSP
-description: EnterpriseExt CSP
+description: Learn how the EnterpriseExt CSP allows OEMs to set their own unique ID for their devices, set display brightness values, and set the LED behavior.
ms.assetid: ACA5CD79-BBD5-4DD1-86DA-0285B93982BD
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/enterpriseext-ddf.md b/windows/client-management/mdm/enterpriseext-ddf.md
index e30ceeb37f..4b3d4b0afd 100644
--- a/windows/client-management/mdm/enterpriseext-ddf.md
+++ b/windows/client-management/mdm/enterpriseext-ddf.md
@@ -1,6 +1,6 @@
---
title: EnterpriseExt DDF
-description: EnterpriseExt DDF
+description: Learn about the OMA DM device description framework (DDF) for the EnterpriseExt configuration service provider (CSP).
ms.assetid: 71BF81D4-FBEC-4B03-BF99-F7A5EDD4F91B
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/enterpriseextfilesystem-ddf.md b/windows/client-management/mdm/enterpriseextfilesystem-ddf.md
index 997493aee9..7efb54af20 100644
--- a/windows/client-management/mdm/enterpriseextfilesystem-ddf.md
+++ b/windows/client-management/mdm/enterpriseextfilesystem-ddf.md
@@ -1,6 +1,6 @@
---
title: EnterpriseExtFileSystem DDF
-description: EnterpriseExtFileSystem DDF
+description: Learn about the OMA DM device description framework (DDF) for the EnterpriseExtFileSystem configuration service provider (CSP).
ms.assetid: 2D292E4B-15EE-4AEB-8884-6FEE8B92D2D1
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
index 5384ce0168..77b6e72ff9 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
@@ -1,6 +1,6 @@
---
title: EnterpriseModernAppManagement CSP
-description: EnterpriseModernAppManagement CSP
+description: Learn how the EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps.
ms.assetid: 9DD0741A-A229-41A0-A85A-93E185207C42
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
index aa2cdb680b..237000b2f0 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
@@ -1,6 +1,6 @@
---
title: EnterpriseModernAppManagement DDF
-description: EnterpriseModernAppManagement DDF
+description: Learn about the OMA DM device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider (CSP).
ms.assetid:
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
index f7544b10a4..f8b15504cc 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
@@ -1,6 +1,6 @@
---
title: EnterpriseModernAppManagement XSD
-description: Use the EnterpriseModernAppManagement XSD for set application parameters.
+description: In this article, view the EnterpriseModernAppManagement XSD example so you can set application parameters.
ms.assetid: D393D094-25E5-4E66-A60F-B59CC312BF57
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md
index 9251f6a755..79545b45cc 100644
--- a/windows/client-management/mdm/esim-enterprise-management.md
+++ b/windows/client-management/mdm/esim-enterprise-management.md
@@ -1,6 +1,6 @@
---
title: eSIM Enterprise Management
-description: Managing eSIM devices in an enterprise
+description: Learn how Mobile Device Management (MDM) Providers support the eSIM Profile Management Solution on Windows.
keywords: eSIM enterprise management
ms.prod: w10
ms.mktglfcycl:
diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md
index 43626310a0..1f42e3e43d 100644
--- a/windows/client-management/mdm/euiccs-csp.md
+++ b/windows/client-management/mdm/euiccs-csp.md
@@ -1,6 +1,6 @@
---
title: eUICCs CSP
-description: eUICCs CSP
+description: Learn how the eUICCs CSP is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, re-assign, remove) subscriptions to employees.
ms.author: dansimp
ms.topic: article
ms.prod: w10
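Review bot: The added description mixes two constructions: "is used to support eUICC enterprise use cases and enables the IT admin to manage ...". Make the verbs parallel, for example "is used to support eUICC enterprise use cases and to enable the IT admin to manage (assign, re-assign, remove) subscriptions". "CSP" is also left unexpanded here, unlike most of the other CSP descriptions in this patch.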
diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md
index 3f3e71df8d..38bb8e5f6f 100644
--- a/windows/client-management/mdm/euiccs-ddf-file.md
+++ b/windows/client-management/mdm/euiccs-ddf-file.md
@@ -1,6 +1,6 @@
---
title: eUICCs DDF file
-description: eUICCs DDF file
+description: Learn about the OMA DM device description framework (DDF) for the eUICCs configuration service provider (CSP).
ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md
index 653b03b527..9bad3fe712 100644
--- a/windows/client-management/mdm/filesystem-csp.md
+++ b/windows/client-management/mdm/filesystem-csp.md
@@ -1,6 +1,6 @@
---
title: FileSystem CSP
-description: FileSystem CSP
+description: Learn how the FileSystem CSP is used to query, add, modify, and delete files, file directories, and file attributes on the mobile device.
ms.assetid: 9117ee16-ca7a-4efa-9270-c9ac8547e541
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md
index 20172a8f10..72829fc3a9 100644
--- a/windows/client-management/mdm/firewall-ddf-file.md
+++ b/windows/client-management/mdm/firewall-ddf-file.md
@@ -1,6 +1,6 @@
---
title: Firewall DDF file
-description: Firewall DDF file
+description: Learn about the OMA DM device description framework (DDF) for the Firewall configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md
index e24210c9e0..0124df555f 100644
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@@ -1,6 +1,6 @@
---
title: Device HealthAttestation CSP
-description: Device HealthAttestation CSP
+description: Learn how the DHA-CSP enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions.
ms.assetid: 6F2D783C-F6B4-4A81-B9A2-522C4661D1AC
ms.reviewer:
manager: dansimp
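Review bot: The new description introduces "DHA-CSP" without defining it, and the abbreviation does not appear in the title ("Device HealthAttestation CSP"). A reader seeing only this description in search results has nothing to expand it from; write "Device HealthAttestation configuration service provider (DHA-CSP)" or drop the abbreviation and use the title's wording.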
diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md
index 21934f6452..d7209b1cf2 100644
--- a/windows/client-management/mdm/healthattestation-ddf.md
+++ b/windows/client-management/mdm/healthattestation-ddf.md
@@ -1,6 +1,6 @@
---
title: HealthAttestation DDF
-description: HealthAttestation DDF
+description: Learn about the OMA DM device description framework (DDF) for the HealthAttestation configuration service provider.
ms.assetid: D20AC78D-D2D4-434B-B9FD-294BCD9D1DDE
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md
index 025ce63385..f4a14359a1 100644
--- a/windows/client-management/mdm/hotspot-csp.md
+++ b/windows/client-management/mdm/hotspot-csp.md
@@ -1,6 +1,6 @@
---
title: HotSpot CSP
-description: HotSpot CSP
+description: Learn how HotSpot configuration service provider (CSP) is used to configure and enable Internet sharing on a device.
ms.assetid: ec49dec1-fa79-420a-a9a7-e86668b3eebf
ms.reviewer:
manager: dansimp
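Review bot: The added description is missing an article: "Learn how HotSpot configuration service provider (CSP) is used" should read "Learn how the HotSpot configuration service provider (CSP) is used", matching the phrasing of the other CSP descriptions in this patch.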
diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
index 7b8e606d40..1c9ca9aba5 100644
--- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
@@ -1,6 +1,6 @@
---
title: MDM enrollment of Windows 10-based devices
-description: MDM enrollment of Windows 10-based devices
+description: Learn about mobile device management (MDM) enrollment of Windows 10-based devices to simplify access to your organization’s resources.
MS-HAID:
- 'p\_phdevicemgmt.enrollment\_ui'
- 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices'
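Review bot: The new description contains a typographic apostrophe in "organization’s", while the rest of the front matter in this patch is plain ASCII. Replace it with a straight apostrophe, or rephrase to "resources in your organization", so the metadata value does not depend on how downstream tooling handles non-ASCII characters.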
diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md
index cc739605f3..e9383e871f 100644
--- a/windows/client-management/mdm/messaging-csp.md
+++ b/windows/client-management/mdm/messaging-csp.md
@@ -1,6 +1,6 @@
---
title: Messaging CSP
-description: Use the Messaging CSP to configure the ability to get text messages audited on a mobile device.
+description: Use the Messaging configuration service provider (CSP) to configure the ability to get text messages audited on a mobile device.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md
index 7d719b40aa..3597ffa5fe 100644
--- a/windows/client-management/mdm/multisim-csp.md
+++ b/windows/client-management/mdm/multisim-csp.md
@@ -1,6 +1,6 @@
---
title: MultiSIM CSP
-description: MultiSIM CSP allows the enterprise to manage devices with dual SIM single active configuration.
+description: MultiSIM configuration service provider (CSP) allows the enterprise to manage devices with dual SIM single active configuration.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md
index c4dbd6410a..dcaef76767 100644
--- a/windows/client-management/mdm/nap-csp.md
+++ b/windows/client-management/mdm/nap-csp.md
@@ -1,6 +1,6 @@
---
title: NAP CSP
-description: NAP CSP
+description: Learn how the Network Access Point (NAP) configuration service provider (CSP) is used to manage and query GPRS and CDMA connections.
ms.assetid: 82f04492-88a6-4afd-af10-a62b8d444d21
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md
index 80a87e53d1..1b5f5ecdd4 100644
--- a/windows/client-management/mdm/napdef-csp.md
+++ b/windows/client-management/mdm/napdef-csp.md
@@ -1,6 +1,6 @@
---
title: NAPDEF CSP
-description: NAPDEF CSP
+description: Learn how the NAPDEF configuration service provider (CSP) is used to add, modify, or delete WAP network access points (NAPs).
ms.assetid: 9bcc65dd-a72b-4f90-aba7-4066daa06988
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md
index c82e246263..43aff61d37 100644
--- a/windows/client-management/mdm/networkproxy-csp.md
+++ b/windows/client-management/mdm/networkproxy-csp.md
@@ -1,6 +1,6 @@
---
title: NetworkProxy CSP
-description: NetworkProxy CSP
+description: Learn how the NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections.
ms.author: dansimp
ms.topic: article
ms.prod: w10
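Review bot: In the added description, "ethernet" should be capitalized as "Ethernet" to match "Wi-Fi" in the same phrase: "configure a proxy server for Ethernet and Wi-Fi connections".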
diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md
index 7535a3ce20..c2d3ea4a5e 100644
--- a/windows/client-management/mdm/networkqospolicy-ddf.md
+++ b/windows/client-management/mdm/networkqospolicy-ddf.md
@@ -1,6 +1,6 @@
---
title: NetworkQoSPolicy DDF
-description: View the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML
+description: View the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML.
ms.assetid:
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index aa0f6ee57d..83fd0ea765 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -13,7 +13,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 07/01/2019
+ms.date: 08/18/2020
---
# What's new in mobile device enrollment and management
@@ -58,6 +58,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
- [What is dmwappushsvc?](#what-is-dmwappushsvc)
- **Change history in MDM documentation**
+ - [August 2020](#august-2020)
- [July 2020](#july-2020)
- [June 2020](#june-2020)
- [May 2020](#may-2020)
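Review bot: The new table-of-contents entry links to "#august-2020", but the section heading that this anchor should resolve to is not visible in this hunk. Confirm that the patch also adds an "August 2020" heading under the change history section, otherwise the link is dead. The ms.date bump to 08/18/2020 in the previous hunk is consistent with such an entry.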
@@ -314,11 +315,7 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
Account is trusted for delegation Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the Delegation tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the setspn command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously. Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the Delegation tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the setspn command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously. Account is sensitive and cannot be delegated Use DES encryption types for this account Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES). 
DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see Hunting down DES in order to securely deploy Kerberos. DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see Hunting down DES in order to securely deploy Kerberos. Windows Update Setting Configuration Windows Update Setting Configuration Allow Automatic Updates immediate installation No. Setting Detailed Description No. Setting Detailed Description 3 Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System No. Setting Detailed Description No. 
Setting Detailed Description Important: Important: Notes: Notes: Name Parameters Name Parameters Add-BitLockerKeyProtector Add-BitLockerKeyProtector -ADAccountOrGroup -ADAccountOrGroupProtector -Confirm -WhatIf Backup-BitLockerKeyProtector Backup-BitLockerKeyProtector -Confirm -KeyProtectorId -MountPoint -WhatIf Disable-BitLocker Disable-BitLocker -Confirm -MountPoint -WhatIf Disable-BitLockerAutoUnlock Disable-BitLockerAutoUnlock -Confirm -MountPoint -WhatIf Enable-BitLocker Enable-BitLocker -AdAccountOrGroup -AdAccountOrGroupProtector -Confirm -WhatIf Enable-BitLockerAutoUnlock Enable-BitLockerAutoUnlock -Confirm -MountPoint -WhatIf Get-BitLockerVolume Get-BitLockerVolume -MountPoint Lock-BitLocker Lock-BitLocker -Confirm -ForceDismount -MountPoint -WhatIf Remove-BitLockerKeyProtector Remove-BitLockerKeyProtector -Confirm -KeyProtectorId -MountPoint -WhatIf Resume-BitLocker Resume-BitLocker -Confirm -MountPoint -WhatIf Suspend-BitLocker Suspend-BitLocker -Confirm -MountPoint -RebootCount -WhatIf Unlock-BitLocker Unlock-BitLocker -AdAccountOrGroup -Confirm -MountPoint Policy description Policy description With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices. Introduced Introduced Windows 10, version 1703 Drive type Drive type Operating system drives Policy path Policy path Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives Conflicts Conflicts This setting overrides the Require startup PIN with TPM option of the Require additional authentication at startup policy on compliant hardware.
When enabled When enabled Users on Modern Standby and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication. When disabled or not configured When disabled or not configured The options of the Require additional authentication at startup policy apply. Policy description Policy description With this policy setting, you can control whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started. Introduced Introduced Windows Server 2012 and Windows 8 Drive type Drive type Operating system drives Policy path Policy path Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives Conflicts Conflicts None When enabled When enabled Clients configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors. When disabled or not configured When disabled or not configured Clients cannot create and use Network Key Protectors Policy description Policy description With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. Introduced Introduced Windows Server 2008 R2 and Windows 7 Drive type Drive type Operating system drives Policy path Policy path Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives Conflicts Conflicts If one authentication method is required, the other methods cannot be allowed. Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled. 
Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled. When enabled When enabled Users can configure advanced startup options in the BitLocker Setup Wizard. When disabled or not configured When disabled or not configured Users can configure only basic options on computers with a TPM. Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs. Policy description Policy description With this policy setting, you can configure whether enhanced startup PINs are used with BitLocker. Introduced Introduced Windows Server 2008 R2 and Windows 7 Drive type Drive type Operating system drives Policy path Policy path Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives Conflicts Conflicts None When enabled When enabled All new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs are not affected. When disabled or not configured When disabled or not configured Enhanced PINs will not be used. Policy description Policy description With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6. Introduced Introduced Windows Server 2008 R2 and Windows 7 Drive type Drive type Operating system drives Policy path Policy path Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives Conflicts Conflicts None When enabled When enabled You can require that startup PINs set by users must have a minimum length you choose that is between 4 and 20 digits. 
When disabled or not configured When disabled or not configured Users can configure a startup PIN of any length between 6 and 20 digits. Policy description Policy description With this policy setting, you can configure whether standard users are allowed to change the PIN or password used to protect the operating system drive. Introduced Introduced Windows Server 2012 and Windows 8 Drive type Drive type Operating system drives Policy path Policy path Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives Conflicts Conflicts None When enabled When enabled Standard users are not allowed to change BitLocker PINs or passwords. When disabled or not configured When disabled or not configured Standard users are permitted to change BitLocker PINs or passwords. Policy description Policy description With this policy setting, you can specify the constraints for passwords that are used to unlock operating system drives that are protected with BitLocker. Introduced Introduced Windows Server 2012 and Windows 8 Drive type Drive type Operating system drives Policy path Policy path Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives Conflicts Conflicts Passwords cannot be used if FIPS-compliance is enabled. The System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled. The System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled. When enabled Users can configure a password that meets the requirements you define. 
To enforce complexity requirements for the password, select Require complexity. When enabled Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select Require complexity. When disabled or not configured When disabled or not configured The default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur. Policy description Policy description With this policy setting, you can control whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server 2008 can set up an additional authentication method that is required each time the computer starts. Introduced Introduced Windows Server 2008 and Windows Vista Drive type Drive type Operating system drives (Windows Server 2008 and Windows Vista) Policy path Policy path Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives Conflicts Conflicts If you choose to require an additional authentication method, other authentication methods cannot be allowed. When enabled When enabled The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with or without a TPM. When disabled or not configured When disabled or not configured The BitLocker Setup Wizard displays basic steps that allow users to enable BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured. Policy description Policy description With this policy setting, you can specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer. 
Introduced: Windows Server 2008 R2 and Windows 7
Drive type: Fixed data drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives
Conflicts: To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates.
When enabled: Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on fixed data drives check box.
When disabled: Users cannot use smart cards to authenticate their access to BitLocker-protected fixed data drives.
When not configured: Smart cards can be used to authenticate user access to a BitLocker-protected drive.

Policy description: With this policy setting, you can specify whether a password is required to unlock BitLocker-protected fixed data drives.
Introduced: Windows Server 2008 R2 and Windows 7
Drive type: Fixed data drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives
Conflicts: To use password complexity, the Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements policy setting must also be enabled.
When enabled: Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for fixed data drive. To enforce complexity requirements on the password, select Require complexity.
When disabled: The user is not allowed to use a password.
When not configured: Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters.

Policy description: With this policy setting, you can specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer.
Introduced: Windows Server 2008 R2 and Windows 7
Drive type: Removable data drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives
Conflicts: To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates.
When enabled: Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on removable data drives check box.
When disabled or not configured: Users are not allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives.
When not configured: Smart cards are available to authenticate user access to a BitLocker-protected removable data drive.

Policy description: With this policy setting, you can specify whether a password is required to unlock BitLocker-protected removable data drives.
Introduced: Windows Server 2008 R2 and Windows 7
Drive type: Removable data drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives
Conflicts: To use password complexity, the Password must meet complexity requirements policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy must also be enabled.
When enabled: Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for removable data drive. To enforce complexity requirements on the password, select Require complexity.
When disabled: The user is not allowed to use a password.
When not configured: Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters.

Policy description: With this policy setting, you can associate an object identifier from a smart card certificate to a BitLocker-protected drive.
Introduced: Windows Server 2008 R2 and Windows 7
Drive type: Fixed and removable data drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption
Conflicts: None
When enabled: The object identifier that is specified in the Object identifier setting must match the object identifier in the smart card certificate.
When disabled or not configured: The default object identifier is used.

Policy description: With this policy setting, you can allow users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability.
Introduced: Windows Server 2012 and Windows 8
Drive type: Operating system drive
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive
Conflicts: None
When enabled: Devices must have an alternative means of preboot input (such as an attached USB keyboard).
When disabled or not configured: The Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password.

Policy description: With this policy setting, you can set whether BitLocker protection is required for fixed data drives to be writable on a computer.
Introduced: Windows Server 2008 R2 and Windows 7
Drive type: Fixed data drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives
Conflicts: See the Reference section for a description of conflicts.
When enabled: All fixed data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access.
When disabled or not configured: All fixed data drives on the computer are mounted with Read and Write access.

Policy description: With this policy setting, you can configure whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
Introduced: Windows Server 2008 R2 and Windows 7
Drive type: Removable data drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives
Conflicts: See the Reference section for a description of conflicts.
When enabled: All removable data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access.
When disabled or not configured: All removable data drives on the computer are mounted with Read and Write access.

Policy description: With this policy setting, you can control the use of BitLocker on removable data drives.
Introduced: Windows Server 2008 R2 and Windows 7
Drive type: Removable data drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives
Conflicts: None
When enabled: You can select property settings that control how users can configure BitLocker.
When disabled: Users cannot use BitLocker on removable data drives.
When not configured: Users can use BitLocker on removable data drives.

Policy description: With this policy setting, you can control the encryption method and strength for drives.
Introduced: Windows Server 2012 and Windows 8
Drive type: All drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption
Conflicts: None
When enabled: You can choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.
When disabled or not configured: Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. Windows Phone does not support XTS; it uses AES-CBC 128-bit by default and supports AES-CBC 256-bit by policy.

Policy description: With this policy setting, you can manage BitLocker’s use of hardware-based encryption on fixed data drives and specify which encryption algorithms BitLocker can use with hardware-based encryption.
Introduced: Windows Server 2012 and Windows 8
Drive type: Fixed data drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives
Conflicts: None
When enabled: You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.
When disabled: BitLocker cannot use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive is encrypted.
When not configured: BitLocker software-based encryption is used irrespective of hardware-based encryption ability.

Policy description: With this policy setting, you can manage BitLocker’s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption.
Introduced: Windows Server 2012 and Windows 8
Drive type: Operating system drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
Conflicts: None
When enabled: You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.
When disabled: BitLocker cannot use hardware-based encryption with operating system drives, and BitLocker software-based encryption is used by default when the drive is encrypted.
When not configured: BitLocker software-based encryption is used irrespective of hardware-based encryption ability.

Policy description: With this policy setting, you can manage BitLocker’s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption.
Introduced: Windows Server 2012 and Windows 8
Drive type: Removable data drive
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives
Conflicts: None
When enabled: You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.
When disabled: BitLocker cannot use hardware-based encryption with removable data drives, and BitLocker software-based encryption is used by default when the drive is encrypted.
When not configured: BitLocker software-based encryption is used irrespective of hardware-based encryption ability.

Policy description: With this policy setting, you can configure the encryption type that is used by BitLocker.
Introduced: Windows Server 2012 and Windows 8
Drive type: Fixed data drive
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives
Conflicts: None
When enabled: This policy defines the encryption type that BitLocker uses to encrypt drives, and the encryption type option is not presented in the BitLocker Setup Wizard.
When disabled or not configured: The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.

Policy description: With this policy setting, you can configure the encryption type that is used by BitLocker.
Introduced: Windows Server 2012 and Windows 8
Drive type: Operating system drive
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
Conflicts: None
When enabled: The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.
When disabled or not configured: The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.

Policy description: With this policy setting, you can configure the encryption type that is used by BitLocker.
Introduced: Windows Server 2012 and Windows 8
Drive type: Removable data drive
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives
Conflicts: None
When enabled: The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.
When disabled or not configured: The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.

Policy description: With this policy setting, you can control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information.
Introduced: Windows Server 2008 R2 and Windows 7
Drive type: Operating system drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
Conflicts: You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled. When using data recovery agents, you must enable the Provide the unique identifiers for your organization policy setting.
When enabled: You can control the methods that are available to users to recover data from BitLocker-protected operating system drives.
When disabled or not configured: The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.

Policy description: With this policy setting, you can control whether the BitLocker Setup Wizard can display and specify BitLocker recovery options.
Introduced: Windows Server 2008 and Windows Vista
Drive type: Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption
Conflicts: This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the Do not allow option for both user recovery options, you must enable the Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) policy setting to prevent a policy error.
When enabled: You can configure the options that the BitLocker Setup Wizard displays to users for recovering BitLocker encrypted data.
When disabled or not configured: The BitLocker Setup Wizard presents users with ways to store recovery options.

Policy description: With this policy setting, you can manage the AD DS backup of BitLocker Drive Encryption recovery information.
Introduced: Windows Server 2008 and Windows Vista
Drive type: Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista.
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption
Conflicts: None
When enabled: BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer.
When disabled or not configured: BitLocker recovery information is not backed up to AD DS.

Policy description: With this policy setting, you can specify the default path that is displayed when the BitLocker Setup Wizard prompts the user to enter the location of a folder in which to save the recovery password.
Introduced: Windows Vista
Drive type: All drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption
Conflicts: None
When enabled: You can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify a fully qualified path or include the target computer's environment variables in the path. If the path is not valid, the BitLocker Setup Wizard displays the computer's top-level folder view.
When disabled or not configured: The BitLocker Setup Wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder.

Policy description: With this policy setting, you can control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials.
Introduced: Windows Server 2008 R2 and Windows 7
Drive type: Fixed data drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives
Conflicts: You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled. When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting.
When enabled: You can control the methods that are available to users to recover data from BitLocker-protected fixed data drives.
When disabled or not configured: The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.

Policy description: With this policy setting, you can control how BitLocker-protected removable data drives are recovered in the absence of the required credentials.
Introduced: Windows Server 2008 R2 and Windows 7
Drive type: Removable data drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives
Conflicts: You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled. When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting.
When enabled: You can control the methods that are available to users to recover data from BitLocker-protected removable data drives.
When disabled or not configured: The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.

Policy description: With this policy setting, you can configure the BitLocker recovery screen to display a customized message and URL.
Introduced: Windows 10
Drive type: Operating system drives
Policy path: Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives \ Configure pre-boot recovery message and URL
Conflicts: None
When enabled: The customized message and URL are displayed on the pre-boot recovery screen. If you have previously enabled a custom recovery message and URL and want to revert to the default message and URL, you must keep the policy setting enabled and select the Use default recovery message and URL option.
When disabled or not configured: If the setting has not been previously enabled, the default pre-boot recovery screen is displayed for BitLocker recovery. If the setting previously was enabled and is subsequently disabled, the last message in Boot Configuration Data (BCD) is displayed, whether it was the default recovery message or the custom message.

Policy description: With this policy setting, you can configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.
Introduced: Windows Server 2012 and Windows 8
Drive type: All drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
Conflicts: If you enable Allow Secure Boot for integrity validation, make sure the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting is not enabled, or that it includes PCR 7, to allow BitLocker to use Secure Boot for platform or BCD integrity validation. For more information about PCR 7, see Platform Configuration Register (PCR) in this topic.
When enabled or not configured: BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation.
When disabled: BitLocker uses legacy platform integrity validation, even on systems that are capable of Secure Boot-based integrity validation.

Policy description: With this policy setting, you can associate unique organizational identifiers to a new drive that is enabled with BitLocker.
Introduced: Windows Server 2008 R2 and Windows 7
Drive type: All drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption
Conflicts: Identification fields are required to manage certificate-based data recovery agents on BitLocker-protected drives. BitLocker manages and updates certificate-based data recovery agents only when the identification field is present on a drive and it is identical to the value that is configured on the computer.
When enabled: You can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization.
When disabled or not configured: The identification field is not required.

Policy description: With this policy setting, you can control computer restart performance at the risk of exposing BitLocker secrets.
Introduced: Windows Vista
Drive type: All drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption
Conflicts: None
When enabled: The computer will not overwrite memory when it restarts. Preventing memory overwrite may improve restart performance, but it increases the risk of exposing BitLocker secrets.
When disabled or not configured: BitLocker secrets are removed from memory when the computer restarts.

Policy description: With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.
Introduced: Windows Server 2012 and Windows 8
Drive type: Operating system drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
Conflicts: None
When enabled: You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.
When disabled or not configured: The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.

Policy description: With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.
Introduced: Windows Server 2008 and Windows Vista
Drive type: Operating system drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
Conflicts: None
When enabled: You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.
When disabled or not configured: The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.

Policy description: With this policy setting, you can configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key.
Introduced: Windows Server 2012 and Windows 8
Drive type: Operating system drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
Conflicts: Setting this policy with PCR 7 omitted overrides the Allow Secure Boot for integrity validation Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation. If your environments use TPM and Secure Boot for platform integrity checks, this policy should not be configured. For more information about PCR 7, see Platform Configuration Register (PCR) in this topic.
When enabled: Before you turn on BitLocker, you can configure the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.
When disabled or not configured: BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.

Policy description: With this policy setting, you can control whether platform validation data is refreshed when Windows is started following a BitLocker recovery.
Introduced Introduced Windows Server 2012 and Windows 8 Drive type Drive type Operating system drives Policy path Policy path Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives Conflicts Conflicts None When enabled When enabled Platform validation data is refreshed when Windows is started following a BitLocker recovery. When disabled When disabled Platform validation data is not refreshed when Windows is started following a BitLocker recovery. When not configured When not configured Platform validation data is refreshed when Windows is started following a BitLocker recovery. Policy description Policy description With this policy setting, you can specify Boot Configuration Data (BCD) settings to verify during platform validation. Introduced Introduced Windows Server 2012 and Windows 8 Drive type Drive type Operating system drives Policy path Policy path Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives Conflicts When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the Use enhanced Boot Configuration Data validation profile Group Policy setting is ignored (as defined by the Allow Secure Boot for integrity validation Group Policy setting). Conflicts When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the Use enhanced Boot Configuration Data validation profile Group Policy setting is ignored (as defined by the Allow Secure Boot for integrity validation Group Policy setting). When enabled When enabled You can add additional BCD settings, exclude the BCD settings you specify, or combine inclusion and exclusion lists to create a customized BCD validation profile, which gives you the ability to verify those BCD settings. 
When disabled When disabled The computer reverts to a BCD profile validation similar to the default BCD profile that is used by Windows 7. When not configured When not configured The computer verifies the default BCD settings in Windows. Policy description Policy description With this policy setting, you can configure whether fixed data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2). Introduced Introduced Windows Server 2008 R2 and Windows 7 Drive type Drive type Fixed data drives Policy path Policy path Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives Conflicts Conflicts None When enabled and When not configured When enabled and When not configured Fixed data drives that are formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives. When disabled When disabled Fixed data drives that are formatted with the FAT file system and are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed. Policy description Policy description With this policy setting, you can configure whether removable data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. 
Introduced Introduced Windows Server 2008 R2 and Windows 7 Drive type Drive type Removable data drives Policy path Policy path Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives Conflicts Conflicts None When enabled and When not configured When enabled and When not configured Removable data drives that are formatted with the FAT file system can be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives. When disabled When disabled Removable data drives that are formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed. Policy description Policy description Notes Introduced Introduced Windows Server 2003 with SP1 Drive type Drive type System-wide Policy path Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Policy path Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Conflicts Conflicts Some applications, such as Terminal Services, do not support FIPS-140 on all operating systems. When enabled When enabled Users will be unable to save a recovery password to any location. This includes AD DS and network folders. In addition, you cannot use WMI or the BitLocker Drive Encryption Setup wizard to create a recovery password. 
When disabled or not configured: No BitLocker encryption key is generated

| Name | Parameters |
|---|---|
| Add-BitLockerKeyProtector | -ADAccountOrGroup -ADAccountOrGroupProtector -Confirm -WhatIf |
| Backup-BitLockerKeyProtector | -Confirm -KeyProtectorId -MountPoint -WhatIf |
| Disable-BitLocker | -Confirm -MountPoint -WhatIf |
| Disable-BitLockerAutoUnlock | -Confirm -MountPoint -WhatIf |
| Enable-BitLocker | -AdAccountOrGroup -AdAccountOrGroupProtector -Confirm -WhatIf |
| Enable-BitLockerAutoUnlock | -Confirm -MountPoint -WhatIf |
| Get-BitLockerVolume | -MountPoint |
| Lock-BitLocker | -Confirm -ForceDismount -MountPoint -WhatIf |
| Remove-BitLockerKeyProtector | -Confirm -KeyProtectorId -MountPoint -WhatIf |
| Resume-BitLocker | -Confirm -MountPoint -WhatIf |
| Suspend-BitLocker | -Confirm -MountPoint -RebootCount -WhatIf |
| Unlock-BitLocker | -AdAccountOrGroup -Confirm -MountPoint |

| Action | On owner node of failover volume | On Metadata Server (MDS) of CSV | On (Data Server) DS of CSV | Maintenance Mode |
|---|---|---|---|---|
| Manage-bde -on | Blocked | Blocked | Blocked | Allowed |
| Manage-bde -off | Blocked | Blocked | Blocked | Allowed |
| Manage-bde Pause/Resume | Blocked | Blocked | Blocked | Blocked | Allowed |
| Manage-bde -lock | Blocked | Blocked | Blocked | Allowed |
| manage-bde -wipe | Blocked | Blocked | Blocked | Allowed |
| Unlock | Automatic via cluster service | Automatic via cluster service | Automatic via cluster service | Allowed |
| manage-bde -protector -add | Allowed | Allowed | Blocked | Allowed |
| manage-bde -protector -delete | Allowed | Allowed | Blocked | Allowed |
| manage-bde -autounlock | Allowed (not recommended) | Allowed (not recommended) | Blocked | Allowed (not recommended) |
| Manage-bde -upgrade | Allowed | Allowed | Blocked | Allowed |
| Shrink | Allowed | Allowed | Blocked | Allowed |
| Extend | Allowed | Allowed | Blocked | |

This might be useful if your company is the publisher and signer of internal line-of-business apps.

This option is recommended for enlightened apps that weren't previously enlightened.

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise. If you have multiple resources, you must separate them using the "|" delimiter. If you don't use proxy servers, you must also include the "," delimiter just before the "|". For example:

Important

If you have multiple ranges, you must separate them using the "," delimiter.

Data copied from the WIP-managed device is marked as Work.
Data copied to the WIP-managed device is not marked as Work.
Local Work data copied to the WIP-managed device remains Work data.
Work data that is copied between two apps in the same session remains data.

Important:

Notes:

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278)

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886)

FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664)

FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs.
#3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575)

FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323)

FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert.
#1692) Version 10.0.16299 CBC ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); OFB ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) CBC ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); OFB ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627 Version 10.0.15063 KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 ) KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 ) AES Val#4624 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626 Version 10.0.15063 CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ) CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ) AES Val#4624 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625 Version 10.0.15063 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) CCM (KS: 128 , 192 , 256 ) (Assoc. 
Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported GMAC_Supported XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624 Version 10.0.15063 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); Windows Embedded 
Compact Enhanced Cryptographic Provider (RSAENH) #4434 Version 7.00.2872 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433 Version 8.00.6246 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431 Version 7.00.2872 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430 Version 8.00.6246 CBC ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); OFB ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) CBC ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); OFB ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074 Version 10.0.14393 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) CCM (KS: 128 , 192 , 256 ) (Assoc. 
Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064 Version 10.0.14393 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); KW ( AE , AD , 
AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 ) KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 ) AES Val#4064 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062 Version 10.0.14393 CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ) CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ) AES Val#4064 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061 Version 10.0.14393 KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 ) KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 ) AES Val#3629 Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652 Version 10.0.10586 CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ) CCM (KS: 256 ) (Assoc. 
Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ) AES Val#3629 Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653 Version 10.0.10586 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) CCM (KS: 128 , 192 , 256 ) (Assoc. 
Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629 Version 10.0.10240 CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ) CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ) AES Val#3497 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498 Version 10.0.10240 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) CCM (KS: 128 , 192 , 256 ) (Assoc. 
Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, 
Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853 Version 6.3.9600 CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ) CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ) AES Val#2832 Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848 Version 6.3.9600 CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported ; CCM (KS: 128 , 192 , 256 ) (Assoc. 
Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported ; Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832 Version 6.3.9600 CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) CCM (KS: 128 , 192 , 256 ) (Assoc. 
Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ) CCM (KS: 256 ) (Assoc. 
Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ) AES Val#2196 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); Windows Server 2008 R2 and SP1 CNG algorithms #1187 Windows 7 Ultimate and SP1 CNG algorithms #1178 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); GCM GMAC GCM GMAC Windows Server 2008 CNG algorithms #757 Windows Vista Ultimate SP1 CNG algorithms #756 CBC ( e/d; 128 , 256 ); CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) CBC ( e/d; 128 , 256 ); CCM (KS: 128 , 256 ) (Assoc. 
Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) Windows Vista Ultimate BitLocker Drive Encryption #715 Windows Vista Ultimate BitLocker Drive Encryption #424 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739 Windows Vista Symmetric Algorithm Implementation #553 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024 Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818 Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781 Version 10.0.16299 Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556 Version 10.0.15063 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555 Version 10.0.15063 Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433 Version 7.00.2872 Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432 Version 8.00.6246 Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430 Version 7.00.2872 Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429 Version 8.00.6246 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222 Version 10.0.14393 
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217 Version 10.0.14393 Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955 Version 10.0.10586 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868 Version 10.0.10240 Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489 Version 6.3.9600 Version 10.0.16299 FIPS186-4: PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ] KeyPairGen: [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ] FIPS186-4: PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ] KeyPairGen: [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ] SHS: 
Val#3790 DRBG: Val# 1555 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223 Version 10.0.15063 Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188 Version 7.00.2872 Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187 Version 8.00.6246 FIPS186-4: FIPS186-4: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098 Version 10.0.14393 FIPS186-4: FIPS186-4: Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024 Version 10.0.10586 FIPS186-4: FIPS186-4: Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983 Version 10.0.10240 FIPS186-4: FIPS186-4: Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855 Version 6.3.9600 FIPS186-2: FIPS186-2: FIPS186-4: FIPS186-4: Windows 7 Ultimate and SP1 CNG algorithms #386 Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385 
Windows Server 2008 CNG algorithms #284 Windows Vista Ultimate SP1 CNG algorithms #283 Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281 Windows Vista Enhanced DSS (DSSENH) #226 Windows 2000 DSSENH.DLL #29 Windows 2000 DSSBASE.DLL #28 Windows NT 4 SP6 DSSBASE.DLL #25 FIPS186-2: PRIME; KEYGEN(Y): FIPS186-2: PRIME; KEYGEN(Y): SIG(gen): SIG(gen): Version 10.0.16299 Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136 Version 10.0.15063 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135 Version 10.0.15063 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133 Version 10.0.15063 Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073 Version 7.00.2872 Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072 Version 8.00.6246 FIPS186-4: FIPS186-4: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920 Version 10.0.14393 FIPS186-4: FIPS186-4: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911 Version 10.0.14393 FIPS186-4: FIPS186-4: Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760 
Version 10.0.10586 FIPS186-4: FIPS186-4: FIPS186-4: FIPS186-4: Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505 Version 6.3.9600 FIPS186-2: FIPS186-4: FIPS186-2: FIPS186-4: FIPS186-2: FIPS186-4: FIPS186-2: FIPS186-4: Windows Server 2008 R2 and SP1 CNG algorithms #142 Windows 7 Ultimate and SP1 CNG algorithms #141 Windows Server 2008 CNG algorithms #83 Windows Vista Ultimate SP1 CNG algorithms #82 Version 10.0.16299 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062 Version 10.0.15063 HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061 Version 10.0.15063 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652 
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652 Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946 Version 7.00.2872 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651 Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945 Version 8.00.6246 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649 Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943 Version 7.00.2872 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) 
SHSVal#3648 Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942 Version 8.00.6246 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661 Version 10.0.14393 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651 Version 10.0.14393 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 
635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381 Version 10.0.10586 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233 Version 10.0.10240 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773 Version 6.3.9600 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764 Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic 
Provider (RSAENH) #2122 Version 5.2.29344 HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902 HMAC-SHA256 ( Key Size Ranges Tested: KS#1902 HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902 HMAC-SHA256 ( Key Size Ranges Tested: KS#1902 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1903 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1903 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1903 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1903 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1903 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1903 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1903 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1903 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773 Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773 Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774 
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081 Windows Server 2008 R2 and SP1 CNG algorithms #686 Windows 7 and SP1 CNG algorithms #677 Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687 Windows 7 Enhanced Cryptographic Provider (RSAENH) #673 HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081 HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081 HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081 HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816 HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753 HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753 HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753 HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753 HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753 HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753 Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408 
Windows Vista Enhanced Cryptographic Provider (RSAENH) #407 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618 Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429 Windows XP, vendor-affirmed HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753 Windows Server 2008 CNG algorithms #413 Windows Vista 
Ultimate SP1 CNG algorithms #412 HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737 HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737 HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737 HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737 HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618 HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618 HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589 HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589 HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589 HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589 HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578 HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578 HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495 HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495 HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495 HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495 Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99 Windows XP, vendor-affirmed HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) 
SHSVal#305 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305 ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ] ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ] FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key 
Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115 Version 7.00.2872 FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration ) ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration ) Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93 Version 10.0.14393 FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SHS Val# 3347 DSA Val#1098 DRBG Val#1217 ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( 
No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651 FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) SHS Val# 3047 DSA Val#1024 DRBG Val#955 ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) SHS Val# 2886 DSA Val#983 DRBG Val#868 ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / 
Responder ) FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) SHS Val#2373 DSA Val#855 DRBG Val#489 ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] KAS (SP 800–56A) KAS (SP 800–56A) key agreement key establishment methodology provides 80 to 256 bits of encryption strength Windows 7 and SP1, vendor-affirmed Version 10.0.16299 CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) Microsoft Windows 10 
Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102 Version 10.0.14393 CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101 Version 10.0.14393 CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72 Version 10.0.10586 CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] 
[HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66 Version 10.0.10240 CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30 Version 6.3.9600 CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) FIPS 186-2 General Purpose [ (x-Original); (SHA-1) ] FIPS 186-2 General Purpose [ (x-Original); (SHA-1) ] Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060 Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292 Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286 Windows CE 5.00 and Window CE 5.01 Enhanced Cryptographic Provider (RSAENH) #66 FIPS 186-2 FIPS 186-2 General Purpose FIPS 186-2 FIPS 186-2 General Purpose Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649 Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435 
Windows Vista RNG implementation #321 Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470 Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449 Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447 Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313 Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448 Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314 RSA: Version 10.0.16299 Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524 Version 10.0.15063 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523 Version 10.0.15063 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522 Version 10.0.15063 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521 Version 10.0.15063 FIPS186-2: FIPS186-2: FIPS186-4: FIPS186-4: Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415 Version 7.00.2872 FIPS186-2: FIPS186-2: FIPS186-4: FIPS186-4: Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414 Version 8.00.6246 FIPS186-2: FIPS186-2: FIPS186-4: FIPS186-4: Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412 Version 7.00.2872 FIPS186-2: FIPS186-2: FIPS186-4: FIPS186-4: Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411 Version 8.00.6246 FIPS186-4: FIPS186-4: SHA Val# 3347 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206 Version 10.0.14393 FIPS186-4: 
FIPS186-4: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195 Version 10.0.14393 FIPS186-4: FIPS186-4: SHA Val#3346 soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194 Version 10.0.14393 FIPS186-4: FIPS186-4: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193 Version 10.0.14393 FIPS186-4: Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) FIPS186-4: Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192 Version 10.0.14393 FIPS186-4: FIPS186-4: Microsoft 
Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889 Version 10.0.10586 FIPS186-4: FIPS186-4: SHA Val#3048 Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871 Version 10.0.10586 FIPS186-4: FIPS186-4: SHA Val# 3047 Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888 Version 10.0.10586 FIPS186-4: FIPS186-4: SHA Val# 3047 Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887 Version 10.0.10586 FIPS186-4: FIPS186-4: Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798 Version 10.0.10240 FIPS186-4: FIPS186-4: SHA Val#2871 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro 
with Windows 10 RSA32 Algorithm Implementations #1784 Version 10.0.10240 FIPS186-4: FIPS186-4: SHA Val#2871 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783 Version 10.0.10240 FIPS186-4: FIPS186-4: SHA Val# 2886 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802 Version 10.0.10240 FIPS186-4: FIPS186-4: Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487 Version 6.3.9600 FIPS186-4: FIPS186-4: SHA Val#2373 Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494 Version 6.3.9600 FIPS186-4: FIPS186-4: SHA Val#2373 Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493 Version 6.3.9600 
FIPS186-4: FIPS186-4: SHA Val#2373 Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519 Version 6.3.9600 FIPS186-4: FIPS186-4: Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134. Windows Server 2008 R2 and SP1 CNG algorithms #567 Windows 7 and SP1 CNG algorithms #560 Windows Server 2008 CNG algorithms #358 Windows Vista SP1 CNG algorithms #357 Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355 Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354 FIPS186-2: FIPS186-2: – PKCS#1 v1.5, signature generation and verification – Mod sizes: 1024, 1536, 2048, 3072, 4096 – SHS: SHA–1/256/384/512 Version 10.0.16299 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3790 Version 10.0.15063 Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3652 Version 7.00.2872 Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3651 Version 8.00.6246 Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3649 Version 7.00.2872 Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3648 Version 8.00.6246 SHA-1 (BYTE-only) SHA-256 (BYTE-only) SHA-384 (BYTE-only) SHA-512 (BYTE-only) SHA-1 (BYTE-only) SHA-256 (BYTE-only) SHA-384 (BYTE-only) SHA-512 (BYTE-only) Implementation does not support zero-length (null) messages. 
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902 Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1774 Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1773 Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081 Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816 Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #785 Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #784 Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753 Windows Vista Symmetric Algorithm Implementation #618 Windows Vista BitLocker Drive Encryption #737 Windows Vista Beta 2 BitLocker Drive Encryption #495 Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #613 Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #364 Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #611 Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #610 Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #385 Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #176 Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #589 Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #578 Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #305 Windows XP Microsoft Enhanced Cryptographic Provider #83 Crypto Driver for Windows 2000 (fips.sys) #35 Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) 
#32 Version 10.0.16299 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459 Version 10.0.15063 TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384 Version 8.00.6246 TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383 Version 8.00.6246 TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; CTR ( int only ) TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; CTR ( int only ) Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382 Version 7.00.2872 TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381 Version 8.00.6246 TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, ) TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, ) Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227 Version 10.0.14393 TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, ) TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, ) Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024 Version 10.0.10586 TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, 
) TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, ) Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969 Version 10.0.10240 TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, ) TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, ) Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692 Version 6.3.9600 TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 ) ; TCFB64( e/d; KO 1,2 ) TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 ) ; TCFB64( e/d; KO 1,2 ) TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 ) TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 ) TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 ) TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 ) TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 ) TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 ) TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 ) TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 ) Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308 Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307 
Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691 Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2937 Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936 Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed
- Windows 10, Version 1607 and earlier:
+ Windows 10, Version 1607 and earlier: If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site). If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on. If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen. Important: Using a trustworthy browser helps ensure that these protections work as expected. Important: Using a trustworthy browser helps ensure that these protections work as expected. Windows 10, version 1703: Windows 10, Version 1607 and earlier: Windows 10, version 1703: Windows 10, Version 1607 and earlier: If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on. If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen. Windows 10, version 1703: Windows 10, Version 1511 and 1607: Windows 10, version 1703: Windows 10, Version 1511 and 1607: If you enable this setting, it stops employees from bypassing the warning, stopping the file download. If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files. Windows 10, version 1703: Windows 10, Version 1511 and 1607: Windows 10, version 1703: Windows 10, Version 1511 and 1607: If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site. 
If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.
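Review bot: The version labels in this SmartScreen text are capitalised inconsistently: the added line has "Windows 10, Version 1607 and earlier:" and "Windows 10, Version 1511 and 1607:" next to "Windows 10, version 1703:". Since the line is being rewritten anyway, lower-case "version" throughout so the labels match. The two bypass settings also say that disabling or not configuring them lets employees continue past the warning to a potentially malicious download or site; stating the recommended value alongside each description would make the secure choice clear to an admin who reads only this table.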
@@ -193,23 +193,23 @@ To better help you protect your organization, we recommend turning on and using
Requires at least Windows 10, version 1703. Requires at least Windows 10, version 1703. Requires at least Windows 10, version 1703. Requires at least Windows 10, version 1703. Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled Required to support virtualization-based security. Device Guard can be enabled without using virtualization-based security. Device Guard can be enabled without using virtualization-based security. Use an installed packaged app as a reference Use an installed packaged app as a reference If selected, AppLocker requires you to choose an app that is already installed on which to base your new rule. AppLocker uses the publisher, package name and package version to define the rule. You want the Sales group only to use the app named Microsoft.BingMaps for its outside sales calls. The Microsoft.BingMaps app is already installed on the device where you are creating the rule, so you choose this option, and select the app from the list of apps installed on the computer and create the rule using this app as a reference. Use a packaged app installer as a reference Use a packaged app installer as a reference If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name and package version of the installer to define the rule. Your company has developed a number of internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share and choose the installer for the Payroll app as a reference to create your rule. Applies to Any publisher This is the least restrictive scope condition for an Allow rule. It permits every packaged app to run or install. 
Conversely, if this is a Deny rule, then this option is the most restrictive because it denies all apps from installing or running. Applies to Any publisher This is the least restrictive scope condition for an Allow rule. It permits every packaged app to run or install. Conversely, if this is a Deny rule, then this option is the most restrictive because it denies all apps from installing or running. You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app. Applies to a specific Publisher Applies to a specific Publisher This scopes the rule to all apps published by a particular publisher. You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope. Applies to a Package name Applies to a Package name This scopes the rule to all packages that share the publisher name and package name as the reference file. You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope. Applies to a Package version Applies to a Package version This scopes the rule to a particular version of the package. You want to be very selective in what you allow. You do not want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer. Applying custom values to the rule Selecting the Use custom values check box allows you to adjust the scope fields for your particular circumstance. You want to allow users to install all Microsoft.Bing* applications which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. 
You can choose the Microsoft.BingMaps as a reference, select the Use custom values check box and edit the package name field by adding “Microsoft.Bing*” as the Package name. Selecting the Use custom values check box allows you to adjust the scope fields for your particular circumstance. You want to allow users to install all Microsoft.Bing* applications which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the Use custom values check box and edit the package name field by adding “Microsoft.Bing*” as the Package name. AppLocker rules are only applied to computers running the supported versions of Windows, but SRP rules can be applied to all versions of Windows beginning with Windows XP and Windows Server 2003. For specific operating system version requirements, see Requirements to use AppLocker. If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker. If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker. SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003. AppLocker policies apply only to those supported operating system versions and editions listed in Requirements to use AppLocker. But these systems can also use SRP. Use different GPOs for SRP and AppLocker rules. Use different GPOs for SRP and AppLocker rules.
For more information about creating a **WPAD** entry, see [Creating a WPAD entry in DNS](https://go.microsoft.com/fwlink/p/?LinkId=294651).
-
-7. After the database file propagates to the server, the DNS name, `wpad.
Internet Explorer 11 creates a default URL template based on the host name, **wpad**. For example, `https://wpad.
DHCP has a higher priority than DNS for automatic configuration. If DHCP provides the URL to a .pac, .jvs, .js, or .ins configuration file, the process stops and the DNS lookup doesn't happen.
+
+## Updating your automatic detection settings
+To use automatic detection, you have to set up your DHCP and DNS servers.
Your DHCP servers must support the `DHCPINFORM` message, to obtain the DHCP options.
+
+ **To turn on automatic detection for DHCP servers**
+
+1. Open the Internet Explorer Customization Wizard 11, and go to the **Automatic Configuration** page.
+
+2. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. For more information about the **Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md).
+
+3. Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649).
+
+ **To turn on automatic detection for DNS servers**
+
+4. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
+
+5. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings.
+
+6. In your DNS database file, create a host record named, **WPAD**. This record has the IP address of the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.
For more information about creating a **WPAD** entry, see [Creating a WPAD entry in DNS](https://go.microsoft.com/fwlink/p/?LinkId=294651).
+
+7. After the database file propagates to the server, the DNS name, `wpad.
Internet Explorer 11 creates a default URL template based on the host name, **wpad**. For example, `https://wpad.
IE11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`.
-
-## Locking your auto-proxy settings
-You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment.
-
-- **Using Microsoft Active Directory.** Choose **Disable changing proxy settings** from the Administrative Templates setting.
-
-- **Not Using Active Directory.** Choose the **Prevent changing proxy settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. For more information about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514).
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: networking
+description: Auto proxy configuration settings for Internet Explorer 11
+author: dansimp
+ms.prod: ie11
+ms.assetid: 5120aaf9-8ead-438a-8472-3cdd924b7d9e
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Auto proxy configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Auto proxy configuration settings for Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+Configure and maintain your proxy settings, like pointing your users' browsers to your automatic proxy script, through the Internet Explorer Customization Wizard 11 running on either Windows 8.1 or Windows Server 2012 R2.
+
+## Updating your auto-proxy settings
+You can use your Internet settings (.ins) files to set up your standard proxy settings. You can also specify script files (.js, .jvs, or .pac) to configure and maintain your advanced proxy settings. IE uses your auto-proxy script files to dynamically determine whether to connect to a host or use a proxy server. If a proxy server connection fails, Internet Explorer 11 automatically attempts to connect to another proxy server that you have specified.
+
+ **To update your settings**
+
+1. Create a script file with your proxy information, copying it to a server location.
+
+2. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
+
+3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including:
+
+ - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that updates only happen when the computer restarts.
+
+ - **Automatic Configuration URL (.INS file) box:** Type the location of the .ins file you want to use for automatic configuration. For more information about setting up **Automatic Configuration**, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md).
+
+ - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script. This script runs whenever IE11 makes a network request and can include multiple proxy servers for each protocol type.
IE11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`.
+
+## Locking your auto-proxy settings
+You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment.
+
+- **Using Microsoft Active Directory.** Choose **Disable changing proxy settings** from the Administrative Templates setting.
+
+- **Not Using Active Directory.** Choose the **Prevent changing proxy settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. For more information about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514).
+
+
+
+
+
+
+
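Review bot: The example URL in the note under the **Automatic proxy URL** item points at an .ins file (`https://share/test.ins`) although the sentence is about keeping .pac files on a web server; change the example to a .pac URL so it matches the guidance. That note line also appears in the hunk without a leading `+` and without the indentation of the list item above it, so check how it renders under step 3. In "Locking your auto-proxy settings", both bullets name an Administrative Templates setting ("Disable changing proxy settings" versus "Prevent changing proxy settings"), so the "Not Using Active Directory" bullet should say how that policy is applied without a domain. The seven blank lines added at the end of the file can be dropped.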
diff --git a/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md b/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md
index 12bd5502e3..17f6488e0a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md
@@ -1,43 +1,47 @@
----
-title: Blocked out-of-date ActiveX controls
-description: This page is periodically updated with new ActiveX controls blocked by this feature.
-author: dansimp
-ms.author: dansimp
-audience: itpro
manager: dansimp
-ms.date: 05/10/2018
-ms.topic: article
-ms.prod: ie11
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-ms.assetid: ''
-ms.reviewer:
-ms.sitesec: library
----
-
-# Blocked out-of-date ActiveX controls
-
-ActiveX controls are small apps that let websites provide content, like videos and games, and let you interact with content, like toolbars. Unfortunately, because many ActiveX controls aren't automatically updated, they can become outdated as new versions are released. It's very important that you keep your ActiveX controls up to date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, Internet Explorer includes a security feature called _out-of-date ActiveX control blocking_.
-
-We'll periodically update this page with new ActiveX controls blocked by this feature. We'll typically provide one month's advance notice before adding new controls to the list.
-
-You will receive a notification if a webpage tries to load one of the following of ActiveX control versions:
-
-**Java**
-
-| Java 2 Platform, Standard Edition (J2SE) 1.4, everything below (but not including) update 43 |
-|----------------------------------------------------------------------------------------------|
-| J2SE 5.0, everything below (but not including) update 99 |
-| Java SE 6, everything below (but not including) update 181 |
-| Java SE 7, everything below (but not including) update 171 |
-| Java SE 8, everything below (but not including) update 161 |
-| Java SE 9, everything below (but not including) update 4 |
-
-**Silverlight**
-
-
-| Everything below (but not including) Silverlight 5.1.50907.0 |
-|--------------------------------------------------------------|
-| |
-
-For more information, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) and [Internet Explorer begins blocking out-of-date ActiveX controls](https://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx). You can also view Microsoft's complete list of out-of-date ActiveX controls in the XML-based [version list](https://go.microsoft.com/fwlink/?LinkId=403864).
+---
+title: Blocked out-of-date ActiveX controls
+description: This page is periodically updated with new ActiveX controls blocked by this feature.
+author: dansimp
+ms.author: dansimp
+audience: itpro
+manager: dansimp
+ms.date: 05/10/2018
+ms.topic: article
+ms.prod: ie11
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: security
+ms.assetid: ''
+ms.reviewer:
+ms.sitesec: library
+---
+
+# Blocked out-of-date ActiveX controls
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+ActiveX controls are small apps that let websites provide content, like videos and games, and let you interact with content, like toolbars. Unfortunately, because many ActiveX controls aren't automatically updated, they can become outdated as new versions are released. It's very important that you keep your ActiveX controls up to date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, Internet Explorer includes a security feature called _out-of-date ActiveX control blocking_.
+
+We'll periodically update this page with new ActiveX controls blocked by this feature. We'll typically provide one month's advance notice before adding new controls to the list.
+
+You will receive a notification if a webpage tries to load one of the following of ActiveX control versions:
+
+**Java**
+
+| Java 2 Platform, Standard Edition (J2SE) 1.4, everything below (but not including) update 43 |
+|----------------------------------------------------------------------------------------------|
+| J2SE 5.0, everything below (but not including) update 99 |
+| Java SE 6, everything below (but not including) update 181 |
+| Java SE 7, everything below (but not including) update 171 |
+| Java SE 8, everything below (but not including) update 161 |
+| Java SE 9, everything below (but not including) update 4 |
+
+**Silverlight**
+
+
+| Everything below (but not including) Silverlight 5.1.50907.0 |
+|--------------------------------------------------------------|
+| |
+
+For more information, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) and [Internet Explorer begins blocking out-of-date ActiveX controls](https://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx). You can also view Microsoft's complete list of out-of-date ActiveX controls in the XML-based [version list](https://go.microsoft.com/fwlink/?LinkId=403864).
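Review bot: The sentence "You will receive a notification if a webpage tries to load one of the following of ActiveX control versions:" is re-added with its stray "of"; since every line is touched anyway, change it to "one of the following ActiveX control versions". The Java table uses its first entry (J2SE 1.4) as the header row, and the Silverlight table uses its only entry as the header followed by an empty row; give both a real header row. The only content change here is the INCLUDE line, yet the hunk removes and re-adds every line except `manager: dansimp`, which looks like a line-ending or whitespace rewrite; confirm that is intended. `ms.date` also stays at 05/10/2018.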
diff --git a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
index fe61c67cf5..9aca832f3e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
@@ -1,38 +1,42 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: performance
-description: Browser cache changes and roaming profiles
-author: dansimp
-ms.prod: ie11
-ms.assetid: 85f0cd01-6f82-4bd1-9c0b-285af1ce3436
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Browser cache changes and roaming profiles (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 10/16/2017
----
-
-
-# Browser cache changes and roaming profiles
-We’ve redesigned the browser cache to improve the performance, flexibility, reliability, and scalability of Internet Explorer and the apps that rely on the Windows Internet (WinINet) cache. Our new database design stops multiple clients from simultaneously accessing and using cached information, while also providing a higher level of data integrity.
-
-You won’t notice any changes to the management of your roaming profile data if you use our new database implementation in conjunction with the [roaming user profile guidelines](https://go.microsoft.com/fwlink/p/?LinkId=401544). This means that IE data that’s stored in the `AppData\Roaming` user profile folder is still be uploaded to your normal profile storage location after a user successfully logs off.
Cookies in a roaming profile can only be set by Internet Explorer for the desktop, with Enhanced Protected Mode turned off. Cookies set by the immersive version of IE or by Microsoft Store apps, can’t be part of a roaming profile. For more information about persistent cookies and roaming, see [Persistent cookies are not roamed in Internet Explorer](https://go.microsoft.com/fwlink/p/?LinkId=401545).
-
-To get the best results while using roaming profiles, we strongly recommend the following:
-
-- Create a separate roaming repository for each domain account that uses roaming.
-
-- Restrict roaming user profiles so they work on only one computer at a time. Using a single roaming profile on multiple computers isn’t supported (via console or Remote Desktop) and can cause unpredictable results, including cookie loss.
-
-- Allow all computers that let users sign-on with a roaming profile have identical IE cookie policies and settings.
-
-- Make sure to delete the user’s local roaming profile at sign off for any computer using user profile roaming. You can do this by turning on the **Delete cached copies of roaming profiles** Group Policy Object.
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: performance
+description: Browser cache changes and roaming profiles
+author: dansimp
+ms.prod: ie11
+ms.assetid: 85f0cd01-6f82-4bd1-9c0b-285af1ce3436
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Browser cache changes and roaming profiles (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 10/16/2017
+---
+
+
+# Browser cache changes and roaming profiles
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+We’ve redesigned the browser cache to improve the performance, flexibility, reliability, and scalability of Internet Explorer and the apps that rely on the Windows Internet (WinINet) cache. Our new database design stops multiple clients from simultaneously accessing and using cached information, while also providing a higher level of data integrity.
+
+You won’t notice any changes to the management of your roaming profile data if you use our new database implementation in conjunction with the [roaming user profile guidelines](https://go.microsoft.com/fwlink/p/?LinkId=401544). This means that IE data that’s stored in the `AppData\Roaming` user profile folder is still be uploaded to your normal profile storage location after a user successfully logs off.
Cookies in a roaming profile can only be set by Internet Explorer for the desktop, with Enhanced Protected Mode turned off. Cookies set by the immersive version of IE or by Microsoft Store apps, can’t be part of a roaming profile. For more information about persistent cookies and roaming, see [Persistent cookies are not roamed in Internet Explorer](https://go.microsoft.com/fwlink/p/?LinkId=401545).
+
+To get the best results while using roaming profiles, we strongly recommend the following:
+
+- Create a separate roaming repository for each domain account that uses roaming.
+
+- Restrict roaming user profiles so they work on only one computer at a time. Using a single roaming profile on multiple computers isn’t supported (via console or Remote Desktop) and can cause unpredictable results, including cookie loss.
+
+- Allow all computers that let users sign-on with a roaming profile have identical IE cookie policies and settings.
+
+- Make sure to delete the user’s local roaming profile at sign off for any computer using user profile roaming. You can do this by turning on the **Delete cached copies of roaming profiles** Group Policy Object.
+
+
+
+
+
+
+
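Review bot: Two grammar errors are carried over unchanged in the re-added text and are worth fixing while the whole file is being rewritten: "is still be uploaded to your normal profile storage location" should read "is still uploaded", and the third recommendation, "Allow all computers that let users sign-on with a roaming profile have identical IE cookie policies and settings", needs a verb that fits, for example "Make sure all computers that let users sign on with a roaming profile have identical ...". The paragraph beginning "Cookies in a roaming profile can only be set by ..." appears as an unprefixed line directly after the previous paragraph, so check that it still renders as a separate note. The seven trailing blank lines can be dropped.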
diff --git a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
index d3cae2a67a..f358312bbc 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
@@ -1,56 +1,60 @@
----
-ms.localizationpriority: medium
-title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros)
-description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10 and Windows 10 Mobile.
-ms.mktglfcycl: deploy
-ms.prod: ie11
-ms.sitesec: library
-author: dansimp
-ms.date: 07/27/2017
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
----
-
-
-# Change history for Internet Explorer 11
-This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile.
-
-## April 2017
-|New or changed topic | Description |
-|----------------------|-------------|
-|[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md)|Updates to the Enterprise Mode section to include info about the Enterprise Mode Site List Portal. |
-
-## March 2017
-|New or changed topic | Description |
-|----------------------|-------------|
-|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to add the Allow VBScript to run in Internet Explorer and the Hide the button (next to the New Tab button) that opens Microsoft Edge settings. |
-
-## November 2016
-|New or changed topic | Description |
-|----------------------|-------------|
-|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) |Updated the DocMode reason section to correct Code 8 and to add Code 9.|
-
-## August 2016
-|New or changed topic | Description |
-|----------------------|-------------|
-|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. |
-|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. |
-|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md)|Added the Understanding the returned reason codes section to the topic. |
-
-## July 2016
-|New or changed topic | Description |
-|----------------------|-------------|
-|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to include the comprehensive list of Group Policies that were added with Internet Explorer 11. |
-
-## June 2016
-|New or changed topic | Description |
-|----------------------|-------------|
-|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated with 2 new policies, Send all sites not included in the Enterprise Mode Site List to Microsoft Edge and Show message when opening sites in Microsoft Edge using Enterprise Mode. |
-
-
-## May 2016
-|New or changed topic | Description |
-|----------------------|-------------|
-|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) | Added info about using <emie> and <docMode> together. |
-
+---
+ms.localizationpriority: medium
+title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros)
+description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10 and Windows 10 Mobile.
+ms.mktglfcycl: deploy
+ms.prod: ie11
+ms.sitesec: library
+author: dansimp
+ms.date: 07/27/2017
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+---
+
+
+# Change history for Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile.
+
+## April 2017
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md)|Updates to the Enterprise Mode section to include info about the Enterprise Mode Site List Portal. |
+
+## March 2017
+|New or changed topic | Description |
+|----------------------|-------------|
+|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to add the Allow VBScript to run in Internet Explorer and the Hide the button (next to the New Tab button) that opens Microsoft Edge settings. |
+
+## November 2016
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) |Updated the DocMode reason section to correct Code 8 and to add Code 9.|
+
+## August 2016
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. |
+|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. |
+|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md)|Added the Understanding the returned reason codes section to the topic. |
+
+## July 2016
+|New or changed topic | Description |
+|----------------------|-------------|
+|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to include the comprehensive list of Group Policies that were added with Internet Explorer 11. |
+
+## June 2016
+|New or changed topic | Description |
+|----------------------|-------------|
+|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated with 2 new policies, Send all sites not included in the Enterprise Mode Site List to Microsoft Edge and Show message when opening sites in Microsoft Edge using Enterprise Mode. |
+
+
+## May 2016
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) | Added info about using <emie> and <docMode> together. |
+
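Review bot: In the May 2016 row, "Added info about using <emie> and <docMode> together." has unescaped angle brackets inside a Markdown table cell, so the two element names are likely to be parsed as HTML tags and disappear from the rendered page; wrap them in backticks. The front matter keeps `ms.date: 07/27/2017` even though the page body changes with the new INCLUDE line, so decide whether the date should be bumped. There is also a double blank line before "## May 2016" that the other month headings do not have.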
diff --git a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md
index 0b2d9ff141..9b4b3e6f1f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md
@@ -1,51 +1,55 @@
----
-title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros)
-description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode.
-ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-ms.sitesec: library
-author: dansimp
-ms.author: dansimp
-ms.date: 08/14/2017
-ms.localizationpriority: medium
----
-
-
-# Check for a new Enterprise Mode site list xml file
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. You can add and remove sites from your XML list as frequently as you want, changing which sites should render in Enterprise Mode for your employees. For information about turning on Enterprise Mode and using site lists, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
-
-The information in this topic only covers HTTPS protocol. We strongly recommend that you use HTTPS protocol instead of file protocol due to increased performance.
-
-**How Internet Explorer 11 looks for an updated site list**
-
-1. Internet Explorer starts up and looks for an updated site list in the following places:
-
- 1. **In the cache container.** IE first checks the cache container to see if it finds your XML site list.
-
- 2. **In the local cache.** If there’s nothing in the cache container, IE checks your local cache for the site list.
-
- 3. **On the server.** Based on standard IE caching rules, IE might look for a copy of your site list in the location you put specified in the **SiteList** value of the registry.
-
-2. If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.
-
-
-
-
-
-
-
-
-
+---
+title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros)
+description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode.
+ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: ie11
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+ms.sitesec: library
+author: dansimp
+ms.author: dansimp
+ms.date: 08/14/2017
+ms.localizationpriority: medium
+---
+
+
+# Check for a new Enterprise Mode site list xml file
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. You can add and remove sites from your XML list as frequently as you want, changing which sites should render in Enterprise Mode for your employees. For information about turning on Enterprise Mode and using site lists, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
+
+The information in this topic only covers HTTPS protocol. We strongly recommend that you use HTTPS protocol instead of file protocol due to increased performance.
+
+**How Internet Explorer 11 looks for an updated site list**
+
+1. Internet Explorer starts up and looks for an updated site list in the following places:
+
+ 1. **In the cache container.** IE first checks the cache container to see if it finds your XML site list.
+
+ 2. **In the local cache.** If there’s nothing in the cache container, IE checks your local cache for the site list.
+
+ 3. **On the server.** Based on standard IE caching rules, IE might look for a copy of your site list in the location you put specified in the **SiteList** value of the registry.
+
+2. If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.
+
+
+
+
+
+
+
+
+
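Review bot: Step 1.3 is re-added with the typo "in the location you put specified in the **SiteList** value of the registry"; drop "put" so it reads "the location you specified". In the unprefixed note line after step 2, "enterprise mode" is lowercase while the rest of the topic capitalizes "Enterprise Mode", and "65 second wait" should be hyphenated as "65-second wait". The INCLUDE line is followed by two blank lines and the file ends with nine blank lines; one blank line after the include and none at the end is enough.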
diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md
index c35d115df7..810264c501 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md
@@ -1,31 +1,35 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Choose how to deploy Internet Explorer 11 (IE11)
-author: dansimp
-ms.prod: ie11
-ms.assetid: 21b6a301-c222-40bc-ad0b-27f66fc54d9d
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Choose how to deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Choose how to deploy Internet Explorer 11 (IE11)
-In this section, you can learn about how to deploy your custom version of Internet Explorer using Automatic Version Synchronization (AVS) or using your software distribution tools.
-
-## In this section
-
-| Topic | Description |
-|------------------------------------------------------------- | ------------------------------------------------------ |
-|[Deploy IE11 using Automatic Version Synchronization (AVS)](deploy-ie11-using-automatic-version-synchronization-avs.md) |Guidance about how to deploy your custom browser packages using Automatic Version Synchronization (AVS). |
-|[Deploy IE11 using software distribution tools](deploy-ie11-using-software-distribution-tools.md) |Guidance about how to deploy your custom browser packages using System Center 2012 R2, Windows Server Update Services (WSUS), Group Policy software installation, or Microsoft Deployment toolkit (MDT). |
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: Choose how to deploy Internet Explorer 11 (IE11)
+author: dansimp
+ms.prod: ie11
+ms.assetid: 21b6a301-c222-40bc-ad0b-27f66fc54d9d
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Choose how to deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Choose how to deploy Internet Explorer 11 (IE11)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+In this section, you can learn about how to deploy your custom version of Internet Explorer using Automatic Version Synchronization (AVS) or using your software distribution tools.
+
+## In this section
+
+| Topic | Description |
+|------------------------------------------------------------- | ------------------------------------------------------ |
+|[Deploy IE11 using Automatic Version Synchronization (AVS)](deploy-ie11-using-automatic-version-synchronization-avs.md) |Guidance about how to deploy your custom browser packages using Automatic Version Synchronization (AVS). |
+|[Deploy IE11 using software distribution tools](deploy-ie11-using-software-distribution-tools.md) |Guidance about how to deploy your custom browser packages using System Center 2012 R2, Windows Server Update Services (WSUS), Group Policy software installation, or Microsoft Deployment toolkit (MDT). |
+
+
+
+
+
+
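Review bot: In the second table row, "Microsoft Deployment toolkit (MDT)" has a lowercase "toolkit", while the install topic changed in this same patch links to "Microsoft Deployment Toolkit (MDT)"; use the capitalized product name here too. As in the other files, the hunk rewrites all lines to add one INCLUDE, and it leaves six trailing blank lines that can be removed.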
diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
index 563f38160c..72a5766494 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
@@ -1,37 +1,41 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Choose how to install Internet Explorer 11 (IE11)
-author: dansimp
-ms.prod: ie11
-ms.assetid: 9572f5f1-5d67-483e-bd63-ffea95053481
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Choose how to install Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Choose how to install Internet Explorer 11 (IE11)
-Before you install Internet Explorer 11, you should:
-
-- **Migrate Group Policy Objects.** Decide if your Group Policy Objects should migrate to the new version.
-
-- **Check vendor support for updated functionality.** Check whether third-party vendors have new versions or updates to necessary add-ons, apps, or code libraries.
-
-- **Choose the right version of Internet Explorer.** IE11 comes pre-installed on Windows 8.1 and Windows Server 2012 R2 or you can download it for Windows 7 SP1 or Windows Server 2008 R2 with Service Pack 1 (SP1) from the [Internet Explorer Downloads](https://go.microsoft.com/fwlink/p/?LinkId=214251) site.
-
-- **Choose how you'll deploy your installation package.** Your deployment method should be based on whether you're installing to computers already running Windows, or if you're deploying IE11 as part of a Windows installation.
-
- - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790), and [Microsoft Intune Overview](https://www.microsoft.com/cloud-platform/microsoft-intune).
-
- - **As part of a Windows deployment.** Update your Windows images to include IE11, and then add the update to your MDT deployment share or to your Windows image. For instructions about how to create and use Windows images, see [Create and Manage a Windows Image Using DISM](https://go.microsoft.com/fwlink/p/?LinkId=299408). For general information about deploying IE, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=331148), [Windows ADK Overview](https://go.microsoft.com/fwlink/p/?LinkId=276669).
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: Choose how to install Internet Explorer 11 (IE11)
+author: dansimp
+ms.prod: ie11
+ms.assetid: 9572f5f1-5d67-483e-bd63-ffea95053481
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Choose how to install Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Choose how to install Internet Explorer 11 (IE11)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+Before you install Internet Explorer 11, you should:
+
+- **Migrate Group Policy Objects.** Decide if your Group Policy Objects should migrate to the new version.
+
+- **Check vendor support for updated functionality.** Check whether third-party vendors have new versions or updates to necessary add-ons, apps, or code libraries.
+
+- **Choose the right version of Internet Explorer.** IE11 comes pre-installed on Windows 8.1 and Windows Server 2012 R2 or you can download it for Windows 7 SP1 or Windows Server 2008 R2 with Service Pack 1 (SP1) from the [Internet Explorer Downloads](https://go.microsoft.com/fwlink/p/?LinkId=214251) site.
+
+- **Choose how you'll deploy your installation package.** Your deployment method should be based on whether you're installing to computers already running Windows, or if you're deploying IE11 as part of a Windows installation.
+
+ - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790), and [Microsoft Intune Overview](https://www.microsoft.com/cloud-platform/microsoft-intune).
+
+ - **As part of a Windows deployment.** Update your Windows images to include IE11, and then add the update to your MDT deployment share or to your Windows image. For instructions about how to create and use Windows images, see [Create and Manage a Windows Image Using DISM](https://go.microsoft.com/fwlink/p/?LinkId=299408). For general information about deploying IE, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=331148), [Windows ADK Overview](https://go.microsoft.com/fwlink/p/?LinkId=276669).
+
+
+
+
+
+
+
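Review bot: The "Existing computers running Windows" bullet doubles the product name ("System Center R2 2012 System Center 2012 R2 Configuration Manager"); keep only "System Center 2012 R2 Configuration Manager", which matches the link text later in the same line. In the "As part of a Windows deployment" bullet, the last sentence joins its two links with a bare comma and needs an "and" before `[Windows ADK Overview]`. The front matter leaves `ms.reviewer:` empty, and the file ends with a run of empty added lines after the last bullet; trim those to a single trailing newline.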
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index 12049fdcb9..0ffe059374 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Collect data using Enterprise Site Discovery
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
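Review bot: The added INCLUDE here is followed by two consecutive empty lines before `**Applies to:**`, while other files in this same change (for example create-install-packages-for-multiple-operating-systems-or-languages.md) add one empty line before the INCLUDE and one after. Use one layout throughout the change, preferably a single blank line on each side, so the files stay consistent and do not pick up doubled blank lines.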
diff --git a/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md
index d01fccf729..db62af6aab 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# Use the Settings page to finish setting up the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
index 278408ab38..ad4441c9e3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# Create a change request using the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
index 6c260e93aa..395703b43d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Create packages for multiple operating systems or languages
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You'll create multiple versions of your custom browser package if:
- You support more than 1 version of Windows®.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
index fc43585ae7..342b139714 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Customize Internet Explorer 11 installation packages
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You can customize Internet Explorer 11 to support various browser behaviors, multiple operating system versions and languages, and Setup information (.inf) files.
|Topic |Description |
diff --git a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index b2c4c0f80a..843d917596 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md
index b9089ee16a..0f0c56de35 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md
@@ -15,6 +15,9 @@ ms.date: 07/27/2017
---
# Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You can deploy Internet Explorer 11 to your users' computers by using your custom browser packages and Automatic Version Synchronization (AVS).
## What is Automatic Version Synchronization?
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
index dc31c3230e..c3940fbefd 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Deploy Internet Explorer 11 using software distribution tools
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
If you already manage software distribution and updates on your network through software distribution tools, you can also use these tools for ongoing deployments of Internet Explorer. Software distribution tools include:
- **System Center R2 2012 System Center 2012 R2 Configuration Manager.** Deploy and install Internet Explorer 11 on your user's computers through a software distribution package. For more information about using this tool, see [System Center R2 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
index 567b8fbeb8..0177418299 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
index f0f44c2897..e8d1ec3d7d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Deprecated document modes and Internet Explorer 11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
index 8ad5f3e6ad..29574ab860 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
index cb419efe7f..e21f3e41ed 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
@@ -17,6 +17,9 @@ ms.date: 4/12/2018
# Enable and disable add-ons using administrative templates and group policy
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Add-ons let your employees personalize Internet Explorer. You can manage IE add-ons using Group Policy and Group Policy templates.
There are four types of add-ons:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
index d0998607dc..7f00307378 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Enhanced Protected Mode problems with Internet Explorer
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Enhanced Protected Mode further restricts Protected Mode to deny potential attackers access to sensitive or personal information. If this feature is turned on, users might start to see errors asking them to turn it off, like **This webpage wants to run "npctrl.dll. If you trust this site, you can disable Enhanced Protected Mode for this site to run the control**. If your users click the **Disable** box, Enhanced Protected Mode is turned off for only the single visit to that specific site. After the user leaves the site, Enhanced Protected Mode is automatically turned back on.
You can use your company’s Group Policy to turn Enhanced Protected Mode on or off for all users. For more information, see the [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md) information in this guide.
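Review bot: The unchanged paragraph directly under the added INCLUDE quotes the prompt text with an unbalanced quotation mark (`"npctrl.dll.`). Since this file is being touched anyway, close the quote after `npctrl.dll` so the bolded message reads correctly. The paragraph describes when users are asked to turn Enhanced Protected Mode off, so the quoted prompt should be exact.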
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md
index 71104a8786..e5e3c31095 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Enterprise Mode for Internet Explorer 11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
index 09160baadd..6832c2797b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Enterprise Mode schema v.1 guidance
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
index a321e5a744..299c6c093f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
@@ -18,6 +18,9 @@ ms.date: 12/04/2017
# Enterprise Mode schema v.2 guidance
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
index cf235b25aa..ce2f14b162 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Export your Enterprise Mode site list from the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
index f1d72eb1a1..a5abdb8400 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Fix web compatibility issues using document modes and the Enterprise Mode site list
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The Internet Explorer 11 Enterprise Mode site list lets you specify document modes for specific websites, helping you fix compatibility issues without changing a single line of code on the site. This addition to the site list is a continuation of our commitment to help you upgrade and stay up-to-date on the latest version of Internet Explorer, while still preserving your investments in existing apps.
## What does this mean for me?
diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md
index c3c7ead8ff..54da1d4ba1 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Fix validation problems using the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
index d2fadc609c..93486e7113 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Advanced Group Policy Management (AGPM) is an add-on license that available for the Microsoft Desktop Optimization Pack (MDOP). This license gives you change control and a role assignment-model that helps optimize Group Policy management and reduce the risk of widespread failures.
From AGPM you can:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
index df5754f0b6..e1e763af4c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
A Microsoft Management Console (MMC)-based tool that uses scriptable interfaces to manage Group Policy. The 32-bit and 64-bit versions are included with Windows Server R2 with Service Pack 1 (SP1) and Windows Server 2012 R2.
## Why use the GPMC?
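Review bot: Inserting the INCLUDE between the heading and the first paragraph separates a sentence fragment from its subject: "A Microsoft Management Console (MMC)-based tool that uses scriptable interfaces to manage Group Policy." only makes sense read directly under the title. Either place the INCLUDE after that opening paragraph or rewrite the opening as a full sentence (for example, starting with "The GPMC is a ..."). The same applies to the hunk for group-policy-and-local-group-policy-editor-ie11.md, whose first paragraph is the same kind of fragment.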
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md
index d80c5af350..7e8c419582 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Group Policy and Internet Explorer 11 (IE11)
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
index 4ca3868ed5..dce572d812 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy, the Local Group Policy Editor, and Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
A Microsoft Management Console (MMC)-based tool that manages both computer and user-related configurations for an individual computer policy. This tool is included with Windows® 7 Service Pack 1 (SP1) and Windows 8.1.
Here's a list of the policy settings you can use, based on the configuration type. For more info, see [Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=294912).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md
index 8a5b6d7859..12b360b126 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy and compatibility with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Internet Explorer 11 has many Group Policy entries that can be configured for keeping your environment managed and safe. This table includes all of our recommendations around security, performance, and compatibility with the previous versions of Internet Explorer, regardless of which Zone the website is in.
|Activity |Location |Setting the policy object |
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
index 403471f4c7..3eafec01ac 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy management tools
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Group Policy, based on Microsoft Active Directory Domain Services (AD DS), lets you manage your organization's computer and user settings as part of your Group Policy objects (GPOs), which are added and changed in the Group Policy Management Console (GPMC). GPOs can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. The most effective way to target a specific GPO is to use Windows Management Instrumentation (WMI) filters. Like, creating a WMI filter that applies a GPO only to computers with a specific make and model.
By using Group Policy, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple Internet Explorer 11 security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md
index ae5c5f783e..938e3e036e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group policy preferences and Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Group Policy preferences are less strict than Group Policy settings, based on:
| |Group Policy preferences |Group Policy settings |
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
index d94601a9d5..26cf3ae659 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
If you're having problems with Group Policy and Internet Explorer 11, or if you're looking for high-level information about the concepts and techniques used to troubleshoot Group Policy, as well as links to detailed reference topics, procedures, and troubleshooting scenario guides, see [Group Policy Analysis and Troubleshooting Overview](https://go.microsoft.com/fwlink/p/?LinkId=279872).
## Group Policy Object-related Log Files
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
index 1f0caf9bc3..cd9e8a1740 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy, Shortcut Extensions, and Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Group Policy includes the Shortcuts preference extension, which lets you configure shortcuts to:
- **File system objects.** Traditional shortcuts that link to apps, files, folders, drives, shares, or computers. For example, linking a shortcut to an app from the **Start** screen.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
index 2de349942d..6f57e982ec 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy, Windows Powershell, and Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Your domain-joined Group Policy Objects (GPOs) can use any of Group Policy-related “cmdlets” that run within Windows PowerShell.
Each cmdlet is a single-function command-line tool that can:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
index 9fe7dca247..edcb50cb9e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
@@ -17,6 +17,9 @@ ms.date: 05/22/2018
---
# Internet Explorer 11 delivery through automatic updates
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates.
- [Automatic updates delivery process](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#automatic-updates-delivery-process)
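Review bot: The INCLUDE, labelled as an end-of-support notice, now sits directly above an intro that still says Microsoft "will distribute Internet Explorer 11 through Automatic Updates" in the future tense, and the front matter keeps `ms.date: 05/22/2018` even though the page content changes. Please review the intro wording against the notice so the two do not read as contradicting each other, and update `ms.date` if the repository convention is to bump it on content changes.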
diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
index 6b34fcc195..30de0a2c97 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
@@ -11,6 +11,9 @@ ms.author: dansimp
# Full-sized flowchart detailing how document modes are chosen in IE11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)
If you support multiple architectures and operating systems, create a subfolder for each combination. If you support multiple languages, create a subfolder for each localized installation file.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
index 5d230773e3..d593de27c6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Install Internet Explorer 11 (IE11) using third-party tools
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You can install Internet Explorer 11 (IE11) using third-party electronic software distribution (ESD) systems and these command-line options:
## Setup Modes
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
index 62bfab42b9..662514e102 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Install Internet Explorer 11 (IE11) using Windows Server Update Services (WSUS)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Windows Server Update Services (WSUS) lets you download a single copy of the Microsoft product update and cache it on your local WSUS servers. You can then configure your computers to get the update from your local servers instead of Windows Update. For more information about WSUS, see [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790).
**To import from Windows Update to WSUS**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
index 3ebe727aeb..3e6ffbfad8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Install problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Most Internet Explorer 11 installations are straightforward and work the way they should. But it's possible that you might have problems.
If you do, you can:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
index 16331ab49c..803fc7fb83 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Fix intranet search problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
After upgrading to Internet Explorer 11, you might experience search issues while using your intranet site.
## Why is my intranet redirecting me to search results?
diff --git a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
index 2270749c81..66b29a20c4 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Manage Internet Explorer 11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
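Review bot: The three added lines in this hunk are the include followed by two blank lines, whereas the hunks for install-problems-with-ie11.md and intranet-problems-and-ie11.md in this same patch add one blank line, the include, then one blank line. Suggest using a single form across all files (blank line, include, blank line) so the end-of-support notice is separated from the H1 and the following text the same way everywhere and no doubled blank lines are introduced.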
diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
index c0087953b7..e0dbd2bdab 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Missing Internet Explorer Maintenance settings for Internet Explorer 11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
index fbc40cbf73..faa927931e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Missing the Compatibility View Button
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
index 31261bbf7e..6c68a1ec01 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# .NET Framework problems with Internet Explorer 11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
## Summary
If you’re having problems launching your legacy apps while running Internet Explorer 11, it’s most likely because Internet Explorer no longer starts apps that use managed browser hosting controls, like in .NET Framework 1.1 and 2.0.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
index 65e099eb37..9b8ab9eb33 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# New group policy settings for Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Internet Explorer 11 gives you some new Group Policy settings to help you manage your company's web browser configurations, including:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
index 5591606f32..a2f12352fd 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
@@ -18,6 +18,9 @@ ms.date: 05/10/2018
# Out-of-date ActiveX control blocking
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
@@ -105,7 +108,10 @@ reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVe
```
Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. Use this configuration option at your own risk.
-## Out-of-date ActiveX control blocking on managed devices
+## Out-of-date ActiveX control blocking
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+ on managed devices
Out-of-date ActiveX control blocking includes four new Group Policy settings that you can use to manage your web browser configuration, based on your domain controller. You can download the administrative templates, including the new settings, from the [Administrative templates (.admx) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=746579) page or the [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) page, depending on your operating system.
### Group Policy settings
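Review bot: The second hunk in out-of-date-activex-control-blocking.md breaks the H2 heading: `## Out-of-date ActiveX control blocking on managed devices` is replaced by `## Out-of-date ActiveX control blocking`, the include, and then an orphaned line ` on managed devices`. This looks like a text substitution that matched the page title inside the section heading. The first hunk for this file already adds the include under the H1, so this one is also a duplicate. Suggest dropping this hunk entirely and leaving the original heading unchanged, since the truncated heading also changes the section anchor that other pages may link to.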
diff --git a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
index 80a59c9305..fbcbcbadb9 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
@@ -16,6 +16,9 @@ ms.date: 10/16/2017
# Problems after installing Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
After you install Internet Explorer 11 in your organization, you might run into the following issues. By following these suggestions, you should be able to fix them.
## Internet Explorer is in an unusable state
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index df8a2b1707..4c973ffad6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
index 4995a12e9a..f30c495bb3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Remove sites from a local compatibility view list
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
index c9b859509b..93b323b78a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Remove sites from a local Enterprise Mode site list
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
index bb22b43b3f..acfe82d2a5 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
@@ -17,6 +17,9 @@ ms.date: 04/02/2020
# Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
index 28b18117e1..7b80dd178d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Save your site list to XML in the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
index 4565b9f0c1..4d5e66ec80 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# Schedule approved change requests for production using the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index 0f35b04d1c..f96a952626 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Search your Enterprise Mode site list in the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
index b6c1af8258..6edccdda73 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Set the default browser using Group Policy
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You can use the Group Policy setting, **Set a default associations configuration file**, to set the default browser for your company devices running Windows 10.
**To set the default browser as Internet Explorer 11**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
index fd55a40ebd..94f9336c89 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Set up Enterprise Mode logging and data collection
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
index 7b0dd491aa..c022c08569 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# Set up the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
index 7dd3e837c0..70d197c391 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Setup problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Installing Internet Explorer creates the following log files, which are stored in the Windows installation folder (typically, the C:\\Windows folder):
- `IE11_main.log`
diff --git a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
index a8953ad3f4..37b7bc16cf 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# System requirements and language support for Internet Explorer 11 (IE11)
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
index 1f9a047156..14bd40e745 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
@@ -17,6 +17,9 @@ ms.date: 05/10/2018
# Tips and tricks to manage Internet Explorer compatibility
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
Find out how to achieve better backward compatibility for your legacy web applications with the Enterprise Mode Site List.
Jump to:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
index 39d999c947..bf8ceeb867 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Troubleshoot Internet Explorer 11 (IE11)
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
index 1df0d6b95e..7e4561fa2a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Turn off Enterprise Mode
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
index 90442b3bbc..178085c2ad 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Fix font rendering problems by turning off natural metrics
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
By default, Internet Explorer 11 uses “natural metrics”. Natural metrics use inter-pixel spacing that creates more accurately rendered and readable text, avoiding many common font rendering problems with Windows Internet Explorer 9 or older sites.
However, you might find that many intranet sites need you to use Windows Graphics Device Interface (GDI) metrics. To avoid potential compatibility issues, you must turn off natural metrics for those sites.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
index 744df8c766..8c84054dc3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
@@ -18,6 +18,9 @@ ms.localizationpriority: medium
# Turn on Enterprise Mode and use a site list
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
index 1324c12963..b4db0fb7a4 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Turn on local control and logging for Enterprise Mode
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
index 446375289c..750bca0e82 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# List of updated features and tools - Internet Explorer 11 (IE11)
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
index c26e39ddcc..fe55abfdc6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ author: dansimp
# Use the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
index 3cbc140f4b..cbfcfecf93 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 12/04/2017
# Use the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
index 14fcd048fc..b7669cf1ca 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# User interface problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Some of the features in both Internet Explorer 11 and IEAK 11 have moved around. Here are some of the more common changes.
## Where did features go in the Internet Explorer Customization Wizard 11?
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
index 6bff79cc82..677f1c974a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Using IE7 Enterprise Mode or IE8 Enterprise Mode
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
index 07e3ce2e2b..7015595563 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Using Internet Explorer Administration Kit 11 (IEAK 11) to create packages
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Internet Explorer Administration Kit 11 (IEAK 11) helps you set up, deploy, and maintain Internet Explorer 11.
**Note**
IEAK 11 works in network environments, with or without Microsoft Active Directory.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
index 1f7b62dfa5..afc27104af 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Using Setup Information (.inf) files to create install packages
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
IEAK 11 uses Setup information (.inf) files to provide uninstallation instructions. Uninstallation instructions let your employees remove components, like files, registry entries, or shortcuts, through the **Uninstall or change a program** box. For details about .inf files, see [INF File Sections and Directives](https://go.microsoft.com/fwlink/p/?LinkId=327959).
**To add uninstallation instructions to the .inf files**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
index a3fce1731d..a31c831abd 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# Verify your changes using the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
index 42db6c85c5..1ccd3e4d0c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# Verify the change request update in the production environment using the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
index 2be252275c..9aa736bacb 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
index 20ad5ac557..f2db72080d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# View the available Enterprise Mode reports from the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
index e5de6fffdd..771f7b3439 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Virtualization and compatibility with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
If your company is considering upgrading to the latest version of Internet Explorer, but is hesitant because of a large number of web apps that need to be tested and moved, we recommend that you consider virtualization. Virtualization lets you set up a virtual environment where you can run earlier versions of IE.
**Important**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
index 1a2c6fc17a..b9fb67f961 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
@@ -18,6 +18,9 @@ ms.date: 10/25/2018
# Enterprise Mode and the Enterprise Mode Site List
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
@@ -61,7 +64,10 @@ Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microso
- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list.
-## Enterprise Mode and the Enterprise Mode Site List XML file
+## Enterprise Mode and the Enterprise Mode Site List
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+ XML file
The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your employees can easily view this site list by typing _about:compat_ in either Microsoft Edge or IE11.
Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge.
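Review bot: The second hunk in what-is-enterprise-mode.md splits the H2 heading: `## Enterprise Mode and the Enterprise Mode Site List XML file` becomes `## Enterprise Mode and the Enterprise Mode Site List`, the include, and a stray ` XML file` line. The include is already added under the H1 by the first hunk for this file, so this insertion is a duplicate and the new H2 text now repeats the page title. Suggest reverting this hunk so the heading stays `## Enterprise Mode and the Enterprise Mode Site List XML file`.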
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
index 4f1c56a922..1fd67f656b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
@@ -19,6 +19,9 @@ ms.date: 05/10/2018
# What is the Internet Explorer 11 Blocker Toolkit?
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
index de71b3a8ff..dd8e3bcce6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
@@ -17,6 +17,9 @@ ms.author: dansimp
# Workflow-based processes for employees using the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
index 8917b1de22..c27e670fd6 100644
--- a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
+++ b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
@@ -16,6 +16,9 @@ ms.date: 10/16/2017
# Internet Explorer 11 - FAQ for IT Pros
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Answering frequently asked questions about Internet Explorer 11 (IE11) features, operating system support, integration with the Windows operating system, Group Policy, and general configuration.
## Frequently Asked Questions
diff --git a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
index e35b64b8a4..cf59b670d6 100644
--- a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
+++ b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
@@ -16,6 +16,9 @@ ms.date: 05/10/2018
# Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit.
> [!Important]
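Review bot: in faq-ie11-blocker-toolkit.md the include is followed by two added blank lines, so the source ends up with consecutive empty lines before "Get answers to commonly asked questions". Keep a single blank line after the include, as in faq-for-it-pros.md in this same directory.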
diff --git a/browsers/internet-explorer/ie11-faq/faq-ieak11.md b/browsers/internet-explorer/ie11-faq/faq-ieak11.md
index 7405392094..929acbed39 100644
--- a/browsers/internet-explorer/ie11-faq/faq-ieak11.md
+++ b/browsers/internet-explorer/ie11-faq/faq-ieak11.md
@@ -18,6 +18,9 @@ ms.date: 05/10/2018
# IEAK 11 - Frequently Asked Questions
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
Get answers to commonly asked questions about the Internet Explorer Administration Kit 11 (IEAK 11), and find links to additional material you might find helpful.
**What is IEAK 11?**
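Review bot: the added block in faq-ieak11.md is include, blank, blank rather than blank, include, blank. The second trailing blank line is redundant and leaves a double empty line above the intro paragraph; remove it.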
diff --git a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
index b211933353..40a7886b0a 100644
--- a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Accelerators page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Accelerators** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you add accelerators to your employee computers. Accelerators are contextual menu options that can quickly get to a web service from any webpage. For example, an accelerator can look up a highlighted word in the dictionary or a selected location on a map.
**Note**
diff --git a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
index 7e89dab65d..b4d0459c78 100644
--- a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Add and approve ActiveX controls using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
There are two main approaches to how you can control the use of ActiveX controls in your company. For more info about ActiveX controls, including how to manage the controls using Group Policy, see [Group Policy and ActiveX installation](../ie11-deploy-guide/activex-installation-using-group-policy.md) in the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md).
**Note**
diff --git a/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
index eae4f678e5..c04501eea7 100644
--- a/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Add a Root Certificate page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
We’re sorry. While we continue to recommend that you digitally sign your package, we’ve removed all of the functionality that allowed you to add a root certificate using the Internet Explorer Customization Wizard 11. The wizard page itself will be removed in a future version of the IEAK.
Click **Next** to go to the [Programs](programs-ieak11-wizard.md) page or **Back** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page.
diff --git a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
index 60be35bc0d..ebff04a24a 100644
--- a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Additional Settings page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Additional Settings** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you pick additional custom, corporate, and Internet settings that relate to your employee’s desktop, operating system, and security. If you don’t change a setting, it’ll be ignored.
The additional settings appear in administration (.adm) files that are stored in your `
diff --git a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
index 1a46247c5c..7d4f9344c9 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Set up auto detection for DHCP or DNS servers using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Set up your network to automatically detect and customize Internet Explorer 11 when it’s first started. Automatic detection is supported on both Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS), letting your servers detect and set up your employee’s browser settings from a central location, using a configuration URL (.ins file) or a JavaScript proxy configuration file (.js, .jvs, or .pac).
Before you can set up your environment to use automatic detection, you need to turn the feature on.
diff --git a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
index c317a46e0e..b4565ed485 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Automatic Version Synchronization page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Automatic Version Synchronization** page of the Internet Explorer Customization Wizard 11 runs the synchronization process every time you run the wizard, downloading the Internet Explorer 11 Setup file to your computer. The Setup file includes the required full and express packages.
**Important**
diff --git a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
index 3508c186af..7271837b2e 100644
--- a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
@@ -18,6 +18,9 @@ ms.date: 04/24/2018
# Before you start using IEAK 11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
Before you run IEAK 11 and the Customization Wizard, make sure you have met the following requirements:
- Have you determined which licensing version of the Internet Explorer Administration Kit 11 to install? For info, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md).
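Review bot: before-you-create-custom-pkgs-ieak11.md gets two blank `+` lines after the include, unlike the other ie11-ieak pages nearby, which add one blank line before and one after. Align this hunk with that pattern so the include placement is identical across the IEAK pages.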
diff --git a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
index 5c9c189f24..351b1bbb76 100644
--- a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Branding .INS file to create custom branding and setup info
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about the custom branding and setup information in your browser package.
|Name |Value | Description |
diff --git a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
index c1f3999a3a..0116384f6d 100644
--- a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Browser User Interface page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Browser User Interface** page of the Internet Explorer Customization Wizard 11 lets you change the toolbar buttons and the title bar text in IE.
**Note**
The customizations you make on this page apply only to Internet Explorer for the desktop.
diff --git a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
index b2b123ff69..05fb2324f7 100644
--- a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar and buttons
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about how to customize the Internet Explorer toolbar.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
index a39adaff3e..3214ea32c0 100644
--- a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Browsing Options page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Browsing Options** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you decide how you want to manage items in the **Favorites, Favorites Bar, and Feeds** section, including the Microsoft-provided default items.
The choices that you make on this page affect only the items shown on the **Favorites, Favorites Bar, and Feeds** page.
diff --git a/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md
index e5bf7ebb40..321f45caf5 100644
--- a/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the CabSigning .INS file to customize the digital signature info for your apps
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about how to customize the digital signature info for your apps.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md
index cda9702eb4..b6138064be 100644
--- a/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Use the Compatibility View page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
We’re sorry. We’ve changed the way Compatibility View works in Internet Explorer 11 and have removed all of the functionality included on the **Compatibility View** page of the Internet Explorer Customization Wizard 11. For more info about the changes we’ve made to the Compatibility View functionality, see [Missing the Compatibility View Button](../ie11-deploy-guide/missing-the-compatibility-view-button.md).
Click **Next** to go to the [Programs](programs-ieak11-wizard.md) page or **Back** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page.
diff --git a/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md
index aaec7b0fa2..e9051c955b 100644
--- a/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Connection Manager page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
We're sorry. We've removed all of the functionality included on the Connection Manager page of the Internet Explorer Customization Wizard 11.
Click **Next** to go to the [Connection Settings](connection-settings-ieak11-wizard.md) page or **Back** to go to the [Compatibility View](compat-view-ieak11-wizard.md) page.
diff --git a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
index 66beabdbca..bc00c58bec 100644
--- a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Connection Settings page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Connection Settings** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you import the connection settings from your computer, to preset the connection settings on your employee’s computers.
**Note**
Using the options on the **Additional Settings** page of the wizard, you can let your employees change their connection settings. For more information see the [Additional Settings](additional-settings-ieak11-wizard.md) page. You can also customize additional connection settings using the **Automatic Configuration** page in the wizard. For more information see the [Automatic Configuration](auto-config-ieak11-wizard.md) page.
diff --git a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
index 779e024e57..0e7777a64e 100644
--- a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the ConnectionSettings .INS file to review the network connections for install
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about the network connection settings used to install your custom package. This section creates a common configuration on all of your employee’s computers.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
index 91f26adf5b..0befbc922f 100644
--- a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Create the build computer folder structure using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Create your build environment on the computer that you’ll use to build your custom browser package. Your license agreement determines your folder structure and which version of Internet Explorer Administration Kit 11 (IEAK 11) you’ll use: **Internal** or **External**.
|Name |Version |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
index 3e8043c959..e2a0fb48a9 100644
--- a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Tasks and references to consider before creating and deploying custom packages using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Review this list of tasks and references to help you use the Internet Explorer Administration Kit 11 (IEAK 11) to set up, deploy, and manage Internet Explorer 11 in your company.
|Task |References |
diff --git a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
index 6196fabf79..5d88bfa81a 100644
--- a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Create multiple versions of your custom package using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You'll need to create multiple versions of your custom browser package if:
- You support more than 1 version of the Windows operating system.
diff --git a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
index 3cf498605c..ba3904ae39 100644
--- a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
+++ b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use uninstallation .INF files to uninstall custom components
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The Internet Explorer Administration Kit 11 (IEAK 11) uses Setup information (.inf) files to provide installation instructions for your custom browser packages. You can also use this file to uninstall your custom components by removing the files, registry entries, and shortcuts, and adding your custom component to the list of programs that can be uninstalled from **Uninstall or change a program**.
**To uninstall your custom components**
diff --git a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
index 571b73d327..1a981a5a16 100644
--- a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Custom Components page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Custom Components** page of the Internet Explorer Customization Wizard 11 lets you add up to 10 additional components that your employees can install at the same time they install IE. These components can be created by Microsoft or your organization as either compressed cabinet (.cab) or self-extracting executable (.exe) files. If you’re using Microsoft components, make sure you have the latest version and software patches from the [Microsoft Support](https://go.microsoft.com/fwlink/p/?LinkId=258658) site. To include Microsoft Update components, you must bundle the associated files into a custom component.
**Important**
You should sign any custom code that’s being downloaded over the Internet. The default settings of Internet Explorer 11 will automatically reject any unsigned code. For more info about digitally signing custom components, see [Security features and IEAK 11](security-and-ieak11.md).
diff --git a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
index e7469fa864..7a5556235d 100644
--- a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the CustomBranding .INS file to create custom branding and setup info
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Provide the URL to your branding cabinet (.cab) file.
diff --git a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
index 3c0af97192..9ed59cf64e 100644
--- a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
+++ b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Customize Automatic Search for Internet Explorer using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Internet Explorer lets websites advertise any search provider that uses the open search standard described at the A9 website ( [OpenSearch 1.1 Draft 5](https://go.microsoft.com/fwlink/p/?LinkId=208582)). When IE detects new search providers, the **Search** box becomes active and adds the new providers to the drop-down list of providers.
Using the **Administrative Templates** section of Group Policy, you can prevent the search box from appearing, you can add a list of acceptable search providers, or you can restrict your employee’s ability to add or remove search providers.
diff --git a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
index 06e8d6c3f3..7d0a2f9882 100644
--- a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the ExtRegInf .INS file to specify installation files and mode
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about how to specify your Setup information (.inf) files and the installation mode for your custom components.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
index 47bf04d6e2..030dc054d2 100644
--- a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Favorites, Favorites Bar, and Feeds** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you add:
- **Links.** Used so your employees can quickly connect with your important websites. These links can appear in the **Links** folder or on the **Favorites Bar**.
diff --git a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
index 694b8d994d..ac736e20df 100644
--- a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the FavoritesEx .INS file for your Favorites icon and URLs
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about where you store your **Favorites** icon file, whether your **Favorites** are available offline, and the URLs for each **Favorites** site.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
index b27bc3273a..f72747f486 100644
--- a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
@@ -15,6 +15,9 @@ ms.sitesec: library
# Use the Feature Selection page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Feature Selection** page of the Internet Explorer Customization Wizard 11 lets you choose which parts of the setup processes and Internet Explorer 11 to change for your company, including:
- **Setup Customizations.** Lets you add custom components, decide which components to install, provide your download site information, and modify the Setup title bar and graphics.
diff --git a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
index f3224c2055..0aee908cd4 100644
--- a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the File Locations page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **File Locations** page of the Internet Explorer Customization Wizard 11 lets you change the location of your folders, including:
- Where you’ll create and store your custom installation package.
diff --git a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
index 38703f9131..616e3b9938 100644
--- a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# File types used or created by IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
A list of the file types used or created by tools in IEAK 11:
|File type |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
index 507450938d..9d6fe74f8a 100644
--- a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **First Run Wizard and Welcome Page Options** page of the Internet Explorer Customization Wizard 11 lets you decide what your employee’s see the first time they log on to IE, based on their operating system.
- **Windows 8.1 Update and newer.** No longer includes a **Welcome** page, so if you pick the **Use Internet Explorer 11 Welcome Page** or the **Use a custom Welcome page** option, IEAK creates an initial **Home** page that loads before all other **Home** pages, as the first tab. This only applies to the Internet Explorer for the desktop.
diff --git a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
index 0864538448..e3d95badec 100644
--- a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Customize the Toolbar button and Favorites List icons using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Use these customization guidelines to change the browser toolbar button and the **Favorites List** icons, using your own branding and graphics.
**Important**
Check your license agreement to make sure this customization is available.
diff --git a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
index 0ba0f580a8..2da43b7f38 100644
--- a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Hardware and software requirements for Internet Explorer 11 and the IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Before you can use the Internet Explorer Administration Kit 11 and the Internet Explorer Customization Wizard 11, you must first install Internet Explorer 11. For more info about installing IE11, see the [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md) page.
## Hardware requirements
diff --git a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
index 7d50512355..6c46e306f3 100644
--- a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the HideCustom .INS file to hide the GUID for each custom component
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about whether to hide the globally unique identifier (GUID) for each of your custom components.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
index 51dc959759..c9d24160a9 100644
--- a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
+++ b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Internet Explorer Setup command-line options and return codes
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You can use command-line options along with a tool like IExpress to package your custom version of Internet Explorer and to perform a batch installation across your organization.
## IE Setup command-line options
diff --git a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md
index b8c3d25c24..1d8b34786a 100644
--- a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md
+++ b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md
@@ -18,6 +18,9 @@ ms.date: 05/10/2018
# Internet Explorer Administration Kit (IEAK) information and downloads
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
>Applies to: Windows 10
The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. To find more information on the IEAK, see [What IEAK can do for you](what-ieak-can-do-for-you.md).
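Review bot: In this hunk the `[!INCLUDE ...]` line is added directly under the `# Internet Explorer Administration Kit (IEAK) information and downloads` heading with no blank line before it, and two blank lines follow it. The other IEAK topics in this patch add blank line, include, blank line. Please use that ordering here so the include is separated from the heading and a single blank line precedes `>Applies to: Windows 10`.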
diff --git a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
index f27ec8b5b9..0aa9964807 100644
--- a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
+++ b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Use the Internet Explorer Administration Kit 11 (IEAK 11) and the Internet Explorer Customization Wizard 11 to customize your browser install packages for deployment to your employee's devices.
## IE Customization Wizard 11 options
diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
index cd7c730569..57128dfefe 100644
--- a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
+++ b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# IExpress Wizard command-line options
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows Server 2008 R2 with SP1
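Review bot: The include in iexpress-command-line-options.md is placed immediately after the `# IExpress Wizard command-line options` heading and is followed by two added blank lines before `**Applies to:**`. For consistency with the sibling topics (blank line, `[!INCLUDE ...]`, blank line), move one of the trailing blank lines above the include.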
diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md b/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
index 35dc9f9cc5..fe4bb3a985 100644
--- a/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
+++ b/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# IExpress Wizard for Windows Server 2008 R2 with SP1
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Use the IExpress Wizard and its associated command-line options to create self-extracting files that automatically run your custom Internet Explorer Setup (.inf or .exe file) program that’s contained inside.
## IExpress Wizard location
diff --git a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
index 022767b179..b32b5bacab 100644
--- a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Important URLS – Home Page and Support** page of the Internet Explorer Customization Wizard 11 lets you choose one or more **Home** pages and an online support page for your customized version of IE.
**To use the Important URLS – Home Page and Support page**
diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md
index 29b8c0ceca..946a42e72a 100644
--- a/browsers/internet-explorer/ie11-ieak/index.md
+++ b/browsers/internet-explorer/ie11-ieak/index.md
@@ -14,6 +14,9 @@ manager: dansimp
# Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment.
Use this guide to learn about the several options and processes you'll need to consider while you're using the Internet Explorer Administration Kit 11 (IEAK 11) to customize, deploy, and manage Internet Explorer 11 for your employee's devices.
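Review bot: In index.md the `[!INCLUDE ...]` line follows the `# Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide` heading with no separating blank line and then adds two blank lines before the introduction. Suggest one blank line on each side of the include, matching the pattern used in the other IEAK files in this change.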
diff --git a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
index 15db2bc20f..6936f198d0 100644
--- a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Internal Install page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Internal Install** page of the Internet Explorer Customization Wizard 11 lets you customize Setup for the default browser and the latest browser updates, based on your company’s guidelines.
**Note**
The customizations made on this page only apply to Internet Explorer for the desktop on Windows 7.
diff --git a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md
index b625916fd1..666c5f8b17 100644
--- a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the ISP_Security .INS file to add your root certificate
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about where you store the root certificate you’re adding to your custom package.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
index b2f66781b7..a343a30e51 100644
--- a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Language Selection page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Language Selection** page of the Internet Explorer Customization Wizard 11 lets you choose the language for your Internet Explorer Administration Kit 11 (IEAK 11) custom package. You can create custom Internet Explorer 11 packages in any of the languages your operating system version is available in.
**Important**
Make sure that the language of your IEAK 11 installation matches the language of your custom IE11 package. If the languages don’t match, IEAK 11 won’t work properly.
diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
index ea1f1cb9e1..4c14f5ec98 100644
--- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 10/23/2018
# Determine the licensing version and features to use in IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
In addition to the Software License Terms for the Internet Explorer Administration Kit 11 (IEAK 11, referred to as the "software"), these Guidelines further define how you may and may not use the software to create versions of Internet Explorer 11 with optional customizations (referred to as the "customized browser") for internal use and distribution in accordance with the IEAK 11 Software License Terms. IEAK 11 is for testing purposes only and is not intended to be used in a production environment.
During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment.
diff --git a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md
index a441fe7be2..f628def610 100644
--- a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Media .INS file to specify your install media
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The types of media on which your custom install package is available.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
index ce2517bf60..ae7b3c6150 100644
--- a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Package Type Selection page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Package Type Selection** page of the Internet Explorer Customization Wizard 11 lets you pick which type of media you’ll use to distribute your custom installation package. You can pick more than one type, if you need it.
**Important**
You can't create a full installation package for deployment to Windows 10 computers. That option only works for computers running Windows 7 or Windows 8.1.
diff --git a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
index 342ac46d58..67d9caac65 100644
--- a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
@@ -15,6 +15,9 @@ ms.date: 07/27/2017
# Use the Platform Selection page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Platform Selection** page of the Internet Explorer Customization Wizard 11 lets you pick the operating system and architecture (32-bit or 64-bit) for the devices on which you’re going to install the custom installation package.
**To use the Platform Selection page**
diff --git a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
index 809110fc8b..4720c446af 100644
--- a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Before you install your package over your network using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Employees can install the custom browser package using a network server. However, you must either lower the intranet security level or make the server a trusted site.
**To lower your intranet security**
diff --git a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
index 8b46cc1615..acfbbc74ae 100644
--- a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
@@ -15,6 +15,9 @@ ms.date: 07/27/2017
# Use the Programs page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Programs** page of the Internet Explorer Customization Wizard 11 lets you pick the default programs to use for Internet services, like email, contact lists, and newsgroups, by importing settings from your computer.
**Important**
The customizations you make on this page only apply to Internet Explorer for the desktop.
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
index 06213a78ae..56a0823f9a 100644
--- a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
+++ b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use proxy auto-configuration (.pac) files with IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
These are various ways you can use a proxy auto-configuration (.pac) file to specify an automatic proxy URL. We've included some examples here to help guide you, but you'll need to change the proxy names, port numbers, and IP addresses to match your organization's info.
Included examples:
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md
index 80e2e5d2c0..9def48f2d3 100644
--- a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Proxy .INS file to specify a proxy server
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about whether to use a proxy server. If yes, this also includes the host names for the proxy server.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
index a99dc70ae0..ba113af6cc 100644
--- a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Proxy Settings page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Proxy Settings** page of the Internet Explorer Customization Wizard 11 lets you pick the proxy servers used by your employees to connect for services required by the custom install package.
Using a proxy server lets you limit access to the Internet. You can also use the **Additional Settings** page of the wizard to further restrict your employees from changing the proxy settings.
diff --git a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md
index c6fb131002..f3b4414183 100644
--- a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md
@@ -15,6 +15,9 @@ ms.date: 07/27/2017
# Register an uninstall app for custom components using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Register the uninstall apps for any custom components you’ve included in your Internet Explorer 11 package. Registering these apps lets your employees remove the components later, using **Uninstall or change a program** in the Control Panel.
## Register your uninstallation program
diff --git a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
index 8bf7232c7c..340327e916 100644
--- a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Using the Resultant Set of Policy (RSoP) snap-in to review policy settings
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
After you’ve deployed your custom Internet Explorer package to your employees, you can use the Resultant Set of Policy (RSoP) snap-in to view your created policy settings. The RSoP snap-in is a two-step process. First, you run the RSoP wizard to determine what information should be viewed. Second, you open the specific items in the console window to view the settings. For complete instructions about how to use RSoP, see [Resultant Set of Policy](https://go.microsoft.com/fwlink/p/?LinkId=259479).
**To add the RSoP snap-in**
diff --git a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
index f66425a743..c092a2101b 100644
--- a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Search Providers page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Search Providers** page of the Internet Explorer Customization Wizard 11 lets you add a default search provider (typically, Bing®) and additional providers to your custom version of IE.
**Note**
The Internet Explorer Customization Wizard 11 offers improved and extended search settings. However, you can still optionally include support for Search Suggestions and Favicons, as well as Accelerator previews by using an .ins file from a previous version of IEAK.
diff --git a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md
index 71d99f8b9f..336ad87ef1 100644
--- a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Security features and IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Use Internet Explorer in conjunction with your new and existing security measures, to make sure the computers in your company aren’t compromised while on the Internet.
## Enhanced Protection Mode
diff --git a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
index 16ffc69435..c78a131719 100644
--- a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Security and Privacy Settings page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Security and Privacy Settings** page of the Internet Explorer Customization Wizard 11 lets you manage your security zones, privacy settings, and content ratings. These settings help restrict the types of content your employees can access from the Internet, including any content that might be considered offensive or otherwise inappropriate in a corporate setting.
**To use the Security and Privacy Settings page**
diff --git a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md
index e65b0e2b77..b4fd0c45b2 100644
--- a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Security Imports .INS file to import security info
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about how to import security information from your local device to your custom package.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
index 9ae559b4b4..e4fcd7c739 100644
--- a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Troubleshoot custom package and IEAK 11 problems
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
While the Internet Explorer Customization Wizard has been around for quite a while, there are still some known issues that you might encounter while deploying or managing your custom IE install package.
## I am unable to locate some of the wizard pages
diff --git a/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md
index 965fda174e..06a1d3c029 100644
--- a/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md
@@ -1,40 +1,44 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Use the \[URL\] .INS file setting to decide whether to use an auto-configured proxy server.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 05b09dfa-cf11-408d-92c2-b4ae434a59a7
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Use the URL .INS file to use an auto-configured proxy server (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the URL .INS file to use an auto-configured proxy server
-Info about whether to use an auto-configured proxy server. If yes, this also includes the URLs to the pages that appear when your employees first connect to that server.
-
-|Name |Value |Description |
-|-----|------|------------|
-|AutoConfig |
|Determines whether to automatically configure the customized browser on your employee’s device. |
-|AutoConfigJSURL |`
|Determines whether to show the **Welcome** page the first time the browser’s used on an employee’s device. |
-|Quick_Link_1 |`
|Determines whether to make the Quick Links available for offline browsing. |
-|Search_Page |`
|Determines whether to use a local Internet Settings (.ins) file |
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: Use the \[URL\] .INS file setting to decide whether to use an auto-configured proxy server.
+author: dansimp
+ms.prod: ie11
+ms.assetid: 05b09dfa-cf11-408d-92c2-b4ae434a59a7
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Use the URL .INS file to use an auto-configured proxy server (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Use the URL .INS file to use an auto-configured proxy server
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+Info about whether to use an auto-configured proxy server. If yes, this also includes the URLs to the pages that appear when your employees first connect to that server.
+
+|Name |Value |Description |
+|-----|------|------------|
+|AutoConfig |
|Determines whether to automatically configure the customized browser on your employee’s device. |
+|AutoConfigJSURL |`
|Determines whether to show the **Welcome** page the first time the browser’s used on an employee’s device. |
+|Quick_Link_1 |`
|Determines whether to make the Quick Links available for offline browsing. |
+|Search_Page |`
|Determines whether to use a local Internet Settings (.ins) file |
+
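Review bot: The `@@ -1,40 +1,44 @@` hunk removes and re-adds every line of url-ins-file-setting.md, yet the only difference visible between the old and new text is the blank line and `[!INCLUDE ...]` line added after the `# Use the URL .INS file to use an auto-configured proxy server` heading. If the rest is a line-ending or whitespace normalization, please split it into its own commit (or revert it) so this file shows the same small insertion as the other IEAK topics and the front matter and table rows can be checked for unintended edits.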
diff --git a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md
index ed8f2be8f1..364daedbbc 100644
--- a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md
@@ -1,60 +1,64 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the User Experience page in the IEAK 11 Customization Wizard to decide user interaction with the Setup process.
-author: dansimp
-ms.prod: ie11
-ms.assetid: d3378058-e4f0-4a11-a888-b550af994bfa
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Use the User Experience page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the User Experience page in the IEAK 11 Wizard
-The **User Experience** page of the Internet Explorer Customization Wizard 11 lets you decide how much you want your employees to interact with the custom package’s Setup process.
-
-**Note**
You’ll only see this page if you are running the **Internal** version of the Internet Explorer Customization Wizard 11.
You’ll only see this page if you are running the **Internal** version of the Internet Explorer Customization Wizard 11.
- System/AllowDesktopAnalyticsProcessing
- System/AllowMicrosoftManagedDesktopProcessing
- System/AllowUpdateComplianceProcessing
- System/AllowWUfBCloudProcessing
|
+
### July 2020
|New or updated topic | Description|
|--- | ---|
-|[Policy CSP - System](policy-csp-system.md)|Added the following new policy settings:
- System/AllowDesktopAnalyticsProcessing
- System/AllowMicrosoftManagedDesktopProcessing
- System/AllowUpdateComplianceProcessing
- System/AllowWUfBCloudProcessing
Updated the following policy setting:
- System/AllowCommercialDataPipeline
|
+|[Policy CSP - System](policy-csp-system.md)|Added the following new policy settings:
- System/AllowDesktopAnalyticsProcessing
- System/AllowMicrosoftManagedDesktopProcessing
- System/AllowUpdateComplianceProcessing
- System/AllowWUfBCloudProcessing
Updated the following policy setting:
- System/AllowCommercialDataPipeline
|
### June 2020
|New or updated topic | Description|
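Review bot: Under `### July 2020`, the removed `[Policy CSP - System](policy-csp-system.md)` row and the added one read the same in this hunk: the same four new `System/Allow...Processing` settings and the same updated `System/AllowCommercialDataPipeline`. The change therefore appears to be whitespace only. Please confirm that is intended, or drop the row from the patch so the change-history diff is limited to real content changes.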
diff --git a/windows/client-management/mdm/nodecache-ddf-file.md b/windows/client-management/mdm/nodecache-ddf-file.md
index 7d58ebbea3..06a74f2979 100644
--- a/windows/client-management/mdm/nodecache-ddf-file.md
+++ b/windows/client-management/mdm/nodecache-ddf-file.md
@@ -1,6 +1,6 @@
---
title: NodeCache DDF file
-description: NodeCache DDF file
+description: Learn about the OMA DM device description framework (DDF) for the NodeCache configuration service provider (CSP).
ms.assetid: d7605098-12aa-4423-89ae-59624fa31236
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md
index eef4903c8c..5a9ac5cc69 100644
--- a/windows/client-management/mdm/personalization-ddf.md
+++ b/windows/client-management/mdm/personalization-ddf.md
@@ -1,6 +1,6 @@
---
title: Personalization DDF file
-description: Learn how to set the OMA DM device description framework (DDF) for the **Personalization** configuration service provider.
+description: Learn how to set the OMA DM device description framework (DDF) for the Personalization configuration service provider (CSP).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 5e23762281..7986a6fae0 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -1,6 +1,6 @@
---
title: Policy CSP
-description: Policy CSP
+description: Learn how the Policy configuration service provider (CSP) enables the enterprise to configure policies on Windows 10.
ms.assetid: 4F3A1134-D401-44FC-A583-6EDD3070BA4F
ms.reviewer:
manager: dansimp
@@ -168,6 +168,165 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_AddRemovePrograms policies
+
+
+
+### ADMX_AppCompat policies
+
+
+
+
+### ADMX_AuditSettings policies
+
+
+
+### ADMX_DnsClient policies
+
+
+
+
+### ADMX_EventForwarding policies
+
+
+
### ApplicationDefaults policies
@@ -3379,9 +3538,6 @@ The following diagram shows the Policy configuration service provider in tree fo
+
+
+## Policy CSP - ADMX_AddRemovePrograms
+
+
+
+
+
+
+
+
+**ADMX_AddRemovePrograms/DefaultCategory**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories.
+
+To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use Software Installation.
+
+If you disable this setting or do not configure it, all programs (Category: All) are displayed when the "Add New Programs" page opens. You can use this setting to direct users to the programs they are most likely to need.
+
+> [!NOTE]
+> This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs page" setting is enabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify default category for Add New Programs*
+- GP name: *DefaultCategory*
+- GP path: *Control Panel/Add or Remove Programs*
+- GP ADMX file name: *addremoveprograms.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**ADMX_AddRemovePrograms/NoAddFromCDorFloppy**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media.
+
+If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. This setting does not prevent users from using other tools and methods to add or remove program components.
+
+> [!NOTE]
+> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide the "Add a program from CD-ROM or floppy disk" option*
+- GP name: *NoAddFromCDorFloppy*
+- GP path: *Control Panel/Add or Remove Programs*
+- GP ADMX file name: *addremoveprograms.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**ADMX_AddRemovePrograms/NoAddFromInternet**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update.
+
+If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users. This setting does not prevent users from using other tools and methods to connect to Windows Update.
+
+> [!NOTE]
+> If the "Hide Add New Programs page" setting is enabled, this setting is ignored.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide the "Add programs from Microsoft" option*
+- GP name: *NoAddFromInternet*
+- GP path: *Control Panel/Add or Remove Programs*
+- GP ADMX file name: *addremoveprograms.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**ADMX_AddRemovePrograms/NoAddFromNetwork**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files.
+
+If you enable this setting, users cannot tell which programs have been published by the system administrator, and they cannot use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu.
+
+If you disable this setting or do not configure it, "Add programs from your network" is available to all users.
+
+> [!NOTE]
+> If the "Hide Add New Programs page" setting is enabled, this setting is ignored.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide the "Add programs from your network" option*
+- GP name: *NoAddFromNetwork*
+- GP path: *Control Panel/Add or Remove Programs*
+- GP ADMX file name: *addremoveprograms.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**ADMX_AddRemovePrograms/NoAddPage**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator.
+
+If you disable this setting or do not configure it, the Add New Programs button is available to all users. This setting does not prevent users from using other tools and methods to install programs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide Add New Programs page*
+- GP name: *NoAddPage*
+- GP path: *Control Panel/Add or Remove Programs*
+- GP ADMX file name: *addremoveprograms.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**ADMX_AddRemovePrograms/NoAddRemovePrograms**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs.
+
+If you disable this setting or do not configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. This setting does not prevent users from using other tools and methods to install or uninstall programs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Add or Remove Programs*
+- GP name: *NoAddRemovePrograms*
+- GP path: *Control Panel/Add or Remove Programs*
+- GP ADMX file name: *addremoveprograms.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**ADMX_AddRemovePrograms/NoChooseProgramsPage**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations.
+
+If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users. This setting does not prevent users from using other tools and methods to change program access or defaults. This setting does not prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide the Set Program Access and Defaults page*
+- GP name: *NoChooseProgramsPage*
+- GP path: *Control Panel/Add or Remove Programs*
+- GP ADMX file name: *addremoveprograms.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**ADMX_AddRemovePrograms/NoRemovePage**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs.
+
+If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users. This setting does not prevent users from using other tools and methods to delete or uninstall programs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide Change or Remove Programs page*
+- GP name: *NoRemovePage*
+- GP path: *Control Panel/Add or Remove Programs*
+- GP ADMX file name: *addremoveprograms.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**ADMX_AddRemovePrograms/NoServices**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools.
+
+If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. This setting does not prevent users from using other methods to configure services.
+
+> [!NOTE]
+> When "Set up services" does not appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed. To remove "Set up services" and prevent the Windows Component Wizard from starting, enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Go directly to Components Wizard*
+- GP name: *NoServices*
+- GP path: *Control Panel/Add or Remove Programs*
+- GP ADMX file name: *addremoveprograms.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**ADMX_AddRemovePrograms/NoSupportInfo**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page.
+
+If you disable this setting or do not configure it, the Support Info hyperlink appears.
+
+> [!NOTE]
+> Not all programs provide a support information hyperlink.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Support Information*
+- GP name: *NoSupportInfo*
+- GP path: *Control Panel/Add or Remove Programs*
+- GP ADMX file name: *addremoveprograms.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**ADMX_AddRemovePrograms/NoWindowsSetupPage**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files.
+
+If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users. This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide Add/Remove Windows Components page*
+- GP name: *NoWindowsSetupPage*
+- GP path: *Control Panel/Add or Remove Programs*
+- GP ADMX file name: *addremoveprograms.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
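Review bot: the ADMX_AddRemovePrograms/NoAddRemovePrograms description says Add or Remove Programs manages "features and components of Windows 2000 Professional", which is stale legacy Group Policy text in a section that opens with "Available in Windows 10 Insider Preview Build 20185"; reword it to refer to Windows generically. The NoAddPage and NoRemovePage descriptions say users cannot view or change the "attached page", while NoChooseProgramsPage and NoWindowsSetupPage say "associated page"; pick one term for all four. The closing Footnotes list covers versions 1607 through 2004 only, yet every policy in the visible part of this hunk is stated as available in Insider Preview Build 20185, so either add a footnote for that build or drop the entries that nothing here references.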
diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md
new file mode 100644
index 0000000000..527d07b981
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md
@@ -0,0 +1,744 @@
+---
+title: Policy CSP - ADMX_AppCompat
+description: Policy CSP - ADMX_AppCompat
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 08/20/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_AppCompat
+
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## Policy CSP - ADMX_AppCompat
+
+
+
+
+
+
+
+
+**ADMX_AppCompat/AppCompatPrevent16BitMach**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system.
+
+You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, **ntvdm.exe** must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased.
+
+If the status is set to Enabled, the MS-DOS subsystem is prevented from running, which then prevents any 16-bit applications from running. In addition, any 32-bit applications with 16-bit installers or other 16-bit components cannot run.
+
+If the status is set to Disabled, the MS-DOS subsystem runs for all users on this computer.
+
+If the status is set to Not Configured, the OS falls back on a local policy set by the registry DWORD value **HKLM\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault**. If that value is non-0, this prevents all 16-bit applications from running. If that value is 0, 16-bit applications are allowed to run. If that value is also not present, on Windows 10 and above, the OS will launch the 16-bit application support control panel to allow an elevated administrator to make the decision; on Windows 7 and down-level, the OS will allow 16-bit applications to run.
+
+> [!NOTE]
+> This setting appears only in Computer Configuration.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent access to 16-bit applications*
+- GP name: *AppCompatPrevent16BitMach*
+- GP path: *Windows Components/Application Compatibility*
+- GP ADMX file name: *AppCompat.admx*
+
+
+
+
+
+
+
+**ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file.
+
+The compatibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting legacy applications.
+
+Enabling this policy setting removes the property page from the context-menus, but does not affect previous compatibility settings applied to application using this interface.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Program Compatibility Property Page*
+- GP name: *AppCompatRemoveProgramCompatPropPage*
+- GP path: *Windows Components/Application Compatibility*
+- GP ADMX file name: *AppCompat.admx*
+
+
+
+
+
+
+
+**ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. The policy setting controls the state of the Application Telemetry engine in the system.
+
+Application Telemetry is a mechanism that tracks anonymous usage of specific Windows system components by applications.
+
+Turning Application Telemetry off by selecting "enable" will stop the collection of usage data.
+
+If the customer Experience Improvement program is turned off, Application Telemetry will be turned off regardless of how this policy is set.
+
+Disabling telemetry will take effect on any newly launched applications. To ensure that telemetry collection has stopped for all applications, please reboot your machine.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Application Telemetry*
+- GP name: *AppCompatTurnOffApplicationImpactTelemetry*
+- GP path: *Windows Components/Application Compatibility*
+- GP ADMX file name: *AppCompat.admx*
+
+
+
+
+
+
+
+**ADMX_AppCompat/AppCompatTurnOffSwitchBack**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. The policy setting controls the state of the Switchback compatibility engine in the system.
+
+Switchback is a mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new behavior to new applications.
+
+Switchback is on by default.
+
+If you enable this policy setting, Switchback will be turned off. Turning Switchback off may degrade the compatibility of older applications. This option is useful for server administrators who require performance and are aware of compatibility of the applications they are using.
+
+If you disable or do not configure this policy setting, the Switchback will be turned on.
+
+Reboot the system after changing the setting to ensure that your system accurately reflects those changes.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off SwitchBack Compatibility Engine*
+- GP name: *AppCompatTurnOffSwitchBack*
+- GP path: *Windows Components/Application Compatibility*
+- GP ADMX file name: *AppCompat.admx*
+
+
+
+
+
+
+
+**ADMX_AppCompat/AppCompatTurnOffEngine**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the application compatibility engine in the system.
+
+The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a know problem.
+
+Turning off the application compatibility engine will boost system performance. However, this will degrade the compatibility of many popular legacy applications, and will not block known incompatible applications from installing. For example, this may result in a blue screen if an old anti-virus application is installed.
+
+The Windows Resource Protection and User Account Control features of Windows use the application compatibility engine to provide mitigations for application problems. If the engine is turned off, these mitigations will not be applied to applications and their installers and these applications may fail to install or run properly.
+
+This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they are using. It is particularly useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential.
+
+> [!NOTE]
+> Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, reboot to ensure that your system accurately reflects those changes.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Application Compatibility Engine*
+- GP name: *AppCompatTurnOffEngine*
+- GP path: *Windows Components/Application Compatibility*
+- GP ADMX file name: *AppCompat.admx*
+
+
+
+
+
+
+
+**ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Program Compatibility Assistant*
+- GP name: *AppCompatTurnOffProgramCompatibilityAssistant_1*
+- GP path: *Windows Components/Application Compatibility*
+- GP ADMX file name: *AppCompat.admx*
+
+
+
+
+
+
+
+**ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics.
+
+If you enable this policy setting, the PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues.
+
+If you disable or do not configure this policy setting, the PCA will be turned on. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics.
+
+> [!NOTE]
+> The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Program Compatibility Assistant*
+- GP name: *AppCompatTurnOffProgramCompatibilityAssistant_2*
+- GP path: *Windows Components/Application Compatibility*
+- GP ADMX file name: *AppCompat.admx*
+
+
+
+
+
+
+
+**ADMX_AppCompat/AppCompatTurnOffUserActionRecord**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of Steps Recorder.
+
+Steps Recorder keeps a record of steps taken by the user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers understand and fix problems. The data includes user actions such as keyboard input and mouse input, user interface data, and screenshots. Steps Recorder includes an option to turn on and off data collection.
+
+If you enable this policy setting, Steps Recorder will be disabled.
+
+If you disable or do not configure this policy setting, Steps Recorder will be enabled.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Steps Recorder*
+- GP name: *AppCompatTurnOffUserActionRecord*
+- GP path: *Windows Components/Application Compatibility*
+- GP ADMX file name: *AppCompat.admx*
+
+
+
+
+
+
+
+**ADMX_AppCompat/AppCompatTurnOffProgramInventory**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the Inventory Collector.
+
+The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility problems.
+
+If you enable this policy setting, the Inventory Collector will be turned off and data will not be sent to Microsoft. Collection of installation data through the Program Compatibility Assistant is also disabled.
+
+If you disable or do not configure this policy setting, the Inventory Collector will be turned on.
+
+> [!NOTE]
+> This policy setting has no effect if the Customer Experience Improvement Program is turned off. The Inventory Collector will be off.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Inventory Collector*
+- GP name: *AppCompatTurnOffProgramInventory*
+- GP path: *Windows Components/Application Compatibility*
+- GP ADMX file name: *AppCompat.admx*
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
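Review bot: The description of ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1 says the setting "exists only for backward compatibility, and is not valid for this version of Windows", yet the same entry lists it as available in Insider Preview Build 20185 with User scope and carries the usual SyncML tip, so an MDM admin cannot tell whether setting it does anything. If configuring it has no effect, say so explicitly, and point to ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2 by CSP name rather than only by the Group Policy console path. In the _2 entry the sentence "To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics." appears in both the first and third paragraphs; keep one. The repeated TIP recommends "a variety of online encoders" for the SyncML payload and links the CDATA reference over http://; consider recommending CDATA or a local encoder first, so policy payloads are not pasted into third-party sites, and switch the link to https.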
diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md
new file mode 100644
index 0000000000..2f91449316
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md
@@ -0,0 +1,119 @@
+---
+title: Policy CSP - ADMX_AuditSettings
+description: Policy CSP - ADMX_AuditSettings
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 08/13/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_AuditSettings
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_AuditSettings policies
+
+
+
+
+
+
+
+**ADMX_AuditSettings/IncludeCmdLine**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled.
+
+If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied.
+
+If you disable or do not configure this policy setting, the process's command line information will not be included in Audit Process Creation events.
+
+Default is Not configured.
+
+> [!NOTE]
+> When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information, such as passwords or user data.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Include command line in process creation events*
+- GP name: *IncludeCmdLine*
+- GP path: *System/Audit Process Creation*
+- GP ADMX file name: *AuditSettings.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
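Review bot: In ADMX_AuditSettings/IncludeCmdLine the only warning that event 4688 will record command lines "in plain text", possibly including "passwords or user data", is a trailing [!NOTE] placed after "Default is Not configured."; since this is the security-relevant consequence of enabling the policy, consider promoting it to [!IMPORTANT] (already used elsewhere in this patch) and moving it directly after the "If you enable this policy setting" paragraph. The front matter sets description to the same string as title ("Policy CSP - ADMX_AuditSettings"), which gives search results nothing useful; a one-line summary of the policy area would be better. The heading "# Policy CSP - ADMX_AuditSettings" is followed by "> [!WARNING]" with no blank line, unlike the ADMX_DnsClient file in the same patch. The footnote list ends at version 2004 while the policy text says it is available in Insider Preview Build 20185, so none of footnotes 1 to 8 is referenced by the visible text; either drop the list or add an entry that covers this build.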
diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md
new file mode 100644
index 0000000000..e3fef30269
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md
@@ -0,0 +1,1725 @@
+---
+title: Policy CSP - ADMX_DnsClient
+description: Policy CSP - ADMX_DnsClient
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 08/12/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_DnsClient
+
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_DnsClient policies
+
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries**
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names.
+
+If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names, such as "www.example.com" in addition to single-label names.
+
+If you disable this policy setting, or if you do not configure this policy setting, NetBT queries will only be issued for single-label names, such as "example" and not for multi-label and fully qualified domain names.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow NetBT queries for fully qualified domain names*
+- GP name: *DNS_AllowFQDNNetBiosQueries*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_AppendToMultiLabelName**
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails.
+
+A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot.
+
+For example, if attaching suffixes is allowed, an unqualified multi-label name query for "server.corp" will be queried by the DNS client first. If the query succeeds, the response is returned to the client. If the query fails, the unqualified multi-label name is appended with DNS suffixes. These suffixes can be derived from a combination of the local DNS client's primary domain suffix, a connection-specific domain suffix, and a DNS suffix search list.
+
+If attaching suffixes is allowed, and a DNS client with a primary domain suffix of "contoso.com" performs a query for "server.corp" the DNS client will send a query for "server.corp" first, and then a query for "server.corp.contoso.com." second if the first query fails.
+
+If you enable this policy setting, suffixes are allowed to be appended to an unqualified multi-label name if the original name query fails.
+
+If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails.
+
+If you do not configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow DNS suffix appending to unqualified multi-label name queries*
+- GP name: *DNS_AppendToMultiLabelName*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_Domain**
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix.
+
+If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Connection-specific DNS suffix*
+- GP name: *DNS_Domain*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_DomainNameDevolutionLevel**
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process.
+
+With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name.
+
+The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box.
+
+Devolution is not enabled if a global suffix search list is configured using Group Policy.
+
+If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries:
+
+- The primary DNS suffix, as specified on the Computer Name tab of the System control panel.
+- Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection.
+
+For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
+
+If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
+
+For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two.
+
+If you enable this policy setting and DNS devolution is also enabled, DNS clients use the DNS devolution level that you specify.
+
+If you disable this policy setting or do not configure it, DNS clients use the default devolution level of two provided that DNS devolution is enabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Primary DNS suffix devolution level*
+- GP name: *DNS_DomainNameDevolutionLevel*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_IdnEncoding**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured.
+
+If this policy setting is enabled, IDNs are not converted to Punycode.
+
+If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off IDN encoding*
+- GP name: *DNS_IdnEncoding*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_IdnMapping**
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string.
+
+If this policy setting is enabled, IDNs are converted to the Nameprep form.
+
+If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *IDN mapping*
+- GP name: *DNS_IdnMapping*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_NameServer**
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP.
+
+To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address.
+
+If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *DNS servers*
+- GP name: *DNS_NameServer*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns**
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT).
+
+If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order.
+
+If you disable this policy setting, or if you do not configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order.
+
+> [!NOTE]
+> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prefer link local responses over DNS when received over a network with higher precedence*
+- GP name: *DNS_PreferLocalResponsesOverLowerOrderDns*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_PrimaryDnsSuffix**
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution.
+
+To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com.
+
+> [!IMPORTANT]
+> In order for changes to this policy setting to be applied on computers that receive it, you must restart Windows.
+
+If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel.
+
+You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix.
+
+If you disable this policy setting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Primary DNS suffix*
+- GP name: *DNS_PrimaryDnsSuffix*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_RegisterAdapterName**
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.
+
+By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com.
+
+If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by computers that receive this policy setting.
+
+For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer.VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.
+
+Important: This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled.
+
+If you disable this policy setting, or if you do not configure this policy setting, a DNS client computer will not register any A and PTR resource records using a connection-specific DNS suffix.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Register DNS records with connection-specific DNS suffix*
+- GP name: *DNS_RegisterAdapterName*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_RegisterReverseLookup**
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if DNS client computers will register PTR resource records.
+
+By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record.
+
+If you enable this policy setting, registration of PTR records will be determined by the option that you choose under Register PTR records.
+
+To use this policy setting, click Enabled, and then select one of the following options from the drop-down list:
+
+- Do not register: Computers will not attempt to register PTR resource records
+- Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records was not successful.
+- Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Register PTR records*
+- GP name: *DNS_RegisterReverseLookup*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_RegistrationEnabled**
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server.
+
+If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled.
+
+If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Dynamic update*
+- GP name: *DNS_RegistrationEnabled*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_RegistrationOverwritesInConflict**
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses.
+
+This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers.
+
+During dynamic update of resource records in a zone that does not use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address.
+
+If you enable this policy setting or if you do not configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update.
+
+If you disable this policy setting, existing A resource records that contain conflicting IP addresses will not be replaced during a dynamic update, and an error will be recorded in Event Viewer.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Replace addresses in conflicts*
+- GP name: *DNS_RegistrationOverwritesInConflict*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_RegistrationRefreshInterval**
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates.
+
+Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records.
+
+> [!WARNING]
+> If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records.
+
+To specify the registration refresh interval, click Enabled and then enter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration refresh interval. For example, 1800 seconds is 30 minutes.
+
+If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Registration refresh interval*
+- GP name: *DNS_RegistrationRefreshInterval*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_RegistrationTtl**
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied.
+
+To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes).
+
+If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes).
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *TTL value for A and PTR records*
+- GP name: *DNS_RegistrationTtl*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_SearchList**
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name.
+
+An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com."
+
+Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com."
+
+To use this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes.
+
+If you enable this policy setting, one DNS suffix is attached at a time for each query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried.
+
+If you disable this policy setting, or if you do not configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *DNS suffix search list*
+- GP name: *DNS_SearchList*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_SmartMultiHomedNameResolution**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept.
+
+If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail.
+
+If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off smart multi-homed name resolution*
+- GP name: *DNS_SmartMultiHomedNameResolution*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_SmartProtocolReorder**
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT).
+
+If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks.
+
+If you disable this policy setting, or if you do not configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks.
+
+> [!NOTE]
+> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off smart protocol reordering*
+- GP name: *DNS_SmartProtocolReorder*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_UpdateSecurityLevel**
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the security level for dynamic DNS updates.
+
+To use this policy setting, click Enabled and then select one of the following values:
+
+- Unsecure followed by secure - computers send secure dynamic updates only when nonsecure dynamic updates are refused.
+- Only unsecure - computers send only nonsecure dynamic updates.
+- Only secure - computers send only secure dynamic updates.
+
+If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Update security level*
+- GP name: *DNS_UpdateSecurityLevel*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_UpdateTopLevelDomainZones**
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com."
+
+By default, a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone.
+
+If you enable this policy setting, computers send dynamic updates to any zone that is authoritative for the resource records that the computer needs to update, except the root zone.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Update top level domain zones*
+- GP name: *DNS_UpdateTopLevelDomainZones*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_UseDomainNameDevolution**
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process.
+
+With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name.
+
+The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box.
+
+Devolution is not enabled if a global suffix search list is configured using Group Policy.
+
+If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries:
+
+The primary DNS suffix, as specified on the Computer Name tab of the System control panel.
+
+Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection.
+
+For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
+
+If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
+
+For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two.
+
+If you enable this policy setting, or if you do not configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix.
+
+If you disable this policy setting, DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Primary DNS suffix devolution*
+- GP name: *DNS_UseDomainNameDevolution*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/Turn_Off_Multicast**
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers.
+
+LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible.
+
+If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer.
+
+If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off multicast name resolution*
+- GP name: *Turn_Off_Multicast*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
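Review bot: in the ADMX_DnsClient/Turn_Off_Multicast description, the opening sentence says the setting "specifies that link local multicast name resolution (LLMNR) is disabled on client computers", which reads as unconditional even though the following paragraphs show it is a toggle and that LLMNR stays enabled when the policy is disabled or not configured. Suggest "specifies whether LLMNR is disabled" and stating the not-configured result in that first sentence, because the policy name inverts the enable/disable polarity and is easy to misapply. Separately, the Footnotes list ends at version 2004 while both descriptions in this hunk cite Insider Preview Build 20185, so none of the listed footnotes matches the stated availability.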
diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md
new file mode 100644
index 0000000000..b964fbde10
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md
@@ -0,0 +1,200 @@
+---
+title: Policy CSP - ADMX_EventForwarding
+description: Policy CSP - ADMX_EventForwarding
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 08/17/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_EventForwarding
+
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_EventForwarding policies
+
+
+
+
+
+
+
+**ADMX_EventForwarding/ForwarderResourceUsage**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector.
+
+If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This may be required in high volume environments.
+
+If you disable or do not configure this policy setting, forwarder resource usage is not specified.
+
+This setting applies across all subscriptions for the forwarder (source computer).
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure forwarder resource usage*
+- GP name: *MaxForwardingRate*
+- GP path: *Windows Components/Event Forwarding*
+- GP ADMX file name: *EventForwarding.admx*
+
+
+
+
+
+
+
+
+**ADMX_EventForwarding/SubscriptionManager**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+
+
+Business
+
+
+
+Enterprise
+
+
+
+Education
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager.
+
+If you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics.
+
+Use the following syntax when using the HTTPS protocol:
+
+``` syntax
+
+Server=https://
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
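Review bot: in the ADMX_EventForwarding/SubscriptionManager section, the code fence opened with the "syntax" tag is never closed and the HTTPS example stops at "Server=https://", so the Footnotes list falls inside the code block and the refresh interval and issuer CA fields promised by the paragraph above are never shown. The hunk header declares 200 added lines, more than are present, and this policy has no ADMX Info block or TIP like ForwarderResourceUsage does, which suggests the remainder of the section was lost; restore the full syntax line, close the fence, and add the missing blocks before Footnotes. In the front matter, the description repeats the title verbatim, which is the pattern the rest of this commit replaces in the other policy-csp files.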
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index ccc641c6a3..eb4a7086d1 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - ApplicationDefaults
-description: Policy CSP - ApplicationDefaults
+description: Learn about various Policy configuration service provider (CSP) - ApplicationDefaults, including SyncML, for Windows 10.
ms.author: dansimp
ms.topic: article
ms.prod: w10
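Review bot: the new description line reads "Learn about various Policy configuration service provider (CSP) - ApplicationDefaults, including SyncML", where "various" has no plural noun to attach to. Suggest naming what is plural, for example "Learn about the Policy configuration service provider (CSP) - ApplicationDefaults policies, including SyncML, for Windows 10." The same wording is used for policy-csp-applicationmanagement.md and needs the same fix.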
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index 6b55aa34e3..1f128f9b64 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - ApplicationManagement
-description: Policy CSP - ApplicationManagement
+description: Learn about various Policy configuration service provider (CSP) - ApplicationManagement, including SyncML, for Windows 10.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md
index 6e15e10e88..2a224f8bfe 100644
--- a/windows/client-management/mdm/policy-csp-appruntime.md
+++ b/windows/client-management/mdm/policy-csp-appruntime.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - AppRuntime
-description: Control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in.Policy CSP - AppRuntime.
+description: Learn how the Policy CSP - AppRuntime setting controls whether Microsoft accounts are optional for Windows Store apps that require an account to sign in.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md
index 29788ea127..63cdb4036d 100644
--- a/windows/client-management/mdm/policy-csp-appvirtualization.md
+++ b/windows/client-management/mdm/policy-csp-appvirtualization.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - AppVirtualization
-description: Policy CSP - AppVirtualization
+description: Learn how the Policy CSP - AppVirtualization setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md
index cb2130e778..e808f11e13 100644
--- a/windows/client-management/mdm/policy-csp-attachmentmanager.md
+++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - AttachmentManager
-description: Manage Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local).
+description: Manage Windows marks file attachments with information about their zone of origin, such as restricted, internet, intranet, local.
ms.author: dansimp
ms.topic: article
ms.prod: w10
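Review bot: the rewritten description still opens with "Manage Windows marks file attachments", which is ungrammatical in both the removed and the added line; the change only swaps the parentheses for "such as" and lowercases "internet". Suggest "Manage how Windows marks file attachments with information about their zone of origin, such as restricted, internet, intranet, local."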
diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md
index ffd4519182..7d0997f275 100644
--- a/windows/client-management/mdm/policy-csp-audit.md
+++ b/windows/client-management/mdm/policy-csp-audit.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Audit
-description: Policy CSP - Audit
+description: Learn how the Policy CSP - Audit setting causes an audit event to be generated when an account can't log on to a computer because the account is locked out.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index 96f9787790..51f56ffbbb 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Authentication
-description: Policy CSP - Authentication
+description: The Policy CSP - Authentication setting allows the Azure AD tenant administrators to enable self service password reset feature on the Windows sign in screen.
ms.author: dansimp
ms.topic: article
ms.prod: w10
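Review bot: the added description has a missing article and missing hyphens in "to enable self service password reset feature on the Windows sign in screen". Suggest "to enable the self-service password reset feature on the Windows sign-in screen", and consider dropping "the" before "Azure AD tenant administrators".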
diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md
index 36a05de8df..15b769497e 100644
--- a/windows/client-management/mdm/policy-csp-autoplay.md
+++ b/windows/client-management/mdm/policy-csp-autoplay.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Autoplay
-description: Policy CSP - Autoplay
+description: Learn how the Policy CSP - Autoplay setting disallows AutoPlay for MTP devices like cameras or phones.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index 28123a7dc0..6426fba5e8 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Bluetooth
-description: Policy CSP - Bluetooth
+description: Learn how the Policy CSP - Bluetooth setting specifies whether the device can send out Bluetooth advertisements.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index 206e99f3db..d2c9190e0b 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Browser
-description: Learn how to set the Policy CSP - Browser settings for Microsoft Edge, version 45 and earlier.
+description: Learn how to use the Policy CSP - Browser settings so you can configure Microsoft Edge browser, version 45 and earlier.
ms.topic: article
ms.prod: w10
ms.technology: windows
diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md
index 0def6900f0..93e5c5d6cf 100644
--- a/windows/client-management/mdm/policy-csp-camera.md
+++ b/windows/client-management/mdm/policy-csp-camera.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Camera
-description: Policy CSP - Camera
+description: Learn how to use the Policy CSP - Camera setting so that you can configure it to disable or enable the camera.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md
index 3d156b1c89..ccd0ab26c1 100644
--- a/windows/client-management/mdm/policy-csp-cellular.md
+++ b/windows/client-management/mdm/policy-csp-cellular.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Cellular
-description: Policy CSP - Cellular
+description: Learn how to use the Policy CSP - Cellular setting so you can specify whether Windows apps can access cellular data.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index ee83ad3d00..503ee130bc 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Connectivity
-description: Policy CSP - Connectivity
+description: Learn how to use the Policy CSP - Connectivity setting to allow the user to enable Bluetooth or restrict access.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index a822c7a831..9a867b0778 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - ControlPolicyConflict
-description: Policy CSP - ControlPolicyConflict
+description: Use the Policy CSP - ControlPolicyConflict setting to control which policy is used whenever both the MDM policy and its equivalent Group Policy are set on the device.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md
index 425fcf361a..89e4817ce7 100644
--- a/windows/client-management/mdm/policy-csp-credentialproviders.md
+++ b/windows/client-management/mdm/policy-csp-credentialproviders.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - CredentialProviders
-description: Learn the policy CSP for credential provider set up, sign in, PIN requests and so on.
+description: Learn how to use the policy CSP for credential provider so you can control whether a domain user can sign in using a convenience PIN.
ms.author: dansimp
ms.topic: article
ms.prod: w10
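Review bot: the new description narrows the page summary to a single behavior, whether a domain user can sign in using a convenience PIN, while the removed line covered set up, sign in and PIN requests. If the page still documents those other settings, the search description should say so, for example by ending with "and other credential provider settings", so that readers looking for them are not steered away.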
diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
index c8416c3bb9..71447f45ab 100644
--- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md
+++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - CredentialsDelegation
-description: Policy CSP - CredentialsDelegation
+description: Learn how to use the Policy CSP - CredentialsDelegation setting so that remote host can allow delegation of non-exportable credentials.
ms.author: dansimp
ms.topic: article
ms.prod: w10
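Review bot: the added description is missing an article in "so that remote host can allow delegation of non-exportable credentials". Suggest "so that a remote host can allow delegation of non-exportable credentials".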
diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md
index 349800035d..5ccf34a12e 100644
--- a/windows/client-management/mdm/policy-csp-credentialsui.md
+++ b/windows/client-management/mdm/policy-csp-credentialsui.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - CredentialsUI
-description: Policy CSP - CredentialsUI
+description: Learn how to use the Policy CSP - CredentialsUI setting to configure the display of the password reveal button in password entry user experiences.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
index 55ceb74581..b141d4387b 100644
--- a/windows/client-management/mdm/policy-csp-cryptography.md
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Cryptography
-description: Policy CSP - Cryptography
+description: Learn how to use the Policy CSP - Cryptography setting to allow or disallow the Federal Information Processing Standard (FIPS) policy.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md
index 4c71a876a5..9da8c6ce2c 100644
--- a/windows/client-management/mdm/policy-csp-dataprotection.md
+++ b/windows/client-management/mdm/policy-csp-dataprotection.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - DataProtection
-description: Policy CSP - DataProtection
+description: Use the Policy CSP - DataProtection setting to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md
index 28f919ead9..cb540b3415 100644
--- a/windows/client-management/mdm/policy-csp-datausage.md
+++ b/windows/client-management/mdm/policy-csp-datausage.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - DataUsage
-description: Policy CSP - DataUsage
+description: Learn how to use the Policy CSP - DataUsage setting to configure the cost of 4G connections on the local machine.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index c2fb83fe51..79fe896cdf 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Defender
-description: Policy CSP - Defender
+description: Learn how to use the Policy CSP - Defender setting so you can allow or disallow scanning of archives.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index bdf3985bb6..4061074c76 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - DeliveryOptimization
-description: Policy CSP - DeliveryOptimization
+description: Learn how to use the Policy CSP - DeliveryOptimization setting to configure one or more Microsoft Connected Cache servers to be used by Delivery Optimization.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md
index 0ade992a1d..dfbed26745 100644
--- a/windows/client-management/mdm/policy-csp-desktop.md
+++ b/windows/client-management/mdm/policy-csp-desktop.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Desktop
-description: Policy CSP - Desktop
+description: Learn how to use the Policy CSP - Desktop setting to prevent users from changing the path to their profile folders.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index 163655f59f..2eae3ea3be 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - DeviceGuard
-description: Policy CSP - DeviceGuard
+description: Learn how to use the Policy CSP - DeviceGuard setting to allow the IT admin to configure the launch of System Guard.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@@ -90,7 +90,7 @@ Secure Launch configuration:
- 1 - Enables Secure Launch if supported by hardware
- 2 - Disables Secure Launch.
-For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [How hardware-based containers help protect Windows 10](https://docs.microsoft.com/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows).
+For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [How a hardware-based root of trust helps protect Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows).
diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
index 8277ae0425..60d4832fae 100644
--- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
+++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - DeviceHealthMonitoring
-description: Learn which DeviceHealthMonitoring policies are supported for your edition of Windows.
+description: Learn how the Policy CSP - DeviceHealthMonitoring setting is used as an opt-in health monitoring connection between the device and Microsoft.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 5d67b14d8d..24c7b04cbf 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -2,7 +2,7 @@
title: Policy CSP - DeviceInstallation
ms.reviewer:
manager: dansimp
-description: Policy CSP - DeviceInstallation
+description: Use the Policy CSP - DeviceInstallation setting to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install.
ms.author: dansimp
ms.date: 09/27/2019
ms.topic: article
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index f95a796932..f68a71f820 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - DeviceLock
-description: Policy CSP - DeviceLock
+description: Learn how to use the Policy CSP - DeviceLock setting to specify whether the user must input a PIN or password when the device resumes from an idle state.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index 9645a371ac..82dbb630ae 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Display
-description: Policy CSP - Display
+description: Learn how to use the Policy CSP - Display setting to disable Per-Process System DPI for a semicolon-separated list of applications.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md
index e5511ffaa0..0d8f6b40f8 100644
--- a/windows/client-management/mdm/policy-csp-dmaguard.md
+++ b/windows/client-management/mdm/policy-csp-dmaguard.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - DmaGuard
-description: Policy CSP - DmaGuard
+description: Learn how to use the Policy CSP - DmaGuard setting to provide additional security against external DMA capable devices.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md
index 9e12bc04e4..18cce493eb 100644
--- a/windows/client-management/mdm/policy-csp-education.md
+++ b/windows/client-management/mdm/policy-csp-education.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Education
-description: Control graphing functionality in the Windows Calculator app.
+description: Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
index c450267337..e9d1cb8436 100644
--- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
+++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - EnterpriseCloudPrint
-description: Policy CSP - EnterpriseCloudPrint
+description: Use the Policy CSP - EnterpriseCloudPrint setting to define the maximum number of printers that should be queried from a discovery end point.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md
index 79bbb1b92f..b4f27cc7c0 100644
--- a/windows/client-management/mdm/policy-csp-errorreporting.md
+++ b/windows/client-management/mdm/policy-csp-errorreporting.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - ErrorReporting
-description: Policy CSP - ErrorReporting
+description: Learn how to use the Policy CSP - ErrorReporting setting to determine the consent behavior of Windows Error Reporting for specific event types.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md
index 17080a877e..d86bd44edc 100644
--- a/windows/client-management/mdm/policy-csp-eventlogservice.md
+++ b/windows/client-management/mdm/policy-csp-eventlogservice.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - EventLogService
-description: Policy CSP - EventLogService
+description: Learn how to use the Policy CSP - EventLogService settting to control Event Log behavior when the log file reaches its maximum size.
ms.author: dansimp
ms.topic: article
ms.prod: w10
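Review bot: typo in the added description line, "settting" has three t's. Change it to "setting"; this text is what appears in search results.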
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index ff50088666..d9e072c7c3 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Experience
-description: Learn the various Experience policy CSP for Cortana, Sync, Spotlight and more.
+description: Learn how to use the Policy CSP - Experience setting to allow history of clipboard items to be stored in memory.
ms.author: dansimp
ms.topic: article
ms.prod: w10
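Review bot: the replacement description covers only clipboard history being stored in memory, whereas the removed line summarized the page as covering Cortana, Sync, Spotlight and more. Unless those policies were moved out of this file, keep the broader scope in the description and mention clipboard history as one example, so the summary still matches the page content.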
diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md
index 1e1b072f7d..92829f957e 100644
--- a/windows/client-management/mdm/policy-csp-exploitguard.md
+++ b/windows/client-management/mdm/policy-csp-exploitguard.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - ExploitGuard
-description: Policy CSP - ExploitGuard
+description: Use the Policy CSP - ExploitGuard setting to push out the desired system configuration and application mitigation options to all the devices in the organization.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md
index 993073f411..58b2bf5175 100644
--- a/windows/client-management/mdm/policy-csp-fileexplorer.md
+++ b/windows/client-management/mdm/policy-csp-fileexplorer.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - FileExplorer
-description: Policy CSP - FileExplorer
+description: Use the Policy CSP - FileExplorer setting so you can allow certain legacy plug-in applications to function without terminating Explorer.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md
index 63eb04a5c3..f62143e2a6 100644
--- a/windows/client-management/mdm/policy-csp-games.md
+++ b/windows/client-management/mdm/policy-csp-games.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Games
-description: Policy CSP - Games
+description: Learn to use the Policy CSP - Games setting so that you can specify whether advanced gaming services can be used.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md
index 8893695276..dea9168e36 100644
--- a/windows/client-management/mdm/policy-csp-handwriting.md
+++ b/windows/client-management/mdm/policy-csp-handwriting.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Handwriting
-description: Policy CSP - Handwriting
+description: Use the Policy CSP - Handwriting setting to allow an enterprise to configure the default mode for the handwriting panel.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index a1b9bb2b78..c63c654abe 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - InternetExplorer
-description: Policy CSP - InternetExplorer
+description: Use the Policy CSP - InternetExplorer setting to add a specific list of search providers to the user's default list of search providers.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index 06023ba3f8..b5331fa661 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Kerberos
-description: Policy CSP - Kerberos
+description: Define the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md
index 5bbe648950..be0176ca9b 100644
--- a/windows/client-management/mdm/policy-csp-kioskbrowser.md
+++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - KioskBrowser
-description: Policy CSP - KioskBrowser
+description: Use the Policy CSP - KioskBrowser setting to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
ms.author: dansimp
ms.topic: article
ms.prod: w10
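Review bot: the added description says the allowed URLs "are a subset of the blocked URLs", which reads as contradictory because a URL cannot be both allowed and blocked without stating which list wins. Suggest wording that gives the precedence explicitly, for example "configure URLs that kiosk browsers are allowed to navigate to as exceptions to the blocked URLs", so an admin does not misread how the allow and block lists combine.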
diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
index 011b60a5d7..bb03f10884 100644
--- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md
+++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - LanmanWorkstation
-description: Policy CSP - LanmanWorkstation
+description: Use the Policy CSP - LanmanWorkstation setting to determine if the SMB client will allow insecure guest logons to an SMB server.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md
index c4e988fd6d..bfef6090cc 100644
--- a/windows/client-management/mdm/policy-csp-licensing.md
+++ b/windows/client-management/mdm/policy-csp-licensing.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Licensing
-description: Policy CSP - Licensing
+description: Use the Policy CSP - Licensing setting to enable or disable Windows license reactivation on managed devices.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md
index 81f3ae2ca6..bc065532ed 100644
--- a/windows/client-management/mdm/policy-csp-lockdown.md
+++ b/windows/client-management/mdm/policy-csp-lockdown.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - LockDown
-description: Policy CSP - LockDown
+description: Use the Policy CSP - LockDown setting to allow the user to invoke any system user interface by swiping in from any screen edge using touch.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md
index 87ede82676..34c246f134 100644
--- a/windows/client-management/mdm/policy-csp-maps.md
+++ b/windows/client-management/mdm/policy-csp-maps.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Maps
-description: Policy CSP - Maps
+description: Use the Policy CSP - Maps setting to allow the download and update of map data over metered connections.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md
index 7835ef3d3c..d464f4c063 100644
--- a/windows/client-management/mdm/policy-csp-mssecurityguide.md
+++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - MSSecurityGuide
-description: See how this ADMX-backed policy requires a special SyncML format to enable or disable.
+description: Learn how Policy CSP - MSSecurityGuide, an ADMX-backed policy, requires a special SyncML format to enable or disable.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md
index ad6734ce70..d4a5030052 100644
--- a/windows/client-management/mdm/policy-csp-msslegacy.md
+++ b/windows/client-management/mdm/policy-csp-msslegacy.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - MSSLegacy
-description: Policy CSP - MSSLegacy
+description: Learn how Policy CSP - MSSLegacy, an ADMX-backed policy, requires a special SyncML format to enable or disable.
ms.author: dansimp
ms.topic: article
ms.prod: w10
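Review bot: The added description is the MSSecurityGuide description from the previous file with only the name swapped, so the two pages will be indistinguishable in search results. It also describes only the SyncML format requirement and says nothing about what the MSSLegacy settings configure. Suggest one clause naming what the settings cover, keeping the SyncML remark as a secondary point.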
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md
index 3f42c5653f..95d9af4a93 100644
--- a/windows/client-management/mdm/policy-csp-networkisolation.md
+++ b/windows/client-management/mdm/policy-csp-networkisolation.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - NetworkIsolation
-description: Policy CSP - NetworkIsolation
+description: Learn how Policy CSP - NetworkIsolation contains a list of Enterprise resource domains hosted in the cloud that need to be protected.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index 5da2930e76..d17cdbe1bc 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Power
-description: Learn the ins and outs of various Policy CSP - Power settings, including SyncML, for Windows 10.
+description: Learn how the Policy CSP - Power setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.
ms.author: dansimp
ms.topic: article
ms.prod: w10
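Review bot: The replacement description narrows the page to a single setting (standby states during sleep), while the removed line described "various Policy CSP - Power settings". If the page still documents several settings, the description should name the area and give this one as an example, rather than present it as the whole page.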
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index 9b20cf82c2..ca873b0393 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Privacy
-description: Policy CSP - Privacy
+description: Learn how the Policy CSP - Privacy setting allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md
index 39e59b9ba2..340bef38c2 100644
--- a/windows/client-management/mdm/policy-csp-remoteassistance.md
+++ b/windows/client-management/mdm/policy-csp-remoteassistance.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - RemoteAssistance
-description: Policy CSP - RemoteAssistance
+description: Learn how the Policy CSP - RemoteAssistance setting allows you to specify a custom message to display.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index e4fefcbc62..a33ad83d33 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - RemoteDesktopServices
-description: Policy CSP - RemoteDesktopServices
+description: Learn how the Policy CSP - RemoteDesktopServices setting allows you to configure remote access to computers by using Remote Desktop Services.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md
index 6c88c68b12..fae950baec 100644
--- a/windows/client-management/mdm/policy-csp-remotemanagement.md
+++ b/windows/client-management/mdm/policy-csp-remotemanagement.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - RemoteManagement
-description: Policy CSP - RemoteManagement
+description: Learn how the Policy CSP - RemoteManagement setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
index d6b5c1ab71..493027a454 100644
--- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
+++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - RemoteProcedureCall
-description: Policy CSP - RemoteProcedureCall
+description: The Policy CSP - RemoteProcedureCall setting controls whether RPC clients authenticate when the call they are making contains authentication information.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md
index 534584eca6..ac6201611a 100644
--- a/windows/client-management/mdm/policy-csp-remoteshell.md
+++ b/windows/client-management/mdm/policy-csp-remoteshell.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - RemoteShell
-description: Policy CSP - RemoteShell
+description: Learn details about the Policy CSP - RemoteShell setting so that you can configure access to remote shells.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index 86a64acdd0..204cf968b0 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - RestrictedGroups
-description: Policy CSP - RestrictedGroups
+description: Learn how the Policy CSP - RestrictedGroups setting allows an administrator to define the members that are part of a security-sensitive (restricted) group.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index e23ac51307..5fe588c782 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Search
-description: Policy CSP - Search
+description: Learn how the Policy CSP - Search setting allows search and Cortana to search cloud sources like OneDrive and SharePoint.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index 81eb2aa84e..7c7feb1aeb 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Security
-description: Policy CSP - Security
+description: Learn how the Policy CSP - Security setting can specify whether to allow the runtime configuration agent to install provisioning packages.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
index f1ac63ed5f..762c801e6c 100644
--- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
+++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - ServiceControlManager
-description: Policy CSP - ServiceControlManager
+description: Learn how the Policy CSP - ServiceControlManager setting enables process mitigation options on svchost.exe processes.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index 6052b904e8..1e16989ede 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Settings
-description: Policy CSP - Settings
+description: Learn how to use the Policy CSP - Settings setting so that you can allow the user to change Auto Play settings.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
index 2c2fceffc1..2cdf136faf 100644
--- a/windows/client-management/mdm/policy-csp-smartscreen.md
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - SmartScreen
-description: Policy CSP - SmartScreen
+description: Use the Policy CSP - SmartScreen setting to allow IT Admins to control whether users are allowed to install apps from places other than the Store.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md
index aca2851f58..39cd9db038 100644
--- a/windows/client-management/mdm/policy-csp-speech.md
+++ b/windows/client-management/mdm/policy-csp-speech.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Speech
-description: Policy CSP - Speech
+description: Learn how the Policy CSP - Speech setting specifies whether the device will receive updates to the speech recognition and speech synthesis models.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index 31872e9f67..0b6888322b 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Start
-description: Use this policy CSP to control the visibility of the Documents shortcut on the Start menu.
+description: Use the Policy CSP - Start setting to control the visibility of the Documents shortcut on the Start menu.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
index 0afd39b6c8..52f43753a2 100644
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Storage
-description: Policy CSP - Storage
+description: Learn to use the Policy CSP - Storage settings to automatically clean some of the user’s files to free up disk space.
ms.author: dansimp
ms.topic: article
ms.prod: w10
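Review bot: Style point on the added description line: "user’s" uses a typographic apostrophe, while other descriptions in this patch use the straight form ("aren't", "service's"). Use a straight apostrophe here so the front matter stays consistent.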
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 73f8d6586a..9c05c19f4f 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 06/25/2020
+ms.date: 08/12/2020
ms.reviewer:
manager: dansimp
---
@@ -28,9 +28,6 @@ manager: dansimp
-
-
-**System/AllowDesktopAnalyticsProcessing**
-
-
-
-
-
-
-
-
-Windows Edition
- Supported?
-
-
-Home
-
-
-
-Pro
-
-
-
-Business
-
-
-
-Enterprise
-
-
-
-Education
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in Windows 10, version 1809 through 1909. This policy setting controls whether the Desktop Analytics service is configured to use Windows diagnostic data collected from devices.
-
-If you enable this policy setting and enroll your devices in your Azure AD tenant, your organization becomes the controller and Microsoft is the processor of this data.
-
-If you disable or don't configure this policy setting, Microsoft will be the controller for Windows diagnostic data collected from the device.
-
->[!Note]
-> This policy setting only controls if Microsoft is a processor for Windows diagnostic data from this device. Use the [System/AllowTelemetry](#system-allowtelemetry) policy setting to limit the diagnostic data that can be collected from the device.
-
-
-
-ADMX Info:
-- GP English name: *Allow Desktop Analytics Processing*
-- GP name: *AllowDesktopAnalyticsProcessing*
-- GP path: *Data Collection and Preview Builds*
-- GP ADMX file name: *DataCollection.admx*
-
-
-
-The following list shows the supported values:
-
-- 0 (default) – Diagnostic data is not processed by Desktop Analytics.
-- 2 – Diagnostic data is allowed to be processed by Desktop Analytics.
-
-
-
-
-
-
-
-
-
-
-
-
**System/AllowDeviceNameInDiagnosticData**
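Review bot: Removing the System/AllowDesktopAnalyticsProcessing section is a content change that needs its own justification, because the rest of this commit only rewrites front-matter descriptions. The removed text states the setting is "Available in Windows 10, version 1809 through 1909", so admins managing those versions still need the value reference (0 and 2) and the controller/processor explanation. Either keep the section with a note on its status, or state in the commit message why it is removed and where the reference now lives.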
@@ -691,71 +598,6 @@ The following list shows the supported values:
-
-**System/AllowMicrosoftManagedDesktopProcessing**
-
-
-
-
-
-
-
-
-Windows Edition
- Supported?
-
-
-Home
-
-
-
-Pro
-
-
-
-Business
-
-
-
-Enterprise
-
-
-
-Education
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in Windows 10, version 1809 through 1909. This policy setting controls whether the Microsoft Managed Desktop service is configured to use Windows diagnostic data collected from devices.
-
-If you enable this policy setting and enroll your devices in your Azure AD tenant, your organization becomes the controller and Microsoft is the processor of this data.
-
-If you disable or don't configure this policy setting, Microsoft will be the controller for Windows diagnostic data collected from the device.
-
-> [!Note]
-> This policy setting only controls if Microsoft is a processor for Windows diagnostic data from this device. Use the [System/AllowTelemetry](#system-allowtelemetry) policy setting to limit the diagnostic data that can be collected from the device.
-
-
-
-The following list shows the supported values:
-
-- 0 (default)– Diagnostic data is not processed by Microsoft Managed Desktop.
-- 32 – Diagnostic data is processed by Microsoft Managed Desktop.
-
-
-
-
-
-
**System/AllowStorageCard**
@@ -950,78 +792,6 @@ ADMX Info:
-
-**System/AllowUpdateComplianceProcessing**
-
-
-
-
-
-
-
-
-Windows Edition
- Supported?
-
-
-Home
-
-
-
-Pro
-
-
-
-Business
-
-
-
-Enterprise
-
-
-
-Education
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in Windows 10, version 1809 through 1909. This policy setting controls whether the Update Compliance service is configured to use Windows diagnostic data collected from devices.
-
-If you enable this policy setting and enroll your devices in your Azure AD tenant, your organization becomes the controller and Microsoft is the processor of this data.
-
-If you disable or don't configure this policy setting, Microsoft will be the controller for Windows diagnostic data collected from the device.
-
->[!Note]
-> This policy setting only controls if Microsoft is a processor for Windows diagnostic data from this device. Use the [System/AllowTelemetry](#system-allowtelemetry) setting to limit the diagnostic data that can be collected from the device.
-
-
-
-ADMX Info:
-- GP English name: *Enable Update Compliance Processing*
-- GP name: *AllowUpdateComplianceProcessing*
-- GP path: *Data Collection and Preview Builds*
-- GP ADMX file name: *DataCollection.admx*
-
-
-
-The following list shows the supported values:
-
-- 0 (default)– Diagnostic data is not processed by Update Compliance.
-- 16 – Diagnostic data is allowed to be processed by Update Compliance.
-
-
-
-
-
**System/AllowUserToResetPhone**
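Review bot: The deleted ADMX Info block was the only place in this section that mapped the policy to its Group Policy name (AllowUpdateComplianceProcessing in DataCollection.admx, under Data Collection and Preview Builds). Without it, and without the value list, a value of 16 found in an existing configuration can no longer be interpreted from this page. Please confirm the setting is retired before dropping the mapping, and say so in the commit message.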
@@ -1081,71 +851,6 @@ The following list shows the supported values:
-
-
-**System/AllowWUfBCloudProcessing**
-
-
-
-
-
-
-
-
-Windows Edition
- Supported?
-
-
-Home
-
-
-
-Pro
-
-
-
-Business
-
-
-
-Enterprise
-
-
-
-Education
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in Windows 10, version 1809 through 1909. This policy setting controls whether the Windows Update for Business cloud service is configured to use Windows diagnostic data collected from devices.
-
-If you enable this policy setting and enroll your devices in your Azure AD tenant, your organization becomes the controller and Microsoft is the processor of this data.
-
-If you disable or don't configure this policy setting, Microsoft will be the controller for Windows diagnostic data collected from the device.
-
->[!Note]
-> This policy setting only controls if Microsoft is a processor for Windows diagnostic data from this device. Use the [System/AllowTelemetry](#system-allowtelemetry) policy setting to limit the diagnostic data that can be collected from the device.
-
-
-
-
-The following list shows the supported values:
-- 0 (default) – Diagnostic data is not processed by Windows Update for Business cloud.
-- 8 – Diagnostic data is allowed to be processed by Windows Update for Business cloud.
-
-
-
-
-
**System/BootStartDriverInitialization**
diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md
index 19836d1ca5..a7f98a6c0c 100644
--- a/windows/client-management/mdm/policy-csp-systemservices.md
+++ b/windows/client-management/mdm/policy-csp-systemservices.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - SystemServices
-description: Policy CSP - SystemServices
+description: Learn how to use the Policy CSP - SystemServices setting to determine whether the service's start type is Automatic(2), Manual(3), Disabled(4).
ms.author: dansimp
ms.topic: article
ms.prod: w10
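Review bot: The value list in the added description is missing a conjunction and the spaces before the parentheses: "Automatic(2), Manual(3), Disabled(4)". The TaskScheduler description in this same patch writes "enabled (1) or disabled (0)"; match that form, for example "Automatic (2), Manual (3), or Disabled (4)".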
diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md
index 9787467c21..ce84398393 100644
--- a/windows/client-management/mdm/policy-csp-taskmanager.md
+++ b/windows/client-management/mdm/policy-csp-taskmanager.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - TaskManager
-description: Policy CSP - TaskManager
+description: Learn how to use the Policy CSP - TaskManager setting to determine whether non-administrators can use Task Manager to end tasks.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md
index 44a8f08bdd..ab6ec4d46c 100644
--- a/windows/client-management/mdm/policy-csp-taskscheduler.md
+++ b/windows/client-management/mdm/policy-csp-taskscheduler.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - TaskScheduler
-description: Policy CSP - TaskScheduler
+description: Learn how to use the Policy CSP - TaskScheduler setting to determine whether the specific task is enabled (1) or disabled (0).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index e1799a0c16..99360d692b 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - TextInput
-description: Policy CSP - TextInput
+description: The Policy CSP - TextInput setting allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
index d029929145..8ef9349148 100644
--- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md
+++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - TimeLanguageSettings
-description: Learn which TimeLanguageSettings policies are supported for your edition of Windows.
+description: Learn to use the Policy CSP - TimeLanguageSettings setting to specify the time zone to be applied to the device.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md
index 881b9b3a43..c7862d0866 100644
--- a/windows/client-management/mdm/policy-csp-troubleshooting.md
+++ b/windows/client-management/mdm/policy-csp-troubleshooting.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Troubleshooting
-description: Policy CSP - Troubleshooting
+description: The Policy CSP - Troubleshooting setting allows IT admins to configure how to apply recommended troubleshooting for known problems on the devices in their domains.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index d9187a1854..38e9dd4066 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Update
-description: Manage a range of active hours for when update reboots are not scheduled.
+description: The Policy CSP - Update allows the IT admin, when used with Update/ActiveHoursStart, to manage a range of active hours where update reboots aren't scheduled.
ms.author: dansimp
ms.topic: article
ms.prod: w10
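Review bot: The added description makes the whole policy area the subject ("The Policy CSP - Update allows the IT admin, when used with Update/ActiveHoursStart, ..."), which leaves unclear what is being paired with Update/ActiveHoursStart. Name the individual setting this sentence describes, or describe the area as a whole and drop the "when used with" clause.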
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index 73f3dfd843..df12efd32b 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - UserRights
-description: Policy CSP - UserRights
+description: Learn how user rights are assigned for user accounts or groups, and how the name of the policy defines the user right in question.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md
index 770316e0bc..db63da7a5a 100644
--- a/windows/client-management/mdm/policy-csp-wifi.md
+++ b/windows/client-management/mdm/policy-csp-wifi.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Wifi
-description: Policy CSP - Wifi
+description: Learn how the Policy CSP - Wifi setting allows or disallows the device to automatically connect to Wi-Fi hotspots.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
index 4cbed0f5f3..4f89b78bcf 100644
--- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
+++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - WindowsConnectionManager
-description: Policy CSP - WindowsConnectionManager
+description: The Policy CSP - WindowsConnectionManager setting prevents computers from connecting to a domain based network and a non-domain based network simultaneously.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
index d2c74ba941..a4cd3536f0 100644
--- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - WindowsDefenderSecurityCenter
-description: Policy CSP - WindowsDefenderSecurityCenter
+description: Learn how to use the Policy CSP - WindowsDefenderSecurityCenter setting to display the Account protection area in Windows Defender Security Center.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
index bc97e2e774..e60269d795 100644
--- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
+++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - WindowsInkWorkspace
-description: Policy CSP - WindowsInkWorkspace
+description: Learn to use the Policy CSP - WindowsInkWorkspace setting to specify whether to allow the user to access the ink workspace.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index d3793a4bb7..c7ccb54106 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - WindowsLogon
-description: Policy CSP - WindowsLogon
+description: Use the Policy CSP - WindowsLogon setting to control whether a device automatically signs in and locks the last interactive user after the system restarts.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md
index cc4f87b917..b60def1361 100644
--- a/windows/client-management/mdm/policy-csp-windowspowershell.md
+++ b/windows/client-management/mdm/policy-csp-windowspowershell.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - WindowsPowerShell
-description: Policy CSP - WindowsPowerShell
+description: Use the Policy CSP - WindowsPowerShell setting to enable logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
index eb74f99772..3aff9aac6c 100644
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - WirelessDisplay
-description: Policy CSP - WirelessDisplay
+description: Use the Policy CSP - WirelessDisplay setting to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csps-admx-backed.md b/windows/client-management/mdm/policy-csps-admx-backed.md
index fed6d0138d..6e3d43c649 100644
--- a/windows/client-management/mdm/policy-csps-admx-backed.md
+++ b/windows/client-management/mdm/policy-csps-admx-backed.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 07/18/2019
+ms.date: 08/18/2020
---
# ADMX-backed policy CSPs
@@ -21,6 +21,51 @@ ms.date: 07/18/2019
>
- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites)
+- [ADMX_AddRemovePrograms/DefaultCategory](/policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-defaultcategory)
+- [ADMX_AddRemovePrograms/NoAddFromCDorFloppy](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromcdorfloppy)
+- [ADMX_AddRemovePrograms/NoAddFromInternet](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfrominternet)
+- [ADMX_AddRemovePrograms/NoAddFromNetwork](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromnetwork)
+- [ADMX_AddRemovePrograms/NoAddPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddpage)
+- [ADMX_AddRemovePrograms/NoAddRemovePrograms](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddremoveprograms)
+- [ADMX_AddRemovePrograms/NoChooseProgramsPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nochooseprogramspage)
+- [ADMX_AddRemovePrograms/NoRemovePage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noremovepage)
+- [ADMX_AddRemovePrograms/NoServices](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noservices)
+- [ADMX_AddRemovePrograms/NoSupportInfo](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nosupportinfo)
+- [ADMX_AddRemovePrograms/NoWindowsSetupPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nowindowssetuppage)
+- [ADMX_AppCompat/AppCompatPrevent16BitMach](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatprevent16bitmach)
+- [ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatremoveprogramcompatproppage)
+- [ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffapplicationimpacttelemetry)
+- [ADMX_AppCompat/AppCompatTurnOffSwitchBack](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffswitchback)
+- [ADMX_AppCompat/AppCompatTurnOffEngine](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffengine)
+- [ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprogramcompatibilityassistant_1)
+- [ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprogramcompatibilityassistant_2)
+- [ADMX_AppCompat/AppCompatTurnOffUserActionRecord](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffuseractionrecord)
+- [ADMX_AppCompat/AppCompatTurnOffProgramInventory](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprograminventory)
+- [ADMX_AuditSettings/IncludeCmdLine](./policy-csp-admx-auditsettings.md#admx-auditsettings-includecmdline)
+- [ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-allowfqdnnetbiosqueries)
+- [ADMX_DnsClient/DNS_AppendToMultiLabelName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-appendtomultilabelname)
+- [ADMX_DnsClient/DNS_Domain](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-domain)
+- [ADMX_DnsClient/DNS_DomainNameDevolutionLevel](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-domainnamedevolutionlevel)
+- [ADMX_DnsClient/DNS_IdnEncoding](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-idnencoding)
+- [ADMX_DnsClient/DNS_IdnMapping](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-idnmapping)
+- [ADMX_DnsClient/DNS_NameServer](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-nameserver)
+- [ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-preferlocalresponsesoverlowerorderdns)
+- [ADMX_DnsClient/DNS_PrimaryDnsSuffix](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-primarydnssuffix)
+- [ADMX_DnsClient/DNS_RegisterAdapterName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registeradaptername)
+- [ADMX_DnsClient/DNS_RegisterReverseLookup](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registerreverselookup)
+- [ADMX_DnsClient/DNS_RegistrationEnabled](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationenabled)
+- [ADMX_DnsClient/DNS_RegistrationOverwritesInConflict](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationoverwritesinconflict)
+- [ADMX_DnsClient/DNS_RegistrationRefreshInterval](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationrefreshinterval)
+- [ADMX_DnsClient/DNS_RegistrationTtl](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationttl)
+- [ADMX_DnsClient/DNS_SearchList](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-searchlist)
+- [ADMX_DnsClient/DNS_SmartMultiHomedNameResolution](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-smartmultihomednameresolution)
+- [ADMX_DnsClient/DNS_SmartProtocolReorder](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-smartprotocolreorder)
+- [ADMX_DnsClient/DNS_UpdateSecurityLevel](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-updatesecuritylevel)
+- [ADMX_DnsClient/DNS_UpdateTopLevelDomainZones](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-updatetopleveldomainzones)
+- [ADMX_DnsClient/DNS_UseDomainNameDevolution](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-usedomainnamedevolution)
+- [ADMX_DnsClient/Turn_Off_Multicast](./policy-csp-admx-dnsclient.md#admx-dnsclient-turn-off-multicast)
+- [ADMX_EventForwarding/ForwarderResourceUsage](./policy-csp-admx-eventforwarding.md#admx_eventforwarding-forwarderresourceusage)
+- [ADMX_EventForwarding/SubscriptionManager](./policy-csp-admx-eventforwarding.md#admx_eventforwarding-subscriptionmanager)
- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional)
- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient)
- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization)
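Review bot: the two added ADMX_EventForwarding entries link to anchors written with an underscore (`#admx_eventforwarding-forwarderresourceusage`, `#admx_eventforwarding-subscriptionmanager`), while every other entry added in this hunk uses the hyphenated form (`#admx-appcompat-...`, `#admx-auditsettings-...`, `#admx-dnsclient-...`). Check which form policy-csp-admx-eventforwarding.md actually exposes and make the two links consistent with it, otherwise they may resolve to the top of the page instead of the policy.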
@@ -406,8 +451,6 @@ ms.date: 07/18/2019
- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
-- [System/AllowDesktopAnalyticsProcessing](./policy-csp-system.md#system-allowdesktopanalyticsprocessing)
-- [System/AllowUpdateComplianceProcessing](./policy-csp-system.md#system-allowppdatecomplianceprocessing)
- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork)
diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md
index 7a522ee312..27c1aceaf0 100644
--- a/windows/client-management/mdm/policy-ddf-file.md
+++ b/windows/client-management/mdm/policy-ddf-file.md
@@ -1,6 +1,6 @@
---
title: Policy DDF file
-description: Policy DDF file
+description: Learn about the OMA DM device description framework (DDF) for the Policy configuration service provider.
ms.assetid: D90791B5-A772-4AF8-B058-5D566865AF8D
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/policymanager-csp.md b/windows/client-management/mdm/policymanager-csp.md
index ad4bb24be7..656e292b4e 100644
--- a/windows/client-management/mdm/policymanager-csp.md
+++ b/windows/client-management/mdm/policymanager-csp.md
@@ -1,6 +1,6 @@
---
title: PolicyManager CSP
-description: PolicyManager CSP
+description: Learn how PolicyManager CSP is deprecated. For Windows 10 devices you should use Policy CSP, which replaces PolicyManager CSP.
ms.assetid: 048427b1-6024-4660-8660-bd91c583f7f9
ms.reviewer:
manager: dansimp
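Review bot: the new description "Learn how PolicyManager CSP is deprecated." reads as if the page explains a deprecation process, when the second sentence shows the point is simply that Policy CSP replaces it. Suggest stating that directly, for example "PolicyManager CSP is deprecated. For Windows 10 devices, use Policy CSP, which replaces it."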
diff --git a/windows/client-management/mdm/proxy-csp.md b/windows/client-management/mdm/proxy-csp.md
index cced09bc2b..c1d9034fe8 100644
--- a/windows/client-management/mdm/proxy-csp.md
+++ b/windows/client-management/mdm/proxy-csp.md
@@ -1,6 +1,6 @@
---
title: PROXY CSP
-description: PROXY CSP
+description: Learn how the PROXY configuration service provider (CSP) is used to configure proxy connections.
ms.assetid: 9904d44c-4a1e-4ae7-a6c7-5dba06cb16ce
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md
index e7cb92b9c4..d906bca3da 100644
--- a/windows/client-management/mdm/reboot-csp.md
+++ b/windows/client-management/mdm/reboot-csp.md
@@ -1,6 +1,6 @@
---
title: Reboot CSP
-description: Reboot CSP
+description: Learn how the Reboot configuration service provider (CSP) is used to configure reboot settings.
ms.assetid: 4E3F1225-BBAD-40F5-A1AB-FF221B6BAF48
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/registry-csp.md b/windows/client-management/mdm/registry-csp.md
index 61d34774a7..4978cc70e0 100644
--- a/windows/client-management/mdm/registry-csp.md
+++ b/windows/client-management/mdm/registry-csp.md
@@ -1,6 +1,6 @@
---
title: Registry CSP
-description: Registry CSP
+description: In this article, learn how to use the Registry configuration service provider (CSP) to update registry settings.
ms.assetid: 2307e3fd-7b61-4f00-94e1-a639571f2c9d
ms.reviewer:
manager: dansimp
@@ -17,7 +17,8 @@ ms.date: 06/26/2017
The Registry configuration service provider is used to update registry settings. However, if there is configuration service provider that is specific to the settings that need to be updated, use the specific configuration service provider.
-> **Note** The Registry CSP is only supported in Windows 10 Mobile for OEM configuration. Do not use this CSP for enterprise remote management.
+> [!NOTE]
+> The Registry CSP is only supported in Windows 10 Mobile for OEM configuration. Do not use this CSP for enterprise remote management.
For Windows 10 Mobile only, this configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application.
@@ -32,13 +33,12 @@ For OMA Client Provisioning, the follows notes apply:
- This documentation describes the default characteristics. Additional characteristics may be added.
-- Because the **Registry** configuration service provider uses the backslash (\) character as a separator between key names, backslashes which occur in the name of a registry key must be escaped. Backslashes can be escaped by using two sequential backslashes (\\\).
+- Because the **Registry** configuration service provider uses the backslash (\\) character as a separator between key names, backslashes which occur in the name of a registry key must be escaped. Backslashes can be escaped by using two sequential backslashes (\\\\).
The default security role maps to each subnode unless specific permission is granted to the subnode. The security role for subnodes is implementation specific, and can be changed by OEMs and mobile operators.
## Microsoft Custom Elements
-
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
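Review bot: in the escaping bullet, the guidance is now only correct if the Markdown renderer collapses the escapes, so that `(\\)` shows one backslash and `(\\\\)` shows two. Putting both sequences in inline code would show the literal characters regardless of renderer, which matters here because the bullet itself says the backslash is the key-name separator, so a miscounted backslash changes which key the provisioning XML addresses.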
@@ -75,11 +75,10 @@ The following table shows the Microsoft custom elements that this configuration
-
Use these elements to build standard OMA Client Provisioning configuration XML. For information about specific elements, see MSPROV DTD elements.
-## Supported Data Types
+## Supported Data Types
The following table shows the data types this configuration service provider supports.
diff --git a/windows/client-management/mdm/registry-ddf-file.md b/windows/client-management/mdm/registry-ddf-file.md
index 164f8d4a66..6b6bc9c191 100644
--- a/windows/client-management/mdm/registry-ddf-file.md
+++ b/windows/client-management/mdm/registry-ddf-file.md
@@ -1,6 +1,6 @@
---
title: Registry DDF file
-description: Registry DDF file
+description: Learn about the OMA DM device description framework (DDF) for the Registry configuration service provider (CSP).
ms.assetid: 29b5cc07-f349-4567-8a77-387d816a9d15
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/remotelock-ddf-file.md b/windows/client-management/mdm/remotelock-ddf-file.md
index 2408353c86..d740994fc1 100644
--- a/windows/client-management/mdm/remotelock-ddf-file.md
+++ b/windows/client-management/mdm/remotelock-ddf-file.md
@@ -1,6 +1,6 @@
---
title: RemoteLock DDF file
-description: RemoteLock DDF file
+description: Learn about the OMA DM device description framework (DDF) for the RemoteLock configuration service provider (CSP).
ms.assetid: A301AE26-1BF1-4328-99AB-1ABBA4960797
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/remotering-csp.md b/windows/client-management/mdm/remotering-csp.md
index 726df442f0..999d8b629e 100644
--- a/windows/client-management/mdm/remotering-csp.md
+++ b/windows/client-management/mdm/remotering-csp.md
@@ -1,6 +1,6 @@
---
title: RemoteRing CSP
-description: RemoteRing CSP
+description: The RemoteRing CSP can be used to remotely trigger a device to produce an audible ringing sound regardless of the volume that's set on the device.
ms.assetid: 70015243-c07f-46cb-a0f9-4b4ad13a5609
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index 3ee8a2cd21..efd8cdac2b 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -1,6 +1,6 @@
---
title: RemoteWipe CSP
-description: RemoteWipe CSP
+description: Learn how the RemoteWipe configuration service provider (CSP) can be used by mobile operators DM server or enterprise management server to remotely wipe a device.
ms.assetid: 6e89bd37-7680-4940-8a67-11ed062ffb70
ms.reviewer:
manager: dansimp
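Review bot: the added description has "mobile operators DM server", which is missing the possessive and an article. Suggest "by a mobile operator's DM server or an enterprise management server"; it is also worth rechecking the length of this line after the fix, since it is already one of the longer descriptions in the patch.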
diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md
index 12a8de389a..36a83bee33 100644
--- a/windows/client-management/mdm/remotewipe-ddf-file.md
+++ b/windows/client-management/mdm/remotewipe-ddf-file.md
@@ -1,6 +1,6 @@
---
title: RemoteWipe DDF file
-description: RemoteWipe DDF file
+description: Learn about the OMA DM device description framework (DDF) for the RemoteWipe configuration service provider.
ms.assetid: 10ec4fb7-f911-4d0c-9a8f-e96bf5faea0c
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
index 1b4f1ec6bc..ad6dd045e3 100644
--- a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
+++ b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
@@ -1,6 +1,6 @@
---
title: REST API reference for Microsoft Store for Business
-description: REST API reference for Microsoft Store for Business--includes available operations and data structures.
+description: Learn how the REST API reference for Microsoft Store for Business includes available operations and data structures.
MS-HAID:
- 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference'
- 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business'
diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md
index 132e196cc0..1c5b7912aa 100644
--- a/windows/client-management/mdm/rootcacertificates-csp.md
+++ b/windows/client-management/mdm/rootcacertificates-csp.md
@@ -1,6 +1,6 @@
---
title: RootCATrustedCertificates CSP
-description: RootCATrustedCertificates CSP
+description: Learn how the RootCATrustedCertificates configuration service provider (CSP) enables the enterprise to set the Root Certificate Authority (CA) certificates.
ms.assetid: F2F25DEB-9DB3-40FB-BC3C-B816CE470D61
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md
index a80fb75af6..166dfc0d43 100644
--- a/windows/client-management/mdm/rootcacertificates-ddf-file.md
+++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md
@@ -1,6 +1,6 @@
---
title: RootCATrustedCertificates DDF file
-description: RootCATrustedCertificates DDF file
+description: Learn about the OMA DM device description framework (DDF) for the RootCACertificates configuration service provider (CSP).
ms.assetid: 06D8787B-D3E1-4D4B-8A21-8045A8F85C1C
ms.reviewer:
manager: dansimp
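Review bot: the new description names the "RootCACertificates configuration service provider (CSP)", but the title two lines above is "RootCATrustedCertificates DDF file". Use the same CSP name in both so search results and the page heading agree.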
diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md
index 7d972a5a96..6585261229 100644
--- a/windows/client-management/mdm/secureassessment-csp.md
+++ b/windows/client-management/mdm/secureassessment-csp.md
@@ -1,6 +1,6 @@
---
title: SecureAssessment CSP
-description: SecureAssessment CSP
+description: Learn how the SecureAssessment configuration service provider (CSP) is used to provide configuration information for the secure assessment browser.
ms.assetid: 6808BE4B-961E-4638-BF15-FD7841D1C00A
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md
index 9b8b3ce65d..9e203d4d39 100644
--- a/windows/client-management/mdm/securitypolicy-csp.md
+++ b/windows/client-management/mdm/securitypolicy-csp.md
@@ -1,6 +1,6 @@
---
title: SecurityPolicy CSP
-description: SecurityPolicy CSP
+description: The SecurityPolicy CSP is used to configure security policy settings for WAP push, OMA DM, Service Indication (SI), Service Loading (SL), and MMS.
ms.assetid: 6014f8fe-f91b-49f3-a357-bdf625545bc9
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/server-requirements-windows-mdm.md b/windows/client-management/mdm/server-requirements-windows-mdm.md
index 50b8b73b30..032469c901 100644
--- a/windows/client-management/mdm/server-requirements-windows-mdm.md
+++ b/windows/client-management/mdm/server-requirements-windows-mdm.md
@@ -1,6 +1,6 @@
---
title: Server requirements for using OMA DM to manage Windows devices
-description: Server requirements for using OMA DM to manage Windows devices
+description: Learn about the general server requirements for using OMA DM to manage Windows devices, including the supported versions of OMA DM.
MS-HAID:
- 'p\_phDeviceMgmt.server\_requirements\_for\_oma\_dm'
- 'p\_phDeviceMgmt.server\_requirements\_windows\_mdm'
diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md
index b9ea9c1767..61e26ea7a0 100644
--- a/windows/client-management/mdm/sharedpc-ddf-file.md
+++ b/windows/client-management/mdm/sharedpc-ddf-file.md
@@ -1,6 +1,6 @@
---
title: SharedPC DDF file
-description: SharedPC DDF file
+description: Learn how the OMA DM device description framework (DDF) for the SharedPC configuration service provider (CSP).
ms.assetid: 70234197-07D4-478E-97BB-F6C651C0B970
ms.reviewer:
manager: dansimp
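Review bot: the added description "Learn how the OMA DM device description framework (DDF) for the SharedPC configuration service provider (CSP)." has no verb after "Learn how". The other DDF pages in this patch use "Learn about the OMA DM device description framework (DDF) for the ... configuration service provider (CSP)."; use the same wording here.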
diff --git a/windows/client-management/mdm/storage-csp.md b/windows/client-management/mdm/storage-csp.md
index 6ed19c97e1..3cb5d8920c 100644
--- a/windows/client-management/mdm/storage-csp.md
+++ b/windows/client-management/mdm/storage-csp.md
@@ -1,6 +1,6 @@
---
title: Storage CSP
-description: Storage CSP
+description: Learn how the Storage enterprise configuration service provider (CSP) is used to configure the storage card settings.
ms.assetid: b19bdb54-53ed-42ce-a5a1-269379013f57
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/storage-ddf-file.md b/windows/client-management/mdm/storage-ddf-file.md
index 9d9be94f93..17340fbf2d 100644
--- a/windows/client-management/mdm/storage-ddf-file.md
+++ b/windows/client-management/mdm/storage-ddf-file.md
@@ -1,6 +1,6 @@
---
title: Storage DDF file
-description: See how storage configuration service provider. DDF files are used only with OMA DM provisioning XML.
+description: Learn about the OMA DM device description framework (DDF) for the Storage configuration service provider (CSP).
ms.assetid: 247062A3-4DFB-4B14-A3D1-68D02C27703C
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md
index 0e0293bca8..2b482383bd 100644
--- a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md
+++ b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md
@@ -1,6 +1,6 @@
---
title: Structure of OMA DM provisioning files
-description: Structure of OMA DM provisioning files
+description: Learn about the structure of OMA DM provisioning files, for example how each message is composed of a header, specified by the SyncHdr element, and a message body.
ms.assetid: 7bd3ef57-c76c-459b-b63f-c5a333ddc2bc
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md
index 28d0b9c42e..45e335fdf9 100644
--- a/windows/client-management/mdm/supl-csp.md
+++ b/windows/client-management/mdm/supl-csp.md
@@ -1,6 +1,6 @@
---
title: SUPL CSP
-description: SUPL CSP
+description: Learn how the SUPL configuration service provider (CSP) is used to configure the location client.
ms.assetid: afad0120-1126-4fc5-8e7a-64b9f2a5eae1
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/tenantlockdown-ddf.md b/windows/client-management/mdm/tenantlockdown-ddf.md
index ad901702a5..b064d57b68 100644
--- a/windows/client-management/mdm/tenantlockdown-ddf.md
+++ b/windows/client-management/mdm/tenantlockdown-ddf.md
@@ -1,6 +1,6 @@
---
title: TenantLockdown DDF file
-description: XML file containing the device description framework for the TenantLockdown configuration service provider.
+description: XML file containing the device description framework for the TenantLockdown configuration service provider (CSP).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md
index 36f46f9df1..f97ea96a00 100644
--- a/windows/client-management/mdm/tpmpolicy-csp.md
+++ b/windows/client-management/mdm/tpmpolicy-csp.md
@@ -1,6 +1,6 @@
---
title: TPMPolicy CSP
-description: TPMPolicy CSP
+description: The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/tpmpolicy-ddf-file.md b/windows/client-management/mdm/tpmpolicy-ddf-file.md
index fcdb101ad2..fd463047e0 100644
--- a/windows/client-management/mdm/tpmpolicy-ddf-file.md
+++ b/windows/client-management/mdm/tpmpolicy-ddf-file.md
@@ -1,6 +1,6 @@
---
title: TPMPolicy DDF file
-description: TPMPolicy DDF file
+description: Learn about the OMA DM device description framework (DDF) for the TPMPolicy configuration service provider (CSP).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/uefi-ddf.md b/windows/client-management/mdm/uefi-ddf.md
index 808685d36d..1432ef811a 100644
--- a/windows/client-management/mdm/uefi-ddf.md
+++ b/windows/client-management/mdm/uefi-ddf.md
@@ -1,6 +1,6 @@
---
title: UEFI DDF file
-description: UEFI DDF file
+description: Learn about the OMA DM device description framework (DDF) for the Uefi configuration service provider (CSP).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md
index 310b0192c6..183c89df6d 100644
--- a/windows/client-management/mdm/update-csp.md
+++ b/windows/client-management/mdm/update-csp.md
@@ -1,6 +1,6 @@
---
title: Update CSP
-description: Update CSP
+description: Learn how the Update configuration service provider (CSP) enables IT administrators to manage and control the rollout of new updates.
ms.assetid: F1627B57-0749-47F6-A066-677FDD3D7359
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md
index 731adeeb60..44f580cb4f 100644
--- a/windows/client-management/mdm/update-ddf-file.md
+++ b/windows/client-management/mdm/update-ddf-file.md
@@ -1,6 +1,6 @@
---
title: Update DDF file
-description: Update DDF file
+description: Learn about the OMA DM device description framework (DDF) for the Update configuration service provider (CSP).
ms.assetid: E236E468-88F3-402A-BA7A-834ED38DD388
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md
index 7b8f154145..60702d4f69 100644
--- a/windows/client-management/mdm/vpn-csp.md
+++ b/windows/client-management/mdm/vpn-csp.md
@@ -1,6 +1,6 @@
---
title: VPN CSP
-description: VPN CSP
+description: Learn how the VPN configuration service provider (CSP) allows the mobile device management (MDM) server to configure the VPN profile of the device.
ms.assetid: 05ca946a-1c0b-4e11-8d7e-854e14740707
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/vpn-ddf-file.md b/windows/client-management/mdm/vpn-ddf-file.md
index b3e8aef28c..889a2f8f25 100644
--- a/windows/client-management/mdm/vpn-ddf-file.md
+++ b/windows/client-management/mdm/vpn-ddf-file.md
@@ -1,6 +1,6 @@
---
title: VPN DDF file
-description: VPN DDF file
+description: Learn about the OMA DM device description framework (DDF) for the VPN configuration service provider (CSP).
ms.assetid: 728FCD9C-0B8E-413B-B54A-CD72C9F2B9EE
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index c7555d45bf..df6b648e6e 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -1,6 +1,6 @@
---
title: VPNv2 CSP
-description: VPNv2 CSP
+description: Learn how the VPNv2 configuration service provider (CSP) allows the mobile device management (MDM) server to configure the VPN profile of the device.
ms.assetid: 51ADA62E-1EE5-4F15-B2AD-52867F5B2AD2
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md
index e4c93ad525..51a1739756 100644
--- a/windows/client-management/mdm/w4-application-csp.md
+++ b/windows/client-management/mdm/w4-application-csp.md
@@ -1,6 +1,6 @@
---
title: w4 APPLICATION CSP
-description: w4 APPLICATION CSP
+description: Use an APPLICATION configuration service provider (CSP) that has an APPID of w4 to configure Multimedia Messaging Service (MMS).
ms.assetid: ef42b82a-1f04-49e4-8a48-bd4e439fc43a
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md
index eff35b4fd4..20f21f79bc 100644
--- a/windows/client-management/mdm/w7-application-csp.md
+++ b/windows/client-management/mdm/w7-application-csp.md
@@ -1,6 +1,6 @@
---
title: w7 APPLICATION CSP
-description: w7 APPLICATION CSP
+description: Learn that the APPLICATION configuration service provider (CSP) that has an APPID of w7 is used for bootstrapping a device with an OMA DM account.
ms.assetid: 10f8aa16-5c89-455d-adcd-d7fb45d4e768
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index 70f5a31c7c..174c633ba4 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -1,6 +1,6 @@
---
title: WiFi CSP
-description: The WiFi configuration service provider provides the functionality to add or delete Wi-Fi networks on a Windows device.
+description: The WiFi configuration service provider (CSP) provides the functionality to add or delete Wi-Fi networks on a Windows device.
ms.assetid: f927cb5f-9555-4029-838b-03fb68937f06
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md
index 2c51e50a62..8dff039754 100644
--- a/windows/client-management/mdm/wifi-ddf-file.md
+++ b/windows/client-management/mdm/wifi-ddf-file.md
@@ -1,6 +1,6 @@
---
title: WiFi DDF file
-description: WiFi DDF file
+description: Learn about the OMA DM device description framework (DDF) for the WiFi configuration service provider (CSP).
ms.assetid: 00DE1DA7-23DE-4871-B3F0-28EB29A62D61
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/win32appinventory-csp.md b/windows/client-management/mdm/win32appinventory-csp.md
index abcbb92914..f6b422ce6d 100644
--- a/windows/client-management/mdm/win32appinventory-csp.md
+++ b/windows/client-management/mdm/win32appinventory-csp.md
@@ -1,6 +1,6 @@
---
title: Win32AppInventory CSP
-description: Win32AppInventory CSP
+description: Learn how the Win32AppInventory configuration service provider (CSP) is used to provide an inventory of installed applications on a device.
ms.assetid: C0DEDD51-4EAD-4F8E-AEE2-CBE9658BCA22
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/win32appinventory-ddf-file.md b/windows/client-management/mdm/win32appinventory-ddf-file.md
index b22b7284fa..1f20685d75 100644
--- a/windows/client-management/mdm/win32appinventory-ddf-file.md
+++ b/windows/client-management/mdm/win32appinventory-ddf-file.md
@@ -1,6 +1,6 @@
---
title: Win32AppInventory DDF file
-description: See the OMA DM device description framework (DDF) for the **Win32AppInventory** configuration service provider. DDF files are used only with OMA DM provisioning XML.
+description: Learn about the OMA DM device description framework (DDF) for the Win32AppInventory configuration service provider (CSP).
ms.assetid: F6BCC10B-BFE4-40AB-AEEE-34679A4E15B0
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
index 2570e65b3d..be248b783d 100644
--- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
@@ -1,6 +1,6 @@
---
-title: Win32CompatibilityAppraiser CSP
-description:
+title: Win32CompatibilityAppraiser CSP
+description: Learn how the Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telementry health.
ms.author: dansimp
ms.topic: article
ms.prod: w10
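Review bot: the new description misspells "telemetry" as "telementry". The `title:` line is also removed and re-added with no visible difference, which suggests a whitespace-only change; confirm it is intended, and expand "UTC" on first use since the description is what appears in search results.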
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
index 2508fa2863..c68424cd04 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
@@ -1,6 +1,6 @@
---
title: WindowsAdvancedThreatProtection CSP
-description: WindowsAdvancedThreatProtection CSP
+description: The Windows Defender Advanced Threat Protection (WDATP) CSP allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP.
ms.assetid: 6C3054CA-9890-4C08-9DB6-FBEEB74699A8
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
index 583ea67e75..5877c32e22 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
@@ -1,6 +1,6 @@
---
title: WindowsAdvancedThreatProtection DDF file
-description: WindowsAdvancedThreatProtection DDF file
+description: Learn how the OMA DM device description framework (DDF) for the WindowsAdvancedThreatProtection configuration service provider (CSP).
ms.assetid: 0C62A790-4351-48AF-89FD-7D46C42D13E0
ms.reviewer:
manager: dansimp
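Review bot: the added description "Learn how the OMA DM device description framework (DDF) for the WindowsAdvancedThreatProtection configuration service provider (CSP)." is a fragment with no verb after "Learn how". Change it to "Learn about the OMA DM device description framework (DDF) for ..." to match the other DDF pages in this patch.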
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 63373c2a34..59f3f7c19e 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -30,9 +30,11 @@ Turn on Microsoft Defender Application Guard in Enterprise Mode.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-The following list shows the supported values:
-- 0 - Stops Application Guard in Enterprise Mode. Trying to access non-enterprise domains on the host will not automatically get transferred into the insolated environment.
-- 1 - Enables Application Guard in Enterprise Mode. Trying to access non-enterprise websites on the host will automatically get transferred into the container.
+The following list shows the supported values:
+- 0 - Disable Microsoft Defender Application Guard
+- 1 - Enable Microsoft Defender Application Guard for Microsoft Edge ONLY
+- 2 - Enable Microsoft Defender Application Guard for isolated Windows environments ONLY
+- 3 - Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments
**Settings/ClipboardFileType**
Determines the type of content that can be copied from the host to Application Guard environment and vice versa.
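Review bot: the replacement value list drops the behaviour the old entries described (with 1, access to non-enterprise websites is moved into the container; with 0, it is not), so this section no longer tells an administrator what enabling the setting does to browsing. Keep one sentence of that description next to the new values, and state for values 2 and 3 which Windows releases accept them, since the previous list defined only 0 and 1 and the unchanged setting summary in the hunk header still says "in Enterprise Mode".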
@@ -297,4 +299,4 @@ ADMX Info:
- GP name: *AuditApplicationGuard*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
-
\ No newline at end of file
+
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
index e519d6dcd8..847d9d69c8 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
@@ -1,6 +1,6 @@
---
title: WindowsDefenderApplicationGuard DDF file
-description: See the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider.
+description: learn about the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider (CSP).
ms.author: dansimp
ms.topic: article
ms.prod: w10
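Review bot: the added description starts with a lowercase "learn" and says "for the WindowsDefenderApplicationGuard DDF file configuration service provider (CSP)", where "DDF file" is redundant inside the CSP name. Suggest "Learn about the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard configuration service provider (CSP)."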
diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md
index 58a5040b72..b46f76e935 100644
--- a/windows/client-management/mdm/windowslicensing-csp.md
+++ b/windows/client-management/mdm/windowslicensing-csp.md
@@ -1,6 +1,6 @@
---
title: WindowsLicensing CSP
-description: WindowsLicensing CSP
+description: Learn how the WindowsLicensing configuration service provider (CSP) is designed for licensing related management scenarios.
ms.assetid: E6BC6B0D-1F16-48A5-9AC4-76D69A7EDDA6
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md
index c5037971d9..7b8cb3437e 100644
--- a/windows/client-management/mdm/windowslicensing-ddf-file.md
+++ b/windows/client-management/mdm/windowslicensing-ddf-file.md
@@ -1,6 +1,6 @@
---
title: WindowsLicensing DDF file
-description: WindowsLicensing DDF file
+description: Learn about the OMA DM device description framework (DDF) for the WindowsLicensing configuration service provider (CSP).
ms.assetid: 2A24C922-A167-4CEE-8F74-08E7453800D2
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md
index 3462504a92..4693bb6596 100644
--- a/windows/client-management/new-policies-for-windows-10.md
+++ b/windows/client-management/new-policies-for-windows-10.md
@@ -1,6 +1,6 @@
---
title: New policies for Windows 10 (Windows 10)
-description: Windows 10 includes the following new policies for management.
+description: Learn how Windows 10 includes new policies for management, like Group Policy settings for the Windows system and components.
ms.assetid: 1F24ABD8-A57A-45EA-BA54-2DA2238C573D
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md
index d0806c95e1..4f7a2555e1 100644
--- a/windows/client-management/system-failure-recovery-options.md
+++ b/windows/client-management/system-failure-recovery-options.md
@@ -1,6 +1,6 @@
---
title: Configure system failure and recovery options in Windows
-description: Learn about the system failure and recovery options in Windows.
+description: Learn how to configure the actions that Windows takes when a system error occurs and what the recovery options are.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md
index 667776a7f8..0bdc744338 100644
--- a/windows/client-management/troubleshoot-inaccessible-boot-device.md
+++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md
@@ -1,6 +1,6 @@
---
title: Advanced advice for Stop error 7B, Inaccessible_Boot_Device
-description: Learn how to troubleshoot Stop error 7B or Inaccessible_Boot_Device
+description: Learn how to troubleshoot Stop error 7B or Inaccessible_Boot_Device. This error may occur after some changes are made to the computer,
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
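Review bot: The added description ends mid-sentence with a trailing comma ("...after some changes are made to the computer,"). Finish the clause or end the sentence at "computer." so the text shown in search results is not cut off.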
diff --git a/windows/client-management/troubleshoot-networking.md b/windows/client-management/troubleshoot-networking.md
index 57398a2764..7ff85215fe 100644
--- a/windows/client-management/troubleshoot-networking.md
+++ b/windows/client-management/troubleshoot-networking.md
@@ -2,7 +2,7 @@
title: Advanced troubleshooting for Windows networking
ms.reviewer:
manager: dansimp
-description: Learn how to troubleshoot networking
+description: Learn about the topics that are available to help you troubleshoot common problems related to Windows networking.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md
index 3fe73d34ec..7eabdf0411 100644
--- a/windows/client-management/troubleshoot-stop-errors.md
+++ b/windows/client-management/troubleshoot-stop-errors.md
@@ -2,7 +2,7 @@
title: Advanced troubleshooting for Stop error or blue screen error issue
ms.reviewer:
manager: dansimp
-description: Learn how to troubleshoot Stop error or blue screen issues.
+description: Learn advanced options for troubleshooting Stop errors, also known as blue screen errors or bug check errors.
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
diff --git a/windows/client-management/troubleshoot-tcpip-connectivity.md b/windows/client-management/troubleshoot-tcpip-connectivity.md
index fe6e32ce59..0d4f00510a 100644
--- a/windows/client-management/troubleshoot-tcpip-connectivity.md
+++ b/windows/client-management/troubleshoot-tcpip-connectivity.md
@@ -1,6 +1,6 @@
---
title: Troubleshoot TCP/IP connectivity
-description: Learn how to troubleshoot TCP/IP connectivity.
+description: Learn how to troubleshoot TCP/IP connectivity and what you should do if you come across TCP reset in a network capture.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md
index a33d808d2f..40c0ff98c2 100644
--- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md
+++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md
@@ -1,6 +1,6 @@
---
title: Troubleshoot port exhaustion issues
-description: Learn how to troubleshoot port exhaustion issues.
+description: Learn how to troubleshoot port exhaustion issues. Port exhaustion occurs when all the ports on a machine are used.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
diff --git a/windows/client-management/troubleshoot-tcpip-rpc-errors.md b/windows/client-management/troubleshoot-tcpip-rpc-errors.md
index 7fd5ff086f..37b4dfa002 100644
--- a/windows/client-management/troubleshoot-tcpip-rpc-errors.md
+++ b/windows/client-management/troubleshoot-tcpip-rpc-errors.md
@@ -1,6 +1,6 @@
---
title: Troubleshoot Remote Procedure Call (RPC) errors
-description: Learn how to troubleshoot Remote Procedure Call (RPC) errors
+description: Learn how to troubleshoot Remote Procedure Call (RPC) errors when connecting to Windows Management Instrumentation (WMI), SQL Server, or during a remote connection.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
diff --git a/windows/client-management/troubleshoot-tcpip.md b/windows/client-management/troubleshoot-tcpip.md
index 378c042899..48a95cd4e0 100644
--- a/windows/client-management/troubleshoot-tcpip.md
+++ b/windows/client-management/troubleshoot-tcpip.md
@@ -1,6 +1,6 @@
---
title: Advanced troubleshooting for TCP/IP issues
-description: Learn how to troubleshoot common problems in a TCP/IP network environment.
+description: Learn how to troubleshoot common problems in a TCP/IP network environment, for example by collecting data using Network monitor.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md
index 3a584ddb8f..b50e43abae 100644
--- a/windows/client-management/troubleshoot-windows-freeze.md
+++ b/windows/client-management/troubleshoot-windows-freeze.md
@@ -2,7 +2,7 @@
title: Advanced troubleshooting for Windows-based computer freeze issues
ms.reviewer:
manager: dansimp
-description: Learn how to troubleshoot computer freeze issues on Windows-based computers and servers.
+description: Learn how to troubleshoot computer freeze issues on Windows-based computers and servers. Also, you can learn how to diagnose, identify, and fix these issues.
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
diff --git a/windows/client-management/troubleshoot-windows-startup.md b/windows/client-management/troubleshoot-windows-startup.md
index 0e39db4b3f..bd9f09bfd0 100644
--- a/windows/client-management/troubleshoot-windows-startup.md
+++ b/windows/client-management/troubleshoot-windows-startup.md
@@ -1,6 +1,6 @@
---
title: Advanced troubleshooting for Windows start-up issues
-description: Learn how to troubleshoot Windows start-up issues.
+description: Learn advanced options for how to troubleshoot common Windows start-up issues, like system crashes and freezes.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md
index 8c30018235..671e14612b 100644
--- a/windows/client-management/windows-10-support-solutions.md
+++ b/windows/client-management/windows-10-support-solutions.md
@@ -1,6 +1,6 @@
---
title: Troubleshooting Windows 10
-description: Get links to troubleshooting articles for Windows 10 issues
+description: Learn where to find information about troubleshooting Windows 10 issues, for example Bitlocker issues and bugcheck errors.
ms.reviewer: kaushika
manager: dansimp
ms.prod: w10
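Review bot: In the added description, "Bitlocker" should be spelled "BitLocker". "bugcheck errors" is also written "bug check errors" in the troubleshoot-stop-errors.md description changed in this same patch; pick one spelling for both.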
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
index 700b2a16cc..875beb0290 100644
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -2,7 +2,7 @@
title: Change history for Configure Windows 10 (Windows 10)
ms.reviewer:
manager: dansimp
-description: View changes to documentation for configuring Windows 10.
+description: Learn about new and updated topics in the Configure Windows 10 documentation for Windows 10 and Windows 10 Mobile.
keywords:
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md
index 0a333370c9..fe5186f6cf 100644
--- a/windows/configuration/changes-to-start-policies-in-windows-10.md
+++ b/windows/configuration/changes-to-start-policies-in-windows-10.md
@@ -1,6 +1,6 @@
---
title: Changes to Group Policy settings for Windows 10 Start menu (Windows 10)
-description: Windows 10 has a brand new Start experience.
+description: Learn about changes to Group Policy settings for the Windows 10 Start menu. Also, learn about the new Windows 10 Start experience.
ms.assetid: 612FB68A-3832-451F-AA97-E73791FEAA9F
ms.reviewer:
manager: dansimp
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md
index 037e389943..1e6ec5db4b 100644
--- a/windows/configuration/configure-windows-10-taskbar.md
+++ b/windows/configuration/configure-windows-10-taskbar.md
@@ -1,6 +1,6 @@
---
title: Configure Windows 10 taskbar (Windows 10)
-description: Admins can pin apps to users' taskbars.
+description: Administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file.
keywords: ["taskbar layout","pin apps"]
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
index 9b2fcfb9c3..d89ff3d90b 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
@@ -1,6 +1,6 @@
---
title: Send feedback about Cortana at work back to Microsoft
-description: How to send feedback to Microsoft about Cortana at work.
+description: Learn how to send feedback to Microsoft about Cortana at work so you can provide more information to help diagnose reported issues..
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
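Review bot: The added description ends with a doubled period ("reported issues.."); drop one.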
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index 5158bc4ada..5d8a6999f8 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -32,11 +32,11 @@ Cortana requires a PC running Windows 10, version 1703 or later, as well as the
>[!NOTE]
>A microphone isn't required to use Cortana.
-|**Software** |**Minimum version** |
+| Software | Minimum version |
|---------|---------|
|Client operating system | Desktop:
- Windows 10, version 2004 (recommended)
- Windows 10, version 1703 (legacy version of Cortana)
Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana)
For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-overview#how-is-my-data-processed-by-cortana) below. |
-|Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn’t required. |
-|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word (“Cortana”) for hands-free activation or voice commands to easily ask for help. |
+|Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn't required. |
+|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. |
## Signing in using Azure AD
@@ -55,7 +55,7 @@ Cortana enterprise services that can be accessed using Azure AD through Cortana
The table below describes the data handling for Cortana enterprise services.
-|**Name** |**Description** |
+| Name | Description |
|---------|---------|
|**Storage** |Customer Data is stored on Microsoft servers inside the Office 365 cloud. Your data is part of your tenant. Speech audio is not retained. |
|**Stays in Geo** |Customer Data is stored on Microsoft servers inside the Office 365 cloud in Geo. Your data is part of your tenant. |
@@ -66,7 +66,7 @@ The table below describes the data handling for Cortana enterprise services.
#### How does the wake word (Cortana) work? If I enable it, is Cortana always listening?
>[!NOTE]
->The wake word has been temporarily disabled in the latest version of Cortana in Windows but will be restored soon. You can still click on the microphone button to use your voice with Cortana.
+>The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana.
Cortana only begins listening for commands or queries when the wake word is detected, or the microphone button has been selected.
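Review bot: The rewritten note still says "click on the microphone button", while the provisioning-create-package.md changes in this patch replace "click" with "select" throughout; use "select" here too. The same note text, including build 19041.329, is also added to cortana-at-work-scenario-1.md, so any later change to the build number has to be made in both files.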
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index de5e546244..e2dfea47f8 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -1,5 +1,5 @@
---
-title: Sign-in to Azure AD and manage notebook with Cortana (Windows 10)
+title: Sign into Azure AD, enable the wake word, and try a voice query
description: A test scenario walking you through signing in and managing the notebook.
ms.prod: w10
ms.mktglfcycl: manage
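Review bot: The new title no longer matches the unchanged `description:` line directly below it, which still says "signing in and managing the notebook". Update the description to cover enabling the wake word and trying a voice query, so the title, the description and the H1 agree.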
@@ -7,7 +7,6 @@ ms.sitesec: library
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp
-ms.date: 10/05/2017
ms.reviewer:
manager: dansimp
---
@@ -15,7 +14,7 @@ manager: dansimp
# Test scenario 1 – Sign into Azure AD, enable the wake word, and try a voice query
>[!NOTE]
->The wake word has been temporarily disabled in the latest version of Cortana in Windows but will be restored soon.
+>The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana.
1. Select the **Cortana** icon in the task bar and sign in using your Azure AD account.
@@ -23,13 +22,13 @@ manager: dansimp
3. Toggle **Wake word** to **On** and close Cortana.
-4. Say **Cortana, what can you do?**.
+4. Say **Cortana, what can you do?**
-When you say **Cortana**, Cortana will open in listening mode to acknowledge the wake word.
+ When you say **Cortana**, Cortana will open in listening mode to acknowledge the wake word.
-:::image type="content" source="../screenshot4.png" alt-text="Screenshot: Cortana listening mode":::
+ :::image type="content" source="../screenshot4.png" alt-text="Screenshot: Cortana listening mode":::
-Once you finish saying your query, Cortana will open with the result.
+ Once you finish saying your query, Cortana will open with the result.
>[!NOTE]
->If you've disabled the wake word using MDM or Group Policy, you will need to manually activate the microphone by selecting Cortana, then the mic button.
\ No newline at end of file
+>If you've disabled the wake word using MDM or Group Policy, you will need to manually activate the microphone by selecting Cortana, then the mic button.
diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md
index c319385e70..0ff39ff4c9 100644
--- a/windows/configuration/kiosk-methods.md
+++ b/windows/configuration/kiosk-methods.md
@@ -3,7 +3,7 @@ title: Configure kiosks and digital signs on Windows desktop editions (Windows 1
ms.reviewer:
manager: dansimp
ms.author: dansimp
-description: Learn about the methods for configuring kiosks.
+description: In this article, learn about the methods for configuring kiosks and digital signs on Windows desktop editions.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md
index f4825a951e..f7be8e35d2 100644
--- a/windows/configuration/kiosk-prepare.md
+++ b/windows/configuration/kiosk-prepare.md
@@ -1,6 +1,6 @@
---
title: Prepare a device for kiosk configuration (Windows 10)
-description: Some tips for device settings on kiosks.
+description: Learn how to prepare a device for kiosk configuration. Also, learn about the recommended kiosk configuration changes.
ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
ms.reviewer:
manager: dansimp
diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md
index 6a42e81700..479b7ca96e 100644
--- a/windows/configuration/kiosk-troubleshoot.md
+++ b/windows/configuration/kiosk-troubleshoot.md
@@ -1,6 +1,6 @@
---
title: Troubleshoot kiosk mode issues (Windows 10)
-description: Tips for troubleshooting multi-app kiosk configuration.
+description: Learn how to troubleshoot single-app and multi-app kiosk configurations, as well as common problems like sign-in issues.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
ms.reviewer:
manager: dansimp
diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md
index 34b8124fa2..02e0fbc422 100644
--- a/windows/configuration/kiosk-validate.md
+++ b/windows/configuration/kiosk-validate.md
@@ -1,6 +1,6 @@
---
title: Validate kiosk configuration (Windows 10)
-description: Learn what to expect on a multi-app kiosk in Windows 10 Pro, Enterprise, and Education.
+description: In this article, learn what to expect on a multi-app kiosk in Windows 10 Pro, Enterprise, and Education.
ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
ms.reviewer:
manager: dansimp
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index 3de98a5454..f82225a7fe 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -1,6 +1,6 @@
---
title: Provision PCs with apps (Windows 10)
-description: Add apps to a Windows 10 provisioning package.
+description: Learn how to install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package.
keywords: ["runtime provisioning", "provisioning package"]
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md
index 035bdf4010..5b464073a9 100644
--- a/windows/configuration/provisioning-packages/provisioning-create-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-create-package.md
@@ -1,6 +1,6 @@
---
title: Create a provisioning package (Windows 10)
-description: Learn how to create a provisioning package for Windows 10. Provisioning packages let you quickly configure a device without having to install a new image.
+description: Learn how to create a provisioning package for Windows 10, which lets you quickly configure a device without having to install a new image.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -21,44 +21,46 @@ manager: dansimp
- Windows 10
- Windows 10 Mobile
-You use Windows Configuration Designer to create a provisioning package (.ppkg) that contains customization settings. You can apply the provisioning package to a device running Windows 10 or Windows 10 Mobile.
+You can use Windows Configuration Designer to create a provisioning package (.ppkg) that contains customization settings, and then apply the provisioning package to a device running Windows 10 or Windows 10 Mobile.
>[Learn how to install Windows Configuration Designer.](provisioning-install-icd.md)
->[!TIP]
->We recommend creating a local admin account when developing and testing your provisioning package. We also recommend using a “least privileged” domain user account to join devices to the Active Directory domain.
+> [!TIP]
+> We recommend creating a local admin account when you develop and test your provisioning package. We also recommend using a *least privileged* domain user account to join devices to the Active Directory domain.
## Start a new project
1. Open Windows Configuration Designer:
- - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut,
+ - From either the Start screen or Start menu search, type **Windows Configuration Designer**, and then select the **Windows Configuration Designer** shortcut.
or
- - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**.
+ - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then select **ICD.exe**.
2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image:

- - The wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices. Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop, mobile, and kiosk devices, see [What you can configure using Configuration Designer wizardS](provisioning-packages.md#configuration-designer-wizards).
+ - The following wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices:
- [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
- [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
- [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard)
- [Instructions for HoloLens wizard](https://technet.microsoft.com/itpro/hololens/hololens-provisioning)
- [Instructions for Surface Hub wizard](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub)
+
+ Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop, mobile, and kiosk devices, see [What you can configure using Configuration Designer wizards](provisioning-packages.md#configuration-designer-wizards).
- - The **Advanced provisioning** option opens a new project with all **Runtime settings** available. *The rest of this procedure uses advanced provisioning.*
+ - The **Advanced provisioning** option opens a new project with all the runtime settings available. (The rest of this procedure uses advanced provisioning.)
>[!TIP]
> You can start a project in the simple wizard editor and then switch the project to the advanced editor.
>
> 
-3. Enter a name for your project, and then click **Next**.
+3. Enter a name for your project, and then select **Next**.
-4. Select the settings you want to configure, based on the type of device, and then click **Next**. The following table describes the options.
+4. Select the settings you want to configure, based on the type of device, and then select **Next**. The following table describes the options.
| Windows edition | Settings available for customization | Provisioning package can apply to |
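Review bot: In step 2, the new lead-in says the "following wizard options" are for "desktop, mobile, and kiosk devices", but the list under it still includes the HoloLens and Surface Hub wizards, and the sentence moved below the list then says wizards are "also available" for those two devices. Either split the list so the HoloLens and Surface Hub links follow that sentence, or widen the lead-in to cover all five. In step 1, "navigate to ... and then select **ICD.exe**" now replaces "double-click"; the x64 path stops at the `x86` folder while the x86 path already ends in `\ICD.exe`, so the two paths should be made consistent and the step should say to open the file.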
@@ -71,12 +73,12 @@ You use Windows Configuration Designer to create a provisioning package (.ppkg)
| Common to Windows 10 Team edition | Common settings and settings specific to Windows 10 Team | [Microsoft Surface Hub](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) |
-5. On the **Import a provisioning package (optional)** page, you can click **Finish** to create your project, or browse to and select an existing provisioning package to import to your project, and then click **Finish**.
+5. On the **Import a provisioning package (optional)** page, you can select **Finish** to create your project, or browse to and select an existing provisioning package to import to your project, and then select **Finish**.
>[!TIP]
->**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that contains the settings for your organization's network, and then import it into other packages you create so you don't have to reconfigure those common settings repeatedly.
+>**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that contains the settings for your organization's network, and then import it into other packages that you create so you don't have to reconfigure those common settings repeatedly.
-After you click **Finish**, Windows Configuration Designer will open the **Available customizations** pane and you can then configure settings for the package.
+6. In the **Available customizations** pane, you can now configure settings for the package.
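Review bot: The new step 6 drops the statement that Windows Configuration Designer opens the **Available customizations** pane after **Finish** is selected, so the reader is no longer told how that pane appears. Keep that cue, for example "After you select **Finish**, the **Available customizations** pane opens, where you can configure settings for the package." The unindented `>[!TIP]` block also sits between steps 5 and 6 at column 0, which can end the numbered list before step 6; indent it under step 5.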
@@ -94,7 +96,7 @@ The process for configuring settings is similar for all settings. The following
@@ -106,39 +108,39 @@ For details on each specific setting, see [Windows Provisioning settings referen
## Build package
-1. After you're done configuring your customizations, click **Export** and select **Provisioning Package**.
+1. After you're done configuring your customizations, select **Export**, and then select **Provisioning Package**.

-2. In the **Describe the provisioning package** window, enter the following information, and then click **Next**:
+2. In the **Describe the provisioning package** window, enter the following information, and then select **Next**:
- **Name** - This field is pre-populated with the project name. You can change this value by entering a different name in the **Name** field.
- - **Version (in Major.Minor format** - - Optional. You can change the default package version by specifying a new value in the **Version** field.
+ - **Version (in Major.Minor format** - Optional. You can change the default package version by specifying a new value in the **Version** field.
- **Owner** - Select **IT Admin**. For more information, see [Precedence for provisioning packages](provisioning-how-it-works.md#precedence-for-provisioning-packages).
- **Rank (between 0-99)** - Optional. You can select a value between 0 and 99, inclusive. The default package rank is 0.
-3. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate. Both selections are optional. Click **Next** after you make your selections.
+3. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate, and then select **Next**. Both selections are optional:
- **Encrypt package** - If you select this option, an auto-generated password will be shown on the screen.
- - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package.
+ - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by selecting **Select** and choosing the certificate you want to use to sign the package.
>[!NOTE]
- >You should only configure provisioning package security when the package is used for device provisioning and the package has contents with sensitive security data such as certificates or credentials that should be prevented from being compromised. When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device.
+ >You should only configure provisioning package security when the package is used for device provisioning and when the package has content with sensitive security data, such as certificates or credentials that should be prevented from being compromised. When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device.
>
>If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner.
-4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then click **Next**. By default, Windows Configuration Designer uses the project folder as the output location.
+4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then select **Next**. By default, Windows Configuration Designer uses the project folder as the output location.
-5. In the **Build the provisioning package** window, click **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
+5. In the **Build the provisioning package** window, select **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
- If you need to cancel the build, click Cancel. This cancels the current build process, closes the wizard, and takes you back to the Customizations Page.
+ If you need to cancel the build, select **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations** page.
-6. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
+6. If your build fails, an error message will appear that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+ If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, select **Back** to change the output package name and path, and then select **Next** to start another build.
-7. When you are done, click **Finish** to close the wizard and go back to the Customizations page.
+7. When you are done, select **Finish** to close the wizard and go back to the **Customizations** page.
**Next step**: [How to apply a provisioning package](provisioning-apply-package.md)
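Review bot: The added note at the top of this part of the hunk says an encrypted and/or signed package can "be trusted without explicit user consent", which is broader than the context paragraph directly below it. That paragraph says consent is skipped only when the package is signed by a trusted provisioner and **TrustedProvisioners** was set beforehand ("This is the only way to install a package without user consent"). As worded, the new sentence can be read as any signed package bypassing the prompt. Suggest "and, if signed by a trusted provisioner, be trusted without explicit user consent". Also check "the setting UI" in the same line, which reads like a slip for the Settings UI.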
diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md
index f1bf1aa323..6fc7d6234f 100644
--- a/windows/configuration/provisioning-packages/provisioning-install-icd.md
+++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md
@@ -1,6 +1,6 @@
---
title: Install Windows Configuration Designer (Windows 10)
-description: Learn how to install and run Windows Configuration Designer.
+description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md
index beff0509a7..37c8bc44ec 100644
--- a/windows/configuration/start-layout-troubleshoot.md
+++ b/windows/configuration/start-layout-troubleshoot.md
@@ -1,6 +1,6 @@
---
title: Troubleshoot Start menu errors
-description: Troubleshoot common errors related to Start menu in Windows 10.
+description: Learn how to troubleshoot common Start menu errors in Windows 10. For example, learn to troubleshoot errors related to deployment, crashes, and performance.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
index e6a50b2114..110c062f57 100644
--- a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
@@ -1,6 +1,6 @@
---
title: Administering UE-V with Windows PowerShell and WMI
-description: Administering UE-V with Windows PowerShell and WMI
+description: Learn how User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks.
author: trudyha
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md
index 16154765ea..1b5004453a 100644
--- a/windows/configuration/ue-v/uev-administering-uev.md
+++ b/windows/configuration/ue-v/uev-administering-uev.md
@@ -1,6 +1,6 @@
---
title: Administering UE-V
-description: Administering UE-V
+description: Learn how to perform administrative tasks for User Experience Virtualization (UE-V). These tasks include configuring the UE-V service and recovering lost settings.
author: trudyha
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md
index f9fb4b255a..6ca0f295e0 100644
--- a/windows/configuration/ue-v/uev-application-template-schema-reference.md
+++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md
@@ -1,6 +1,6 @@
---
title: Application Template Schema Reference for UE-V
-description: Application Template Schema Reference for UE-V
+description: Learn details about the XML structure of the UE-V settings location templates and learn how to edit these files.
author: trudyha
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
index 63eb702d7d..508ec913ff 100644
--- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
+++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
@@ -1,6 +1,6 @@
---
title: Changing the Frequency of UE-V Scheduled Tasks
-description: Changing the Frequency of UE-V Scheduled Tasks
+description: Learn how to create a script that uses the Schtasks.exe command-line options so you can change the frequency of UE-V scheduled tasks.
author: trudyha
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
index fbaeb69dbf..169e31075f 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
@@ -1,6 +1,6 @@
---
title: Configuring UE-V with Group Policy Objects
-description: Configuring UE-V with Group Policy Objects
+description: In this article, learn how to configure User Experience Virtualization (UE-V) with Group Policy objects.
author: trudyha
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
index f7f8d70fcd..f4ea6d2a5f 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
@@ -1,6 +1,6 @@
---
title: Configuring UE-V with Microsoft Endpoint Configuration Manager
-description: Configuring UE-V with Microsoft Endpoint Configuration Manager
+description: Learn how to configure User Experience Virtualization (UE-V) with Microsoft Endpoint Configuration Manager.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md
index b8b4cb2155..04cf9543e9 100644
--- a/windows/configuration/ue-v/uev-deploy-required-features.md
+++ b/windows/configuration/ue-v/uev-deploy-required-features.md
@@ -1,6 +1,6 @@
---
title: Deploy required UE-V features
-description: Deploy required UE-V features
+description: Learn how to install and configure User Experience Virtualization (UE-V) features, for example a network share that stores and retrieves user settings.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
index 918e018c48..8e69dc7cf3 100644
--- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
+++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
@@ -1,6 +1,6 @@
---
title: Use UE-V with custom applications
-description: Use UE-V with custom applications
+description: Use User Experience Virtualization (UE-V) to create your own custom settings location templates with the UE-V template generator.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md
index d67437503a..28a035aedc 100644
--- a/windows/configuration/ue-v/uev-getting-started.md
+++ b/windows/configuration/ue-v/uev-getting-started.md
@@ -1,6 +1,6 @@
---
title: Get Started with UE-V
-description: Get Started with UE-V
+description: Use the steps in this article to deploy User Experience Virtualization (UE-V) for the first time in a test environment.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
index 9b68ba56df..375f826703 100644
--- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
+++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
@@ -1,6 +1,6 @@
---
title: Manage Administrative Backup and Restore in UE-V
-description: Manage Administrative Backup and Restore in UE-V
+description: Learn how an administrator of User Experience Virtualization (UE-V) can back up and restore application and Windows settings to their original state.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-manage-configurations.md b/windows/configuration/ue-v/uev-manage-configurations.md
index 71d5841793..7189998439 100644
--- a/windows/configuration/ue-v/uev-manage-configurations.md
+++ b/windows/configuration/ue-v/uev-manage-configurations.md
@@ -1,6 +1,6 @@
---
title: Manage Configurations for UE-V
-description: Manage Configurations for UE-V
+description: Learn to manage the configuration of the User Experience Virtualization (UE-V) service and also learn to manage storage locations for UE-V resources.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-migrating-settings-packages.md b/windows/configuration/ue-v/uev-migrating-settings-packages.md
index 4ed5adc8a9..f9658f41a1 100644
--- a/windows/configuration/ue-v/uev-migrating-settings-packages.md
+++ b/windows/configuration/ue-v/uev-migrating-settings-packages.md
@@ -1,6 +1,6 @@
---
title: Migrating UE-V settings packages
-description: Migrating UE-V settings packages
+description: Learn to relocate User Experience Virtualization (UE-V) user settings packages either when you migrate to a new server or when you perform backups.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md
index c56e5b4661..e10d20444a 100644
--- a/windows/configuration/ue-v/uev-prepare-for-deployment.md
+++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md
@@ -1,6 +1,6 @@
---
title: Prepare a UE-V Deployment
-description: Prepare a UE-V Deployment
+description: Learn about the types of User Experience Virtualization (UE-V) deployment you can execute and what preparations you can make beforehand to be successful.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md
index d61075e1bd..663afd38eb 100644
--- a/windows/configuration/ue-v/uev-release-notes-1607.md
+++ b/windows/configuration/ue-v/uev-release-notes-1607.md
@@ -1,6 +1,6 @@
---
title: User Experience Virtualization (UE-V) Release Notes
-description: Read the latest information required to successfully install and use UE-V that is not included in the User Experience Virtualization (UE-V) documentation.
+description: Read the latest information required to successfully install and use User Experience Virtualization (UE-V) that is not included in the UE-V documentation.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-security-considerations.md b/windows/configuration/ue-v/uev-security-considerations.md
index a036b1fb3a..c45565ed5f 100644
--- a/windows/configuration/ue-v/uev-security-considerations.md
+++ b/windows/configuration/ue-v/uev-security-considerations.md
@@ -1,6 +1,6 @@
---
title: Security Considerations for UE-V
-description: Security Considerations for UE-V
+description: Learn about accounts and groups, log files, and other security-related considerations for User Experience Virtualization (UE-V).
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-sync-methods.md b/windows/configuration/ue-v/uev-sync-methods.md
index ebe670eed2..02d1e1d9af 100644
--- a/windows/configuration/ue-v/uev-sync-methods.md
+++ b/windows/configuration/ue-v/uev-sync-methods.md
@@ -1,6 +1,6 @@
---
title: Sync Methods for UE-V
-description: Sync Methods for UE-V
+description: Learn how User Experience Virtualization (UE-V) service sync methods let you synchronize users’ application and Windows settings with the settings storage location.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-sync-trigger-events.md b/windows/configuration/ue-v/uev-sync-trigger-events.md
index 3dc4b9727d..0db2a582f4 100644
--- a/windows/configuration/ue-v/uev-sync-trigger-events.md
+++ b/windows/configuration/ue-v/uev-sync-trigger-events.md
@@ -1,6 +1,6 @@
---
title: Sync Trigger Events for UE-V
-description: Sync Trigger Events for UE-V
+description: Learn how User Experience Virtualization (UE-V) lets you synchronize your application and Windows settings across all your domain-joined devices.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
index 3bf783b488..32ed4968bb 100644
--- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
+++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
@@ -1,6 +1,6 @@
---
title: Synchronizing Microsoft Office with UE-V
-description: Synchronizing Office with UE-V
+description: Learn how User Experience Virtualization (UE-V) supports the synchronization of Microsoft Office application settings.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-technical-reference.md b/windows/configuration/ue-v/uev-technical-reference.md
index 5edddf9109..8f0feaabbc 100644
--- a/windows/configuration/ue-v/uev-technical-reference.md
+++ b/windows/configuration/ue-v/uev-technical-reference.md
@@ -1,6 +1,6 @@
---
title: Technical Reference for UE-V
-description: Technical Reference for UE-V
+description: Use this technical reference to learn about the various features of User Experience Virtualization (UE-V).
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-troubleshooting.md b/windows/configuration/ue-v/uev-troubleshooting.md
index 9683bd771d..7e51868298 100644
--- a/windows/configuration/ue-v/uev-troubleshooting.md
+++ b/windows/configuration/ue-v/uev-troubleshooting.md
@@ -1,6 +1,6 @@
---
title: Troubleshooting UE-V
-description: Find resources for troubleshooting UE-V for Windows 10.
+description: Use this technical reference to find resources for troubleshooting User Experience Virtualization (UE-V) for Windows 10.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
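Review bot: The new description opens with "Use this technical reference to find resources", but the title of this page is "Troubleshooting UE-V", and the same "Use this technical reference" opener is already used for uev-technical-reference.md earlier in this patch. Suggest wording that matches the page, for example "Find resources for troubleshooting User Experience Virtualization (UE-V) for Windows 10.", so the two pages do not read as duplicates in search results.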
diff --git a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
index c17b9cedb8..09d5d2ace3 100644
--- a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
+++ b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
@@ -1,6 +1,6 @@
---
title: What's New in UE-V for Windows 10, version 1607
-description: What's New in UE-V for Windows 10, version 1607
+description: Learn about what's new in User Experience Virtualization (UE-V) for Windows 10, including new features and capabilities.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md
index c5fc3f7733..5fcc9f5c5c 100644
--- a/windows/configuration/windows-spotlight.md
+++ b/windows/configuration/windows-spotlight.md
@@ -44,7 +44,7 @@ For managed devices running Windows 10 Enterprise and Windows 10 Education, en
- **Feature suggestions, fun facts, tips**
- The lock screen background will occasionally make reccomendations on how to enhance your productivity and enjoyment of Microsoft products including suggesting other relevant Microsoft products and services.
+ The lock screen background will occasionally make recommendations on how to enhance your productivity and enjoyment of Microsoft products including suggesting other relevant Microsoft products and services.

diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index 27f6ebfdc9..b558969815 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -44,7 +44,7 @@
- name: Define your servicing strategy
href: update/plan-define-strategy.md
- name: Delivery Optimization for Windows 10 updates
- href: update/waas-delivery-optimization-reference.md
+ href: update/waas-delivery-optimization.md
- name: Best practices for feature updates on mission-critical devices
href: update/feature-update-mission-critical.md
- name: Windows 10 deployment considerations
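Review bot: The `href` for "Delivery Optimization for Windows 10 updates" now points at update/waas-delivery-optimization.md, and nothing in this hunk keeps an entry for update/waas-delivery-optimization-reference.md. Please confirm the new target exists and that the reference page is still reachable from another TOC node or a redirect. If not, the reference page is orphaned from navigation.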
diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md
index e90d44c1b5..c28a60db3e 100644
--- a/windows/deployment/deploy-m365.md
+++ b/windows/deployment/deploy-m365.md
@@ -3,7 +3,7 @@ title: Deploy Windows 10 with Microsoft 365
ms.reviewer:
manager: laurawi
ms.author: greglin
-description: Concepts about deploying Windows 10 for M365
+description: Learn about deploying Windows 10 with Microsoft 365 and how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index cff09982d3..519ec80cf3 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -3,7 +3,7 @@ title: What's new in Windows 10 deployment
ms.reviewer:
manager: laurawi
ms.author: greglin
-description: Changes and new features related to Windows 10 deployment
+description: Use this article to learn about new solutions and online content related to deploying Windows 10 in your organization.
keywords: deployment, automate, tools, configure, news
ms.mktglfcycl: deploy
ms.localizationpriority: medium
diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md
index 9480bdbc84..e0be07468b 100644
--- a/windows/deployment/deploy-windows-to-go.md
+++ b/windows/deployment/deploy-windows-to-go.md
@@ -1,6 +1,6 @@
---
title: Deploy Windows To Go in your organization (Windows 10)
-description: This topic helps you to deploy Windows To Go in your organization.
+description: Learn how to deploy Windows To Go in your organization through a wizard in the user interface as well as programatically with Windows PowerShell.
ms.assetid: cfe550be-ffbd-42d1-ab4d-80efae49b07f
ms.reviewer:
manager: laurawi
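Review bot: Typo in the added description: "programatically" should be "programmatically". This string is surfaced in search results, so it is worth fixing before merge.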
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index f665e396be..5afc9307e1 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -1,6 +1,6 @@
---
title: Deploy Windows 10 (Windows 10)
-description: Learn Windows 10 upgrade options for planning, testing, and managing your production deployment.
+description: Learn about Windows 10 upgrade options for planning, testing, and managing your production deployment.
ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 90f83f5802..94f57a06d9 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -1,6 +1,6 @@
---
title: MBR2GPT
-description: How to use the MBR2GPT tool to convert MBR partitions to GPT
+description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk.
keywords: deploy, troubleshoot, windows, 10, upgrade, partition, mbr, gpt
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md
index 41c34aec02..36a7463bcc 100644
--- a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md
+++ b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md
@@ -1,6 +1,6 @@
---
title: Best practice recommendations for Windows To Go (Windows 10)
-description: Best practice recommendations for Windows To Go
+description: Learn about best practice recommendations for using Windows To Go, like using a USB 3.0 port with Windows to Go if it's available.
ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86
ms.reviewer:
manager: laurawi
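Review bot: Product name casing is inconsistent inside the added description: it uses "Windows To Go" once and then "Windows to Go" ("with Windows to Go if it's available"). Use "Windows To Go" both times to match the title.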
diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
index 8724e8278a..13c1aa16fd 100644
--- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
+++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
@@ -1,6 +1,6 @@
---
title: Deployment considerations for Windows To Go (Windows 10)
-description: Deployment considerations for Windows To Go
+description: Learn about deployment considerations for Windows To Go, such as the boot experience, deployment methods, and tools that you can use with Windows To Go.
ms.assetid: dcfc5d96-b96b-44cd-ab65-416b5611c65e
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/planning/features-lifecycle.md b/windows/deployment/planning/features-lifecycle.md
index a59b98bcff..0f635b9f80 100644
--- a/windows/deployment/planning/features-lifecycle.md
+++ b/windows/deployment/planning/features-lifecycle.md
@@ -1,6 +1,6 @@
---
title: Windows 10 features lifecycle
-description: Learn about the lifecycle of Windows 10 features
+description: Learn about the lifecycle of Windows 10 features, as well as features that are no longer developed, removed features, and terminology assigned to a feature.
ms.prod: w10
ms.mktglfcycl: plan
ms.localizationpriority: medium
diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md
index bd70149a69..65c52cf2dd 100644
--- a/windows/deployment/planning/windows-10-removed-features.md
+++ b/windows/deployment/planning/windows-10-removed-features.md
@@ -1,6 +1,6 @@
---
title: Windows 10 - Features that have been removed
-description: Learn about features and functionality that has been removed or replaced in Windows 10
+description: In this article, learn about the features and functionality that have been removed or replaced in Windows 10.
ms.prod: w10
ms.mktglfcycl: plan
ms.localizationpriority: medium
diff --git a/windows/deployment/update/feature-update-conclusion.md b/windows/deployment/update/feature-update-conclusion.md
index 5c72afc8c0..a23c157317 100644
--- a/windows/deployment/update/feature-update-conclusion.md
+++ b/windows/deployment/update/feature-update-conclusion.md
@@ -1,6 +1,6 @@
---
title: Best practices for feature updates - conclusion
-description: Final thoughts about how to deploy feature updates
+description: This article includes final thoughts about how to deploy and stay up-to-date with Windows 10 feature updates.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md
index 5e3223976c..2df56fa684 100644
--- a/windows/deployment/update/feature-update-maintenance-window.md
+++ b/windows/deployment/update/feature-update-maintenance-window.md
@@ -1,6 +1,6 @@
---
title: Best practices - deploy feature updates during maintenance windows
-description: Learn how to deploy feature updates during a maintenance window
+description: Learn how to configure maintenance windows and how to deploy feature updates during a maintenance window.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md
index 760c0f0182..69b91b9184 100644
--- a/windows/deployment/update/feature-update-mission-critical.md
+++ b/windows/deployment/update/feature-update-mission-critical.md
@@ -1,6 +1,6 @@
---
title: Best practices and recommendations for deploying Windows 10 Feature updates to mission-critical devices
-description: Learn how to deploy feature updates to your mission-critical devices
+description: Learn how to use the Microsoft Endpoint Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
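Review bot: The new description drops the one thing that distinguishes this page. The title is about deploying feature updates "to mission-critical devices", but the added text only mentions Configuration Manager and semi-annual feature updates. Suggest keeping "mission-critical devices" in the description so it does not read the same as the other feature-update best-practice pages in this patch.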
diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md
index e22be01edd..254703b4dc 100644
--- a/windows/deployment/update/feature-update-user-install.md
+++ b/windows/deployment/update/feature-update-user-install.md
@@ -1,6 +1,6 @@
---
title: Best practices - deploy feature updates for user-initiated installations
-description: Learn how to manually deploy feature updates
+description: Learn recommendations and best practices for manually deploying a feature update for a user-initiated installation.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
index adb1e56155..232fb2748c 100644
--- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
+++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
@@ -1,6 +1,6 @@
---
title: Olympia Corp enrollment guidelines
-description: Olympia Corp enrollment guidelines
+description: Learn about the Olympia Corp enrollment and setting up an Azure Active Directory-REGISTERED Windows 10 device or an Azure Active Directory-JOINED Windows 10 device.
ms.author: jaimeo
ms.topic: article
ms.prod: w10
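Review bot: "Azure Active Directory-REGISTERED" and "Azure Active Directory-JOINED" in the added description are in all caps, which reads as shouting in a search snippet. Unless the capitals are a deliberate product convention, use "Azure Active Directory-registered" and "Azure Active Directory-joined".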
diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md
index c3c6abb633..1fa0437e08 100644
--- a/windows/deployment/update/update-compliance-delivery-optimization.md
+++ b/windows/deployment/update/update-compliance-delivery-optimization.md
@@ -2,7 +2,7 @@
title: Delivery Optimization in Update Compliance (Windows 10)
ms.reviewer:
manager: laurawi
-description: new Delivery Optimization data displayed in Update Compliance
+description: Learn how the Update Compliance solution provides you with information about your Delivery Optimization configuration.
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: deploy
diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md
index 312c0ec84c..6be6180063 100644
--- a/windows/deployment/update/update-compliance-feature-update-status.md
+++ b/windows/deployment/update/update-compliance-feature-update-status.md
@@ -2,7 +2,7 @@
title: Update Compliance - Feature Update Status report
ms.reviewer:
manager: laurawi
-description: Find the latest status of feature updates with an overview of the Feature Update Status report.
+description: Learn how the Feature Update Status report provides information about the status of feature updates across all devices.
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: deploy
diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md
index f17250eec3..78b60d2c7a 100644
--- a/windows/deployment/update/update-compliance-need-attention.md
+++ b/windows/deployment/update/update-compliance-need-attention.md
@@ -2,8 +2,7 @@
title: Update Compliance - Need Attention! report
ms.reviewer:
manager: laurawi
-description: an overview of the Update Compliance Need Attention! report
-ms.prod: w10
+description: Learn how the Needs attention! section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance.
ms.mktglfcycl: deploy
ms.pagetype: deploy
audience: itpro
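Review bot: This hunk removes `ms.prod: w10` along with the old description and adds nothing back (the header goes from 8 lines to 7), so the file loses its `ms.prod` metadata. That looks accidental for a description-only change; the sibling Update Compliance files in this patch keep `ms.prod: w10` as context. Restore the line. Separately, the new description says "Needs attention!" while the title two lines up says "Need Attention!"; match the title.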
diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md
index 67cc9067ac..5396a3f77c 100644
--- a/windows/deployment/update/update-compliance-security-update-status.md
+++ b/windows/deployment/update/update-compliance-security-update-status.md
@@ -2,7 +2,7 @@
title: Update Compliance - Security Update Status report
ms.reviewer:
manager: laurawi
-description: an overview of the Security Update Status report
+description: Learn how the Security Update Status section provides information about security updates across all devices.
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: deploy
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index b61cef1778..09cf255a00 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -2,7 +2,7 @@
title: Using Update Compliance (Windows 10)
ms.reviewer:
manager: laurawi
-description: Explains how to begin using Update Compliance.
+description: Learn how to use Update Compliance to monitor your device's Windows updates and Microsoft Defender Antivirus status.
keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index e1866cfcc0..0031ab8ee0 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -1,6 +1,6 @@
---
title: Manage device restarts after updates (Windows 10)
-description: tbd
+description: Use Group Policy settings, mobile device management (MDM) or Registry to configure when devices will restart after a Windows 10 update is installed.
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index 2eae42de3a..e9be73508c 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -1,6 +1,6 @@
---
title: Assign devices to servicing channels for Windows 10 updates (Windows 10)
-description: tbd
+description: Learn how to assign devices to servicing channels for Windows 10 updates locally, by using Group Policy, and by using MDM .
ms.prod: w10
ms.mktglfcycl: deploy
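Review bot: Stray space before the final period in the added description ("by using MDM ."). Change to "by using MDM."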
diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md
index eb75d04c0c..471073ea8f 100644
--- a/windows/deployment/update/windows-update-error-reference.md
+++ b/windows/deployment/update/windows-update-error-reference.md
@@ -1,6 +1,6 @@
---
title: Windows Update error code list by component
-description: Reference information for Windows Update error codes
+description: Learn about reference information for Windows Update error codes, including automatic update errors, UI errors, and reporter errors.
ms.prod: w10
ms.mktglfcycl:
audience: itpro
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
index 32d22bb62b..68d6b72b20 100644
--- a/windows/deployment/update/windows-update-logs.md
+++ b/windows/deployment/update/windows-update-logs.md
@@ -1,6 +1,6 @@
---
title: Windows Update log files
-description: Learn about the Windows Update log files
+description: Learn about the Windows Update log files and how to merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file.
ms.prod: w10
ms.mktglfcycl:
audience: itpro
diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md
index 17dce5c494..49b83d23f1 100644
--- a/windows/deployment/update/windows-update-resources.md
+++ b/windows/deployment/update/windows-update-resources.md
@@ -1,6 +1,6 @@
---
title: Windows Update - Additional resources
-description: Use these resource to troubleshoot and reset Windows Update.
+description: In this article, learn details about to troubleshooting WSUS and resetting Windows Update components manually.
ms.prod: w10
ms.mktglfcycl:
audience: itpro
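Review bot: The new description is ungrammatical at "learn details about to troubleshooting WSUS". Suggest "In this article, learn details about troubleshooting WSUS and resetting Windows Update components manually."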
diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md
index f2f001b980..32b31d106f 100644
--- a/windows/deployment/update/windows-update-troubleshooting.md
+++ b/windows/deployment/update/windows-update-troubleshooting.md
@@ -1,6 +1,6 @@
---
title: Windows Update troubleshooting
-description: Learn how to troubleshoot Windows Update
+description: Learn about troubleshooting Windows Update, issues related to HTTP/Proxy, and why some features are offered and others aren't.
ms.prod: w10
ms.mktglfcycl:
audience: itpro
@@ -19,9 +19,13 @@ ms.topic: article
If you run into problems when using Windows Update, start with the following steps:
1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**.
+
2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU.
+
3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system:
+ - [Windows 10, version 2004 and Windows Server, version 2004](https://support.microsoft.com/help/4555932)
+ - [Windows 10, version 1909 and Windows Server, version 1909](https://support.microsoft.com/help/4529964)
- [Windows 10, version 1903 and Windows Server, version 1903](https://support.microsoft.com/help/4498140)
- [Windows 10, version 1809 and Windows Server 2019](https://support.microsoft.com/help/4464619/windows-10-update-history)
- [Windows 10, version 1803](https://support.microsoft.com/help/4099479/windows-10-update-history)
@@ -49,8 +53,11 @@ If the update you're offered isn't the most current available, it might be becau
## My device is frozen at scan. Why?
The Settings UI is talking to the Update Orchestrator service which in turn is talking to Windows Update service. If these services stop unexpectedly then you might see this behavior. In such cases, do the following:
+
1. Close the Settings app and reopen it.
+
2. Launch Services.msc and check if the following services are running:
+
- Update State Orchestrator
- Windows Update
@@ -164,7 +171,7 @@ Check that your device can access these Windows Update endpoints:
## Updates aren't downloading from the intranet endpoint (WSUS or Configuration Manager)
Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps:
-1. Start Windows PowerShell as an administrator
+1. Start Windows PowerShell as an administrator.
2. Run \$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager".
3. Run \$MUSM.Services.
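Review bot: Steps 2 and 3, left as context in this hunk, still present the commands as plain text with an escaped `\$` and the sentence period directly after the command, so a copied line can carry the backslash or the trailing period into PowerShell. Since this hunk already touches the list for punctuation, put both commands in inline code, for example `$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"` and `$MUSM.Services`, and keep the period outside the code span.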
diff --git a/windows/deployment/update/wufb-autoupdate.md b/windows/deployment/update/wufb-autoupdate.md
index 49657d8483..0fc1330492 100644
--- a/windows/deployment/update/wufb-autoupdate.md
+++ b/windows/deployment/update/wufb-autoupdate.md
@@ -1,6 +1,6 @@
---
title: Setting up Automatic Update in Windows Update for Business (Windows 10)
-description: Learn how to configure Automatic Update group policies in Windows Update for Business.
+description: In this article, learn how to configure Automatic Update in Windows Update for Business with group policies.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
diff --git a/windows/deployment/update/wufb-onboard.md b/windows/deployment/update/wufb-onboard.md
index 9956826543..de44721666 100644
--- a/windows/deployment/update/wufb-onboard.md
+++ b/windows/deployment/update/wufb-onboard.md
@@ -1,6 +1,6 @@
---
title: Onboarding to Windows Update for Business (Windows 10)
-description: Learn how to get started using Windows Update for Business.
+description: Get started using Windows Update for Business, a tool that enables IT pros and power users to manage content they want to receive from Windows Update Service.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
index 91c5da4243..080018fb21 100644
--- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
+++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
@@ -1,6 +1,6 @@
---
title: Windows Upgrade and Migration Considerations (Windows 10)
-description: Windows Upgrade and Migration Considerations
+description: Discover the Microsoft tools you can use to move files and settings between installations, as well as special considerations for performing an upgrade or migration.
ms.assetid: 7f85095c-5922-45e9-b28e-91b1263c7281
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md
index 4b6585af49..0a5069eff9 100644
--- a/windows/deployment/usmt/migrate-application-settings.md
+++ b/windows/deployment/usmt/migrate-application-settings.md
@@ -1,6 +1,6 @@
---
title: Migrate Application Settings (Windows 10)
-description: Migrate Application Settings
+description: Learn how to author a custom migration .xml file that migrates the settings of an application that isn't migrated by default using MigApp.xml.
ms.assetid: 28f70a83-0a3e-4a6b-968a-2b78ccd3cc07
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md
index c5a12de2fc..84a87a0aac 100644
--- a/windows/deployment/usmt/migration-store-types-overview.md
+++ b/windows/deployment/usmt/migration-store-types-overview.md
@@ -1,6 +1,6 @@
---
title: Migration Store Types Overview (Windows 10)
-description: Migration Store Types Overview
+description: Learn about the migration store types and how to determine which migration store type best suits your needs.
ms.assetid: 3b6ce746-76c6-43ff-8cd5-02ed0ae0cf70
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md
index 2eab7ea7b8..9e83bf7287 100644
--- a/windows/deployment/usmt/offline-migration-reference.md
+++ b/windows/deployment/usmt/offline-migration-reference.md
@@ -1,6 +1,6 @@
---
title: Offline Migration Reference (Windows 10)
-description: Offline Migration Reference
+description: Offline migration enables the ScanState tool to run inside a different Windows OS than the Windows OS from which ScanState is gathering files and settings.
ms.assetid: f347547c-d601-4c3e-8f2d-0138edeacfda
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md
index d21fac244a..eebb4c23d3 100644
--- a/windows/deployment/usmt/understanding-migration-xml-files.md
+++ b/windows/deployment/usmt/understanding-migration-xml-files.md
@@ -1,6 +1,6 @@
---
title: Understanding Migration XML Files (Windows 10)
-description: Modify the behavior of a basic User State Migration Tool (USMT) 10.0 migration by using XML files.
+description: Learn how to modify the behavior of a basic User State Migration Tool (USMT) 10.0 migration by using XML files.
ms.assetid: d3d1fe89-085c-4da8-9657-fd54b8bfc4b7
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md
index 48782e0bdc..81f3d94585 100644
--- a/windows/deployment/usmt/usmt-best-practices.md
+++ b/windows/deployment/usmt/usmt-best-practices.md
@@ -1,6 +1,6 @@
---
title: USMT Best Practices (Windows 10)
-description: USMT Best Practices
+description: Learn about general and security-related best practices when using User State Migration Tool (USMT) 10.0.
ms.assetid: e3cb1e78-4230-4eae-b179-e6e9160542d2
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md
index 682ad7ff15..6985683c08 100644
--- a/windows/deployment/usmt/usmt-choose-migration-store-type.md
+++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md
@@ -1,6 +1,6 @@
---
title: Choose a Migration Store Type (Windows 10)
-description: Choose a Migration Store Type
+description: Learn how to choose a migration store type and estimate the amount of disk space needed for computers in your organization.
ms.assetid: 4e163e90-9c57-490b-b849-2ed52ab6765f
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md
index 045feda6ef..85adbc467d 100644
--- a/windows/deployment/usmt/usmt-command-line-syntax.md
+++ b/windows/deployment/usmt/usmt-command-line-syntax.md
@@ -1,6 +1,6 @@
---
title: User State Migration Tool (USMT) Command-line Syntax (Windows 10)
-description: User State Migration Tool (USMT) Command-line Syntax
+description: Learn about the User State Migration Tool (USMT) command-line syntax for using the ScanState tool, LoadState tool, and UsmtUtils tool.
ms.assetid: f9d205c9-e824-46c7-8d8b-d7e4b52fd514
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-common-issues.md b/windows/deployment/usmt/usmt-common-issues.md
index 3800f43309..44a264cb28 100644
--- a/windows/deployment/usmt/usmt-common-issues.md
+++ b/windows/deployment/usmt/usmt-common-issues.md
@@ -1,6 +1,6 @@
---
title: Common Issues (Windows 10)
-description: Common Issues
+description: Learn about common issues that you might see when you run the User State Migration Tool (USMT) 10.0 tools.
ms.assetid: 5a37e390-8617-4768-9eee-50397fbbb2e1
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md
index db0aad8633..6a280b171a 100644
--- a/windows/deployment/usmt/usmt-configxml-file.md
+++ b/windows/deployment/usmt/usmt-configxml-file.md
@@ -1,6 +1,6 @@
---
title: Config.xml File (Windows 10)
-description: Config.xml File
+description: Learn how the Config.xml file is an optional User State Migration Tool (USMT) 10.0 file that you can create using the /genconfig option with the ScanState.exe tool.
ms.assetid: 9dc98e76-5155-4641-bcb3-81915db538e8
ms.reviewer:
manager: laurawi
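Review bot: The new description opens with "Learn how the Config.xml file is an optional ... file", which does not parse as something to learn how to do. Suggest stating it directly, for example "Learn about the Config.xml file, an optional User State Migration Tool (USMT) 10.0 file that you can create using the /genconfig option with the ScanState.exe tool."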
diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
index 5b40bd3e9d..660d157cfc 100644
--- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md
+++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
@@ -1,6 +1,6 @@
---
title: Conflicts and Precedence (Windows 10)
-description: Conflicts and Precedence
+description: In this article, learn how User State Migration Tool (USMT) 10.0 deals with conflicts and precedence.
ms.assetid: 0e2691a8-ff1e-4424-879b-4d5a2f8a113a
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md
index 66f4f18511..5314d52e8e 100644
--- a/windows/deployment/usmt/usmt-custom-xml-examples.md
+++ b/windows/deployment/usmt/usmt-custom-xml-examples.md
@@ -1,6 +1,6 @@
---
title: Custom XML Examples (Windows 10)
-description: Custom XML Examples
+description: Use custom XML examples to learn how to migrate an unsupported application, migrate files and registry keys, and migrate the My Videos folder.
ms.assetid: 48f441d9-6c66-43ef-91e9-7c78cde6fcc0
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md
index 8eb09c18ae..37708b7766 100644
--- a/windows/deployment/usmt/usmt-customize-xml-files.md
+++ b/windows/deployment/usmt/usmt-customize-xml-files.md
@@ -1,6 +1,6 @@
---
title: Customize USMT XML Files (Windows 10)
-description: Customize USMT XML Files
+description: Learn how to customize USMT XML files. Also, learn about the migration XML files that are included with USMT.
ms.assetid: d58363c1-fd13-4f65-8b91-9986659dc93e
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
index 45bad6ef55..f429351369 100644
--- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
@@ -1,6 +1,6 @@
---
title: Exclude Files and Settings (Windows 10)
-description: Exclude Files and Settings
+description: In this article, learn how to exclude files and settings when creating a custom .xml file and a config.xml file.
ms.assetid: df85baf1-6e29-4995-a4bb-ba3f8f7fed0b
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
index 3033623b75..a6d6154a83 100644
--- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
@@ -1,6 +1,6 @@
---
title: Extract Files from a Compressed USMT Migration Store (Windows 10)
-description: Extract Files from a Compressed USMT Migration Store
+description: In this article, learn how to extract files from a compressed User State Migration Tool (USMT) migration store.
ms.assetid: ad9fbd6e-f89e-4444-8538-9b11566b1f33
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-faq.md b/windows/deployment/usmt/usmt-faq.md
index ff083650c6..97be09803c 100644
--- a/windows/deployment/usmt/usmt-faq.md
+++ b/windows/deployment/usmt/usmt-faq.md
@@ -1,6 +1,6 @@
---
title: Frequently Asked Questions (Windows 10)
-description: Frequently Asked Questions
+description: Learn about frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0.
ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md
index 419b5652f7..49cbfc3f28 100644
--- a/windows/deployment/usmt/usmt-general-conventions.md
+++ b/windows/deployment/usmt/usmt-general-conventions.md
@@ -1,6 +1,6 @@
---
title: General Conventions (Windows 10)
-description: General Conventions
+description: Learn about general XML guidelines and how to use XML helper functions in the XML Elements library to change migration behavior.
ms.assetid: 5761986e-a847-41bd-bf8e-7c1bd01acbc6
ms.reviewer:
manager: laurawi
@@ -35,7 +35,7 @@ Before you modify the .xml files, become familiar with the following guidelines:
You can use the User State Migration Tool (USMT) 10.0 XML schema, MigXML.xsd, to write and validate migration .xml files.
-- **Conflits**
+- **Conflicts**
In general, when there are conflicts within the XML schema, the most specific pattern takes precedence. For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md
index 03499dcd72..441dccf3f7 100644
--- a/windows/deployment/usmt/usmt-how-it-works.md
+++ b/windows/deployment/usmt/usmt-how-it-works.md
@@ -1,6 +1,6 @@
---
title: How USMT Works (Windows 10)
-description: How USMT Works
+description: Learn how USMT works and how it includes two tools that migrate settings and data - ScanState and LoadState.
ms.assetid: 5c8bd669-9e1e-473d-81e6-652f40b24171
ms.reviewer:
manager: laurawi
@@ -10,7 +10,6 @@ ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
ms.topic: article
---
@@ -19,17 +18,13 @@ ms.topic: article
USMT includes two tools that migrate settings and data: ScanState and LoadState. ScanState collects information from the source computer, and LoadState applies that information to the destination computer.
-- [ScanState Process](#bkmk-ssprocess)
-
-- [LoadState Process](#bkmk-lsprocess)
+- [ScanState Process](#the-scanstate-process)
+- [LoadState Process](#the-loadstate-process)
**Note**
- For more information about how USMT processes the rules and the XML files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
-
-
-
-## The ScanState Process
+ For more information about how USMT processes the rules and the XML files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
+## The ScanState Process
When you run the ScanState tool on the source computer, it goes through the following process:
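Review bot: The re-added `## The ScanState Process` heading now follows the indented note text on the very next line, because every separator line between them was removed. Leave one blank line before the heading so it is not parsed as part of the note block. Also confirm that the new `#the-scanstate-process` and `#the-loadstate-process` links match the ids generated for the two headings, since the list no longer targets `#bkmk-ssprocess` and `#bkmk-lsprocess`.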
@@ -40,9 +35,7 @@ When you run the ScanState tool on the source computer, it goes through the foll
There are three types of components:
- Components that migrate the operating system settings
-
- Components that migrate application settings
-
- Components that migrate users’ files
The ScanState tool collects information about the application settings and user data components from the .xml files that are specified on the command line.
@@ -58,8 +51,6 @@ When you run the ScanState tool on the source computer, it goes through the foll
**Note**
From this point on, ScanState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. ScanState processes all components in the same way.
-
-
2. Each component that is selected in the previous step is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile that is being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents, assuming that the user profiles are stored in the C:\\Users directory.
3. For each selected component, ScanState evaluates the <detects> section. If the condition in the <detects> section evaluates to false, the component is not processed any further. Otherwise, the processing of this component continues.
@@ -73,8 +64,6 @@ When you run the ScanState tool on the source computer, it goes through the foll
**Note**
ScanState ignores some subsections such as <destinationCleanup> and <locationModify>. These sections are evaluated only on the destination computer.
-
-
5. In the "Collecting" phase, ScanState creates a master list of the migration units by combining the lists that were created for each selected user profile.
6. In the "Saving" phase, ScanState writes the migration units that were collected to the store location.
@@ -82,9 +71,7 @@ When you run the ScanState tool on the source computer, it goes through the foll
**Note**
ScanState does not modify the source computer in any way.
-
-
-## The LoadState Process
+## The LoadState Process
The LoadState process is very similar to the ScanState process. The ScanState tool collects migration units such as file, registry key, or registry values from the source computer and saves them to the store. Similarly, the LoadState tool collects migration units from the store and applies them to the destination computer.
@@ -132,13 +119,10 @@ The LoadState process is very similar to the ScanState process. The ScanState to
**Important**
It is important to specify the .xml files with the LoadState command if you want LoadState to use them. Otherwise, any destination-specific rules, such as <locationModify>, in these .xml files are ignored, even if the same .xml files were provided when the ScanState command ran.
-
-
5. In the "Apply" phase, LoadState writes the migration units that were collected to the various locations on the destination computer. If there are conflicts and there is not a <merge> rule for the object, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally, for example, OriginalFileName(1).OriginalExtension. Some settings, such as fonts, wallpaper, and screen-saver settings, do not take effect until the next time the user logs on. For this reason, you should log off when the LoadState command actions have completed.
## Related topics
-
[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md)
diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md
index 76b904d0d7..f883284978 100644
--- a/windows/deployment/usmt/usmt-how-to.md
+++ b/windows/deployment/usmt/usmt-how-to.md
@@ -1,6 +1,6 @@
---
title: User State Migration Tool (USMT) How-to topics (Windows 10)
-description: User State Migration Tool (USMT) How-to topics
+description: Reference the topics in this article to learn how to use User State Migration Tool (USMT) 10.0 to perform specific tasks.
ms.assetid: 7b9a2f2a-a43a-4984-9746-a767f9f1c7e3
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
index d19e2d5a66..e8c15402b9 100644
--- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
+++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
@@ -1,6 +1,6 @@
---
title: Identify File Types, Files, and Folders (Windows 10)
-description: Identify File Types, Files, and Folders
+description: Learn how to identify the file types, files, folders, and settings that you want to migrate when you're planning your migration.
ms.assetid: 93bb2a33-c126-4f7a-a961-6c89686d54e0
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md
index b58c711dbf..f592773c30 100644
--- a/windows/deployment/usmt/usmt-identify-users.md
+++ b/windows/deployment/usmt/usmt-identify-users.md
@@ -1,6 +1,6 @@
---
title: Identify Users (Windows 10)
-description: Identify Users
+description: Learn how to identify users you plan to migrate, as well as how to migrate local accounts and domain accounts.
ms.assetid: 957a4fe9-79fd-44a2-8c26-33e50f71f9de
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md
index 3bbf83959b..2a52999416 100644
--- a/windows/deployment/usmt/usmt-loadstate-syntax.md
+++ b/windows/deployment/usmt/usmt-loadstate-syntax.md
@@ -1,6 +1,6 @@
---
title: LoadState Syntax (Windows 10)
-description: LoadState Syntax
+description: Learn about the syntax and usage of the command-line options available when you use the LoadState command.
ms.assetid: 53d2143b-cbe9-4cfc-8506-36e9d429f6d4
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md
index d9917d3495..7460f63692 100644
--- a/windows/deployment/usmt/usmt-log-files.md
+++ b/windows/deployment/usmt/usmt-log-files.md
@@ -1,6 +1,6 @@
---
title: Log Files (Windows 10)
-description: Log Files
+description: Learn how to use User State Migration Tool (USMT) 10.0 logs to monitor your migration and to troubleshoot errors and failed migrations.
ms.assetid: 28185ebd-630a-4bbd-94f4-8c48aad05649
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
index 7b4c6e95c6..17fe9cfc7d 100644
--- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
+++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
@@ -1,6 +1,6 @@
---
title: Migrate EFS Files and Certificates (Windows 10)
-description: Migrate EFS Files and Certificates
+description: Learn how to migrate Encrypting File System (EFS) certificates. Also, learn where to find information about how to identify file types, files, and folders.
ms.assetid: 7f19a753-ec45-4433-b297-cc30f16fdee1
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md
index c697169088..330d9984b5 100644
--- a/windows/deployment/usmt/usmt-migrate-user-accounts.md
+++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md
@@ -1,6 +1,6 @@
---
title: Migrate User Accounts (Windows 10)
-description: Migrate User Accounts
+description: Learn how to migrate user accounts and how to specify which users to include and exclude by using the User options on the command line.
ms.assetid: a3668361-43c8-4fd2-b26e-9a2deaeaeb09
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md
index 4dfd12bcc1..5ec6da19d3 100644
--- a/windows/deployment/usmt/usmt-overview.md
+++ b/windows/deployment/usmt/usmt-overview.md
@@ -1,6 +1,6 @@
---
title: User State Migration Tool (USMT) Overview (Windows 10)
-description: User State Migration Tool (USMT) Overview
+description: Learn about using User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems.
ms.assetid: 3b649431-ad09-4b17-895a-3fec7ac0a81f
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md
index 0371e15cdc..7ea0c4d341 100644
--- a/windows/deployment/usmt/usmt-plan-your-migration.md
+++ b/windows/deployment/usmt/usmt-plan-your-migration.md
@@ -1,6 +1,6 @@
---
title: Plan Your Migration (Windows 10)
-description: Plan Your Migration
+description: Learn how to your plan your migration carefully so your migration can proceed smoothly and so that you reduce the risk of migration failure.
ms.assetid: c951f7df-850e-47ad-b31b-87f902955e3e
ms.reviewer:
manager: laurawi
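Review bot: The new description has a word-order error in "Learn how to your plan your migration carefully". Suggest "Learn how to plan your migration carefully so that it proceeds smoothly and so that you reduce the risk of migration failure."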
diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md
index 0b9ce17b6e..dfb923bbd4 100644
--- a/windows/deployment/usmt/usmt-recognized-environment-variables.md
+++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md
@@ -1,6 +1,6 @@
---
title: Recognized Environment Variables (Windows 10)
-description: Recognized Environment Variables
+description: Learn how to use environment variables to identify folders that may be different on different computers.
ms.assetid: 2b0ac412-e131-456e-8f0c-c26249b5f3df
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md
index a95bb1e788..7e00f19577 100644
--- a/windows/deployment/usmt/usmt-reference.md
+++ b/windows/deployment/usmt/usmt-reference.md
@@ -1,6 +1,6 @@
---
title: User State Migration Toolkit (USMT) Reference (Windows 10)
-description: User State Migration Toolkit (USMT) Reference
+description: Use this User State Migration Toolkit (USMT) article to learn details about USMT, like operating system, hardware, and software requirements, and user prerequisites.
ms.assetid: 2135dbcf-de49-4cea-b2fb-97dd016e1a1a
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
index 22f64e513e..facc5fef91 100644
--- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
@@ -1,6 +1,6 @@
---
title: Reroute Files and Settings (Windows 10)
-description: Reroute Files and Settings
+description: Learn how to create a custom .xml file and specify this file name on both the ScanState and LoadState commandlines to reroute files and settings.
ms.assetid: 905e6a24-922c-4549-9732-60fa11862a6c
ms.reviewer:
manager: laurawi
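Review bot: "commandlines" in the new description should be two words, "command lines", to match the spelling "command line" and "command-line" used in the other descriptions in this patch.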
diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md
index 2925570b27..4866b61aaf 100644
--- a/windows/deployment/usmt/usmt-resources.md
+++ b/windows/deployment/usmt/usmt-resources.md
@@ -1,6 +1,6 @@
---
title: USMT Resources (Windows 10)
-description: USMT Resources
+description: Learn about User State Migration Tool (USMT) online resources, including Microsoft Visual Studio and forums.
ms.assetid: a0b266c7-4bcb-49f1-b63c-48c6ace86b43
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-return-codes.md b/windows/deployment/usmt/usmt-return-codes.md
index b019994baa..ba8e6da7c1 100644
--- a/windows/deployment/usmt/usmt-return-codes.md
+++ b/windows/deployment/usmt/usmt-return-codes.md
@@ -1,6 +1,6 @@
---
title: Return Codes (Windows 10)
-description: Return Codes
+description: Learn about User State Migration Tool (USMT) 10.0 return codes and error messages. Also view a list of USMT return codes and their associated migration steps.
ms.assetid: e71bbc6b-d5a6-4e48-ad01-af0012b35f22
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md
index 7214707bfe..2a306d9af5 100644
--- a/windows/deployment/usmt/usmt-scanstate-syntax.md
+++ b/windows/deployment/usmt/usmt-scanstate-syntax.md
@@ -1,6 +1,6 @@
---
title: ScanState Syntax (Windows 10)
-description: ScanState Syntax
+description: The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store.
ms.assetid: 004c755f-33db-49e4-8a3b-37beec1480ea
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md
index 183f7bc16e..564ab2c53c 100644
--- a/windows/deployment/usmt/usmt-test-your-migration.md
+++ b/windows/deployment/usmt/usmt-test-your-migration.md
@@ -1,6 +1,6 @@
---
title: Test Your Migration (Windows 10)
-description: Test Your Migration
+description: Learn about testing your migration plan in a controlled laboratory setting before you deploy it to your entire organization.
ms.assetid: 754af276-8386-4eac-8079-3d1e45964a0d
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md
index c237c8528c..2e73d33887 100644
--- a/windows/deployment/usmt/usmt-topics.md
+++ b/windows/deployment/usmt/usmt-topics.md
@@ -1,6 +1,6 @@
---
title: User State Migration Tool (USMT) Overview Topics (Windows 10)
-description: User State Migration Tool (USMT) Overview Topics
+description: Learn about User State Migration Tool (USMT) overview topics that describe USMT as a highly customizable user-profile migration experience for IT professionals.
ms.assetid: 23170271-130b-416f-a7a7-c2f6adc32eee
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md
index 78a8e200ce..1c629df5ec 100644
--- a/windows/deployment/usmt/usmt-troubleshooting.md
+++ b/windows/deployment/usmt/usmt-troubleshooting.md
@@ -1,6 +1,6 @@
---
title: User State Migration Tool (USMT) Troubleshooting (Windows 10)
-description: User State Migration Tool (USMT) Troubleshooting
+description: Learn about topics that address common User State Migration Tool (USMT) 10.0 issues and questions to assist in troubleshooting.
ms.assetid: 770f45bb-2284-463f-a29c-69c04f437533
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md
index 6973daa26a..d87666c8b6 100644
--- a/windows/deployment/usmt/usmt-utilities.md
+++ b/windows/deployment/usmt/usmt-utilities.md
@@ -1,6 +1,6 @@
---
title: UsmtUtils Syntax (Windows 10)
-description: UsmtUtils Syntax
+description: Learn about the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface.
ms.assetid: cdab7f2d-dd68-4016-b9ed-41ffa743b65c
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
index b3e8cae84e..2152530861 100644
--- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
+++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
@@ -1,6 +1,6 @@
---
title: What does USMT migrate (Windows 10)
-description: What does USMT migrate
+description: Learn how User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language.
ms.assetid: f613987d-0f17-43fe-9717-6465865ceda7
ms.reviewer:
manager: laurawi
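Review bot: The new description does not match the page title. The title is "What does USMT migrate", but the description covers how USMT is designed and the .xml scripting language, so a search result gives no hint of what is actually migrated. Suggest leading with the kinds of data the article lists and keeping the .xml customization point secondary.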
diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md
index bfbd4e2c61..c05b8c1535 100644
--- a/windows/deployment/usmt/usmt-xml-elements-library.md
+++ b/windows/deployment/usmt/usmt-xml-elements-library.md
@@ -1,6 +1,6 @@
---
title: XML Elements Library (Windows 10)
-description: XML Elements Library
+description: Learn about the XML elements and helper functions that you can employ to author migration .xml files to use with User State Migration Tool (USMT).
ms.assetid: f5af0f6d-c3bf-4a4c-a0ca-9db7985f954f
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md
index ba0467192f..ec943180e6 100644
--- a/windows/deployment/usmt/usmt-xml-reference.md
+++ b/windows/deployment/usmt/usmt-xml-reference.md
@@ -1,6 +1,6 @@
---
title: USMT XML Reference (Windows 10)
-description: Work with and customize the migration XML files using USMT XML Reference for Windows 10.
+description: Learn about working with and customizing the migration XML files using User State Migration Tool (USMT) XML Reference for Windows 10.
ms.assetid: fb946975-0fee-4ec0-b3ef-7c34945ee96f
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md
index aeae8b54ae..f5afeaa069 100644
--- a/windows/deployment/usmt/xml-file-requirements.md
+++ b/windows/deployment/usmt/xml-file-requirements.md
@@ -1,6 +1,6 @@
---
title: XML File Requirements (Windows 10)
-description: XML File Requirements
+description: Learn about the XML file requirements for creating custom .xml files, like the file must be in UTF-8 and have a unique migration urlid.
ms.assetid: 4b567b50-c50a-4a4f-8684-151fe3f8275f
ms.reviewer:
manager: laurawi
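Review bot: The added description is ungrammatical at "like the file must be in UTF-8 and have a unique migration urlid", where "like" is followed by a full clause. Suggest "such as using UTF-8 encoding and a unique migration urlid".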
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index b13ffc7af8..5b4f53e98a 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -5,7 +5,7 @@ manager: laurawi
ms.audience: itpro
ms.author: greglin
author: greg-lindsay
-description: How to enable Windows 10 Enterprise E3 and E5 subscriptions for VDA
+description: Learn how to configure virtual machines (VMs) to enable Windows 10 Subscription Activation in a Windows Virtual Desktop Access (VDA) scenario.
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
index cd12f07346..5e20b62132 100644
--- a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
+++ b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
@@ -1,6 +1,6 @@
---
title: Activate by Proxy an Active Directory Forest (Windows 10)
-description: Activate by Proxy an Active Directory Forest
+description: Learn how to use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate by proxy an Active Directory (AD) forest.
ms.assetid: 6475fc87-a6f7-4fa8-b0aa-de19f2dea7e5
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/volume-activation/activate-forest-vamt.md b/windows/deployment/volume-activation/activate-forest-vamt.md
index b55db69a98..007c3a0ae3 100644
--- a/windows/deployment/volume-activation/activate-forest-vamt.md
+++ b/windows/deployment/volume-activation/activate-forest-vamt.md
@@ -1,6 +1,6 @@
---
title: Activate an Active Directory Forest Online (Windows 10)
-description: Activate an Active Directory Forest Online
+description: Use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest online.
ms.assetid: 9b5bc193-799b-4aa5-9d3e-0e495f7195d3
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
index f2d59868c4..124078e760 100644
--- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
@@ -4,7 +4,7 @@ ms.assetid: f2417bfe-7d25-4e82-bc07-de316caa8dac
ms.reviewer:
manager: laurawi
ms.author: greglin
-description:
+description: How to activate using Key Management Service in Windows 10.
keywords: vamt, volume activation, activation, windows activation
ms.prod: w10
ms.mktglfcycl: deploy
@@ -45,14 +45,16 @@ Installing a KMS host key on a computer running Windows 10 allows you to activa
Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers.
To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft’s activation services.
-**Configure KMS in Windows 10**
+**Configure KMS in Windows 10**
-To activate by using the telephone, use the slmgr.vbs script.
-
-1. Run **slmgr.vbs /dti** and confirm the installation ID.
-2. Call [Microsoft Licensing Activation Centers worldwide telephone numbers](https://www.microsoft.com/licensing/existing-customer/activation-centers) and follow the voice prompts to enter the installation ID that you obtained in step 1 on your telephone.
-3. Follow the voice prompts and write down the responded 48-digit confirmation ID for OS activation.
-4. Run **slmgr.vbs /atp \Expand a category.
-Select a setting.
+Enter a value for the setting. Click Add if the button is displayed.
Enter a value for the setting. Select Add if the button is displayed.
Some settings, such as this example, require additional information. In Available customizations, select the value you just created, and additional settings are displayed.
When the setting is configured, it is displayed in the Selected customizations pane.
- [Step by step: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
@@ -144,7 +149,7 @@ Hardware requirements are displayed below:
The lab architecture is summarized in the following diagram:
-
+
- Computer 1 is configured to host four VMs on a private, PoC network.
- Two VMs are running Windows Server 2012 R2 with required network services and tools installed.
@@ -218,7 +223,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
>Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
- 
+ 

@@ -443,7 +448,7 @@ Notes:
3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation).
4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example:
- 
+ 
>Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
@@ -476,7 +481,7 @@ Notes:
5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example:
- 
+ 
>Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
@@ -500,7 +505,7 @@ Notes:
3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later.
4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example:
- 
+ 
>Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
@@ -815,7 +820,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area.
- 
+ 
>If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease.
@@ -873,7 +878,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
See the following example:
- 
+ 
19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host.
20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1:
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 9969fd5ca2..f378372d1d 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -107,7 +107,7 @@ The following table lists management options for each setting, beginning with Wi
| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |
| [26. Microsoft Store](#bkmk-windowsstore) | |  |  |
| [27. Apps for websites](#bkmk-apps-for-websites) | |  |  |
-| [28. Windows Update Delivery Optimization](#bkmk-updates) |  |  |  |
+| [28. Delivery Optimization](#bkmk-updates) |  |  |  |
| [29. Windows Update](#bkmk-wu) | |  |  |
@@ -217,7 +217,7 @@ See the following table for a summary of the management settings for Windows Ser
| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |
| [26. Microsoft Store](#bkmk-windowsstore) | |  |  |
| [27. Apps for websites](#bkmk-apps-for-websites) | |  | |
-| [28. Windows Update Delivery Optimization](#bkmk-updates) |  |  |  |
+| [28. Delivery Optimization](#bkmk-updates) |  |  |  |
| [29. Windows Update](#bkmk-wu) | |  |  |
## How to configure each setting
@@ -415,7 +415,7 @@ To turn off Insider Preview builds for Windows 10:
### 8. Internet Explorer
> [!NOTE]
->When attempting to use Internet Explorer on any edition of Windows Server be aware there are restrictions enforced by [Enhanced Security Configuration (ESC)](https://support.microsoft.com/en-us/help/815141/ie-enhanced-security-configuration-changes-browsing-experience). The following Group Policies and Registry Keys are for user interactive scenarios rather than the typical idle traffic scenario. Find the Internet Explorer Group Policy objects under **Computer Configuration > Administrative Templates > Windows Components > Internet Explorer** and make these settings:
+>When attempting to use Internet Explorer on any edition of Windows Server be aware there are restrictions enforced by [Enhanced Security Configuration (ESC)](https://support.microsoft.com/help/815141/ie-enhanced-security-configuration-changes-browsing-experience). The following Group Policies and Registry Keys are for user interactive scenarios rather than the typical idle traffic scenario. Find the Internet Explorer Group Policy objects under **Computer Configuration > Administrative Templates > Windows Components > Internet Explorer** and make these settings:
| Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
@@ -1560,7 +1560,7 @@ To turn off Messaging cloud sync:
You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](https://technet.microsoft.com/library/cc722030.aspx).
>[!NOTE]
->If you disable Teredo, some XBOX gaming features and Windows Update Delivery Optimization will not work.
+>If you disable Teredo, some XBOX gaming features and Delivery Optimization (with Group or Internet peering) will not work.
- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **TCPIP Settings** > **IPv6 Transition Technologies** > **Set Teredo State** and set it to **Disabled State**.
@@ -1664,7 +1664,7 @@ You can turn off **Enhanced Notifications** as follows:
### 24.1 Windows Defender SmartScreen
-To disable Windows Defender Smartscreen:
+To disable Windows Defender SmartScreen:
In Group Policy, configure:
@@ -1809,19 +1809,19 @@ You can turn off apps for websites, preventing customers who visit websites that
- Create a new REG_DWORD registry setting named **EnableAppUriHandlers** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)**.
-### 28. Windows Update Delivery Optimization
+### 28. Delivery Optimization
-Windows Update Delivery Optimization lets you get Windows updates and Microsoft Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
+Delivery Optimization is the downloader of Windows updates, Microsoft Store apps, Office and other content from Microsoft. Delivery Optimization can also download from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization Peer-to-Peer option turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
-By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network.
+By default, PCs running Windows 10 will only use Delivery Optimization to get and receive updates for PCs and apps on your local network.
Use the UI, Group Policy, or Registry Keys to set up Delivery Optimization.
-In Windows 10 version 1607 and above you can stop network traffic related to Windows Update Delivery Optimization by setting **Download Mode** to **Bypass** (99), as described below.
+In Windows 10 version 1607 and above you can stop network traffic related to Delivery Optimization Cloud Service by setting **Download Mode** to **Simple Mode** (99), as described below.
### 28.1 Settings > Update & security
-You can set up Delivery Optimization from the **Settings** UI.
+You can set up Delivery Optimization Peer-to-Peer from the **Settings** UI.
- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**.
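Review bot: The added default-behaviour sentence drops the "Windows 10 Enterprise and Windows 10 Education" qualifier and now says that all PCs running Windows 10 only use Delivery Optimization on the local network. That is a broader claim, and readers use this article to decide what traffic to expect, so please confirm it holds for every edition and version the article covers, or state which versions it applies to. Two smaller points in the same hunk: "If you have Delivery Optimization Peer-to-Peer option turned on" needs "the" before "Delivery Optimization", and the Download Mode sentence renames value 99 from Bypass to Simple Mode and describes it only as stopping traffic "related to Delivery Optimization Cloud Service"; say there whether peer traffic stops as well.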
@@ -1837,9 +1837,12 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con
| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.|
| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.|
+
+For a comprehensive list of Delivery Optimization Policies, see [Delivery Optimization Reference](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference).
+
### 28.3 Delivery Optimization
-- **Enable** the **Download Mode** Group Policy under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization** and set the **Download Mode** to **"Bypass"** to prevent traffic.
+- **Enable** the **Download Mode** Group Policy under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization** and set the **Download Mode** to **"Simple Mode (99)"** to prevent traffic between peers as well as traffic back to the Delivery Optimization Cloud Service.
-or-
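Review bot: The added Delivery Optimization Reference link is an absolute docs.microsoft.com URL, while other changes in this patch point to articles in the same repository with relative .md links. If waas-delivery-optimization-reference lives under windows/deployment/update in this repository, link to it relatively so a moved or renamed target is caught at build time. Also, the setting value is written here as **"Simple Mode (99)"**, with quotes and the number inside the bold; use one form wherever the Download Mode value is named.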
@@ -1848,6 +1851,9 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con
For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730684).
+For IT Professionals, information about Delivery Optimization is available here: [Delivery Optimization for Windows 10 updates]
+(https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization).
+
### 29. Windows Update
You can turn off Windows Update by setting the following registry entries:
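Review bot: The added link is split across two lines, with "[Delivery Optimization for Windows 10 updates]" ending one line and "(https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization)." starting the next. Markdown needs the opening parenthesis to follow the closing bracket directly, so this renders as bracketed text followed by a bare URL instead of a link. Join the two lines.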
diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md
index 92f03d2111..ba34b2d47b 100644
--- a/windows/privacy/manage-windows-1909-endpoints.md
+++ b/windows/privacy/manage-windows-1909-endpoints.md
@@ -96,6 +96,7 @@ The following methodology was used to derive these network endpoints:
|||TLS v1.2|*g.live.com|
|||HTTPS|oneclient.sfx.ms|
|||HTTPS| logincdn.msauth.net|
+|||HTTP| windows.policies.live.net|
|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|||TLS v1.2|settings-win.data.microsoft.com|
|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
@@ -117,6 +118,7 @@ The following methodology was used to derive these network endpoints:
|||HTTP|*.windowsupdate.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|HTTP|*.delivery.mp.microsoft.com|
|||HTTPS/TLS v1.2|*.update.microsoft.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTP|adl.windows.com|
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|HTTPS/TLS v1.2|tsfe.trafficshaping.dsp.mp.microsoft.com|
## Other Windows 10 editions
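Review bot: The new adl.windows.com row says what the endpoint is used for but, unlike the rows around it, does not say what happens when traffic to it is turned off. Readers use this table to decide what to block, so add the consequence in the same form as the neighbouring rows ("If you turn off traffic for this endpoint, ...").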
diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
index 357c78dd10..9e2a244111 100644
--- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
@@ -12,7 +12,7 @@ ms.author: v-hakima
manager: obezeajo
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 7/22/2020
+ms.date: 08/18/2020
---
# Windows 10, version 1909, connection endpoints for non-Enterprise editions
@@ -83,6 +83,7 @@ The following methodology was used to derive the network endpoints:
|*.blob.core.windows.net|HTTP/TLS v1.2|Windows Telemetry
|storage.live.com|HTTP/TLS v1.2|OneDrive
|skydrivesync.policies.live.net|TLS v1.2|OneDrive
+|dm2302.settings.live.net|HTTP|OneDrive
|slscr.update.microsoft.com|HTTPS/TLS V1.2|Windows Update
|tile-service.weather.microsoft.com|HTTP|Used for the Weather app
|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTP|This endpoint is used for content regulation
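Review bot: The added destination dm2302.settings.live.net reads like a single numbered host rather than a service name, where other rows in this table use a generic name or a wildcard such as *.blob.core.windows.net. Anyone building an allow list or block list from this table would match only that one host. Please confirm from the capture whether other hosts under settings.live.net were seen and, if so, list a pattern instead.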
@@ -98,7 +99,7 @@ The following methodology was used to derive the network endpoints:
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
|*.prod.do.dsp.mp.microsoft.com|HTTP/TLS v1.2|Windows Update
-|api.onedrive.com|HTTP|One Drive
+|api.onedrive.com|HTTP|OneDrive
|smartscreen-prod.microsoft.com|HTTP|Used for Windows Defender SmartScreen reporting and notifications
|nav.smartscreen.microsoft.com|HTTPS/TLS v1.2|Windows Defender
|*.update.microsoft.com|HTTP|Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store
@@ -151,8 +152,9 @@ The following methodology was used to derive the network endpoints:
|www.bing.com|HTTPS/TLS v1.2|Cortana and Live Tiles
|www.msftconnecttest.com|HTTP|Network Connection Status Indicator (NCSI)
|outlook.office365.com|HTTP|Microsoft Office
-|storage.live.com|HTTP/TLS v1.2|One Drive
-|skydrivesync.policies.live.net|TLS v1.2|One Drive
+|storage.live.com|HTTP/TLS v1.2|OneDrive
+|skydrivesync.policies.live.net|TLS v1.2|OneDrive
+|windows.policies.live.net|HTTP|OneDrive
## Windows 10 Education
@@ -166,7 +168,7 @@ The following methodology was used to derive the network endpoints:
|dmd.metaservices.microsoft.com|HTTP|Device metadata
|Inference.location.live.net|TLS v1.2|Location
|oneclient.sfx.ms|HTTPS|OneDrive
-|storage.live.com|HTTP/TLS v1.2|One Drive
+|storage.live.com|HTTP/TLS v1.2|OneDrive
|skydrivesync.policies.live.net|TLS v1.2|OneDrive
|slscr.update.microsoft.com|HTTPS/TLS v1.2|Windows Update
|fe2cr.update.microsoft.com|HTTPS/TLS v1.2|Windows Update
diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md
index dabc7f749b..2ae163cea6 100644
--- a/windows/security/identity-protection/access-control/active-directory-accounts.md
+++ b/windows/security/identity-protection/access-control/active-directory-accounts.md
@@ -470,7 +470,7 @@ Each default local account in Active Directory has a number of account settings
-
+
@@ -480,7 +480,7 @@ Each default local account in Active Directory has a number of account settings
-
-
+
+
diff --git a/windows/security/identity-protection/access-control/dynamic-access-control.md b/windows/security/identity-protection/access-control/dynamic-access-control.md
index 1ef5a24b40..3ad985610a 100644
--- a/windows/security/identity-protection/access-control/dynamic-access-control.md
+++ b/windows/security/identity-protection/access-control/dynamic-access-control.md
@@ -1,6 +1,6 @@
---
title: Dynamic Access Control Overview (Windows 10)
-description: Dynamic Access Control Overview
+description: Learn about Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index 7e7c2236cd..56e4f2edf2 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -297,9 +297,9 @@ The following table shows the Group Policy and registry settings that are used t
-
-
-
+
+
+
@@ -334,7 +334,7 @@ The following table shows the Group Policy and registry settings that are used t
-
+
@@ -444,9 +444,9 @@ The following table shows the Group Policy settings that are used to deny networ
-
-
-
+
+
+
-The slider will never turn UAC completely off. If you set it to Never notify, it will:
+The slider will never turn UAC completely off. If you set it to Never notify, it will:
- Keep the UAC service running.
- Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt.
diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
index 22355b9383..6b9868b0f0 100644
--- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@@ -1,6 +1,6 @@
---
title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10)
-description: Explains how to secure VPN connections for Diffie Hellman Group 2
+description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
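Review bot: The old description named Diffie Hellman Group 2 and the new one drops it. The group is the detail an administrator searching for this article is most likely to type, so keep it in the description in whatever form matches the article body.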
diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md
index 9f6f6fa2a5..3fe2c08d57 100644
--- a/windows/security/identity-protection/vpn/vpn-authentication.md
+++ b/windows/security/identity-protection/vpn/vpn-authentication.md
@@ -1,6 +1,6 @@
---
title: VPN authentication options (Windows 10)
-description: tbd
+description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
index 09ca26d20e..29c8f5e474 100644
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@@ -1,6 +1,6 @@
---
title: VPN auto-triggered profile options (Windows 10)
-description: tbd
+description: Learn about the types of auto-trigger rules for VPNs in Windows 10, which start a VPN when it is needed to access a resource.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -61,13 +61,15 @@ When the trigger occurs, VPN tries to connect. If an error occurs or any user in
When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**. Devices with multiple users have the same restriction: only one profile and therefore only one user will be able to use the Always On triggers.
-Preserving user Always On preference
+## Preserving user Always On preference
-Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList.
-Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows will not check the box if the profile name exists in the below registry value in order to preserve user preference.
-Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config
-Value: AutoTriggerDisabledProfilesList
-Type: REG_MULTI_SZ
+Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value **AutoTriggerDisabledProfilesList**.
+
+Should a management tool remove or add the same profile name back and set **AlwaysOn** to **true**, Windows will not check the box if the profile name exists in the following registry value in order to preserve user preference.
+
+**Key:** HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config
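Review bot: The added text spells the feature two ways: "Always On" in the new heading, but "AlwaysOn preference" in the first paragraph, alongside **AlwaysOn** as the setting name in the second. Keep "Always On" for the feature and reserve **AlwaysOn** for the setting. The registry path on the **Key:** line, and the value name **AutoTriggerDisabledProfilesList**, would be better in code formatting so they can be copied exactly.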
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index b4bbe78a9d..0ff8876a89 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -27,7 +27,7 @@ ms.custom:
## Enable Windows Defender Credential Guard
-Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard [hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
+Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard [hardware readiness tool](dg-readiness-tool.md). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines.
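Review bot: the "hardware readiness tool" link now points at dg-readiness-tool.md instead of the download page (details.aspx?id=53337), so this paragraph no longer leads to the download directly. Please confirm the target article carries the download link; otherwise readers following the enablement steps lose it.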
@@ -36,9 +36,13 @@ The same set of procedures used to enable Windows Defender Credential Guard on p
You can use Group Policy to enable Windows Defender Credential Guard. This will add and enable the virtualization-based security features for you if needed.
1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**.
+
2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option.
+
3. In the **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**.
+
4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**.
+
5. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. Check [this article](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) for more details.

@@ -49,8 +53,10 @@ To enforce processing of the group policy, you can run ```gpupdate /force```.
### Enable Windows Defender Credential Guard by using Intune
-1. From **Home** click **Microsoft Intune**
-2. Click **Device configuration**
+1. From **Home**, click **Microsoft Intune**.
+
+2. Click **Device configuration**.
+
3. Click **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**.
> [!NOTE]
@@ -66,6 +72,7 @@ Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows
If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security.
You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
+
> [!NOTE]
> If you enable Windows Defender Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you.
@@ -73,22 +80,31 @@ You can do this by using either the Control Panel or the Deployment Image Servic
**Add the virtualization-based security features by using Programs and Features**
1. Open the Programs and Features control panel.
+
2. Click **Turn Windows feature on or off**.
+
3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box.
+
4. Select the **Isolated User Mode** check box at the top level of the feature selection.
+
5. Click **OK**.
**Add the virtualization-based security features to an offline image by using DISM**
1. Open an elevated command prompt.
+
2. Add the Hyper-V Hypervisor by running the following command:
- ```
+
+ ```console
dism /image:
[TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations) | A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)| UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).| UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. |
+| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.
|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. |
> [!IMPORTANT]
> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide.
@@ -133,5 +133,5 @@ The following table lists qualifications for Windows 10, version 1703, which are
| Protections for Improved Security | Description | Security Benefits
|---|---|---|
-| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
- Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
- PE sections need to be page-aligned in memory (not required for in non-volatile storage).
- The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and executable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. |
+| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
- Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
- PE sections need to be page-aligned in memory (not required for in non-volatile storage).
- The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and executable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. |
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features. | • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. |
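Review bot: the re-added NX protection row still carries "not required for in non-volatile storage", which has a stray "for". Because the whole row is rewritten to drop the misplaced domain controller sentence, this is a good moment to fix it. The unchanged SMM protection row just below has a similar problem: "Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS" merges two sentences and should be reworded.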
diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
index ae96f09ed1..e609c9469d 100644
--- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
+++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
@@ -657,7 +657,7 @@ function PrintHardwareReq
{
LogAndConsole "###########################################################################"
LogAndConsole "OS and Hardware requirements for enabling Device Guard and Credential Guard"
- LogAndConsole " 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home"
+ LogAndConsole " 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education and Enterprise IoT"
LogAndConsole " 2. Hardware: Recent hardware that supports virtualization extension with SLAT"
LogAndConsole "To learn more please visit: https://aka.ms/dgwhcr"
LogAndConsole "########################################################################### `n"
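Review bot: the SKU list in this message is maintained by hand, separately from `$SKUarray` in CheckOSSKU, and the two already differ in wording ("Server" and "Enterprise IoT" here, "Windows Server" and "IoT" in the array). Consider building the message from the array so the text cannot drift from what the check enforces. The line also mixes "SKUs" and "Skus".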
@@ -735,7 +735,7 @@ function CheckOSSKU
$osname = $((gwmi win32_operatingsystem).Name).ToLower()
$_SKUSupported = 0
Log "OSNAME:$osname"
- $SKUarray = @("Enterprise", "Education", "IoT", "Windows Server", "Pro", "Home")
+ $SKUarray = @("Enterprise", "Education", "IoT", "Windows Server")
$HLKAllowed = @("microsoft windows 10 pro")
foreach ($SKUent in $SKUarray)
{
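Review bot: `$HLKAllowed` still lists "microsoft windows 10 pro" after "Pro" and "Home" are removed from `$SKUarray`, so Pro keeps a separate path through CheckOSSKU. If that is intended for HLK runs, a comment saying so would help. Two further points on the visible lines: `$osname` is lowercased with `ToLower()` while the array entries are mixed case, so the comparison in the loop body (outside this hunk) has to be case-insensitive, and the bare "IoT" entry accepts any IoT edition although the PrintHardwareReq message names Enterprise IoT only.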
diff --git a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
index 4579829e90..7cf7eeccbf 100644
--- a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
+++ b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
@@ -1,6 +1,6 @@
---
title: WebAuthn APIs
-description: Enabling password-less authentication for your sites and apps
+description: Learn how to use WebAuthn APIs to enable password-less authentication for your sites and apps.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
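Review bot: the new description spells it "password-less", while the provisioning article touched in this same commit uses "passwordless authentication". Pick one spelling for the Hello for Business set so search descriptions stay consistent.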
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index 916d1cf629..215c86beea 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -1,6 +1,6 @@
---
title: Multifactor Unlock
-description: Multifactor Unlock
+description: Learn how Windows 10 offers multifactor device unlock by extending Windows Hello with trusted signals.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index 7189408b7b..13c1e99b51 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -1,6 +1,6 @@
---
title: Windows Hello for Business Deployment Guide
-description: A guide to Windows Hello for Business deployment
+description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md
index fca4b7eaa6..babc49afc3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.md
@@ -1,6 +1,6 @@
---
title: Windows Hello for Business Frequently Asked Questions
-description: Windows Hello for Business FAQ
+description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
index 015331499c..0a52de0945 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
@@ -1,6 +1,6 @@
---
title: Dual Enrollment
-description: Dual Enrollment
+description: Learn how to configure Windows Hello for Business dual enrollment. Also, learn how to configure Active Directory to support Domain Administrator enrollment.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, dual enrollment,
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index 33a9c450e1..f6a0ebc776 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -1,6 +1,6 @@
---
title: Pin Reset
-description: Pin Reset
+description: Learn how Microsoft PIN reset services enables you to help users recover who have forgotten their PIN.
keywords: identity, PIN, Hello, passport, WHFB, hybrid, cert-trust, device, reset
ms.prod: w10
ms.mktglfcycl: deploy
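Review bot: the new description has two grammar problems, "services enables" and "help users recover who have forgotten their PIN". Something like "Learn how the Microsoft PIN reset service enables you to help users who have forgotten their PIN" reads correctly. The title in the context line is still "Pin Reset" while the description and keywords use "PIN".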
@@ -84,7 +84,7 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10
1. In the **Custom OMA-URI Settings** blade, Click **Add**.
1. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where *tenant ID* is your Azure Active Directory tenant ID from step 2.
1. Select **Boolean** from the **Data type** list and select **True** from the **Value** list.
-1. Click **OK** to save the row configuration. Click **OK** to close the Custom OMA-URI Settings blade. Click **Create to save the profile.
+1. Click **OK** to save the row configuration. Click **OK** to close the Custom OMA-URI Settings blade. Click **Create to save the profile.
#### Assign the PIN Reset Device configuration profile using Microsoft Intune
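Review bot: the rewritten step still ends with "Click **Create to save the profile.", where the bold marker opened before "Create" is never closed. It should read "Click **Create** to save the profile." The visible change to this line looks like whitespace only, so the defect was carried over.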
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
index 981587e970..e1cf05225a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@@ -1,6 +1,6 @@
---
title: Remote Desktop
-description: Remote Desktop
+description: Learn how Windows Hello for Business supports using a certificate deployed to a WHFB container to a remote desktop to a server or another device.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP
ms.prod: w10
ms.mktglfcycl: deploy
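Review bot: the new description is hard to parse at "a certificate deployed to a WHFB container to a remote desktop to a server or another device", where three "to" phrases run together. Suggest rewording along the lines of "using a certificate deployed to a WHFB container for a remote desktop connection to a server or another device", and spelling out WHFB on first use.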
diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md
index d9832ef853..d35d4dea64 100644
--- a/windows/security/identity-protection/hello-for-business/hello-features.md
+++ b/windows/security/identity-protection/hello-for-business/hello-features.md
@@ -1,6 +1,6 @@
---
title: Windows Hello for Business Features
-description: Windows Hello for Business Features
+description: Consider additional features you can use after your organization deploys Windows Hello for Business.
ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
ms.reviewer:
keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, PIN Reset, Dynamic Lock, Multifactor Unlock, Forgot PIN, Privileged credentials
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index f220db21f6..0fb161ccb5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -17,7 +17,7 @@ ms.reviewer:
---
# Windows Hello for Business Provisioning
-Applies to:
+Applies to:
- Windows 10
Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication. Provisioning experience vary based on:
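Review bot: the only change in this hunk is whitespace on the "Applies to:" line, but the context line below it reads "Provisioning experience vary based on:", which has a subject and verb mismatch. If the file is being touched anyway, change it to "The provisioning experience varies based on:".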
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index ae11903279..8df0ef33bb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -187,7 +187,7 @@ The web server is ready to host the CRL distribution point. Now, configure the
1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**.
2. In the navigation pane, right-click the name of the certificate authority and click **Properties**
3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
-4. On the **Extensions** tab, click **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, *
For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). |
| **Helps prevent** | N/A |
|
|
-| **Credentials supported from the remote desktop client device** |
|
|
+| **Credentials supported from the remote desktop client device** |
|
|
| **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. |
| **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host’s identity**. |
| **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account |
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index 4a92507705..560f4b240c 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -270,7 +270,7 @@ To better understand each component, review the table below:
+**Value:** AutoTriggerDisabledProfilesList
+**Type:** REG_MULTI_SZ
## Trusted network detection
diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md
index c72139b6db..cb543ad1cd 100644
--- a/windows/security/identity-protection/vpn/vpn-guide.md
+++ b/windows/security/identity-protection/vpn/vpn-guide.md
@@ -1,6 +1,6 @@
---
title: Windows 10 VPN technical guide (Windows 10)
-description: Use this guide to configure VPN deployment for Windows 10.
+description: Learn about decisions to make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md
index 5c277ef964..6ff26370e3 100644
--- a/windows/security/identity-protection/vpn/vpn-name-resolution.md
+++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md
@@ -1,6 +1,6 @@
---
title: VPN name resolution (Windows 10)
-description: tbd
+description: Learn how the name resolution setting in the VPN profile configures how name resolution works when a VPN client connects to a VPN server.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md
index c8ce525e53..416bc57d04 100644
--- a/windows/security/identity-protection/vpn/vpn-routing.md
+++ b/windows/security/identity-protection/vpn/vpn-routing.md
@@ -1,6 +1,6 @@
---
title: VPN routing decisions (Windows 10)
-description: tbd
+description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md
index 0ac0b47d38..d8f4768540 100644
--- a/windows/security/identity-protection/vpn/vpn-security-features.md
+++ b/windows/security/identity-protection/vpn/vpn-security-features.md
@@ -1,6 +1,6 @@
---
title: VPN security features (Windows 10)
-description: tbd
+description: Learn about security features for VPN, including LockDown VPN, Windows Information Protection integration with VPN, and traffic filters.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
index 77709b6ef2..7dd0eb0898 100644
--- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
+ms.custom: bitlocker
---
# BCD settings and BitLocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
index 65e915649a..d6bad09f03 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
+ms.custom: bitlocker
---
# BitLocker and Active Directory Domain Services (AD DS) FAQ
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index 96fc9bd8c2..1167e9121a 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
+ms.custom: bitlocker
---
# BitLocker basic deployment
@@ -252,11 +253,11 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+Get-BitLocker
volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information.
-Occasionally, all protectors may not be shown when using Get-BitLockerVolume due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors.
+Occasionally, all protectors may not be shown when using Get-BitLockerVolume due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors.
> **Note:** In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
index ab57ef7b30..6de06c740a 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
+ms.custom: bitlocker
---
# BitLocker Countermeasures
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
index f8fa65855e..ea8ab3bf7a 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
+ms.custom: bitlocker
---
# BitLocker frequently asked questions (FAQ)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index 7560239ff8..34008453ad 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -14,6 +14,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.reviewer:
+ms.custom: bitlocker
---
# Overview of BitLocker Device Encryption in Windows 10
diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
index 3c5449bfe9..3679c9fde7 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
@@ -15,9 +15,10 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
+ms.custom: bitlocker
---
-# BitLocker frequently asked questions (FAQ)
+# BitLocker frequently asked questions (FAQ) resources
**Applies to**
- Windows 10
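Review bot: the H1 becomes "BitLocker frequently asked questions (FAQ) resources", but the front matter `title:` is not part of this hunk, so the page title and the heading may now disagree. Please update both together. Note also that bitlocker-deployment-and-administration-faq.md, touched earlier in this commit, keeps the generic H1 "BitLocker frequently asked questions (FAQ)", which no longer distinguishes it from this landing page's old heading.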
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index 436ef15fe7..8b7918f1f7 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/17/2019
+ms.custom: bitlocker
---
# BitLocker Group Policy settings
@@ -106,39 +107,39 @@ This policy setting allows users on devices that are compliant with Modern Stand
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
The preboot authentication option Require startup PIN with TPM of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that do not support Modern Standby.
But visually impaired users have no audible way to know when to enter a PIN.
@@ -156,37 +157,37 @@ This policy is used in addition to the BitLocker Drive Encryption Network Unlock
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. You can use the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that do not have a TPM cannot create network key protectors to automatically unlock by using Network Unlock.
@@ -205,39 +206,39 @@ This policy setting is used to control which unlock options are available for op
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
-Reference
+Reference
If you want to use BitLocker on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive.
@@ -282,31 +283,31 @@ This policy setting permits the use of enhanced PINs when you use an unlock meth
+
-
+
-
+
-
+
-
+
-
+
-
+
-
@@ -330,37 +331,37 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
This policy setting is applied when you turn on BitLocker.
The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
@@ -413,31 +414,31 @@ This policy setting allows you to configure whether standard users are allowed t
+
-
+
-
+
-
+
-
+
-
+
-
+
-
@@ -459,37 +460,37 @@ This policy controls how non-TPM based systems utilize the password protector. U
+
-
+
-
+
-
+
-
+
-
+
-
-
+
+
-
@@ -522,37 +523,37 @@ This policy setting is used to control what unlock options are available for com
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB drive that contains a startup key. It can also require users to enter a 6-digit to 20-digit startup PIN.
@@ -586,41 +587,41 @@ This policy setting is used to require, allow, or deny the use of smart cards wi
+
-
+
-
+
-
+
-
+
-
-
+
+
-
-
+
+
-
+
-
-Reference
+Reference
>**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive.
@@ -635,41 +636,41 @@ This policy setting is used to require, allow, or deny the use of passwords with
+
-
+
-
+
-
+
-
+
-
-
+
+
-
-
+
+
-
+
-
-Reference
+Reference
When set to **Require complexity**, a connection to a domain controller is necessary to validate the complexity of the password when BitLocker is enabled.
@@ -699,41 +700,41 @@ This policy setting is used to require, allow, or deny the use of smart cards wi
+
-
+
-
+
-
+
-
+
-
-
+
+
-
-
+
+
-
+
-
-Reference
+Reference
>**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
@@ -748,41 +749,41 @@ This policy setting is used to require, allow, or deny the use of passwords with
+
-
+
-
+
-
+
-
+
-
-
+
+
-
-
+
+
-
+
-
-Reference
+Reference
If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at
**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** must also be enabled.
@@ -812,37 +813,37 @@ This policy setting is used to determine what certificate to use with BitLocker.
+
-
+
-
+
-
+
-
+
-
+
-
-
+
+
-
-Reference
+Reference
This policy setting is applied when you turn on BitLocker.
@@ -863,37 +864,37 @@ This policy setting allows users to enable authentication options that require u
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
The Windows touch keyboard (such as used by tablets) is not available in the preboot environment where BitLocker requires additional information, such as a PIN or password.
@@ -918,37 +919,37 @@ This policy setting is used to require encryption of fixed drives prior to grant
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
This policy setting is applied when you turn on BitLocker.
@@ -973,37 +974,37 @@ This policy setting is used to require that removable drives are encrypted prior
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
If the **Deny write access to devices configured in another organization** option is selected, only drives with identification fields that match the computer's identification fields are given Write access. When a removable data drive is accessed, it is checked for a valid identification field and allowed identification fields. These fields are defined by the **Provide the unique identifiers for your organization** policy setting.
@@ -1026,41 +1027,41 @@ This policy setting is used to prevent users from turning BitLocker on or off on
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
This policy setting is applied when you turn on BitLocker.
@@ -1082,37 +1083,37 @@ This policy setting is used to control the encryption method and cipher strength
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
The values of this policy determine the strength of the cipher that BitLocker uses for encryption.
Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128).
@@ -1138,42 +1139,42 @@ This policy controls how BitLocker reacts to systems that are equipped with encr
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
>**Note:** The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption.
@@ -1193,41 +1194,41 @@ This policy controls how BitLocker reacts when encrypted drives are used as oper
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
If hardware-based encryption is not available, BitLocker software-based encryption is used instead.
@@ -1249,41 +1250,41 @@ This policy controls how BitLocker reacts to encrypted drives when they are used
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
If hardware-based encryption is not available, BitLocker software-based encryption is used instead.
@@ -1305,37 +1306,37 @@ This policy controls whether fixed data drives utilize Used Space Only encryptio
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
@@ -1354,37 +1355,37 @@ This policy controls whether operating system drives utilize Full encryption or
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
@@ -1403,37 +1404,37 @@ This policy controls whether fixed data drives utilize Full encryption or Used S
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
@@ -1452,38 +1453,38 @@ This policy setting is used to configure recovery methods for operating system d
+
-
+
-
+
-
+
-
+
-
-
+
+
-
+
-
-Reference
+Reference
This policy setting is applied when you turn on BitLocker.
@@ -1513,37 +1514,37 @@ This policy setting is used to configure recovery methods for BitLocker-protecte
+
-
+
-
+
-
+
-
+
-
-
+
+
-
+
-
-Reference
+Reference
This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker.
@@ -1567,37 +1568,37 @@ This policy setting is used to configure the storage of BitLocker recovery infor
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
This policy is only applicable to computers running Windows Server 2008 or Windows Vista.
@@ -1625,37 +1626,37 @@ This policy setting is used to configure the default folder for recovery passwor
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
This policy setting is applied when you turn on BitLocker.
@@ -1672,38 +1673,38 @@ This policy setting is used to configure recovery methods for fixed data drives.
+
-
+
-
+
-
+
-
+
-
-
+
+
-
+
-
-Reference
+Reference
This policy setting is applied when you turn on BitLocker.
@@ -1733,38 +1734,38 @@ This policy setting is used to configure recovery methods for removable data dri
+
-
+
-
+
-
+
-
+
-
-
+
+
-
+
-
-Reference
+Reference
This policy setting is applied when you turn on BitLocker.
@@ -1791,37 +1792,37 @@ This policy setting is used to configure the entire recovery message and to repl
+
-
+
-
+
-
+
-
+
-
+
-
-
+
+
-
-Reference
+Reference
Enabling the **Configure the pre-boot recovery message and URL** policy setting allows you to customize the default recovery screen message and URL to assist customers in recovering their key.
@@ -1846,38 +1847,38 @@ This policy controls how BitLocker-enabled system volumes are handled in conjunc
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-Reference
+Reference
Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing preboot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8.
When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored, and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker.
@@ -1895,37 +1896,37 @@ This policy setting is used to establish an identifier that is applied to all dr
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line tool.
@@ -1952,37 +1953,37 @@ This policy setting is used to control whether the computer's memory will be ove
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material that is used to encrypt data. This policy setting applies only when BitLocker protection is enabled.
@@ -1997,37 +1998,37 @@ This policy setting determines what values the TPM measures when it validates ea
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.
@@ -2072,37 +2073,37 @@ This policy setting determines what values the TPM measures when it validates ea
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection.
@@ -2147,39 +2148,39 @@ This policy setting determines what values the TPM measures when it validates ea
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-Reference
+Reference
This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection.
@@ -2222,41 +2223,41 @@ This policy setting determines if you want platform validation data to refresh w
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
For more information about the recovery process, see the [BitLocker recovery guide](bitlocker-recovery-guide-plan.md).
@@ -2271,41 +2272,41 @@ This policy setting determines specific Boot Configuration Data (BCD) settings t
+
-
+
-
+
-
+
-
+
-
-
+
+
-
+
-
+
-
-Reference
+Reference
>**Note:** The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it is included in the inclusion or the exclusion list.
@@ -2320,37 +2321,37 @@ This policy setting is used to control whether access to drives is allowed by us
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
>**Note:** This policy setting does not apply to drives that are formatted with the NTFS file system.
@@ -2367,37 +2368,37 @@ This policy setting controls access to removable data drives that are using the
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-Reference
+Reference
>**Note:** This policy setting does not apply to drives that are formatted with the NTFS file system.
@@ -2414,37 +2415,37 @@ You can configure the Federal Information Processing Standard (FIPS) setting for
+
-
+
-
+
-
+
-
-
+
+
-
+
-
+
-
-Reference
+Reference
This policy needs to be enabled before any encryption key is generated for BitLocker. Note that when this policy is enabled, BitLocker prevents creating or using recovery passwords, so recovery keys should be used instead.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
index 121b0d3e49..4ba7629cc0 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
+ms.custom: bitlocker
---
# BitLocker: How to deploy on Windows Server 2012 and later
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index a7a7e7fce7..d8cb2c79de 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
+ms.custom: bitlocker
---
# BitLocker: How to enable Network Unlock
@@ -367,7 +368,7 @@ The following steps can be used to configure Network Unlock on these older syste
6. Configure registry settings for Network Unlock:
Apply the registry settings by running the following certutil script (assuming your network unlock certificate file is called **BitLocker-NetworkUnlock.cer**) on each computer running any of the client operating systems designated in the **Applies To** list at the beginning of this topic.
-
+```console
certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f
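Review bot: Step 6, in the sentence above the new `console` fence, never says the commands must be run from an elevated prompt. The `reg add` writes under `HKLM\SOFTWARE\Policies\Microsoft\FVE` fail without administrator rights, so state that requirement next to "on each computer running any of the client operating systems". The sentence also calls the block a "certutil script" although only the first line is `certutil`; "the following commands" would match what is fenced.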
@@ -376,6 +377,7 @@ The following steps can be used to configure Network Unlock on these older syste
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f
+```
7. Set up a TPM protector on the clients
8. Reboot the clients to add the Network (Certificate Based) protector
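Review bot: The closing fence is followed directly by "7. Set up a TPM protector on the clients" with no blank line, and as shown both fence markers sit at the start of the line rather than at the indentation of step 6. Indent the opening and closing fences (and the commands between them) to the list item's content level and leave a blank line before step 7, so the block renders inside step 6 and steps 7 and 8 stay part of the same ordered list.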
diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md
index 226acb2e7c..d7338589c5 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
+ms.custom: bitlocker
---
# BitLocker Key Management FAQ
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index 2314ea2eaf..78eb7b7715 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -1,6 +1,6 @@
---
title: BitLocker Management Recommendations for Enterprises (Windows 10)
-description: This topic explains recommendations for managing BitLocker.
+description: Refer to relevant documentation, products, and services to learn about managing BitLocker for enterprises and see recommendations for different computers.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
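Review bot: The replacement `description` is less specific than it could be: "Refer to relevant documentation, products, and services" and "recommendations for different computers" do not tell someone scanning search results which management approaches or device types the page covers. Name them in the description (the ones the article body actually discusses) instead of the generic wording.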
@@ -14,6 +14,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.reviewer:
+ms.custom: bitlocker
---
# BitLocker Management for Enterprises
diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md
index 153be07099..264ee0242a 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md
@@ -14,6 +14,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.reviewer:
+ms.custom: bitlocker
---
# BitLocker Network Unlock FAQ
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md
index aca61b7f1d..7f9715b9c0 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
+ms.custom: bitlocker
---
# BitLocker Overview and Requirements FAQ
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md
index ebece73d96..131a256f82 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 01/26/2018
+ms.custom: bitlocker
---
# BitLocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index 822f7a9985..943135fa94 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
+ms.custom: bitlocker
---
# BitLocker recovery guide
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
index 36decb2b2f..f06b11a197 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
@@ -14,6 +14,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 10/28/2019
+ms.custom: bitlocker
---
# Breaking out of a Bitlocker recovery loop
diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
index 2962d7533b..fb1c2281f8 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
+ms.custom: bitlocker
---
# BitLocker Security FAQ
diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
index e8bd11f12b..c34ddf46f1 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 07/10/2018
+ms.custom: bitlocker
---
# BitLocker To Go FAQ
@@ -24,7 +25,7 @@ ms.date: 07/10/2018
## What is BitLocker To Go?
-BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems.
+BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](https://docs.microsoft.com/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements).
As with BitLocker, drives that are encrypted using BitLocker To Go can be opened with a password or smart card on another computer by using **BitLocker Drive Encryption** in Control Panel.
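Review bot: The sentence appended to the "What is BitLocker To Go?" answer says drive partitioning "must meet" the linked requirements but does not say what that means for a removable data drive, which is the only drive type this answer covers. Either state the requirement that applies to removable drives in the sentence itself or point to the specific part of the linked section, so readers are not sent to a general partitioning page to work out which rules apply to a USB drive or SD card.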
diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
index 7873e99c18..a856063b96 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
@@ -14,6 +14,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.reviewer:
+ms.custom: bitlocker
---
# BitLocker Upgrading FAQ
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index e4e1a3ffcd..bf20c5efdd 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
+ms.custom: bitlocker
---
# BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker
@@ -126,11 +127,11 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
+
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
->Note:** Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node
+>Note:** Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node
In the case where a physical disk resource experiences a failover event during conversion, the new owning node will detect the conversion is not complete and will complete the conversion process.
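Review bot: The re-added note line still reads `>Note:**`, which has a closing `**` with no opening one, so the bold markup is unbalanced and the asterisks will render literally. Since the line is being touched anyway, change it to `>**Note:**`, lowercase "Blocked", and end the sentence with a period after "MDS node".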
diff --git a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
index 88e28e59eb..f4020af299 100644
--- a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
@@ -13,6 +13,7 @@ audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/17/2019
+ms.custom: bitlocker
---
# Guidelines for troubleshooting BitLocker
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
index 2382b91a2a..03b1c67188 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
@@ -13,6 +13,7 @@ audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/17/2019
+ms.custom: bitlocker
---
# BitLocker cannot encrypt a drive: known issues
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
index c69bb9ab25..c112d898f7 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
@@ -13,8 +13,10 @@ audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/18/2019
+ms.custom: bitlocker
---
+
# BitLocker cannot encrypt a drive: known TPM issues
This article describes common issues that affect the Trusted Platform Module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
index 346095b34e..e3c4f3f6d4 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
@@ -13,6 +13,7 @@ audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/17/2019
+ms.custom: bitlocker
---
# BitLocker configuration: known issues
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
index c3e4f16427..3e2cdad741 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
@@ -13,6 +13,7 @@ audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/17/2019
+ms.custom: bitlocker
---
# Decode Measured Boot logs to track PCR changes
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
index 18236c1ddf..895c4eec13 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
@@ -13,6 +13,7 @@ audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/18/2019
+ms.custom: bitlocker
---
# Enforcing BitLocker policies by using Intune: known issues
@@ -205,7 +206,7 @@ To verify the Secure Boot state, use the System Information app. To do this, fol
1. Verify that the **Secure Boot State** setting is **On**, as follows:

1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device.
- 
+ 
> [!NOTE]
> You can also use the [Confirm-SecureBootUEFI](https://docs.microsoft.com/powershell/module/secureboot/confirm-securebootuefi?view=win10-ps) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command:
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
index 77216f2dd1..b5882849d0 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
@@ -13,7 +13,9 @@ audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/7/2019
+ms.custom: bitlocker
---
+
# BitLocker Network Unlock: known issues
By using the BitLocker Network Unlock feature, you can manage computers remotely without having to enter a BitLocker PIN when each computer starts up. To do this, You have to configure your environment to meet the following requirements:
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
index a25ea79f8a..b9d677c092 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
@@ -13,6 +13,7 @@ audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/18/2019
+ms.custom: bitlocker
---
# BitLocker recovery: known issues
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
index 553780277a..9e19de9f72 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
@@ -13,6 +13,7 @@ audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/18/2019
+ms.custom: bitlocker
---
# BitLocker and TPM: other known issues
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 6ea046a8f3..2d8554f52b 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -84,11 +84,15 @@ Beginning with Windows 10 version 1809, you can use Security Center to check if
1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar.
2. Check the value of **Kernel DMA Protection**.

-3. If the current state of **Kernel DMA Protection** is OFF and **Virtualization Technology in Firmware** is NO:
+3. If the current state of **Kernel DMA Protection** is OFF and **Hyper-V - Virtualization Enabled in Firmware** is NO:
- Reboot into BIOS settings
- Turn on Intel Virtualization Technology.
- Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md).
- Reboot system into Windows 10.
+
+>[!NOTE]
+> **Hyper-V - Virtualization Enabled in Firmware** is NOT shown when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is shown because this means that **Hyper-V - Virtualization Enabled in Firmware** is YES.
+
4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature.
For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
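Review bot: The added `>[!NOTE]` block starts at column 0 between steps 3 and 4, so it ends the ordered list and step 4 may render as the start of a new list; indent the note and the blank lines around it so it sits under step 3. The sentence is also hard to follow ("is NOT shown when ... is shown because this means ..."). Lead with what the reader sees: when MSINFO32 displays "A hypervisor has been detected. Features required for Hyper-V will not be displayed.", the **Hyper-V - Virtualization Enabled in Firmware** row is absent and should be read as YES. Since step 3 depends on that row, say explicitly whether the reader should then go straight to step 4.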
diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
index 23f23e50da..97733a4dd7 100644
--- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
@@ -53,7 +53,7 @@ This table includes info about how unenlightened apps might behave, based on you
+
@@ -261,7 +262,7 @@ The following table contains information about both Physical Disk Resources (i.e
Name-based policies, using the /*AppCompat*/ string or proxy-based policies
-
Not required. App connects to enterprise cloud resources directly, using an IP address.
+ Not required. App connects to enterprise cloud resources directly, using an IP address.
-
Not required. App connects to enterprise cloud resources, using a hostname.
+ Not required. App connects to enterprise cloud resources, using a hostname.
-
Allow. App connects to enterprise cloud resources, using an IP address or a hostname.
+ Allow. App connects to enterprise cloud resources, using an IP address or a hostname.
-
Exempt. App connects to enterprise cloud resources, using an IP address or a hostname.
+ Exempt. App connects to enterprise cloud resources, using an IP address or a hostname.
Networking policy configuration for name-based policies, possibly using the /*AppCompat*/ string, or proxy-based policies
-
Not required. App connects to enterprise cloud resources, using an IP address or a hostname.
+ Not required. App connects to enterprise cloud resources, using an IP address or a hostname.
-
Allow. App connects to enterprise cloud resources, using an IP address or a hostname.
+ Allow. App connects to enterprise cloud resources, using an IP address or a hostname.
-
Exempt. App connects to enterprise cloud resources, using an IP address or a hostname.
+ Exempt. App connects to enterprise cloud resources, using an IP address or a hostname.
All files signed by any publisher. (Not recommended.)
-
Publisher selected
+ Publisher selected
All files signed by the named publisher.
-
Publisher and Product Name selected
+ Publisher and Product Name selected
All files for the specified product, signed by the named publisher.
-
Publisher, Product Name, and Binary name selected
+ Publisher, Product Name, and Binary name selected
Any version of the named file or package for the specified product, signed by the named publisher.
-
Publisher, Product Name, Binary name, and File Version, and above, selected
+ Publisher, Product Name, Binary name, and File Version, and above, selected
Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.
-
Publisher, Product Name, Binary name, and File Version, And below selected
+ Publisher, Product Name, Binary name, and File Version, And below selected
Specified version or older releases of the named file or package for the specified product, signed by the named publisher.
-
@@ -403,8 +403,8 @@ There are no default locations included with WIP, you must add each of your netw
Publisher, Product Name, Binary name, and File Version, Exactly selected
+ Publisher, Product Name, Binary name, and File Version, Exactly selected
Specified version of the named file or package for the specified product, signed by the named publisher.
Enterprise Cloud Resources
- With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
-
contoso.visualstudio.com,contoso.internalproxy2.comSpecify the cloud resources to be treated as corporate and protected by WIP.
+ URL <,proxy>|URL <,proxy>
.
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/
string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/
.With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
+
contoso.visualstudio.com,contoso.internalproxy2.comSpecify the cloud resources to be treated as corporate and protected by WIP.
URL <,proxy>|URL <,proxy>
.
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/
string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/
.
Enterprise Network Domain Names (Required)
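Review bot: The Enterprise Cloud Resources cell says that adding `/*AppCompat*/` stops Windows from automatically blocking connections it cannot classify, but it never says how that traffic is treated once the string is present. Since this row is being rewritten anyway, add a sentence on what an admin gives up by using the string, so the choice is not presented as a pure compatibility switch.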
@@ -422,12 +422,12 @@ There are no default locations included with WIP, you must add each of your netw
Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
If you have multiple resources, you must separate them using the ";" delimiter.
Enterprise IPv4 Range (Required)
- Starting IPv4 Address: 3.4.0.1
+
Ending IPv4 Address: 3.4.255.254
Custom URI: 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254Starting IPv4 Address: 3.4.0.1
Ending IPv4 Address: 3.4.255.254
Custom URI: 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
Enterprise IPv6 Range
- Starting IPv6 Address: 2a01:110::
+
Ending IPv6 Address: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
Custom URI: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffffStarting IPv6 Address: 2a01:110::
Ending IPv6 Address: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
Custom URI: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffffSpecify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
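Review bot: In the Enterprise IPv6 Range row, the Custom URI example begins with `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,`, which is only the ending address, while the IPv4 row writes each entry as a start-end pair (`3.4.0.1-3.4.255.254`). The removed and added sides both carry it, so this change is a good place to correct the first entry to a start-end pair built from the Starting and Ending IPv6 addresses given in the same cell.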
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index c1f81c4974..73946540c5 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -129,7 +129,8 @@ If you don't know the Store app publisher or product name, you can find them by
If you need to add Windows 10 mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
->**Note**
Your PC and phone must be on the same wireless network.
+> [!NOTE]
+> Your PC and phone must be on the same wireless network.
1. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
@@ -194,19 +195,19 @@ To add another Desktop app, click the ellipsis **…**. After you’ve entered t
If you’re unsure about what to include for the publisher, you can run this PowerShell command:
-```ps1
+```powershell
Get-AppLockerFileInformation -Path "
**Product Name:** Microsoft.Messaging
**App Type:** Universal app |
| IE11 | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** iexplore.exe
**App Type:** Desktop app |
| OneDrive Sync Client | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** onedrive.exe
**App Type:** Desktop app |
-| OneDrive app | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Microsoftskydrive
Product Version:Product version: 17.21.0.0 (and later)
**App Type:** Universal app |
+| OneDrive app | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Microsoftskydrive
Product Version:Product version: 17.21.0.0 (and later)
**App Type:** Universal app |
| Notepad | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** notepad.exe
**App Type:** Desktop app |
| Microsoft Paint | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mspaint.exe
**App Type:** Desktop app |
| Microsoft Remote Desktop | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mstsc.exe
**App Type:** Desktop app |
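Review bot: The OneDrive app row is removed and re-added with "Product Version:Product version: 17.21.0.0 (and later)" unchanged, so the duplicated label survives the edit and is still not bold like the **Publisher:** and **Product Name:** labels in the same row. Suggest `**Product Version:** 17.21.0.0 (and later)` on the added line.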
diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
index 340c9edb2a..c1cd7193c0 100644
--- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
@@ -33,18 +33,18 @@ This table provides info about the most common problems you might encounter whil
Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.
- If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.
+
If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.
If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.
We strongly recommend educating employees about how to limit or eliminate the need for this decryption.
Direct Access is incompatible with WIP.
Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource.
- We recommend that you use VPN for client access to your intranet resources.
+
Note
VPN is optional and isn’t required by WIP.We recommend that you use VPN for client access to your intranet resources.
Note
VPN is optional and isn’t required by WIP.
-
NetworkIsolation Group Policy setting takes precedence over MDM Policy settings.
- The NetworkIsolation Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured.
- If you use both Group Policy and MDM to configure your NetworkIsolation settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM.
+ NetworkIsolation Group Policy setting takes precedence over MDM Policy settings.
+ The NetworkIsolation Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured.
+ If you use both Group Policy and MDM to configure your NetworkIsolation settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM.
Cortana can potentially allow data leakage if it’s on the allowed apps list.
@@ -63,7 +63,7 @@ This table provides info about the most common problems you might encounter whil
-OR-
-OR-
@@ -74,17 +74,17 @@ This table provides info about the most common problems you might encounter whil
Redirected folders with Client Side Caching are not compatible with WIP.
Apps might encounter access errors while attempting to read a cached, offline file.
- Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.
+
Note
For more info about Work Folders and Offline Files, see the blog, Work Folders and Offline Files support for Windows Information Protection. If you're having trouble opening files offline while using Offline Files and WIP, see the support article, Can't open files offline when you use Offline Files and Windows Information Protection.Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.
Note
For more info about Work Folders and Offline Files, see the blog, Work Folders and Offline Files support for Windows Information Protection. If you're having trouble opening files offline while using Offline Files and WIP, see the support article, Can't open files offline when you use Offline Files and Windows Information Protection.
An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device.
-
+ Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default.
You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.
- A message appears stating that the content is marked as Work and the user isn't given an option to override to Personal.
- Open File Explorer and change the file ownership to Personal before you upload.
+ A message appears stating that the content is marked as Work and the user isn't given an option to override to Personal.
+ Open File Explorer and change the file ownership to Personal before you upload.
ActiveX controls should be used with caution.
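Review bot: The workaround added for the RDP row, "Disable RDP to prevent access ... RDP is disabled by default.", does not say which machine it applies to and asks the reader to disable something that is stated to be off already. The limitation is about an unmanaged device connecting to a WIP-managed device, so word it as keeping RDP disabled on WIP-managed devices, and keep the reason (access cannot be restricted to WIP-managed clients) as the second sentence.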
@@ -97,7 +97,7 @@ This table provides info about the most common problems you might encounter whil
Format drive for NTFS, or use a different drive.
-
WIP isn’t turned on if any of the following folders have the MakeFolderAvailableOfflineDisabled option set to False:
+ WIP isn’t turned on if any of the following folders have the MakeFolderAvailableOfflineDisabled option set to False:
WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager.
- Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders. You can configure this parameter, as described here.
If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see Can't open files offline when you use Offline Files and Windows Information Protection.
+ Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders. You can configure this parameter, as described here.
If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see Can't open files offline when you use Offline Files and Windows Information Protection.
@@ -143,7 +143,7 @@ This table provides info about the most common problems you might encounter whil
Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button.
-
Microsoft Office Outlook offline data files (PST and OST files) are not marked as Work files, and are therefore not protected.
+ Microsoft Office Outlook offline data files (PST and OST files) are not marked as Work files, and are therefore not protected.
If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected.
diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
index 961744bbf6..7353daae25 100644
--- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -39,30 +39,30 @@ You can try any of the processes included in these scenarios, but you should foc
Encrypt and decrypt files using File Explorer.
- For desktop:
+ For desktop:
-
- For mobile:
Make sure the file is encrypted by right-clicking the file again, clicking Advanced from the General tab, and then clicking Details from the Compress or Encrypt attributes area. The file should show up under the heading, This enterprise domain can remove or revoke access: <your_enterprise_identity>. For example, contoso.com.
Make sure the file is decrypted by right-clicking the file again, clicking Advanced from the General tab, and then verifying that the Details button is unavailable.
Make sure the file is encrypted by right-clicking the file again, clicking Advanced from the General tab, and then clicking Details from the Compress or Encrypt attributes area. The file should show up under the heading, This enterprise domain can remove or revoke access: <your_enterprise_identity>. For example, contoso.com.
Make sure the file is decrypted by right-clicking the file again, clicking Advanced from the General tab, and then verifying that the Details button is unavailable.
+ For mobile:
-
Make sure the file is encrypted, by locating the Briefcase icon next to the file name.
Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
Make sure the file is encrypted, by locating the Briefcase icon next to the file name.
Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
Create work documents in enterprise-allowed apps.
- For desktop:
+ For desktop:
-
- For mobile:
Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.
Important
Certain file types like .exe
and .dll
, along with certain file paths, such as %windir%
and %programfiles%
are excluded from automatic encryption.
For more info about your Enterprise Identity and adding apps to your allowed apps list, see either Create a Windows Information Protection (WIP) policy using Microsoft Intune or Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager, based on your deployment system.
Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.
Important
Certain file types like .exe
and .dll
, along with certain file paths, such as %windir%
and %programfiles%
are excluded from automatic encryption.
For more info about your Enterprise Identity and adding apps to your allowed apps list, see either Create a Windows Information Protection (WIP) policy using Microsoft Intune or Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager, based on your deployment system.
+ For mobile:
-
Make sure the document is encrypted, by locating the Briefcase icon next to the file name.
Make sure the document is encrypted, by locating the Briefcase icon next to the file name.
WIP should stop you from saving the file to this location.
Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
@@ -70,7 +70,7 @@ You can try any of the processes included in these scenarios, but you should foc
@@ -78,9 +78,9 @@ You can try any of the processes included in these scenarios, but you should foc
The app shouldn't be able to access the file.
If your default app association is an app not on your allowed apps list, you should get an Access Denied error message.
If your default app association is an app not on your allowed apps list, you should get an Access Denied error message.Copy and paste from enterprise apps to non-enterprise apps.
@@ -89,9 +89,9 @@ You can try any of the processes included in these scenarios, but you should foc
-
You should see a WIP-related warning box, asking you to click either Change to personal or Keep at work.
The content isn't pasted into the non-enterprise app.
The content is pasted into the non-enterprise app.
You should see a WIP-related warning box, asking you to click either Change to personal or Keep at work.
The content isn't pasted into the non-enterprise app.
The content is pasted into the non-enterprise app.
The content should copy and paste between apps without any warning messages.Drag and drop from enterprise apps to non-enterprise apps.
@@ -100,9 +100,9 @@ You can try any of the processes included in these scenarios, but you should foc
-
You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
The content isn't dropped into the non-enterprise app.
The content is dropped into the non-enterprise app.
You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
The content isn't dropped into the non-enterprise app.
The content is dropped into the non-enterprise app.
The content should move between the apps without any warning messages.Share between enterprise apps and non-enterprise apps.
@@ -112,8 +112,8 @@ You can try any of the processes included in these scenarios, but you should foc
-
You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
The content isn't shared into Facebook.
The content is shared into Facebook.
You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
The content isn't shared into Facebook.
The content is shared into Facebook.
The content should share between the apps without any warning messages.
@@ -130,7 +130,7 @@ You can try any of the processes included in these scenarios, but you should foc
Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
Note
Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.
A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
Note
Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.
A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.Verify your shared files can use WIP.
@@ -150,7 +150,7 @@ You can try any of the processes included in these scenarios, but you should foc
-
@@ -142,7 +142,7 @@ You can try any of the processes included in these scenarios, but you should foc
The app shouldn't be able to access the file share.
Both browsers should respect the enterprise and personal boundary.
IE11 shouldn't be able to access the sites.
Note
Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as Work.
IE11 shouldn't be able to access the sites.
Note
Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as Work.Verify your Virtual Private Network (VPN) can be auto-triggered.
-
@@ -160,7 +160,7 @@ You can try any of the processes included in these scenarios, but you should foc
For specific info about how to do this, see the Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune topic.
For specific info about how to do this, see the Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune topic.
The VPN network should automatically start.
The VPN shouldn't start and the app shouldn't be able to access your enterprise network.Unenroll client devices from WIP.
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index a054331a33..78cbfc5ab5 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -85,6 +85,7 @@
##### [Exploit protection evaluation](microsoft-defender-atp/evaluate-exploit-protection.md)
##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
##### [Customize exploit protection](microsoft-defender-atp/customize-exploit-protection.md)
+##### [Import, export, and deploy exploit protection configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md)
#### [Network protection]()
@@ -462,7 +463,7 @@
#### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
#### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
-### [Use audit mode](microsoft-defender-atp/audit-windows-defender)
+### [Use audit mode](microsoft-defender-atp/audit-windows-defender.md)
## Reference
### [Management and APIs]()
@@ -557,7 +558,7 @@
####### [Score methods and properties](microsoft-defender-atp/score.md)
####### [List exposure score by machine group](microsoft-defender-atp/get-machine-group-exposure-score.md)
####### [Get exposure score](microsoft-defender-atp/get-exposure-score.md)
-####### [Get machine secure score](microsoft-defender-atp/get-device-secure-score.md)
+####### [Get device secure score](microsoft-defender-atp/get-device-secure-score.md)
###### [Software]()
####### [Software methods and properties](microsoft-defender-atp/software.md)
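Review bot: Renaming the entry to "Get device secure score" leaves "List exposure score by machine group" two lines above it, so the same TOC branch now mixes "machine" and "device". If this is a terminology change, update that title in the same commit, or note in the commit message why it is left as is.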
diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
index b062a6e72b..505da9bbb0 100644
--- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
+++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
@@ -1,6 +1,6 @@
---
title: Appendix A, Security monitoring recommendations for many audit events (Windows 10)
-description: Appendix A, Security monitoring recommendations for many audit events
+description: Learn about recommendations for the type of monitoring required for certain classes of security audit events.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
index f6d870f605..9adb4cfd74 100644
--- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
@@ -1,6 +1,6 @@
---
title: Audit Other Privilege Use Events (Windows 10)
-description: This security policy setting is not used.
+description: Learn about the audit other privilege use events, an auditing subcategory that should not have any events in it but enables generation of event 4985(S).
ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c
ms.reviewer:
manager: dansimp
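Review bot: The new description reads as self-contradictory: "a subcategory that should not have any events in it but enables generation of event 4985(S)". It also lower-cases the subcategory name that the title gives as "Audit Other Privilege Use Events". Suggest naming the subcategory as in the title and stating plainly that it has no events of its own and that enabling it allows event 4985(S) to be generated.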
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
index 1e73acf50d..3856637432 100644
--- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
@@ -1,6 +1,6 @@
---
title: Basic security audit policies (Windows 10)
-description: Before you implement auditing, you must decide on an auditing policy.
+description: Learn about basic security audit policies that specify the categories of security-related events that you want to audit for the needs of your organization.
ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md
index 22a7d07d71..5f0730407d 100644
--- a/windows/security/threat-protection/auditing/event-4608.md
+++ b/windows/security/threat-protection/auditing/event-4608.md
@@ -1,6 +1,6 @@
---
title: 4608(S) Windows is starting up. (Windows 10)
-description: Describes security event 4608(S) Windows is starting up.
+description: Describes security event 4608(S) Windows is starting up. This event is logged when the LSASS.EXE process starts and the auditing subsystem is initialized.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
@@ -20,7 +20,7 @@ ms.author: dansimp
- Windows Server 2016
-
-
The device should be removed and all of the enterprise content for that managed account should be gone.
Important
On desktop devices, the data isn't removed and can be recovered, so you must make sure the content is marked as Revoked and that access is denied for the employee. On mobile devices, the data is removed.
The device should be removed and all of the enterprise content for that managed account should be gone.
Important
On desktop devices, the data isn't removed and can be recovered, so you must make sure the content is marked as Revoked and that access is denied for the employee. On mobile devices, the data is removed.
+
***Subcategory:*** [Audit Security State Change](audit-security-state-change.md)
@@ -30,12 +30,13 @@ This event is logged when LSASS.EXE process starts and the auditing subsystem is
It typically generates during operating system startup process.
-> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+> [!NOTE]
+> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
***Event XML:***
-```
+```xml
-
+
***Subcategory:*** [Audit Security State Change](audit-security-state-change.md)
@@ -32,12 +32,13 @@ This event is always logged regardless of the "Audit Security State Change" sub-
You will typically see these events with “**Subject\\Security ID**” = “**LOCAL SERVICE**”, these are normal time correction actions.
-> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+> [!NOTE]
+> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
***Event XML:***
-```
+```xml
-
+
***Subcategories:*** [Audit Account Lockout](audit-account-lockout.md) and [Audit Logon](audit-logon.md)
@@ -32,12 +32,13 @@ It generates on the computer where logon attempt was made, for example, if logon
This event generates on domain controllers, member servers, and workstations.
-> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+> [!NOTE]
+> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
***Event XML:***
-```
+```xml
-
@@ -241,7 +247,8 @@ More information:
**Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
This is typically not a security issue but it can be an infrastructure or availability issue. |
-| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
Especially if you get a number of these in a row, it can be a sign of user enumeration attack. |
-| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts.
Especially watch for a number of such events in a row. |
-| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts.
Especially watch for a number of such events in a row. |
-| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”. |
-| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”. |
-| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”. |
-| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. |
-| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
This is typically not a security issue but it can be an infrastructure or availability issue. |
-| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. |
-| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. |
+ | **Field** | Value to monitor for |
+ |----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
This is typically not a security issue but it can be an infrastructure or availability issue. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
Especially if you get a number of these in a row, it can be a sign of user enumeration attack. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts.
Especially watch for a number of such events in a row. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts.
Especially watch for a number of such events in a row. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
This is typically not a security issue but it can be an infrastructure or availability issue. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. |
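Review bot: the added header row bolds only the first cell (`| **Field** | Value to monitor for |`); bold both cells or neither so the header renders consistently. Since every row of this table is re-added here anyway, this is also the place to normalize the status-code prefix, which is still a mix of `0XC000005E`, `0XC000006D`, `0XC000015B`, `0XC0000192` and `0XC0000413` alongside the `0xC0000064` style; a single lower-case `0x` form makes the values easier to search for and to copy into event filters. The added rows are also indented by one space where the removed rows were not; confirm that is intended (for example, nesting under a list item) and not a stray whitespace change.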
diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md
index d0474f5941..2adc4b2f1b 100644
--- a/windows/security/threat-protection/auditing/event-4626.md
+++ b/windows/security/threat-protection/auditing/event-4626.md
@@ -1,6 +1,6 @@
---
title: 4626(S) User/Device claims information. (Windows 10)
-description: Describes security event 4626(S) User/Device claims information.
+description: Describes security event 4626(S) User/Device claims information. This event is generated for new account logons.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
@@ -157,7 +157,7 @@ This event generates on the computer to which the logon was performed (target co
- “dadmin” – claim value.
-**Device Claims** \[Type = UnicodeString\]**:** list of device claims for new logon session. For user accounts this field typically has “**-**“ value. For computer accounts this field has device claims listed.
+**Device Claims** \[Type = UnicodeString\]**:** list of device claims for new logon session. For user accounts this field typically has “**-**“ value. For computer accounts this field has device claims listed.
## Security Monitoring Recommendations
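Review bot: the re-added **Device Claims** line still closes the quoted dash with an opening quotation mark (“**-**“); since the line is being rewritten, change the second mark to ” so the pair matches. The removed and added lines otherwise look identical, so if this is a whitespace-only cleanup it is worth saying so in the commit message.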
diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md
index 37bc83b16f..fb47564ea9 100644
--- a/windows/security/threat-protection/auditing/event-4627.md
+++ b/windows/security/threat-protection/auditing/event-4627.md
@@ -1,6 +1,6 @@
---
title: 4627(S) Group membership information. (Windows 10)
-description: Describes security event 4627(S) Group membership information.
+description: Describes security event 4627(S) Group membership information. This event is generated with event 4624(S) An account was successfully logged on.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
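Review bot: in the new description, "generated with event 4624(S)" is ambiguous about the relationship between the two events; it can be read as "together with" or as "by means of". Suggest wording such as "This event is generated together with event 4624(S) An account was successfully logged on." so the search-result snippet is unambiguous.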
diff --git a/windows/security/threat-protection/auditing/event-4634.md b/windows/security/threat-protection/auditing/event-4634.md
index c7fd725041..d76dc2df61 100644
--- a/windows/security/threat-protection/auditing/event-4634.md
+++ b/windows/security/threat-protection/auditing/event-4634.md
@@ -1,6 +1,6 @@
---
title: 4634(S) An account was logged off. (Windows 10)
-description: Describes security event 4634(S) An account was logged off.
+description: Describes security event 4634(S) An account was logged off. This event is generated when a logon session is terminated and no longer exists.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4647.md b/windows/security/threat-protection/auditing/event-4647.md
index 3cb68ae77c..26bbcd86f8 100644
--- a/windows/security/threat-protection/auditing/event-4647.md
+++ b/windows/security/threat-protection/auditing/event-4647.md
@@ -1,6 +1,6 @@
---
title: 4647(S) User initiated logoff. (Windows 10)
-description: Describes security event 4647(S) User initiated logoff.
+description: Describes security event 4647(S) User initiated logoff. This event is generated when a logoff is initiated. No further user-initiated activity can occur.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md
index 0c3b10dff5..dce0305250 100644
--- a/windows/security/threat-protection/auditing/event-4649.md
+++ b/windows/security/threat-protection/auditing/event-4649.md
@@ -1,6 +1,6 @@
---
title: 4649(S) A replay attack was detected. (Windows 10)
-description: Describes security event 4649(S) A replay attack was detected.
+description: Describes security event 4649(S) A replay attack was detected. This event is generated when a KRB_AP_ERR_REPEAT Kerberos response is sent to the client.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md
index f27a05c4d3..cb009c97df 100644
--- a/windows/security/threat-protection/auditing/event-4657.md
+++ b/windows/security/threat-protection/auditing/event-4657.md
@@ -1,6 +1,6 @@
---
title: 4657(S) A registry value was modified. (Windows 10)
-description: Describes security event 4657(S) A registry value was modified.
+description: Describes security event 4657(S) A registry value was modified. This event is generated when a registry key value is modified.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
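Review bot: the added sentence says "a registry key value is modified" while the title on the line above says "A registry value was modified"; use one term in both places ("registry value") so the title and description do not appear to describe different objects.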
diff --git a/windows/security/threat-protection/auditing/event-4658.md b/windows/security/threat-protection/auditing/event-4658.md
index 1569c43d0f..c461aa3d20 100644
--- a/windows/security/threat-protection/auditing/event-4658.md
+++ b/windows/security/threat-protection/auditing/event-4658.md
@@ -1,6 +1,6 @@
---
title: 4658(S) The handle to an object was closed. (Windows 10)
-description: Describes security event 4658(S) The handle to an object was closed.
+description: Describes security event 4658(S) The handle to an object was closed. This event is generated when the handle to an object is closed.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md
index 7c03634e8e..0823b6ae3e 100644
--- a/windows/security/threat-protection/auditing/event-4660.md
+++ b/windows/security/threat-protection/auditing/event-4660.md
@@ -1,6 +1,6 @@
---
title: 4660(S) An object was deleted. (Windows 10)
-description: Describes security event 4660(S) An object was deleted.
+description: Describes security event 4660(S) An object was deleted. This event is generated when an object is deleted.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
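Review bot: the sentence added to the description ("This event is generated when an object is deleted.") restates the title and gives a reader scanning search results nothing new. Either state the condition that distinguishes this event, taken from the article body, or leave the description at its original single sentence.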
diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md
index 45dcd000c9..bc6d20907b 100644
--- a/windows/security/threat-protection/auditing/event-4670.md
+++ b/windows/security/threat-protection/auditing/event-4670.md
@@ -274,5 +274,5 @@ For file system and registry objects, the following recommendations apply.
- If you have critical registry objects for which you need to monitor all modifications (especially permissions changes and owner changes), monitor for the specific **Object\\Object Name.**
-- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers. For example, you could monitor the **ntds.dit** file on domain controllers.
+- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers. For example, you could monitor the **ntds.dit** file on domain controllers.
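Review bot: the bullet being re-added links to `[4670](event-4670.md)` from inside event-4670.md itself, so the link just reloads the current page; since the line is touched anyway, drop the link and keep the plain event number. The removed and added lines otherwise look identical, which suggests a whitespace-only change that should be called out in the commit message.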
diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md
index 1641acbc10..81b9fd94a0 100644
--- a/windows/security/threat-protection/auditing/event-4672.md
+++ b/windows/security/threat-protection/auditing/event-4672.md
@@ -22,7 +22,7 @@ ms.author: dansimp
-Subcategory: Audit Special Logon
+Subcategory: Audit Special Logon
***Event Description:***
diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md
index 1caa24d32d..c647485d66 100644
--- a/windows/security/threat-protection/auditing/event-4673.md
+++ b/windows/security/threat-protection/auditing/event-4673.md
@@ -1,6 +1,6 @@
---
title: 4673(S, F) A privileged service was called. (Windows 10)
-description: Describes security event 4673(S, F) A privileged service was called.
+description: Describes security event 4673(S, F) A privileged service was called. This event is generated for an attempt to perform privileged system service operations.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
@@ -135,40 +135,40 @@ Failure event generates when service call attempt fails.
| **Subcategory of event** | **Privilege Name:
User Right Group Policy Name** | **Description** |
|-----------------------------------|-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
-| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
-| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
-| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. |
-| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
Create symbolic links | Required to create a symbolic link. |
-| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
-| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. |
-| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
Increase a process working set | Required to allocate more memory for applications that run in the context of users. |
-| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
-| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. |
-| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. |
-| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. |
-| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
Modify an object label | Required to modify the mandatory integrity level of an object. |
-| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
Force shutdown from a remote system | Required to shut down a system using a network request. |
-| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
Shut down the system | Required to shut down a local system. |
-| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. |
-| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. |
-| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs.
If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. |
-| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
-| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
-| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. |
+| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
+| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
+| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
+| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. |
+| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
Create symbolic links | Required to create a symbolic link. |
+| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
+| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. |
+| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
Increase a process working set | Required to allocate more memory for applications that run in the context of users. |
+| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
+| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. |
+| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. |
+| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. |
+| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
Modify an object label | Required to modify the mandatory integrity level of an object. |
+| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
Force shutdown from a remote system | Required to shut down a system using a network request. |
+| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
Shut down the system | Required to shut down a local system. |
+| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. |
+| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. |
+| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs.
If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. |
+| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
+| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
+| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. |
| **Subcategory of event** | **Privilege Name:
User Right Group Policy Name** | **Description** |
|-------------------------------|------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
-| Audit Sensitive Privilege Use | SeAuditPrivilege:
Generate security audits | With this privilege, the user can add entries to the security log. |
-| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
-| Audit Sensitive Privilege Use | SeDebugPrivilege:
Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. |
-| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
-| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
-| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
Lock pages in memory | Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
-| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
-| Audit Sensitive Privilege Use | SeTcbPrivilege:
Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. |
-| Audit Sensitive Privilege Use | SeEnableDelegationPrivilege:
Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. |
+| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
+| Audit Sensitive Privilege Use | SeAuditPrivilege:
Generate security audits | With this privilege, the user can add entries to the security log. |
+| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
+| Audit Sensitive Privilege Use | SeDebugPrivilege:
Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. |
+| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
+| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
+| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
Lock pages in memory | Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
+| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
+| Audit Sensitive Privilege Use | SeTcbPrivilege:
Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. |
+| Audit Sensitive Privilege Use | SeEnableDelegationPrivilege:
Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. |
## Security Monitoring Recommendations
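Review bot: In the added SeEnableDelegationPrivilege row, the bold markers split the setting name as `**Trusted for Deleg**ation`, so only part of the word renders bold. Move the closing markers to give `**Trusted for Delegation**`. The same text appears earlier in this hunk, so the markup looks carried over rather than new, but these rows are being rewritten and this is the place to fix it.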
diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md
index b4146f681a..5781254277 100644
--- a/windows/security/threat-protection/auditing/event-4674.md
+++ b/windows/security/threat-protection/auditing/event-4674.md
@@ -157,42 +157,42 @@ Failure event generates when operation attempt fails.
| **Subcategory of event** | **Privilege Name:
User Right Group Policy Name** | **Description** |
|-----------------------------------|-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
-| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
-| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
-| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. |
-| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
Create symbolic links | Required to create a symbolic link. |
-| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
-| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. |
-| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
Increase a process working set | Required to allocate more memory for applications that run in the context of users. |
-| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
-| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers. |
-| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. |
-| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. |
-| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
Modify an object label | Required to modify the mandatory integrity level of an object. |
-| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
Force shutdown from a remote system | Required to shut down a system using a network request. |
-| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
Shut down the system | Required to shut down a local system. |
-| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. |
-| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. |
-| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. |
-| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
-| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
-| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. |
+| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
+| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
+| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
+| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. |
+| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
Create symbolic links | Required to create a symbolic link. |
+| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
+| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. |
+| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
Increase a process working set | Required to allocate more memory for applications that run in the context of users. |
+| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
+| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers. |
+| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. |
+| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. |
+| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
Modify an object label | Required to modify the mandatory integrity level of an object. |
+| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
Force shutdown from a remote system | Required to shut down a system using a network request. |
+| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
Shut down the system | Required to shut down a local system. |
+| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. |
+| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. |
+| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. |
+| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
+| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
+| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. |
| **Subcategory of event** | **Privilege Name:
User Right Group Policy Name** | **Description** |
|-------------------------------|-----------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
-| Audit Sensitive Privilege Use | SeAuditPrivilege:
Generate security audits | With this privilege, the user can add entries to the security log. |
-| Audit Sensitive Privilege Use | SeBackupPrivilege:
Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE |
-| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
-| Audit Sensitive Privilege Use | SeDebugPrivilege:
Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right.
This user right provides complete access to sensitive and critical operating system components. |
-| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
-| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
-| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
-| Audit Sensitive Privilege Use | SeRestorePrivilege:
Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
-| Audit Sensitive Privilege Use | SeSecurityPrivilege:
Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log. |
-| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
-| Audit Sensitive Privilege Use | SeTakeOwnershipPrivilege:
Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. |
+| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
+| Audit Sensitive Privilege Use | SeAuditPrivilege:
Generate security audits | With this privilege, the user can add entries to the security log. |
+| Audit Sensitive Privilege Use | SeBackupPrivilege:
Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE |
+| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
+| Audit Sensitive Privilege Use | SeDebugPrivilege:
Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right.
This user right provides complete access to sensitive and critical operating system components. |
+| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
+| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
+| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
+| Audit Sensitive Privilege Use | SeRestorePrivilege:
Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
+| Audit Sensitive Privilege Use | SeSecurityPrivilege:
Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log. |
+| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
+| Audit Sensitive Privilege Use | SeTakeOwnershipPrivilege:
Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. |
## Security Monitoring Recommendations
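Review bot: SeLockMemoryPrivilege is listed in both tables of this hunk, once under Audit Non Sensitive Privilege Use and once under Audit Sensitive Privilege Use, with the same description. A reader building an audit policy cannot tell which subcategory logs its use, so keep the row in one table or state that both apply. While these rows are being touched, the SeBackupPrivilege description starts with a stray `- ` (`| - Required to perform backup operations.`) and the SeLoadDriverPrivilege row says "in to kernel mode" where "into" is meant. The removed and added rows read the same here, so if the change is whitespace-only, the commit message should say so.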
diff --git a/windows/security/threat-protection/auditing/event-4675.md b/windows/security/threat-protection/auditing/event-4675.md
index 20ed1e1911..978d25bf39 100644
--- a/windows/security/threat-protection/auditing/event-4675.md
+++ b/windows/security/threat-protection/auditing/event-4675.md
@@ -1,6 +1,6 @@
---
title: 4675(S) SIDs were filtered. (Windows 10)
-description: Describes security event 4675(S) SIDs were filtered.
+description: Describes security event 4675(S) SIDs were filtered. This event is generated when SIDs were filtered for a specific Active Directory trust.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
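Review bot: The added sentence in `description:` mixes tenses: "is generated when SIDs were filtered". Use "when SIDs are filtered for a specific Active Directory trust" so it matches the present-tense descriptions added to the other event pages in this patch.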
diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md
index 55ace9419d..cba2f4eb49 100644
--- a/windows/security/threat-protection/auditing/event-4688.md
+++ b/windows/security/threat-protection/auditing/event-4688.md
@@ -1,6 +1,6 @@
---
title: 4688(S) A new process has been created. (Windows 10)
-description: Describes security event 4688(S) A new process has been created.
+description: Describes security event 4688(S) A new process has been created. This event is generated when a new process starts.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
@@ -206,9 +206,9 @@ For 4688(S): A new process has been created.
- It can be unusual for a process to run using a local account in either **Creator Subject\\Security ID** or in **Target** **Subject\\Security ID**.
-- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol. Typically this means that UAC is disabled for this account for some reason.
+- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol. Typically this means that UAC is disabled for this account for some reason.
-- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol. This means that a user ran a program using administrative privileges.
+- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol. This means that a user ran a program using administrative privileges.
- You can also monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when a computer object was used to run the process, but that computer object is not the same computer where the event occurs.
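Review bot: The second rewritten bullet still pairs the name **TokenElevationTypeDefault** with the value (2), while the first bullet uses the same name for (1). The sentence "a user ran a program using administrative privileges" describes a full (elevated) token, which is TokenElevationTypeFull (2). Correct the name in this bullet and in the unchanged "You can also monitor" bullet that follows it. Otherwise a detection rule written from this guidance keys on a name that belongs to a different value. The visible change to these two bullets appears to be whitespace-only, so fixing the name now costs nothing extra.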
diff --git a/windows/security/threat-protection/auditing/event-4689.md b/windows/security/threat-protection/auditing/event-4689.md
index cf6f0fce07..81c27d0423 100644
--- a/windows/security/threat-protection/auditing/event-4689.md
+++ b/windows/security/threat-protection/auditing/event-4689.md
@@ -1,6 +1,6 @@
---
title: 4689(S) A process has exited. (Windows 10)
-description: Describes security event 4689(S) A process has exited.
+description: Describes security event 4689(S) A process has exited. This event is generates when a process exits.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
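Review bot: The added sentence in `description:` has a grammar error: "This event is generates when a process exits." It should read "This event is generated when a process exits." This string is shown in search results, so the typo is user-visible.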
diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md
index 2742b717ce..ba941d6b5d 100644
--- a/windows/security/threat-protection/auditing/event-4698.md
+++ b/windows/security/threat-protection/auditing/event-4698.md
@@ -1,6 +1,6 @@
---
title: 4698(S) A scheduled task was created. (Windows 10)
-description: Describes security event 4698(S) A scheduled task was created.
+description: Describes security event 4698(S) A scheduled task was created. This event is generated when a scheduled task is created.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md
index 280aad111e..35eccf157c 100644
--- a/windows/security/threat-protection/auditing/event-4699.md
+++ b/windows/security/threat-protection/auditing/event-4699.md
@@ -1,6 +1,6 @@
---
title: 4699(S) A scheduled task was deleted. (Windows 10)
-description: Describes security event 4699(S) A scheduled task was deleted.
+description: Describes security event 4699(S) A scheduled task was deleted. This event is generated every time a scheduled task is deleted.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md
index a53997c7b8..7de372086e 100644
--- a/windows/security/threat-protection/auditing/event-4700.md
+++ b/windows/security/threat-protection/auditing/event-4700.md
@@ -1,6 +1,6 @@
---
title: 4700(S) A scheduled task was enabled. (Windows 10)
-description: Describes security event 4700(S) A scheduled task was enabled.
+description: Describes security event 4700(S) A scheduled task was enabled. This event is generated every time a scheduled task is enabled.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md
index d1991b0941..efe36fcc4d 100644
--- a/windows/security/threat-protection/auditing/event-4701.md
+++ b/windows/security/threat-protection/auditing/event-4701.md
@@ -1,6 +1,6 @@
---
title: 4701(S) A scheduled task was disabled. (Windows 10)
-description: Describes security event 4701(S) A scheduled task was disabled.
+description: Describes security event 4701(S) A scheduled task was disabled. This event is generated every time a scheduled task is disabled.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md
index 01ef0250a8..4ae828770c 100644
--- a/windows/security/threat-protection/auditing/event-4702.md
+++ b/windows/security/threat-protection/auditing/event-4702.md
@@ -1,6 +1,6 @@
---
title: 4702(S) A scheduled task was updated. (Windows 10)
-description: Describes security event 4702(S) A scheduled task was updated.
+description: Describes security event 4702(S) A scheduled task was updated. This event is generated when a scheduled task is updated/changed.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
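Review bot: The added sentence ends with "updated/changed", which gives two words for one action in a string meant for search results. The event title says "updated", so "This event is generated when a scheduled task is updated." is enough. The neighbouring pages also alternate between "generated when" (4698) and "generated every time" (4699 to 4701); pick one phrasing for the scheduled-task events.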
diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md
index 9e2056f25d..7483483ea2 100644
--- a/windows/security/threat-protection/auditing/event-4703.md
+++ b/windows/security/threat-protection/auditing/event-4703.md
@@ -1,6 +1,6 @@
---
title: 4703(S) A user right was adjusted. (Windows 10)
-description: Describes security event 4703(S) A user right was adjusted.
+description: Describes security event 4703(S) A user right was adjusted. This event is generated when token privileges are enabled or disabled for a specific account.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md
index 7db8499254..bc3e9d5c3a 100644
--- a/windows/security/threat-protection/auditing/event-4704.md
+++ b/windows/security/threat-protection/auditing/event-4704.md
@@ -1,6 +1,6 @@
---
title: 4704(S) A user right was assigned. (Windows 10)
-description: Describes security event 4704(S) A user right was assigned.
+description: Describes security event 4704(S) A user right was assigned. This event is generated when a user right is assigned to an account.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md
index a89086caee..5b337c9941 100644
--- a/windows/security/threat-protection/auditing/event-4705.md
+++ b/windows/security/threat-protection/auditing/event-4705.md
@@ -1,6 +1,6 @@
---
title: 4705(S) A user right was removed. (Windows 10)
-description: Describes security event 4705(S) A user right was removed.
+description: Describes security event 4705(S) A user right was removed. This event is generated when a user right is removed from an account.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4706.md b/windows/security/threat-protection/auditing/event-4706.md
index c566c246bf..2a57c47db5 100644
--- a/windows/security/threat-protection/auditing/event-4706.md
+++ b/windows/security/threat-protection/auditing/event-4706.md
@@ -1,6 +1,6 @@
---
title: 4706(S) A new trust was created to a domain. (Windows 10)
-description: Describes security event 4706(S) A new trust was created to a domain.
+description: Describes security event 4706(S) A new trust was created to a domain. This event is generated when a new trust is created for a domain.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4707.md b/windows/security/threat-protection/auditing/event-4707.md
index f998718c41..dc7e2f5419 100644
--- a/windows/security/threat-protection/auditing/event-4707.md
+++ b/windows/security/threat-protection/auditing/event-4707.md
@@ -1,6 +1,6 @@
---
title: 4707(S) A trust to a domain was removed. (Windows 10)
-description: Describes security event 4707(S) A trust to a domain was removed.
+description: Describes security event 4707(S) A trust to a domain was removed. This event is generated when a domain trust is removed.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4713.md b/windows/security/threat-protection/auditing/event-4713.md
index a4809630b7..69c6f2f153 100644
--- a/windows/security/threat-protection/auditing/event-4713.md
+++ b/windows/security/threat-protection/auditing/event-4713.md
@@ -1,6 +1,6 @@
---
title: 4713(S) Kerberos policy was changed. (Windows 10)
-description: Describes security event 4713(S) Kerberos policy was changed.
+description: Describes security event 4713(S) Kerberos policy was changed. This event is generated when Kerberos policy is changed.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4719.md b/windows/security/threat-protection/auditing/event-4719.md
index 4498dfe0fc..e634cf0bbf 100644
--- a/windows/security/threat-protection/auditing/event-4719.md
+++ b/windows/security/threat-protection/auditing/event-4719.md
@@ -1,6 +1,6 @@
---
title: 4719(S) System audit policy was changed. (Windows 10)
-description: Describes security event 4719(S) System audit policy was changed.
+description: Describes security event 4719(S) System audit policy was changed. This event is generated when the computer audit policy changes.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md
index fffcee9e09..d18fd86200 100644
--- a/windows/security/threat-protection/auditing/event-4720.md
+++ b/windows/security/threat-protection/auditing/event-4720.md
@@ -1,6 +1,6 @@
---
title: 4720(S) A user account was created. (Windows 10)
-description: Describes security event 4720(S) A user account was created.
+description: Describes security event 4720(S) A user account was created. This event is generated a user object is created.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
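Review bot: The sentence added to the `description:` line is missing a word: "This event is generated a user object is created." should read "This event is generated when a user object is created.", matching the phrasing used in the 4722, 4725 and 4726 descriptions.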
diff --git a/windows/security/threat-protection/auditing/event-4722.md b/windows/security/threat-protection/auditing/event-4722.md
index 2029ba7eae..97a958aba9 100644
--- a/windows/security/threat-protection/auditing/event-4722.md
+++ b/windows/security/threat-protection/auditing/event-4722.md
@@ -1,6 +1,6 @@
---
title: 4722(S) A user account was enabled. (Windows 10)
-description: Describes security event 4722(S) A user account was enabled.
+description: Describes security event 4722(S) A user account was enabled. This event is generated when a user or computer object is enabled.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4725.md b/windows/security/threat-protection/auditing/event-4725.md
index e1103b365e..c1bdc4c1f4 100644
--- a/windows/security/threat-protection/auditing/event-4725.md
+++ b/windows/security/threat-protection/auditing/event-4725.md
@@ -1,6 +1,6 @@
---
title: 4725(S) A user account was disabled. (Windows 10)
-description: Describes security event 4725(S) A user account was disabled.
+description: Describes security event 4725(S) A user account was disabled. This event is generated when a user or computer object is disabled.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4726.md b/windows/security/threat-protection/auditing/event-4726.md
index 5d48cc9ae6..ae0997e85e 100644
--- a/windows/security/threat-protection/auditing/event-4726.md
+++ b/windows/security/threat-protection/auditing/event-4726.md
@@ -1,6 +1,6 @@
---
title: 4726(S) A user account was deleted. (Windows 10)
-description: Describes security event 4726(S) A user account was deleted.
+description: Describes security event 4726(S) A user account was deleted. This event is generated when a user object is deleted.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md
index e9761cde7b..3ad4e0bb93 100644
--- a/windows/security/threat-protection/auditing/event-4738.md
+++ b/windows/security/threat-protection/auditing/event-4738.md
@@ -1,6 +1,6 @@
---
title: 4738(S) A user account was changed. (Windows 10)
-description: Describes security event 4738(S) A user account was changed.
+description: Describes security event 4738(S) A user account was changed. This event is generated when a user object is changed.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
@@ -32,7 +32,7 @@ This event generates on domain controllers, member servers, and workstations.
For each change, a separate 4738 event will be generated.
-You might see this event without any changes inside, that is, where all **Changed Attributes** apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, if the [discretionary access control list](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4738 event will generate, but all attributes will be “-“.
+You might see this event without any changes inside, that is, where all **Changed Attributes** appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, if the [discretionary access control list](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4738 event will generate, but all attributes will be “-“.
Some changes do not invoke a 4738 event.
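Review bot: The "apear" typo is fixed on the changed line, but the dash placeholder is still written as “-“ with an opening curly quote on both sides, twice in this paragraph. Since the line is being touched anyway, close the quote properly (“-” or a plain "-") so the value readers are told to look for renders correctly.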
diff --git a/windows/security/threat-protection/auditing/event-4739.md b/windows/security/threat-protection/auditing/event-4739.md
index 9d9732a82c..644aa94187 100644
--- a/windows/security/threat-protection/auditing/event-4739.md
+++ b/windows/security/threat-protection/auditing/event-4739.md
@@ -1,6 +1,6 @@
---
title: 4739(S) Domain Policy was changed. (Windows 10)
-description: Describes security event 4739(S) Domain Policy was changed.
+description: Describes security event 4739(S) Domain Policy was changed. This event is generated when certain changes are made to the local computer security policy.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
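Review bot: The new description sentence says the event covers changes to "the local computer security policy" while the title on the line above says "Domain Policy was changed", and "certain changes" does not tell a reader which ones. Either name the policy areas that trigger 4739 or reword so the title and description agree on scope.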
diff --git a/windows/security/threat-protection/auditing/event-4740.md b/windows/security/threat-protection/auditing/event-4740.md
index 95cdfe7ee6..68838caedf 100644
--- a/windows/security/threat-protection/auditing/event-4740.md
+++ b/windows/security/threat-protection/auditing/event-4740.md
@@ -1,6 +1,6 @@
---
title: 4740(S) A user account was locked out. (Windows 10)
-description: Describes security event 4740(S) A user account was locked out.
+description: Describes security event 4740(S) A user account was locked out. This event is generated every time a user account is locked out.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md
index ef907d69b0..22809b4f8f 100644
--- a/windows/security/threat-protection/auditing/event-4741.md
+++ b/windows/security/threat-protection/auditing/event-4741.md
@@ -1,6 +1,6 @@
---
title: 4741(S) A computer account was created. (Windows 10)
-description: Describes security event 4741(S) A computer account was created.
+description: Describes security event 4741(S) A computer account was created. This event is generated every time a computer object is created.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
@@ -242,7 +242,7 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT
- **DNS Host Name** \[Type = UnicodeString\]: name of computer account as registered in DNS. The value of **dNSHostName** attribute of new computer object. For manually created computer account objects this field has value “**-**“.
-- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of **servicePrincipalName** attribute of new computer object. For manually created computer objects it is typically equals “**-**“. This is an example of **Service Principal Names** field for new domain joined workstation:
+- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of **servicePrincipalName** attribute of new computer object. For manually created computer objects it is typically equals “**-**“. This is an example of **Service Principal Names** field for new domain joined workstation:
HOST/Win81.contoso.local
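Review bot: The changed **Service Principal Names** line still reads "it is typically equals" and "registered for computer account"; as rendered here the removed and added lines are otherwise identical, so this looks like a whitespace-only edit. If the line is being touched, fix the grammar as well ("it typically equals", "registered for the computer account").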
diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md
index b39135ee00..0d9f50526b 100644
--- a/windows/security/threat-protection/auditing/event-4742.md
+++ b/windows/security/threat-protection/auditing/event-4742.md
@@ -1,6 +1,6 @@
---
title: 4742(S) A computer account was changed. (Windows 10)
-description: Describes security event 4742(S) A computer account was changed.
+description: Describes security event 4742(S) A computer account was changed. This event is generated every time a computer object is changed.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
@@ -36,7 +36,7 @@ For each change, a separate 4742 event will be generated.
Some changes do not invoke a 4742 event, for example, changes made using Active Directory Users and Computers management console in **Managed By** tab in computer account properties.
-You might see this event without any changes inside, that is, where all **Changed Attributes** apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the **Description** of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4742 event will generate, but all attributes will be “-“.
+You might see this event without any changes inside, that is, where all **Changed Attributes** appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the **Description** of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4742 event will generate, but all attributes will be “-“.
***Important*:** If you manually change any user-related setting or attribute, for example if you set the SMARTCARD\_REQUIRED flag in **userAccountControl** for the computer account, then the **sAMAccountType** of the computer account will be changed to NORMAL\_USER\_ACCOUNT and you will get “[4738](event-4738.md): A user account was changed” instead of 4742 for this computer account. Essentially, the computer account will “become” a user account. For NORMAL\_USER\_ACCOUNT you will always get events from [Audit User Account Management](audit-user-account-management.md) subcategory. We strongly recommend that you avoid changing any user-related settings manually for computer objects.
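Review bot: In the changed paragraph, the example still refers to changing the **Description** of "a group object", but this page documents 4742 for computer accounts, which reads like text carried over from a group event page. Confirm whether it should say "computer object", and fix the “-“ placeholder, which still uses an opening curly quote on both sides.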
@@ -243,7 +243,7 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT
- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. If the SPN list of a computer account changed, you will see the new SPN list in **Service Principal Names** field (note that you will see the new list instead of changes). If the value of **servicePrincipalName** attribute of computer object was changed, you will see the new value here.
- Here is an example of **Service Principal Names** field for new domain joined workstation in event 4742 on domain controller, after workstation reboots:
+ Here is an example of **Service Principal Names** field for new domain joined workstation in event 4742 on domain controller, after workstation reboots:
HOST/Win81.contoso.local
diff --git a/windows/security/threat-protection/auditing/event-4743.md b/windows/security/threat-protection/auditing/event-4743.md
index 3fc25787d1..3cc90698fb 100644
--- a/windows/security/threat-protection/auditing/event-4743.md
+++ b/windows/security/threat-protection/auditing/event-4743.md
@@ -1,6 +1,6 @@
---
title: 4743(S) A computer account was deleted. (Windows 10)
-description: Describes security event 4743(S) A computer account was deleted.
+description: Describes security event 4743(S) A computer account was deleted. This event is generated every time a computer object is deleted.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4764.md b/windows/security/threat-protection/auditing/event-4764.md
index 28f41dff94..86df9d9645 100644
--- a/windows/security/threat-protection/auditing/event-4764.md
+++ b/windows/security/threat-protection/auditing/event-4764.md
@@ -1,6 +1,6 @@
---
title: 4764(S) A group's type was changed. (Windows 10)
-description: Describes security event 4764(S) A group’s type was changed.
+description: "Describes security event 4764(S) A group's type was changed. This event is generated when the type of a group is changed."
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
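Review bot: This is the only `description:` in the patch wrapped in double quotes, and the curly apostrophe in "group’s" is replaced with a straight one in the same edit. If the quoting is there to satisfy the YAML parser, say so in the commit message; otherwise leave the value unquoted so the front matter matches the other event pages, given that the `title:` line above already carries the same straight apostrophe unquoted.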
diff --git a/windows/security/threat-protection/auditing/event-4765.md b/windows/security/threat-protection/auditing/event-4765.md
index c5310d9f72..3ea2c4e756 100644
--- a/windows/security/threat-protection/auditing/event-4765.md
+++ b/windows/security/threat-protection/auditing/event-4765.md
@@ -1,6 +1,6 @@
---
title: 4765(S) SID History was added to an account. (Windows 10)
-description: Describes security event 4765(S) SID History was added to an account.
+description: Describes security event 4765(S) SID History was added to an account. This event is generated when SID History is added to an account.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4767.md b/windows/security/threat-protection/auditing/event-4767.md
index e5f3f71068..87baefbc54 100644
--- a/windows/security/threat-protection/auditing/event-4767.md
+++ b/windows/security/threat-protection/auditing/event-4767.md
@@ -1,6 +1,6 @@
---
title: 4767(S) A user account was unlocked. (Windows 10)
-description: Describes security event 4767(S) A user account was unlocked.
+description: Describes security event 4767(S) A user account was unlocked. This event is generated every time a user account is unlocked.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
index d8e637e093..af44f02711 100644
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@@ -1,6 +1,6 @@
---
title: 4771(F) Kerberos pre-authentication failed. (Windows 10)
-description: Describes security event 4771(F) Kerberos pre-authentication failed.
+description: Describes security event 4771(F) Kerberos pre-authentication failed. This event is generated when the Key Distribution Center fails to issue a Kerberos TGT.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4774.md b/windows/security/threat-protection/auditing/event-4774.md
index df9ff558e3..21a33e20a2 100644
--- a/windows/security/threat-protection/auditing/event-4774.md
+++ b/windows/security/threat-protection/auditing/event-4774.md
@@ -1,6 +1,6 @@
---
title: 4774(S, F) An account was mapped for logon. (Windows 10)
-description: Describes security event 4774(S, F) An account was mapped for logon.
+description: Describes security event 4774(S, F) An account was mapped for logon. This event is generated when an account is mapped for logon.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
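Review bot: The sentence added to `description:` only restates the title ("An account was mapped for logon. This event is generated when an account is mapped for logon."), so the search snippet gains no information. Say what triggers the mapping or where the event is logged, or keep the original description.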
diff --git a/windows/security/threat-protection/auditing/event-4781.md b/windows/security/threat-protection/auditing/event-4781.md
index 042f226a20..a48651e686 100644
--- a/windows/security/threat-protection/auditing/event-4781.md
+++ b/windows/security/threat-protection/auditing/event-4781.md
@@ -1,6 +1,6 @@
---
title: 4781(S) The name of an account was changed. (Windows 10)
-description: Describes security event 4781(S) The name of an account was changed.
+description: Describes security event 4781(S) The name of an account was changed. This event is generated every time a user or computer account name is changed.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4800.md b/windows/security/threat-protection/auditing/event-4800.md
index e661f5ed3d..b0be9a0f3a 100644
--- a/windows/security/threat-protection/auditing/event-4800.md
+++ b/windows/security/threat-protection/auditing/event-4800.md
@@ -1,6 +1,6 @@
---
title: 4800(S) The workstation was locked. (Windows 10)
-description: Describes security event 4800(S) The workstation was locked.
+description: Describes security event 4800(S) The workstation was locked. This event is generated when a workstation is locked.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4801.md b/windows/security/threat-protection/auditing/event-4801.md
index 937d79b878..61e2682379 100644
--- a/windows/security/threat-protection/auditing/event-4801.md
+++ b/windows/security/threat-protection/auditing/event-4801.md
@@ -1,6 +1,6 @@
---
title: 4801(S) The workstation was unlocked. (Windows 10)
-description: Describes security event 4801(S) The workstation was unlocked.
+description: Describes security event 4801(S) The workstation was unlocked. This event is generated when workstation is unlocked.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
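Review bot: The added sentence drops the article: "generated when workstation is unlocked". The 4800 description uses "when a workstation is locked", so write "when a workstation is unlocked" here for consistency.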
diff --git a/windows/security/threat-protection/auditing/event-4802.md b/windows/security/threat-protection/auditing/event-4802.md
index 41f5ba4f6e..a00ead7497 100644
--- a/windows/security/threat-protection/auditing/event-4802.md
+++ b/windows/security/threat-protection/auditing/event-4802.md
@@ -1,6 +1,6 @@
---
title: 4802(S) The screen saver was invoked. (Windows 10)
-description: Describes security event 4802(S) The screen saver was invoked.
+description: Describes security event 4802(S) The screen saver was invoked. This event is generated when screen saver is invoked.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4803.md b/windows/security/threat-protection/auditing/event-4803.md
index c50d78d76c..0354849e13 100644
--- a/windows/security/threat-protection/auditing/event-4803.md
+++ b/windows/security/threat-protection/auditing/event-4803.md
@@ -1,6 +1,6 @@
---
title: 4803(S) The screen saver was dismissed. (Windows 10)
-description: Describes security event 4803(S) The screen saver was dismissed.
+description: Describes security event 4803(S) The screen saver was dismissed. This event is generated when screen saver is dismissed.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4826.md b/windows/security/threat-protection/auditing/event-4826.md
index 4e45693aaa..3729924d93 100644
--- a/windows/security/threat-protection/auditing/event-4826.md
+++ b/windows/security/threat-protection/auditing/event-4826.md
@@ -1,6 +1,6 @@
---
title: 4826(S) Boot Configuration Data loaded. (Windows 10)
-description: Describes security event 4826(S) Boot Configuration Data loaded.
+description: Describes security event 4826(S) Boot Configuration Data loaded. This event is generated every time system starts and loads Boot Configuration Data settings.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md
index 62ced88fe8..5556b207b5 100644
--- a/windows/security/threat-protection/auditing/event-4864.md
+++ b/windows/security/threat-protection/auditing/event-4864.md
@@ -1,6 +1,6 @@
---
title: 4864(S) A namespace collision was detected. (Windows 10)
-description: Describes security event 4864(S) A namespace collision was detected.
+description: Describes security event 4864(S) A namespace collision was detected. This event is generated when a namespace collision is detected.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md
index 34454c6d14..6610d670eb 100644
--- a/windows/security/threat-protection/auditing/event-4907.md
+++ b/windows/security/threat-protection/auditing/event-4907.md
@@ -285,5 +285,5 @@ For 4907(S): Auditing settings on object were changed.
- If you have critical file or registry objects and you need to monitor all modifications (especially changes in SACL), monitor for specific “**Object\\Object Name”**.
-- If you have high-value computers for which you need to monitor all changes for all or specific file or registry objects, monitor for all [4907](event-4907.md) events on these computers.
+- If you have high-value computers for which you need to monitor all changes for all or specific file or registry objects, monitor for all [4907](event-4907.md) events on these computers.
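Review bot: The removed and added list items in this hunk read identically as shown, so the change is presumably whitespace only (a trailing space or a non-breaking space). State that in the commit description, since this file gets no `description:` update like the other event pages in the patch and the hunk is otherwise hard to interpret.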
diff --git a/windows/security/threat-protection/auditing/event-4908.md b/windows/security/threat-protection/auditing/event-4908.md
index 847263668e..7573adb5f7 100644
--- a/windows/security/threat-protection/auditing/event-4908.md
+++ b/windows/security/threat-protection/auditing/event-4908.md
@@ -1,6 +1,6 @@
---
title: 4908(S) Special Groups Logon table modified. (Windows 10)
-description: Describes security event 4908(S) Special Groups Logon table modified.
+description: Describes security event 4908(S) Special Groups Logon table modified. This event is generated when the Special Groups Logon table is modified.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4912.md b/windows/security/threat-protection/auditing/event-4912.md
index 4e98d50f44..cf141b9a2d 100644
--- a/windows/security/threat-protection/auditing/event-4912.md
+++ b/windows/security/threat-protection/auditing/event-4912.md
@@ -1,6 +1,6 @@
---
title: 4912(S) Per User Audit Policy was changed. (Windows 10)
-description: Describes security event 4912(S) Per User Audit Policy was changed.
+description: Describes security event 4912(S) Per User Audit Policy was changed. This event is generated every time Per User Audit Policy is changed.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4935.md b/windows/security/threat-protection/auditing/event-4935.md
index 18964e5c16..c9e2159bc0 100644
--- a/windows/security/threat-protection/auditing/event-4935.md
+++ b/windows/security/threat-protection/auditing/event-4935.md
@@ -1,6 +1,6 @@
---
title: 4935(F) Replication failure begins. (Windows 10)
-description: Describes security event 4935(F) Replication failure begins.
+description: Describes security event 4935(F) Replication failure begins. This event is generated when Active Directory replication failure begins.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4936.md b/windows/security/threat-protection/auditing/event-4936.md
index 214811e890..d9d60e43be 100644
--- a/windows/security/threat-protection/auditing/event-4936.md
+++ b/windows/security/threat-protection/auditing/event-4936.md
@@ -1,6 +1,6 @@
---
title: 4936(S) Replication failure ends. (Windows 10)
-description: Describes security event 4936(S) Replication failure ends.
+description: Describes security event 4936(S) Replication failure ends. This event is generated when Active Directory replication failure ends.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md
index 43677f0e97..1f6c100b8d 100644
--- a/windows/security/threat-protection/auditing/event-5039.md
+++ b/windows/security/threat-protection/auditing/event-5039.md
@@ -1,6 +1,6 @@
---
title: 5039(-) A registry key was virtualized. (Windows 10)
-description: Describes security event 5039(-) A registry key was virtualized.
+description: Describes security event 5039(-) A registry key was virtualized. This event is generated when a registry key is virtualized using LUAFV.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
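Review bot: The new description ends with "virtualized using LUAFV", an acronym that is not expanded anywhere in the visible front matter. Because this text appears in search results, spell the acronym out on first use; the same applies to the 5051 description.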
diff --git a/windows/security/threat-protection/auditing/event-5051.md b/windows/security/threat-protection/auditing/event-5051.md
index adfb677ffd..0bf8362113 100644
--- a/windows/security/threat-protection/auditing/event-5051.md
+++ b/windows/security/threat-protection/auditing/event-5051.md
@@ -1,6 +1,6 @@
---
title: 5051(-) A file was virtualized. (Windows 10)
-description: Describes security event 5051(-) A file was virtualized.
+description: Describes security event 5051(-) A file was virtualized. This event is generated when a file is virtualized using LUAFV.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-5058.md b/windows/security/threat-protection/auditing/event-5058.md
index 508bb9d381..008ecb3292 100644
--- a/windows/security/threat-protection/auditing/event-5058.md
+++ b/windows/security/threat-protection/auditing/event-5058.md
@@ -1,6 +1,6 @@
---
title: 5058(S, F) Key file operation. (Windows 10)
-description: Describes security event 5058(S, F) Key file operation.
+description: Describes security event 5058(S, F) Key file operation. This event is generated when an operation is performed on a file that contains a KSP key.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
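Review bot: The added sentence uses the abbreviation "KSP key", while the 5059 and 5061 descriptions in this patch spell out "Key Storage Provider". Use the full term here too so the three key-related event descriptions read consistently.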
diff --git a/windows/security/threat-protection/auditing/event-5059.md b/windows/security/threat-protection/auditing/event-5059.md
index e3f73073f3..096fcfe2c9 100644
--- a/windows/security/threat-protection/auditing/event-5059.md
+++ b/windows/security/threat-protection/auditing/event-5059.md
@@ -1,6 +1,6 @@
---
title: 5059(S, F) Key migration operation. (Windows 10)
-description: Describes security event 5059(S, F) Key migration operation.
+description: Describes security event 5059(S, F) Key migration operation. This event is generated when a cryptographic key is exported/imported using a Key Storage Provider.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md
index bd0414e3ca..96344c475f 100644
--- a/windows/security/threat-protection/auditing/event-5060.md
+++ b/windows/security/threat-protection/auditing/event-5060.md
@@ -1,6 +1,6 @@
---
title: 5060(F) Verification operation failed. (Windows 10)
-description: Describes security event 5060(F) Verification operation failed.
+description: Describes security event 5060(F) Verification operation failed. This event is generated in case of CNG verification operation failure.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md
index 271b5d582b..d283324906 100644
--- a/windows/security/threat-protection/auditing/event-5061.md
+++ b/windows/security/threat-protection/auditing/event-5061.md
@@ -1,6 +1,6 @@
---
title: 5061(S, F) Cryptographic operation. (Windows 10)
-description: Describes security event 5061(S, F) Cryptographic operation.
+description: Describes security event 5061(S, F) Cryptographic operation. This event is generated when a cryptographic operation is performed using a Key Storage Provider.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md
index a4f705ba93..3d3d5152cc 100644
--- a/windows/security/threat-protection/auditing/event-5140.md
+++ b/windows/security/threat-protection/auditing/event-5140.md
@@ -145,7 +145,7 @@ For 5140(S, F): A network share object was accessed.
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-- If you have high-value computers for which you need to monitor all access to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor share **C$** on domain controllers.
+- If you have high-value computers for which you need to monitor all access to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor share **C$** on domain controllers.
- Monitor this event if the **Network Information\\Source Address** is not from your internal IP range.
diff --git a/windows/security/threat-protection/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md
index 858e4a608f..fdb2fe2741 100644
--- a/windows/security/threat-protection/auditing/event-5142.md
+++ b/windows/security/threat-protection/auditing/event-5142.md
@@ -1,6 +1,6 @@
---
title: 5142(S) A network share object was added. (Windows 10)
-description: Describes security event 5142(S) A network share object was added.
+description: Describes security event 5142(S) A network share object was added. This event is generated when a network share object is added.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
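Review bot: the sentence appended to `description:`, "This event is generated when a network share object is added.", only restates the title and gives a search reader nothing new. Consider using the space for what the page recommends, for example that the event is worth monitoring on high-value computers and that "Share Path" should be checked, both of which the file's own recommendations cover.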
@@ -104,7 +104,7 @@ For 5142(S): A network share object was added.
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-- If you have high-value computers for which you need to monitor creation of new file shares, monitor this event. For example, you could monitor domain controllers.
+- If you have high-value computers for which you need to monitor creation of new file shares, monitor this event. For example, you could monitor domain controllers.
- We recommend checking “**Share Path**”, because it should not point to system directories, such as **C:\\Windows** or **C:\\**, or to critical local folders which contain private or high value information.
diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md
index c7f46521ae..a62699a745 100644
--- a/windows/security/threat-protection/auditing/event-5143.md
+++ b/windows/security/threat-protection/auditing/event-5143.md
@@ -1,6 +1,6 @@
---
title: 5143(S) A network share object was modified. (Windows 10)
-description: Describes security event 5143(S) A network share object was modified.
+description: Describes security event 5143(S) A network share object was modified. This event is generated when a network share object is modified.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
@@ -259,5 +259,5 @@ For 5143(S): A network share object was modified.
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-- If you have high-value computers for which you need to monitor all modifications to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor all changes to the SYSVOL share on domain controllers.
+- If you have high-value computers for which you need to monitor all modifications to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor all changes to the SYSVOL share on domain controllers.
diff --git a/windows/security/threat-protection/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md
index 4c20a34092..581c19e3c9 100644
--- a/windows/security/threat-protection/auditing/event-5144.md
+++ b/windows/security/threat-protection/auditing/event-5144.md
@@ -1,6 +1,6 @@
---
title: 5144(S) A network share object was deleted. (Windows 10)
-description: Describes security event 5144(S) A network share object was deleted.
+description: Describes security event 5144(S) A network share object was deleted. This event is generated when a network share object is deleted.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
@@ -106,5 +106,5 @@ For 5144(S): A network share object was deleted.
- If you have critical network shares for which you need to monitor all changes (especially, the deletion of that share), monitor for specific “**Share Information\\Share Name”.**
-- If you have high-value computers for which you need to monitor all changes (especially, deletion of file shares), monitor for all [5144](event-5144.md) events on these computers. For example, you could monitor file shares on domain controllers.
+- If you have high-value computers for which you need to monitor all changes (especially, deletion of file shares), monitor for all [5144](event-5144.md) events on these computers. For example, you could monitor file shares on domain controllers.
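Review bot: the unchanged bullet directly above the edited one has misplaced bold markers, `“**Share Information\\Share Name”.**`, so the closing quote and the period fall inside the bold span. Since this hunk already touches the list, fix it to `“**Share Information\\Share Name**”.`, matching how “**Share Name**” is written in the 5140 and 5143 pages. The removed and added bullets read identically as shown, so please note in the commit message that the edit is whitespace only.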
diff --git a/windows/security/threat-protection/auditing/event-5168.md b/windows/security/threat-protection/auditing/event-5168.md
index 9889690df3..fcc35ba385 100644
--- a/windows/security/threat-protection/auditing/event-5168.md
+++ b/windows/security/threat-protection/auditing/event-5168.md
@@ -1,6 +1,6 @@
---
title: 5168(F) SPN check for SMB/SMB2 failed. (Windows 10)
-description: Describes security event 5168(F) SPN check for SMB/SMB2 failed.
+description: Describes security event 5168(F) SPN check for SMB/SMB2 failed. This event is generated when an SMB SPN check fails.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-6407.md b/windows/security/threat-protection/auditing/event-6407.md
index 396bf6af15..ca5e8e02d6 100644
--- a/windows/security/threat-protection/auditing/event-6407.md
+++ b/windows/security/threat-protection/auditing/event-6407.md
@@ -1,6 +1,6 @@
---
title: 6407(-) 1%. (Windows 10)
-description: Describes security event 6407(-) 1%.
+description: Describes security event 6407(-) 1%. This is a BranchCache event, which is outside the scope of this document.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
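Review bot: the new `description:` repeats "6407(-) 1%" from the title, and "1%" reads like an unexpanded message placeholder rather than an event name. The added sentence ("This is a BranchCache event, which is outside the scope of this document.") is the useful part, so consider leading with it and dropping the placeholder text from the description, or confirming that "1%" is really the intended event title.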
diff --git a/windows/security/threat-protection/auditing/event-6420.md b/windows/security/threat-protection/auditing/event-6420.md
index 37b3ec6aaf..2ede6f7fce 100644
--- a/windows/security/threat-protection/auditing/event-6420.md
+++ b/windows/security/threat-protection/auditing/event-6420.md
@@ -1,6 +1,6 @@
---
title: 6420(S) A device was disabled. (Windows 10)
-description: Describes security event 6420(S) A device was disabled.
+description: Describes security event 6420(S) A device was disabled. This event is generated when a specific device is disabled.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-6422.md b/windows/security/threat-protection/auditing/event-6422.md
index 5c4de3d822..606f0228a6 100644
--- a/windows/security/threat-protection/auditing/event-6422.md
+++ b/windows/security/threat-protection/auditing/event-6422.md
@@ -1,6 +1,6 @@
---
title: 6422(S) A device was enabled. (Windows 10)
-description: Describes security event 6422(S) A device was enabled.
+description: Describes security event 6422(S) A device was enabled. This event is generated when a specific device is enabled.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/other-events.md b/windows/security/threat-protection/auditing/other-events.md
index 5a7b38d9c1..42a1f36edd 100644
--- a/windows/security/threat-protection/auditing/other-events.md
+++ b/windows/security/threat-protection/auditing/other-events.md
@@ -1,6 +1,6 @@
---
title: Other Events (Windows 10)
-description: Describes the Other Events auditing subcategory.
+description: Describes the Other Events auditing subcategory, which includes events that are generated automatically and enabled by default.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/device-guard/memory-integrity.md b/windows/security/threat-protection/device-guard/memory-integrity.md
index 5e2defcf75..3ebdf7bf95 100644
--- a/windows/security/threat-protection/device-guard/memory-integrity.md
+++ b/windows/security/threat-protection/device-guard/memory-integrity.md
@@ -1,7 +1,7 @@
---
title: Memory integrity
keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
-description: Memory integrity.
+description: Learn about memory integrity, a feature of Windows that ensures code running in the Windows kernel is securely designed and trustworthy.
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: manage
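Review bot: the new `description:` says memory integrity "ensures code running in the Windows kernel is securely designed and trustworthy", which promises more than the feature is described as doing elsewhere in this same change. The requirements page states "Only code verified through code integrity can run in kernel mode", which is a verification claim, not a guarantee about design quality. Suggest wording along those lines, for example "a feature of Windows that helps ensure only code verified through code integrity runs in the Windows kernel".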
diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
index 725e9d2023..d594900ce7 100644
--- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
@@ -42,7 +42,7 @@ The following tables provide more information about the hardware, firmware, and
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
-| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
| Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
+| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.
| Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
> **Important** The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.
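Review bot: the sentence moved into the "Qualified **Windows operating system**" row ("Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard...") sits on its own line between the edition list and the closing cell, with nothing marking it as a note. Please confirm it is joined to the cell with an explicit break so the pipe table still parses as one row, and label it (for example as an **Important** note), because the row is about VBS and Device Guard while the sentence is a Credential Guard limitation that readers could otherwise miss.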
@@ -75,6 +75,6 @@ The following tables describe additional hardware and firmware qualifications, a
| Protections for Improved Security | Description | Security benefits |
|---------------------------------------------|----------------------------------------------------|------|
-| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.
• UEFI runtime service must meet these requirements:
• Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
• PE sections need to be page-aligned in memory (not required for in non-volitile storage).
• The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
• All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
• No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and executable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. |
+| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
• Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
• PE sections need to be page-aligned in memory (not required for in non-volitile storage).
• The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
• All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
• No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and executable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. |
| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. |
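Review bot: the re-added NX protection cell still carries "not required for in non-volitile storage"; since the whole cell is being rewritten, correct it to "not required in non-volatile storage". Removing the domain controller sentence from this row is right, as it had nothing to do with UEFI runtime memory attributes. In the unchanged SMM row just below, "Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS" is two sentences fused together and is worth cleaning up in the same pass.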
diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md
index 7bc3af8993..262058bf1d 100644
--- a/windows/security/threat-protection/fips-140-validation.md
+++ b/windows/security/threat-protection/fips-140-validation.md
@@ -102,10 +102,10 @@ Validated Editions: Home, Pro, Enterprise, Education
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Cryptographic Primitives Library
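Review bot: the four removed header cells and the four added ones ("Cryptographic Module", "Version (link to Security Policy)", "FIPS Certificate #", "Algorithms") read identically as shown, so this looks like a markup or whitespace-only change. The same replacement repeats for every table in this file, so please state in the commit message what actually changed in the header markup; otherwise reviewers cannot tell whether any table content was meant to differ.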
@@ -166,10 +166,10 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Cryptographic Primitives Library
@@ -236,10 +236,10 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
@@ -251,7 +251,7 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
-
Kernel Mode Cryptographic Primitives Library (cng.sys)
+Kernel Mode Cryptographic Primitives Library (cng.sys)
10.0.15063
#3094
@@ -323,10 +323,10 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
@@ -338,7 +338,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
-
Kernel Mode Cryptographic Primitives Library (cng.sys)
+Kernel Mode Cryptographic Primitives Library (cng.sys)
10.0.14393
#2936
@@ -416,10 +416,10 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
@@ -431,7 +431,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
-
Kernel Mode Cryptographic Primitives Library (cng.sys)
+Kernel Mode Cryptographic Primitives Library (cng.sys)
10.0.10586
#2605
@@ -514,10 +514,10 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
@@ -529,7 +529,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface
-
Kernel Mode Cryptographic Primitives Library (cng.sys)
+Kernel Mode Cryptographic Primitives Library (cng.sys)
10.0.10240
#2605
@@ -612,10 +612,10 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
@@ -627,7 +627,7 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded
- Kernel Mode Cryptographic Primitives Library (cng.sys)
+Kernel Mode Cryptographic Primitives Library (cng.sys)
6.3.9600 6.3.9600.17042
#2356
@@ -689,10 +689,10 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)
@@ -705,7 +705,7 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone
-
Kernel Mode Cryptographic Primitives Library (cng.sys)
+Kernel Mode Cryptographic Primitives Library (cng.sys)
6.2.9200
#1891
FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
@@ -791,10 +791,10 @@ Validated Editions: Windows 7, Windows 7 SP1
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)
@@ -915,10 +915,10 @@ Validated Editions: Ultimate Edition
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Boot Manager (bootmgr)
@@ -981,10 +981,10 @@ Validated Editions: Ultimate Edition
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Enhanced Cryptographic Provider (RSAENH)
@@ -1033,10 +1033,10 @@ Validated Editions: Ultimate Edition
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)
@@ -1074,10 +1074,10 @@ Validated Editions: Ultimate Edition
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
DSS/Diffie-Hellman Enhanced Cryptographic Provider
@@ -1108,10 +1108,10 @@ Validated Editions: Ultimate Edition
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Microsoft Enhanced Cryptographic Provider
@@ -1135,10 +1135,10 @@ Validated Editions: Ultimate Edition
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Kernel Mode Cryptographic Module
@@ -1162,10 +1162,10 @@ Validated Editions: Ultimate Edition
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)
@@ -1199,10 +1199,10 @@ Validated Editions: Ultimate Edition
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)
@@ -1240,10 +1240,10 @@ Validated Editions: Ultimate Edition
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider
@@ -1270,10 +1270,10 @@ Validated Editions: Ultimate Edition
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider
@@ -1297,10 +1297,10 @@ Validated Editions: Ultimate Edition
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider
@@ -1318,10 +1318,10 @@ Validated Editions: Ultimate Edition
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Base Cryptographic Provider
@@ -1349,10 +1349,10 @@ Validated Editions: Standard, Datacenter
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Cryptographic Primitives Library
@@ -1413,10 +1413,10 @@ Validated Editions: Standard, Datacenter
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Cryptographic Primitives Library
@@ -1483,10 +1483,10 @@ Validated Editions: Standard, Datacenter, Storage Server
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
@@ -1497,7 +1497,7 @@ Validated Editions: Standard, Datacenter, Storage Server
Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
- Kernel Mode Cryptographic Primitives Library (cng.sys)
+Kernel Mode Cryptographic Primitives Library (cng.sys)
10.0.14393
2936
FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
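Review bot: in the context below the edited cng.sys row, the certificate number is given as "2936" with no "#" prefix, while the client table for the same 10.0.14393 module earlier in this file shows "#2936". As this row is being touched anyway, make the certificate column consistent so that readers searching for "#2936" find both entries.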
@@ -1562,10 +1562,10 @@ Validated Editions: Server, Storage Server,
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
@@ -1576,7 +1576,7 @@ Validated Editions: Server, Storage Server,
Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
- Kernel Mode Cryptographic Primitives Library (cng.sys)
+Kernel Mode Cryptographic Primitives Library (cng.sys)
6.3.9600 6.3.9600.17042
2356
FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
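Review bot: the rows around the edited cng.sys cell have small inconsistencies that matter in a certificate reference table: the certificate is listed as "2356" without the "#" used for the same 6.3.9600 module in the client table ("#2356"), "DRBG (Certs. #489)" uses the plural with a single certificate, and "SHS (Cert. # 2373)" has a stray space. Suggest normalising these while the row is open.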
@@ -1638,10 +1638,10 @@ Validated Editions: Server, Storage Server
-Policy maintenance policy
+Policy maintenance policy
When applications are identified and policies are created for application control, then you can begin documenting how you intend to update those policies.
The following table is an example of what to consider and record.
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)
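Review bot: this hunk is headed "Validated Editions: Server, Storage Server" in fips-140-validation.md, yet its first changed line is "Policy maintenance policy", followed by two sentences about application control policies, before the FIPS header cells resume. That text reads as AppLocker planning content, not a FIPS table row. Please check that these lines were not merged into the wrong file and regenerate the patch if they were.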
@@ -1654,7 +1654,7 @@ Validated Editions: Server, Storage Server
Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
-
Kernel Mode Cryptographic Primitives Library (cng.sys)
+Kernel Mode Cryptographic Primitives Library (cng.sys)
6.2.9200
1891
FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
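Review bot: the first context line of this hunk reads "Other algorithms: AES (Cert. , key wrapping; ...", so the AES certificate number is missing from the parenthesis. That is a factual gap in a validation table and should be filled from the security policy, not left blank. The certificate column below also shows "1891" without the "#" that the client table uses for the same 6.2.9200 module ("#1891").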
@@ -1728,10 +1728,10 @@ Validated Editions: Server, Storage Server
->Note: AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary.
+>Note: AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary.
-Event processing
+Event processing
As you create your list of apps, you need to consider how to manage the events that are generated by user access, or you need to deny running those apps to make your users as productive as possible. The following list is an example of what to consider and what to record:
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
index 2f56b9e1e8..3e7f0169c7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
@@ -1,6 +1,6 @@
---
title: Maintain AppLocker policies (Windows 10)
-description: This topic describes how to maintain rules within AppLocker policies.
+description: Learn how to maintain rules within AppLocker policies. View common AppLocker maintenance scenarios and see the methods to use to maintain AppLocker policies.
ms.assetid: b4fbfdfe-ef3d-49e0-a390-f2dfe74602bc
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
index 90bf198903..35e51ee350 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
@@ -277,7 +277,7 @@ The following table is an example of what to consider and record.
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Boot Manager (bootmgr)
@@ -1742,7 +1742,7 @@ Validated Editions: Server, Storage Server
Other algorithms: MD5
-
Winload OS Loader (winload.exe)
+Winload OS Loader (winload.exe)
6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216756.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.21675
1333
FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
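Review bot: In the Winload OS Loader (winload.exe) row, the version line carries the full version list twice with nothing between the copies, so it reads "... 6.1.7601.21655 and 6.1.7601.216756.1.7600.16385, ...". The hunk only rewrites the row label, so the duplicate survives the change. While this row is open, check how that cell renders and keep a single list ending in 6.1.7601.21675.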
@@ -1806,10 +1806,10 @@ Validated Editions: Server, Storage Server
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
index 9bae1e6575..b39153d62c 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
@@ -1,6 +1,6 @@
---
title: Microsoft Defender SmartScreen overview (Windows 10)
-description: Conceptual info about Microsoft Defender SmartScreen.
+description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen
ms.prod: w10
ms.mktglfcycl: explore
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index 15bf8bc91c..eaef387dbf 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -311,9 +311,9 @@ The following table lists EMET features in relation to Windows 10 features.
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Boot Manager (bootmgr)
@@ -1820,7 +1820,7 @@ Validated Editions: Server, Storage Server
Other algorithms: N/A
-
Winload OS Loader (winload.exe)
+Winload OS Loader (winload.exe)
6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225966.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.22596
1005
FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
@@ -1884,10 +1884,10 @@ Validated Editions: Server, Storage Server
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
@@ -1925,10 +1925,10 @@ Validated Editions: Server, Storage Server
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)
@@ -1972,10 +1972,10 @@ Validated Editions: Server, Storage Server
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)
@@ -2021,10 +2021,10 @@ Validated Editions: Server, Storage Server
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Enhanced Cryptographic Provider
@@ -2056,10 +2056,10 @@ Validated Editions: Server, Storage Server
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Enhanced Cryptographic Provider
@@ -2083,10 +2083,10 @@ Validated Editions: Server, Storage Server
-
Cryptographic Module
-Version (link to Security Policy)
-FIPS Certificate #
-Algorithms
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
Outlook Cryptographic Provider (EXCHCSP)
@@ -2113,8 +2113,8 @@ The following tables are organized by cryptographic algorithms with their modes,
-
Modes / States / Key Sizes
-Algorithm Implementation and Certificate #
+Modes / States / Key Sizes
+Algorithm Implementation and Certificate #
@@ -2563,137 +2563,137 @@ The following tables are organized by cryptographic algorithms with their modes,
-
+
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
+IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
GMAC_Supported
-
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
Version 10.0.14393
-
-
-
-
-
Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
Version 10.0.10586
-
+
+
(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
+IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
GMAC_Supported
-
-
+
+
(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
+IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
GMAC_SupportedMicrosoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
Version 10.0.10240
-
Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
Version 10.0.10240
-
-
-
+
-OtherIVLen_Supported
-GMAC_Supported
+OtherIVLen_Supported
+GMAC_Supported
-
+
+
AES Val#2197
+
AES Val#2197
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
-GMAC_Supported
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
+GMAC_SupportedWindows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216
-
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198
-
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197
-
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196
-
CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
AES Val#1168
-
CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
+CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
AES Val#1168Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177
-
Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168
-
+Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 , vendor-affirmed
-
CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
+CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760
-
CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-
+
-
+
-
+Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023
-
+
-
Modes / States / Key Sizes
-Algorithm Implementation and Certificate #
+Modes / States / Key Sizes
+Algorithm Implementation and Certificate #
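Review bot: The added line "Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 , vendor-affirmed" changes content rather than layout: the context line just above it lists #1168 without "vendor-affirmed". The other changes in this hunk leave the text as it was, so please confirm the qualifier belongs to the #1168 entry and was not pulled in from a neighbouring cell. Separately, the added line beginning "GMAC_SupportedWindows 8, Windows RT, ..." runs the GMAC_Supported flag into the implementation name, where the removed side had GMAC_Supported on its own line, and the CCM lines still have unbalanced parentheses around "Payload Length Range" and "Nonce Length(s)".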
@@ -2934,74 +2934,74 @@ Deterministic Random Bit Generator (DRBG)
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ]
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ]
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ]
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ]
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ]
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ]
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ]
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ]
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ]
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ]
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ]
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ]
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ]
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ]
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ]
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ]
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ]
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ]
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ]
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ]
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ]
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ]
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ]
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ]
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ]
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ]
Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ]
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ]
Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23
-
@@ -3017,8 +3017,8 @@ Deterministic Random Bit Generator (DRBG)
DRBG (SP 800–90)
+DRBG (SP 800–90)
Windows Vista Ultimate SP1, vendor-affirmed
-
Modes / States / Key Sizes
-Algorithm Implementation and Certificate #
+Modes / States / Key Sizes
+Algorithm Implementation and Certificate #
@@ -3137,118 +3137,118 @@ Deterministic Random Bit Generator (DRBG)
-
-
FIPS186-4:
-PQG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
-SIG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
+FIPS186-4:
+PQG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
+SIG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
SHS: Val# 3649
-
FIPS186-4:
-PQG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
-SIG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
+FIPS186-4:
+PQG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
+SIG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
SHS: Val#3648
-
-PQG(gen)PARMS TESTED: [
+
+PQG(gen)PARMS TESTED: [
(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
KeyPairGen: [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED: [ (2048,256)
+SIG(gen)PARMS TESTED: [ (2048,256)
SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-
-PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
-KeyPairGen: [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
+KeyPairGen: [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-
-PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+
+PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
KeyPairGen: [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-
-PQG(gen)PARMS TESTED: [
+
+PQG(gen)PARMS TESTED: [
(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256)
+PQG(ver)PARMS TESTED: [ (2048,256)
SHA( 256 ); (3072,256) SHA( 256 ) ]
KeyPairGen: [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-
-PQG(ver) MOD(1024);
-SIG(ver) MOD(1024);
+
+PQG(ver) MOD(1024);
+SIG(ver) MOD(1024);
SHS: #1903
DRBG: #258
-PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+
+PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
SHS: #1903
DRBG: #258
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687.Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687
-
FIPS186-2:
-PQG(ver) MOD(1024);
-SIG(ver) MOD(1024);
+FIPS186-2:
+PQG(ver) MOD(1024);
+SIG(ver) MOD(1024);
SHS: #1902
DRBG: #258
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686.Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686
-
FIPS186-2:
-SIG(ver) MOD(1024);
+FIPS186-2:
+SIG(ver) MOD(1024);
SHS: Val# 1773
DRBG: Val# 193
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645.Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645
-
FIPS186-2:
-SIG(ver) MOD(1024);
+FIPS186-2:
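Review bot: SIG(gen) entries disappear on the added side of this hunk as it is shown. The removed line "SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]" that follows the last "KeyPairGen: [ (2048,256) ; (3072,256) ]" is replaced only by a SIG(ver) line, and the removed combined "SIG(gen)PARMS TESTED: [...] SIG(ver)PARMS TESTED: [...]" line after the preceding KeyPairGen has no added counterpart before the next PQG(gen) entry. These rows record which DSA operations were validated, so dropping signature generation changes what the table claims. Restore the SIG(gen) lines, or state in the commit message that the removal is intended.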
@@ -3256,8 +3256,8 @@ Some of the previously validated components for this validation have been remove
+SIG(ver) MOD(1024);
SHS: Val# 1081
DRBG: Val# 23
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386.
-
FIPS186-2:
-SIG(ver) MOD(1024);
+FIPS186-2:
@@ -3265,16 +3265,16 @@ Some of the previously validated components for this validation have been remove
+SIG(ver) MOD(1024);
SHS: Val# 1081
RNG: Val# 649
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385.
-
FIPS186-2:
-SIG(ver) MOD(1024);
+FIPS186-2:
+SIG(ver) MOD(1024);
SHS: Val# 753
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283.
-
FIPS186-2:
-SIG(ver) MOD(1024);
+FIPS186-2:
@@ -3282,8 +3282,8 @@ Some of the previously validated components for this validation have been remove
+SIG(ver) MOD(1024);
SHS: Val# 753
RNG: Val# 435
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281.
-
FIPS186-2:
-SIG(ver) MOD(1024);
+FIPS186-2:
@@ -3291,61 +3291,61 @@ Some of the previously validated components for this validation have been remove
+SIG(ver) MOD(1024);
SHS: Val# 618
RNG: Val# 321
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226.
-
FIPS186-2:
-SIG(ver) MOD(1024);
+FIPS186-2:
+SIG(ver) MOD(1024);
SHS: Val# 784
RNG: Val# 448
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292.Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292
-
FIPS186-2:
-SIG(ver) MOD(1024);
+FIPS186-2:
+SIG(ver) MOD(1024);
SHS: Val# 783
RNG: Val# 447
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291.Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291
-
FIPS186-2:
-PQG(gen) MOD(1024);
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
-SIG(ver) MOD(1024);
+FIPS186-2:
+PQG(gen) MOD(1024);
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
+SIG(ver) MOD(1024);
SHS: Val# 611
RNG: Val# 314Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221
-
FIPS186-2:
-PQG(gen) MOD(1024);
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
-SIG(ver) MOD(1024);
+FIPS186-2:
+PQG(gen) MOD(1024);
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
+SIG(ver) MOD(1024);
SHS: Val# 385Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146
-
FIPS186-2:
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
-SIG(ver) MOD(1024);
+FIPS186-2:
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
+SIG(ver) MOD(1024);
SHS: Val# 181
Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95
-
FIPS186-2:
-PQG(gen) MOD(1024);
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
+FIPS186-2:
+PQG(gen) MOD(1024);
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
SHS: SHA-1 (BYTE)
-SIG(ver) MOD(1024);
+SIG(ver) MOD(1024);
SHS: SHA-1 (BYTE)
-
@@ -3375,8 +3375,8 @@ SHS: SHA-1 (BYTE)
-FIPS186-2:
+
+FIPS186-2:
SHS: SHA-1 (BYTE)
-SIG(ver) MOD(1024);
+
+SIG(ver) MOD(1024);
SHS: SHA-1 (BYTE)Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17
-
Modes / States / Key Sizes
-Algorithm Implementation and Certificate #
+Modes / States / Key Sizes
+Algorithm Implementation and Certificate #
@@ -3653,93 +3653,93 @@ SHS: SHA-1 (BYTE)
-
FIPS186-4:
-PKG: CURVES( P-256 P-384 TestingCandidates )
+FIPS186-4:
+PKG: CURVES( P-256 P-384 TestingCandidates )
SHS: Val#3790
DRBG: Val# 1555
-
FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
SHS: Val#3790
DRBG: Val# 1555
-
FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
SHS: Val#3790
DRBG: Val# 1555
-
FIPS186-4:
+
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
-SHS:Val# 3649
-DRBG:Val# 1430FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
+SHS:Val# 3649
+DRBG:Val# 1430
-
FIPS186-4:
+
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
-SHS:Val#3648
-DRBG:Val# 1429FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
+SHS:Val#3648
+DRBG:Val# 1429
-
-PKG: CURVES( P-256 P-384 TestingCandidates )
-PKV: CURVES( P-256 P-384 )
-SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )
+PKG: CURVES( P-256 P-384 TestingCandidates )
+PKV: CURVES( P-256 P-384 )
+SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )
-
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+
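Review bot: The added SigGen lines leave the CURVES( list unclosed, for example "SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)", while the SigVer line below each one closes it with " )". In the SHA-1 variants the caveat "SIG(gen) with SHA-1 affirmed for use with protocols only." is run on inside that unclosed list. The removed lines had the same defect, so this is the moment to add the closing parenthesis and move the caveat to its own line, so the restriction on SHA-1 signature generation is not overlooked.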
@@ -3747,79 +3747,79 @@ DRBG:
-
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: #1903
-DRBG: #258
-SIG(ver):CURVES( P-256 P-384 P-521 )
-SHS: #1903
-DRBG: #258
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: #1903
-DRBG: #258
+
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: #1903
+DRBG: #258
+SIG(ver):CURVES( P-256 P-384 P-521 )
+SHS: #1903
+DRBG: #258
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: #1903
+DRBG: #258
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341.Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341
-
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#1773
-DRBG: Val# 193
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#1773
-DRBG: Val# 193
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val#1773
-DRBG: Val# 193
+
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#1773
+DRBG: Val# 193
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#1773
+DRBG: Val# 193
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: Val#1773
+DRBG: Val# 193
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295.Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295
-
FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#1081
-DRBG: Val# 23
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#1081
-DRBG: Val# 23
+FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#1081
+DRBG: Val# 23
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#1081
+DRBG: Val# 23
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141.
-
FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#753
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#753
+FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#753
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#753
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82.
-
@@ -3836,8 +3836,8 @@ Some of the previously validated components for this validation have been remove
FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#618
-RNG: Val# 321
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#618
-RNG: Val# 321
+FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#618
+RNG: Val# 321
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#618
+RNG: Val# 321
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60.Windows Vista CNG algorithms #60
-
Modes / States / Key Sizes
-Algorithm Implementation and Certificate #
+Modes / States / Key Sizes
+Algorithm Implementation and Certificate #
@@ -3983,265 +3983,265 @@ Some of the previously validated components for this validation have been remove
-
+
-
+
-
+
-
+
-
+
-
+
-
+
SHS Val# 3347
+
SHS Val# 3347
+
SHS Val# 3347
-
+
-
+
SHS Val# 3047
+
SHS Val# 3047
+
SHS Val# 3047
+
SHS Val# 3047
-
+
SHSVal# 2886
+
SHSVal# 2886
+
SHSVal# 2886
+
SHSVal# 2886
-
+
SHS Val#2373
+
SHS Val#2373
+
SHS Val#2373
+
SHS Val#2373
-
+
-
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347
-
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346
-
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345
-
+Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364
-
+Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227
-
+
-
+Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675
-
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452
-
+Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415
-
+
-
+Windows Vista Enhanced Cryptographic Provider (RSAENH) #297
-
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785
-
+Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428
-
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289
-
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610
Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287
-
+
-
+Windows Vista Ultimate BitLocker Drive Encryption #386
-
+Windows Vista CNG algorithms #298
-
+Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267
-
+Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260
-
+Windows Vista BitLocker Drive Encryption #199
-
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364
-
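Review bot: the added line `+Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260` misspells the product name; "Windows Mobil 6.5" should read "Windows Mobile 6.5". The SHS references on the lines around it are also written three different ways in this hunk (`SHS Val# 3347`, `SHSVal# 2886`, `SHS Val#2373`), and since each is repeated on several rows, one consistent form would make the certificate numbers easier to search for.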
@@ -4257,8 +4257,8 @@ SHS
-
+Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31
Modes / States / Key Sizes
-Algorithm Implementation and Certificate #
+Modes / States / Key Sizes
+Algorithm Implementation and Certificate #
@@ -4782,7 +4782,7 @@ SHS
-
@@ -4790,15 +4790,15 @@ DRBG
-
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
SHS Val#3790
DSA Val#1223
DRBG Val#1555
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
SHS Val#3790
ECDSA Val#1133
@@ -4807,29 +4807,29 @@ DRBG
-
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+
+
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
SHS Val# 3649
DSA Val#1188
DRBG Val#1430
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhHybridOneFlow ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhHybridOneFlow ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
SHS Val#3648
DSA Val#1187
DRBG Val#1429
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
SHS Val#3648
ECDSA Val#1072
@@ -4838,19 +4838,19 @@ DRBG
-
-SCHEMES [ FullUnified ( No_KC < KARole(s): Initiator / Responder > < KDF: CONCAT > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ]
+SCHEMES [ FullUnified ( No_KC < KARole(s): Initiator / Responder > < KDF: CONCAT > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ]
-
-SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic (No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
@@ -4858,11 +4858,11 @@ DRBG
-
+SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic (No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+
[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+
@@ -4870,11 +4870,11 @@ DRBG
-
( FB: SHA256 ) ( FC: SHA256 ) ]
[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+
[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+
@@ -4882,11 +4882,11 @@ DRBG
-
( FB: SHA256 ) ( FC: SHA256 ) ]
[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+
[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+
@@ -4894,20 +4894,20 @@ DRBG
-
( FB: SHA256 ) ( FC: SHA256 ) ]
[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+
[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+
+( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
SHS #1903 DSA Val#687 DRBG #258
-[ OnePassDH( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+
+[ OnePassDH( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
SHS #1903 ECDSA Val#341 DRBG #258Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36
-
-
Modes / States / Key Sizes
-Algorithm Implementation and Certificate #
+Modes / States / Key Sizes
+Algorithm Implementation and Certificate #
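Review bot: the added `+[ OnePassDH( No_KC ... ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]` line has one more closing parenthesis than it opens, and its EC/ED/EE groups omit the `HMAC` token that the OnePassDH and StaticUnified entries elsewhere in this hunk carry (`( EC: P-256 SHA256 HMAC )`). The removed line has the same text, so the patch re-adds the defect unchanged. Check the entry against the certificate listing and either balance the parentheses and restore `HMAC`, or confirm that this validation really differs from its neighbours.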
@@ -5021,7 +5021,7 @@ SP 800-108 Key-Based Key Derivation Functions (KBKDF)
-
CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
KAS Val#128
DRBG Val#1556
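Review bot: the added `CTR_Mode` line declares `Llength( Min0 Max0 )`, a zero-width output-length range, whereas the `CTR_Mode` entry in the following hunk declares `Llength( Min20 Max64 )`. Confirm against the KBKDF certificate that 0/0 is the validated value and not a placeholder carried over from the existing text, because readers use this row to decide which derived-key lengths fall inside the validated boundary.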
@@ -5030,7 +5030,7 @@ MAC
-CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
KAS Val#127
AES Val#4624
@@ -5040,37 +5040,37 @@ MAC
-
-
-
-
-
-
@@ -5087,34 +5087,34 @@ Random Number Generator (RNG)
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3
-
Modes / States / Key Sizes
-Algorithm Implementation and Certificate #
+Modes / States / Key Sizes
+Algorithm Implementation and Certificate #
-
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110
-
FIPS 186-2
+
-[ (x-Original); (SHA-1) ]FIPS 186-2
+[ (x-Original); (SHA-1) ]
-
+
-[ (x-Change Notice); (SHA-1) ]
-[ (x-Change Notice); (SHA-1) ]
+[ (x-Change Notice); (SHA-1) ]
+[ (x-Change Notice); (SHA-1) ]
-
FIPS 186-2 General Purpose
+
-[ (x-Change Notice); (SHA-1) ]FIPS 186-2 General Purpose
+[ (x-Change Notice); (SHA-1) ]
-
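Review bot: the two added lines `+[ (x-Change Notice); (SHA-1) ]` are identical, as were the two removed lines they replace, so the entry lists the same option twice. If the second line was meant to name a different generation option, correct it in this change; otherwise drop the duplicate so the row states each validated mode once.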
@@ -5140,8 +5140,8 @@ Random Number Generator (RNG)
FIPS 186-2
+
-[ (x-Change Notice); (SHA-1) ]FIPS 186-2
+[ (x-Change Notice); (SHA-1) ]
-
Modes / States / Key Sizes
-Algorithm Implementation and Certificate #
+Modes / States / Key Sizes
+Algorithm Implementation and Certificate #
-
FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
SHA Val#3790
-
FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
SHA Val#3790
-
FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
SHA Val#3790
DRBG: Val# 1555
-
FIPS186-4:
+FIPS186-4:
186-4KEY(gen):
-PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
SHA Val#3790
-
-ALG[ANSIX9.31]:
+
+ALG[ANSIX9.31]:
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
-ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
-SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+
+ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
+SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
SHA Val#3652
-
-ALG[ANSIX9.31]:
+
+ALG[ANSIX9.31]:
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
-ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
-SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+
+ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
+SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
SHA Val#3651
-
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
+
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val# 3649 , SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
-186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
-PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+
+186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
+PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
SHA Val# 3649
DRBG: Val# 1430
-
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
+
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
-186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
-PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+
+186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
+PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
SHA Val#3648
DRBG: Val# 1429
-
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
-
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
+
+186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
Sig(Ver): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-
-186-4KEY(gen): FIPS186-4_Fixed_e ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+186-4KEY(gen): FIPS186-4_Fixed_e ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
+
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
SHA #1903Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134
-
FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
SHA #1903 DRBG: #258Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133
-
FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
+FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132.Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132
-
FIPS186-2:
-ALG[ANSIX9.31]:
+FIPS186-2:
+ALG[ANSIX9.31]:
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052.Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052
-
FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
+FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051.Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051
-
FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568.Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568
-
FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
+ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560.
-
FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
+FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559.Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559
-
FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557.Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557
-
FIPS186-2:
+FIPS186-2:
ALG[ANSIX9.31]:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395.Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395
-
FIPS186-2:
-ALG[ANSIX9.31]:
+FIPS186-2:
+ALG[ANSIX9.31]:
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#783
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371.Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371
-
FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
-ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
+ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357.
-
FIPS186-2:
-ALG[ANSIX9.31]:
+FIPS186-2:
+ALG[ANSIX9.31]:
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354.
-
FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
+FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353.Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353
-
FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
+FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258.Windows Vista RSA key generation implementation #258
-
FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
-ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
+ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257.Windows Vista CNG algorithms #257
-
FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255.Windows Vista Enhanced Cryptographic Provider (RSAENH) #255
-
FIPS186-2:
-ALG[ANSIX9.31]:
+FIPS186-2:
+ALG[ANSIX9.31]:
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245.Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245
-
FIPS186-2:
-ALG[ANSIX9.31]:
+FIPS186-2:
+ALG[ANSIX9.31]:
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230.Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230
-
FIPS186-2:
-ALG[ANSIX9.31]:
+FIPS186-2:
+ALG[ANSIX9.31]:
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222.Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222
-
FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]:
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]:
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#364
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81.Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81
-
FIPS186-2:
-ALG[ANSIX9.31]:
+FIPS186-2:
+ALG[ANSIX9.31]:
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52.Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52
-
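Review bot: The added `ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 ...` lines carry over an unbalanced parenthesis from the lines they replace: the one opened before `MOD:` is never closed. Since these entries are being touched anyway, add the matching `)` so the key-generation parameters are clearly delimited from the `DRBG:` / `RNG:` reference that follows. The unchanged trailing notes in the same entries also run straight into the implementation name with no space (`Val#1052.Windows Embedded Compact 7 ...`), which is worth fixing in the same pass.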
@@ -6143,8 +6143,8 @@ Some of the previously validated components for this validation have been remove
-
Modes / States / Key Sizes
-Algorithm Implementation and Certificate #
+Modes / States / Key Sizes
+Algorithm Implementation and Certificate #
@@ -6213,170 +6213,170 @@ Some of the previously validated components for this validation have been remove
-
SHA-1 (BYTE-only)
+
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)
-
SHA-1 (BYTE-only)
+
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)
-
SHA-1 (BYTE-only)
+
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)
-
SHA-1 (BYTE-only)
+
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)
-
SHA-1 (BYTE-only)
+
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)
-
SHA-1 (BYTE-only)
+
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #3347
Version 10.0.14393
-
SHA-1 (BYTE-only)
+
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #3346
Version 10.0.14393
-
SHA-1 (BYTE-only)
+
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #3048
Version 10.0.10586
-
SHA-1 (BYTE-only)
+
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #3047
Version 10.0.10586
-
SHA-1 (BYTE-only)
+
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886
Version 10.0.10240
-
SHA-1 (BYTE-only)
+
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871
Version 10.0.10240
-
SHA-1 (BYTE-only)
+
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396
Version 6.3.9600
-
SHA-1 (BYTE-only)
+
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
Version 6.3.9600
-
-
SHA-1 (BYTE-only)
+
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)
-
SHA-1 (BYTE-only)
+
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)
-
SHA-1 (BYTE-only)
+SHA-1 (BYTE-only)
-
SHA-1 (BYTE-only)
+
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #783
-
SHA-1 (BYTE-only)
+
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)
-
SHA-1 (BYTE-only)
+
-SHA-256 (BYTE-only)SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
-
SHA-1 (BYTE-only)
+
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)
-
SHA-1 (BYTE-only)
+SHA-1 (BYTE-only)
-
SHA-1 (BYTE-only)
+
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)
-
SHA-1 (BYTE-only)
+SHA-1 (BYTE-only)
-
Modes / States / Key Sizes
-Algorithm Implementation and Certificate #
+Modes / States / Key Sizes
+Algorithm Implementation and Certificate #
@@ -6499,112 +6499,112 @@ Version 6.3.9600
-
TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )
+TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387
-
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386
-
+Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846
-
+Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656
-
+Windows Vista Symmetric Algorithm Implementation #549
-
Triple DES MAC
+Triple DES MAC
-
+
@@ -170,19 +170,19 @@ To better help you protect your organization, we recommend turning on and using
- Modes / States / Key Sizes
+ Modes / States / Key Sizes
- Algorithm Implementation and Certificate #
+ Algorithm Implementation and Certificate #
- PBKDF (vendor affirmed)
+ PBKDF (vendor affirmed)
(Software Version: 10.0.14393)
(Software Version: 10.0.14393)
- PBKDF (vendor affirmed)
+ PBKDF (vendor affirmed)
(Software Version: 10.0.14393)
-
Publication / Component Validated / Description
-Implementation and Certificate #
+Publication / Component Validated / Description
+Implementation and Certificate #
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 7e2cc61fe3..279b1a69a3 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -1,6 +1,6 @@
---
title: Threat Protection (Windows 10)
-description: Learn how Microsoft Defender ATP helps protect against threats.
+description: Microsoft Defender Advanced Threat Protection is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/intelligence/coinminer-malware.md b/windows/security/threat-protection/intelligence/coinminer-malware.md
index 52771c8630..2584ee9200 100644
--- a/windows/security/threat-protection/intelligence/coinminer-malware.md
+++ b/windows/security/threat-protection/intelligence/coinminer-malware.md
@@ -31,7 +31,7 @@ Many infections start with:
Mining is the process of running complex mathematical calculations necessary to maintain the blockchain ledger. This process generates coins but requires significant computing resources.
-Coin miners are not inherently malicious. Some individuals and organizations invest in hardware and electric power for legitimate coin mining operations. However, others look for alternative sources of computing power and try to find their way into corporate networks. These coin miners are not wanted in enterprise environments because they eat up precious computing resources.
+Coin miners aren't inherently malicious. Some individuals and organizations invest in hardware and electric power for legitimate coin mining operations. However, others look for alternative sources of computing power and try to find their way into corporate networks. These coin miners aren't wanted in enterprise environments because they eat up precious computing resources.
Cybercriminals see an opportunity to make money by running malware campaigns that distribute, install, and run trojanized miners at the expense of other people’s computing resources.
@@ -41,12 +41,12 @@ DDE exploits, which have been known to distribute ransomware, are now delivering
For example, a sample of the malware detected as Trojan:Win32/Coinminer (SHA-256: 7213cbbb1a634d780f9bb861418eb262f58954e6e5dca09ca50c1e1324451293) is installed by Exploit:O97M/DDEDownloader.PA, a Word document that contains the DDE exploit.
-The exploit launches a cmdlet that executes a malicious PowerShell script (Trojan:PowerShell/Maponeir.A), which then downloads the trojanized miner: a modified version of the miner XMRig, which mines Monero cryptocurrency.
+The exploit launches a cmdlet that executes a malicious PowerShell script (Trojan:PowerShell/Maponeir.A). It downloads the trojanized miner, a modified version of the miner XMRig, which then mines Monero cryptocurrency.
## How to protect against coin miners
-**Enable PUA detection**: Some coin mining tools are not considered malware but are detected as potentially unwanted applications (PUA). Many applications detected as PUA can negatively impact machine performance and employee productivity. In enterprise environments, you can stop adware, torrent downloaders, and coin mining by enabling PUA detection.
+**Enable potentially unwanted applications (PUA) detection**. Some coin mining tools aren't considered malware but are detected as PUA. Many applications detected as PUA can negatively impact machine performance and employee productivity. In enterprise environments, you can stop adware, torrent downloaders, and coin mining by enabling PUA detection.
-Since coin miners is becoming a popular payload in many different kinds of attacks, see general tips on how to [prevent malware infection](prevent-malware-infection.md).
+Since coin miners are becoming a popular payload in many different kinds of attacks, see general tips on how to [prevent malware infection](prevent-malware-infection.md).
For more information on coin miners, see the blog post [Invisible resource thieves: The increasing threat of cryptocurrency miners](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/13/invisible-resource-thieves-the-increasing-threat-of-cryptocurrency-miners/).
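Review bot: In the rewritten exploit sentence, "It downloads the trojanized miner" has no clear antecedent: "It" can be read as the exploit, the cmdlet, or the PowerShell script, whereas the removed line's "which then downloads" tied the download to the script. Suggest "The script then downloads the trojanized miner, a modified version of the miner XMRig, which mines Monero cryptocurrency." As written, the relocated "then" attaches to the mining rather than to the download step.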
diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
index fef7da884b..6a3a933a3f 100644
--- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
+++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
@@ -20,20 +20,20 @@ ms.topic: article
Coordinated Malware Eradication (CME) aims to bring organizations in cybersecurity and in other industries together to change the game against malware. While the cybersecurity industry today is effective at disrupting malware families through individual efforts, those disruptions rarely lead to eradication since malware authors quickly adapt their tactics to survive.
-CME calls for organizations to pool their tools, information and actions to drive coordinated campaigns against malware. The ultimate goal is to drive efficient and long lasting results for better protection of our collective communities, customers, and businesses.
+CME calls for organizations to pool their tools, information, and actions to drive coordinated campaigns against malware. The goal is to drive efficient and long-lasting results to better protect our communities, customers, and businesses.
## Combining our tools, information, and actions
-Diversity of participation across industries and disciplines, extending beyond cybersecurity, makes eradication campaigns even stronger across the malware lifecycle. For instance, while security vendors, computer emergency response/readiness teams (CERTs), and Internet service providers (ISPs) can contribute with malware telemetry, online businesses can identify fraudulent behavior and law enforcement agencies can drive legal action.
+Diversity of participation across industries and disciplines, extending beyond cybersecurity, makes eradication campaigns even stronger across the malware lifecycle. Security vendors, computer emergency response/readiness teams (CERTs), and Internet service providers (ISPs) can contribute with malware telemetry. Online businesses can identify fraudulent behavior and law enforcement agencies can drive legal action.
-In addition to telemetry and analysis data, Microsoft is planning to contribute cloud-based scalable storage and computing horsepower with the necessary big data analysis tools built-in to these campaigns.
+Microsoft is planning to contribute telemetry and analysis data to these campaigns. It will also provide cloud-based scalable storage and computing horsepower with the necessary big data analysis tools built-in.
## Coordinated campaigns for lasting results
-Organizations participating in the CME effort work together to help eradicate selected malware families by contributing their own telemetry data, expertise, tools, and other resources. These organizations operate under a campaign umbrella with clearly defined end goals and metrics. Any organization or member can initiate a campaign and invite others to join it. The members then have the option to accept or decline the invitations they receive.
+Organizations participating in the CME effort work together to help eradicate selected malware families by contributing their own telemetry data, expertise, tools, and other resources. These organizations operate under a campaign umbrella with clearly defined end goals and metrics. Any organization or member can start a campaign and invite others to join it. The members can then accept or decline the invitations they receive.
## Join the effort
-Any organization that is involved in cybersecurity and antimalware or interested in fighting cybercrime can participate in CME campaigns by enrolling in the [Virus Information Alliance (VIA) program](virus-information-alliance-criteria.md). It ensures that everyone agrees to use the information and tools available for campaigns for their intended purpose (that is, the eradication of malware).
+Any organization that is involved in cybersecurity and antimalware or interested in fighting cybercrime can participate in CME campaigns by enrolling in the [Virus Information Alliance (VIA) program](virus-information-alliance-criteria.md). Everyone agrees to use the available information and tools for their intended purpose (that is, the eradication of malware).
-If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
+If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). For any questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
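Review bot: Splitting the Microsoft contribution sentence changes what is claimed. The removed line said Microsoft "is planning to contribute" storage and compute in addition to telemetry, while the added lines say it "will also provide" them, which turns a plan into a commitment. Keep the hedge in both sentences (for example "It also plans to provide ..."), and use "built in" rather than "built-in" at the end of that sentence. In the "Join the effort" paragraph, dropping "It ensures that" leaves "Everyone agrees to use ..." unconnected to VIA enrollment; "Enrollment ensures that everyone agrees ..." keeps the link.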
diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md
index 74c19eb50f..77a3c4e33d 100644
--- a/windows/security/threat-protection/intelligence/criteria.md
+++ b/windows/security/threat-protection/intelligence/criteria.md
@@ -1,7 +1,7 @@
---
title: How Microsoft identifies malware and potentially unwanted applications
ms.reviewer:
-description: Learn how Microsoft reviews software for privacy violations and other negative behavior, to determine if it is malware or a potentially unwanted application.
+description: Learn how Microsoft reviews software for privacy violations and other negative behavior, to determine if it's malware or a potentially unwanted application.
keywords: security, malware, virus research threats, research malware, device protection, computer infection, virus infection, descriptions, remediation, latest threats, MMdevice, Microsoft Malware Protection Center, PUA, potentially unwanted applications
ms.prod: w10
ms.mktglfcycl: secure
@@ -18,7 +18,7 @@ search.appverid: met150
# How Microsoft identifies malware and potentially unwanted applications
-Microsoft aims to provide a delightful and productive Windows experience by working to ensure you are safe and in control of your devices. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. When you download, install, and run software, we check the reputation of downloaded programs and ensure you are protected against known threats and warned about software that is unknown to us.
+Microsoft aims to provide a delightful and productive Windows experience by working to ensure you're safe and in control of your devices. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. When you download, install, and run software, we check the reputation of downloaded programs and ensure you're protected against known threats. You are also warned about software that is unknown to us.
You can assist Microsoft by [submitting unknown or suspicious software for analysis](https://www.microsoft.com/wdsi/filesubmission/). This will help ensure that unknown or suspicious software is scanned by our system to start establishing reputation. [Learn more about submitting files for analysis](submission-guide.md)
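Review bot: The added intro paragraph mixes the new contractions ("you're") with an uncontracted, passive "You are also warned about software that is unknown to us", which no longer says who issues the warning. "We also warn you about software that's unknown to us" matches the "we check" earlier in the paragraph and the contraction style applied elsewhere in this change.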
@@ -29,9 +29,9 @@ The next sections provide an overview of the classifications we use for applicat
## Unknown – Unrecognized software
-No antivirus or protection technology is perfect. It takes time to identify and block malicious sites and applications, or trust newly released programs and certificates. With almost 2 billion websites on the internet and software continuously being updated and released, it's impossible to have information about every single site and program.
+No antivirus or protection technology is perfect. It takes time to identify and block malicious sites and applications, or trust newly released programs and certificates. With almost 2 billion websites on the internet and software continuously updated and released, it's impossible to have information about every single site and program.
-You can think of Unknown/Uncommonly downloaded warnings as an early warning system for potentially undetected malware, as there is generally a delay from the time new malware is released until it is identified. Not all uncommon programs are malicious, but the risk in the unknown category is significantly higher for the typical user. Warnings for unknown software are not blocks, and users can choose to download and run the application normally if they wish to.
+Think of Unknown/Uncommonly downloaded warnings as an early warning system for potentially undetected malware. There's generally a delay from the time new malware is released until it's identified. Not all uncommon programs are malicious, but the risk in the unknown category is much higher for the typical user. Warnings for unknown software aren't blocks. Users can choose to download and run the application normally if they wish to.
Once enough data is gathered, Microsoft's security solutions can make a determination. Either no threats are found, or an application or software is categorized as malware or potentially unwanted software.
@@ -61,11 +61,11 @@ Microsoft classifies most malicious software into one of the following categorie
* **Password stealer:** A type of malware that gathers your personal information, such as usernames and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit.
-* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note which states you must pay money, complete surveys, or perform other actions before you can use your device again. [See more information about ransomware](ransomware-malware.md).
+* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note that states you must pay money or perform other actions before you can use your device again. [See more information about ransomware](ransomware-malware.md).
* **Rogue security software:** Malware that pretends to be security software but doesn't provide any protection. This type of malware usually displays alerts about nonexistent threats on your device. It also tries to convince you to pay for its services.
-* **Trojan:** A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead, it tries to look legitimate and tricks users into downloading and installing it. Once installed, trojans perform various malicious activities such as stealing personal information, downloading other malware, or giving attackers access to your device.
+* **Trojan:** A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead, it tries to look legitimate to tricks users into downloading and installing it. Once installed, trojans perform various malicious activities such as stealing personal information, downloading other malware, or giving attackers access to your device.
* **Trojan clicker:** A type of trojan that automatically clicks buttons or similar controls on websites or applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online polls or other tracking systems and can even install applications on your device.
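Review bot: the new Trojan bullet introduces a grammar error: "it tries to look legitimate to tricks users into downloading and installing it". Use "to trick users" or restore the original "and tricks users". In the Ransomware bullet, "complete surveys" was dropped from the list of demanded actions; confirm that this content change is intended, since the rest of the hunk is a wording edit.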
@@ -73,17 +73,17 @@ Microsoft classifies most malicious software into one of the following categorie
### Unwanted software
-Microsoft believes that you should have control over your Windows experience. Software running on Windows should keep you in control of your device through informed choices and accessible controls. Microsoft identifies software behaviors that ensure you stay in control. We classify software that does not fully demonstrate these behaviors as "unwanted software".
+Microsoft believes that you should have control over your Windows experience. Software running on Windows should keep you in control of your device through informed choices and accessible controls. Microsoft identifies software behaviors that ensure you stay in control. We classify software that doesn't fully demonstrate these behaviors as "unwanted software".
#### Lack of choice
-You must be notified about what is happening on your device, including what software does and whether it is active.
+You must be notified about what is happening on your device, including what software does and whether it's active.
Software that exhibits lack of choice might:
* Fail to provide prominent notice about the behavior of the software and its purpose and intent.
-* Fail to clearly indicate when the software is active and might also attempt to hide or disguise its presence.
+* Fail to clearly indicate when the software is active. It might also attempt to hide or disguise its presence.
* Install, reinstall, or remove software without your permission, interaction, or consent.
@@ -93,7 +93,7 @@ Software that exhibits lack of choice might:
* Falsely claim to be software from Microsoft.
-Software must not mislead or coerce you into making decisions about your device. This is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might:
+Software must not mislead or coerce you into making decisions about your device. It is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might:
* Display exaggerated claims about your device's health.
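Review bot: replacing "This" with "It" in "It is considered behavior that limits your choices" leaves the pronoun without a clear antecedent; it now reads as if it refers to "Software" or "your device". Name the subject instead, for example "Misleading or coercing you is considered behavior that limits your choices."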
@@ -103,7 +103,7 @@ Software must not mislead or coerce you into making decisions about your device.
Software that stores or transmits your activities or data must:
-* Give you notice and get consent to do so. Software should not include an option that configures it to hide activities associated with storing or transmitting your data.
+* Give you notice and get consent to do so. Software shouldn't include an option that configures it to hide activities associated with storing or transmitting your data.
#### Lack of control
@@ -119,7 +119,7 @@ Software that exhibits lack of control might:
* Modify or manipulate webpage content without your consent.
-Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that do not provide supported extensibility models are considered non-extensible and should not be modified.
+Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that don't provide supported extensibility models are considered non-extensible and shouldn't be modified.
#### Installation and removal
diff --git a/windows/security/threat-protection/intelligence/index.md b/windows/security/threat-protection/intelligence/index.md
index a8950a6977..1814307aac 100644
--- a/windows/security/threat-protection/intelligence/index.md
+++ b/windows/security/threat-protection/intelligence/index.md
@@ -1,6 +1,6 @@
---
title: Security intelligence
-description: Safety tips about malware and how you can protect your organization
+description: Learn about different types of malware, safety tips on how you can protect your organization, and resources for industry collaboration programs.
keywords: security, malware
ms.prod: w10
ms.mktglfcycl: secure
diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md
index 8544b43d61..5ecbd9a101 100644
--- a/windows/security/threat-protection/intelligence/support-scams.md
+++ b/windows/security/threat-protection/intelligence/support-scams.md
@@ -63,6 +63,6 @@ It is also important to keep the following in mind:
Help Microsoft stop scammers, whether they claim to be from Microsoft or from another tech company, by reporting tech support scams:
-www.microsoft.com/reportascam
+www.microsoft.com/reportascam
You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/wdsi/support/report-unsafe-site) or using built in web browser functionality.
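Review bot: the replacement line is still the bare host name `www.microsoft.com/reportascam`, with no scheme and no link markup, while the following paragraph uses a full `https://` Markdown link. Since the line is being touched anyway, make it a proper link so that it renders as clickable and readers of a scam-reporting page see the HTTPS destination.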
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
index dd65e257fb..8bf5563e09 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
@@ -12,6 +12,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer: ksarens
manager: dansimp
+ms.date: 08/17/2020
---
# Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool
@@ -29,11 +30,12 @@ You can perform various Microsoft Defender Antivirus functions with the dedicate
The utility has the following commands:
-```DOS
+```console
MpCmdRun.exe [command] [-options]
```
Here's an example:
-```
+
+```console
MpCmdRun.exe -Scan -ScanType 2
```
@@ -53,6 +55,22 @@ MpCmdRun.exe -Scan -ScanType 2
| `-ListAllDynamicSignatures` | Lists the loaded dynamic Security intelligence |
| `-RemoveDynamicSignature [-SignatureSetID]` | Removes dynamic Security intelligence |
| `-CheckExclusion -path
**Note:** In Windows 10 1909 or older, and Windows Server 2019 or older, the service used to be called "Windows Defender Antivirus" service.|
+| `0x80070667` | You're running the `-ValidateMapsConnection` command from a computer that is Windows 10 version 1607 or older, or Windows Server 2016 or older. Run the command from a machine that is Windows 10 version 1703 or newer, or Windows Server 2019 or newer.|
+| `'MpCmdRun' is not recognized as an internal or external command, operable program or batch file.` | The tool needs to be run from either: `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0` (where `2008.4-0` might differ since platform updates are monthly except for December)|
+| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070005 httpcode=450)` | Not enough privileges. Use the command prompt (cmd.exe) as an administrator.|
+| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070006 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. |
+| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80004005 httpcode=450)` | Possible network-related issues, like name resolution problems|
+| `ValidateMapsConnection failed to establish a connection to MAPS (hr=0x80508015` | The firewall is blocking the connection or conducting SSL inspection. |
+| `ValidateMapsConnection failed to establish a connection to MAPS (hr=800722F0D` | The firewall is blocking the connection or conducting SSL inspection. |
+| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80072EE7 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. |
## Related topics
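Review bot: two of the new error rows carry malformed codes. `(hr=0x80508015` and `(hr=800722F0D` are both missing the closing parenthesis and the `httpcode` part that the other rows have, and `800722F0D` has nine hex digits, so it cannot be a 32-bit HRESULT. Verify both values against real tool output, because readers will search for these strings verbatim. The `0x` prefix is also used on only one of the `hr=` values. In the "not recognized" row, the hard-coded `4.18.2008.4-0` folder will go stale with the next platform update; a placeholder such as `<platform version>` with a note to pick the newest folder would age better.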
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
index 8a479654ed..f11dc35650 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
@@ -1,20 +1,21 @@
---
title: Enable Block at First Sight to detect malware in seconds
-description: Enable the Block at First sight feature to detect and block malware within seconds, and validate that it is configured correctly.
+description: Turn on the block at first sight feature to detect and block malware within seconds, and validate that it is configured correctly.
keywords: scan, BAFS, malware, first seen, first sight, cloud, defender
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: high
author: denisebmsft
ms.author: deniseb
ms.reviewer:
manager: dansimp
ms.custom: nextgen
+ms.date: 08/26/2020
---
-# Enable block at first sight
+# Turn on block at first sight
**Applies to:**
@@ -29,12 +30,12 @@ You can [specify how long the file should be prevented from running](configure-c
## How it works
-When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean.
+When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or not a threat.
-Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, intelligent, and real-time protection. To learn more, see this blog: [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).

-In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
+In Windows 10, version 1803 or later, block at first sight can block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file.
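Review bot: the updated 1803 sentence says block at first sight covers non-portable executable files, but the unchanged paragraph right after it still says "A hash value of the .exe file is checked via the cloud backend". Reword that sentence so it does not imply that only .exe files are hashed. Also, "analysis of the file to determine whether the files are malicious or not a threat" mixes singular and plural; make it "whether the file is".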
@@ -42,11 +43,11 @@ If the cloud backend is unable to make a determination, Microsoft Defender Antiv
In many cases, this process can reduce the response time for new malware from hours to seconds.
-## Confirm and validate that block at first sight is enabled
+## Confirm and validate that block at first sight is turned on
Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Microsoft Defender Antivirus deployments.
-### Confirm block at first sight is enabled with Intune
+### Confirm block at first sight is turned on with Intune
1. In Intune, navigate to **Device configuration - Profiles** > *Profile name* > **Device restrictions** > **Microsoft Defender Antivirus**.
@@ -69,7 +70,7 @@ For more information about configuring Microsoft Defender Antivirus device restr
For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus).
-### Enable block at first sight with Microsoft Endpoint Configuration Manager
+### Turn on block at first sight with Microsoft Endpoint Configuration Manager
1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**.
@@ -86,13 +87,12 @@ For a list of Microsoft Defender Antivirus device restrictions in Intune, see [D
5. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.

-6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking malicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds.
+6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking suspicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds.

7. Click **OK** to create the policy.
-
-### Confirm block at first sight is enabled with Group Policy
+### Confirm block at first sight is turned on with Group Policy
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -100,9 +100,9 @@ For a list of Microsoft Defender Antivirus device restrictions in Intune, see [D
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**:
- - Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**.
+ 1. Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**.
- - Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**.
+ 2. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**.
> [!WARNING]
> Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function.
@@ -113,24 +113,32 @@ For a list of Microsoft Defender Antivirus device restrictions in Intune, see [D
2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**, and then click **OK**.
-If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered.
+5. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MpEngine**:
-### Confirm block at first sight is enabled with Registry editor
+ 1. Double-click **Select cloud protection level** and ensure the option is set to **Enabled**.
+
+ 2. Ensure that **Select cloud blocking level** section on the same page is set to **High blocking level**, and then click **OK**.
+
+If you had to change any of the settings, you should redeploy the Group Policy Object across your network to ensure all endpoints are covered.
+
+### Confirm block at first sight is turned on with Registry editor
1. Start Registry Editor.
-2. Go to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet**, and make sure that
+2. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet`, and make sure that
1. **SpynetReporting** key is set to **1**
2. **SubmitSamplesConsent** key is set to either **1** (Send safe samples) or **3** (Send all samples)
-3. Go to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection**, and make sure that
+3. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection`, and make sure that
1. **DisableIOAVProtection** key is set to **0**
2. **DisableRealtimeMonitoring** key is set to **0**
-
+
+4. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine`, and make sure that the **MpCloudBlockLevel** key is set to **2**
+
### Confirm Block at First Sight is enabled on individual clients
You can confirm that block at first sight is enabled on individual clients using Windows security settings.
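Review bot: the new registry step 4 gives `MpCloudBlockLevel` a bare value of **2** without saying what it means, whereas step 2 annotates its values ("**1** (Send safe samples)"). State which blocking level 2 corresponds to, so that it can be checked against the new Group Policy step 5, which requires **High blocking level**. Step 5 also names the same policy two ways ("Select cloud protection level" and "Select cloud blocking level"); use the label the editor actually shows. The heading "Confirm Block at First Sight is enabled on individual clients" was not renamed to "turned on" like its siblings.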
@@ -152,14 +160,14 @@ Block at first sight is automatically enabled as long as **Cloud-delivered prote
You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud).
-## Disable block at first sight
+## Turn off block at first sight
> [!WARNING]
-> Disabling block at first sight will lower the protection state of the endpoint and your network.
+> Turning off block at first sight will lower the protection state of the endpoint and your network.
You may choose to disable block at first sight if you want to retain the prerequisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network.
-### Disable block at first sight with Group Policy
+### Turn off block at first sight with Group Policy
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and then click **Edit**.
@@ -170,9 +178,10 @@ You may choose to disable block at first sight if you want to retain the prerequ
4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**.
> [!NOTE]
- > Disabling block at first sight will not disable or alter the prerequisite group policies.
+ > Disabling block at first sight does not disable or alter the prerequisite group policies.
-## Related topics
+## See also
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+
- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
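Review bot: the terminology change is only half applied in this section. The headings and the warning now say "Turn off" and "Turning off", but the edited note still reads "Disabling block at first sight does not disable or alter the prerequisite group policies", and the intro paragraph still says "You may choose to disable". Either finish the rename in the body text or leave the note as it was. The renamed headings also produce new anchors, so check for inbound links that point to the old "enable" and "disable" heading anchors.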
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
index 945265b8a3..db3e3a162e 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
title: Configure Microsoft Defender Antivirus notifications
-description: Configure and customize Microsoft Defender Antivirus notifications.
+description: Learn how to configure and customize both standard and additional Microsoft Defender Antivirus notifications on endpoints.
keywords: notifications, defender, antivirus, endpoint, management, admin
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index 8f16436956..200a5cd47a 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -13,6 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
+ms.date: 08/26/2020
---
# Microsoft Defender Antivirus compatibility
@@ -26,7 +27,7 @@ manager: dansimp
Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection.
- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus automatically goes into disabled mode.
- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.)
-- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) (currently in private preview) enabled, then Microsoft Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
+- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) (currently in preview) enabled, then whenever a malicious artifact is detected, Microsoft Defender ATP takes action to block and remediate the artifact.
## Antivirus and Microsoft Defender ATP
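Review bot: the rewritten EDR in block mode bullet no longer says what Microsoft Defender Antivirus does, which is the question this list answers; the two bullets above it end in "goes into disabled mode" and "goes into passive mode". The new text attributes the blocking to Microsoft Defender ATP and drops "runs in the background", so a reader cannot tell which state the antivirus is in when a non-Microsoft product is primary. Keep the new wording if it is accurate, but add the resulting Microsoft Defender Antivirus mode.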
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
index a5087f74b0..a4a959b83d 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
@@ -1,6 +1,6 @@
---
title: Microsoft Defender Antivirus on Windows Server 2016 and 2019
-description: Enable and configure Microsoft Defender AV on Windows Server 2016 and 2019
+description: Learn how to enable and configure Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019.
keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
index 58572c3d52..97fb2041b9 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
title: Configure Microsoft Defender Antivirus with Group Policy
-description: Configure Microsoft Defender Antivirus settings with Group Policy
+description: Learn how to use a Group Policy to configure and manage Microsoft Defender Antivirus on your endpoints in Microsoft Defender ATP.
keywords: group policy, GPO, configuration, settings
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
index 49f9134d53..5247002bbc 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
title: Configure Microsoft Defender Antivirus with WMI
-description: Use WMI scripts to configure Microsoft Defender AV.
+description: Learn how to configure and manage Microsoft Defender Antivirus by using WMI scripts to retrieve, modify, and update settings in Microsoft Defender ATP.
keywords: wmi, scripts, windows management instrumentation, configuration
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
index 1dfee7b591..4dcd95abef 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 08/12/2020
+ms.date: 08/17/2020
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -43,7 +43,7 @@ Depending on your organization's settings, employees can copy and paste images (
### Why don't employees see their Favorites in the Application Guard Edge session?
-To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.
+To help keep the Application Guard Edge session secure and isolated from the host device, favorites that are stored in an Application Guard Edge session are not copied to the host device.
### Are extensions supported in the Application Guard?
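Review bot: the reworded answer still describes the wrong direction for the question above it. The heading asks why employees don't see their Favorites in the Application Guard Edge session, but the sentence says that favorites stored in the session "are not copied to the host device". State whether host favorites are made available inside the isolated session, and use one capitalization of "Favorites" in the heading and the answer.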
@@ -53,6 +53,10 @@ Extension installs in the container are supported from Microsoft Edge version 81
Microsoft Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
+If Application Guard is used with network proxies, they need to be specified by fully qualified domain name (FQDN) in the system proxy settings (likewise in a PAC script if that is the type of proxy configuration used). Additionally these proxies need to be marked as *neutral* in the **Application trust** list. The FQDNs for the PAC file and the proxy servers the PAC file redirects to must be added as neutral resources in the network isolation policies that are used by Application Guard. You can verify this by going to `edge://application-guard-internals/#utilities` and entering the FQDN for the pac/proxy in the **check url trust** field. Verify that it says *Neutral.*
+
+Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the enterprise IP ranges in the network isolation policies that are used by Application Guard. Additionally, go to `edge://application-guard-internals/#utilities` to view the Application Guard proxy configuration. This step can be done in both the host and within Application Guard to verify that each side is using the proxy setup you expect.
+
### Which Input Method Editors (IME) in 19H1 are not supported?
The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard.
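Review bot: the two added proxy paragraphs do not say how they relate to the existing paragraph above them. That paragraph allows a symbolic name such as `itproxy:81`, while the new text requires an FQDN and a *neutral* marking; say whether the FQDN requirement replaces the symbolic-name guidance or applies on top of it. In the second paragraph, "the server hosting the above" is vague; name the PAC file host and the proxy servers explicitly. Also use "PAC" consistently rather than "pac/proxy", and merge the two references to `edge://application-guard-internals/#utilities` into one verification step that covers both the trust check and the proxy configuration view.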
@@ -83,29 +87,29 @@ To trust a subdomain, you must precede your domain with two dots, for example: `
### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
-When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
+When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's standalone mode. However, when using Windows Enterprise you will have access to Application Guard's enterprise-managed mode. This mode has some extra features that the standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
### Is there a size limit to the domain lists that I need to configure?
-Yes, both the Enterprise Resource domains hosted in the cloud and the Domains categorized as both work and personal have a 16383B limit.
+Yes, both the enterprise resource domains hosted in the cloud and the domains categorized as both work and personal have a 16383B limit.
### Why does my encryption driver break Microsoft Defender Application Guard?
-Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT").
+Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Microsoft Defender Application Guard will not work, and will result in an error message (*0x80070013 ERROR_WRITE_PROTECT*).
-### Why do the Network Isolation policies in Group Policy and CSP look different?
+### Why do the network isolation policies in Group Policy and CSP look different?
-There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy WDAG are different between CSP and GP.
+There is not a one-to-one mapping among all the network isolation policies between CSP and GP. Mandatory network isolation policies to deploy WDAG are different between CSP and GP.
Mandatory network isolation GP policy to deploy WDAG: "DomainSubnets or CloudResources"
Mandatory network isolation CSP policy to deploy WDAG: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
-Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
+Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (*0x80070013 ERROR_WRITE_PROTECT*).
### Why did Application Guard stop working after I turned off hyperthreading?
-If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
+If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility that Microsoft Defender Application Guard no longer meets the minimum requirements.
### Why am I getting the error message ("ERROR_VIRTUAL_DISK_LIMITATION")?
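Review bot: The WDAG rename is applied unevenly in this hunk. The encryption-driver answer now reads "Microsoft Defender Application Guard will not work", but the network isolation answer still says "Mandatory network isolation policies to deploy WDAG", and the paragraph re-added under it still says "WDAG will not work". That re-added paragraph also repeats the encryption-driver answer under the network isolation question, where it does not belong; suggest deleting it instead of rebranding it. Two smaller points: "standalone Mode" in the Pro vs Enterprise answer should be lowercase to match "standalone mode" earlier in the same paragraph, and moving the error code from code formatting to italics makes `0x80070013 ERROR_WRITE_PROTECT` harder to copy and search for.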
@@ -139,7 +143,7 @@ In the Microsoft Defender Firewall user interface go through the following steps
### Why can I not launch Application Guard when Exploit Guard is enabled?
-There is a known issue where if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to Windows Security-> App and Browser control -> Exploit Protection Setting -> switch CFG to the “use default".
+There is a known issue where if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to the **use default**.
### How can I have ICS in enabled state yet still use Application Guard?
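Review bot: The rewritten sentence ends with "switch CFG to the **use default**", which keeps a stray article from the old wording. Suggest "and then set CFG to **Use default**", matching the capitalization of the UI label. Since the answer asks the reader to change an exploit mitigation, it would also help to expand CFG on first use and to say whether "and possibly others" refers to other mitigations that need the same reset.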
@@ -148,7 +152,7 @@ This is a two step process.
Step 1:
-Enable Internet Connection sharing by changing the Group Policy setting **Prohibit use of Internet Connection Sharing on your DNS domain network.** This setting is part of the Microsoft security baseline. Change it from Enabled to Disabled.
+Enable Internet Connection sharing by changing the Group Policy setting **Prohibit use of Internet Connection Sharing on your DNS domain network.** This setting is part of the Microsoft security baseline. Change it from **Enabled** to **Disabled**.
Step 2:
@@ -159,3 +163,12 @@ Step 2:
3. Disable IPNAT (Optional):
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`.
4. Restart the device.
+
+### Why doesn't Application Guard work, even though it's enabled through Group Policy?
+
+Application Guard must meet all these prerequisites to be enabled in Enterprise mode: [System requirements for Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard).
+To understand why it is not enabled in Enterprise mode, check the status of the evaluation to understand what's missing.
+
+For CSP (Intune) you can query the status node by using **Get**. This is described in the [Application Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/windowsdefenderapplicationguard-csp). On this page, you will see the **status** node as well as the meaning of each bit. If the status is not 63, you are missing a prerequisite.
+
+For Group Policy you need to look at the registry. See **Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HVSIGP** Status. The meaning of each bit is the same as the CSP.
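Review bot: The new answer stops at "If the status is not 63, you are missing a prerequisite" and leaves the Group Policy reader with a registry number and no way to decode it on this page. Since 63 is bits 0 through 5 all set, consider adding a short table of the six bits here, or at least stating that each cleared bit corresponds to one unmet prerequisite listed in the CSP article. The registry location is also formatted as bold text with a "Computer\" prefix and the value name "Status" outside the formatting; suggest code formatting for the key and value, as done for the IPNat key a few lines up. Finally, "Enterprise mode" here should match "enterprise-managed mode" used in the Pro vs Enterprise answer.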
diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
index 07fcff8c6f..85b5514ca3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
@@ -1,6 +1,6 @@
---
title: Add or Remove Machine Tags API
-description: Use this API to Add or Remove machine tags.
+description: Learn how to use the Add or Remove machine tags API to adds or remove a tag for a machine in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, tags, machine tags
search.product: eADQiWindows 10XVcnh
ms.prod: w10
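Review bot: Typo in the new description: "to adds or remove a tag" should be "to add or remove a tag". The sentence also repeats "Add or Remove" twice; "Learn how to use the API to add or remove a tag for a machine in Microsoft Defender Advanced Threat Protection." says the same thing in fewer characters.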
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
index 5cd3f15a09..e6feab4594 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
@@ -1,7 +1,7 @@
---
title: Overview of advanced hunting in Microsoft Defender ATP
description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto, time zone, UTC
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -41,12 +41,16 @@ You can also go through each of the following steps to ramp up your advanced hun
| **Learn how to use the query results** | Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries and drill down to get richer information. | [Work with query results](advanced-hunting-query-results.md) |
| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. This will help you determine where to look for data and how to construct your queries. | [Schema reference](advanced-hunting-schema-reference.md) |
| **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) |
-| **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | - [Custom detections overview](overview-custom-detections.md)
- [Custom detection rules](custom-detection-rules.md) |
+| **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | - [Custom detections overview](overview-custom-detections.md)
- [Custom detection rules](custom-detection-rules.md) |
-## Get help as you write queries
-Take advantage of the following functionality to write queries faster:
-- **Autosuggest** — as you write queries, advanced hunting provides suggestions from IntelliSense.
-- **Schema reference** — a schema reference that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor.
+## Data freshness and update frequency
+Advanced hunting data can be categorized into two distinct types, each consolidated differently:
+
+- **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Microsoft Defender ATP.
+- **Entity data**—populates tables with consolidated information about users and devices. To provide fresh data, tables are updated every 15 minutes with any new information, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
+
+## Time zone
+All time information in advanced hunting is currently in the UTC time zone.
## Related topics
- [Learn the query language](advanced-hunting-query-language.md)
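Review bot: The entity data bullet says tables are updated every 15 minutes by "adding rows that might not be fully populated" and consolidated every 24 hours, but it does not tell the analyst what that means for a query. As written, a hunt over an entity table can return several rows per device or user, some of them partial; suggest one sentence on how to pick the most recent or most complete record. In the event data bullet, "this data" is followed by "collect them ... transmit them"; make the pronouns agree. The bullets in this hunk also switch from the spaced em dash used in the removed lines to an unspaced one, so pick one style for the article.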
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
index 947c3638f3..1b1ce276f6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
@@ -144,11 +144,28 @@ Data in advanced hunting tables are generally classified into the following data
| `int` | 32-bit numeric value |
| `long` | 64-bit numeric value |
+## Get help as you write queries
+Take advantage of the following functionality to write queries faster:
+
+- **Autosuggest**—as you write queries, advanced hunting provides suggestions from IntelliSense.
+- **Schema tree**—a schema representation that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor.
+- **[Schema reference](advanced-hunting-schema-reference.md#get-schema-information-in-the-security-center)**—in-portal reference with table and column descriptions as well as supported event types (`ActionType` values) and sample queries
+
+## Work with multiple queries in the editor
+The query editor can serve as your scratch pad for experimenting with multiple queries. To use multiple queries:
+
+- Separate each query with an empty line.
+- Place the cursor on any part of a query to select that query before running it. This will run only the selected query. To run another query, move the cursor accordingly and select **Run query**.
+
+
+_Query editor with multiple queries_
+
+
## Use sample queries
The **Get started** section provides a few simple queries using commonly used operators. Try running these queries and making small modifications to them.
-
+
> [!NOTE]
> Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository.
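Review bot: In the moved "Get help as you write queries" list, the new third bullet (Schema reference) is a fragment with no closing period, while the first two bullets are full sentences that end with one. In the multiple-queries section, **Run query** is first named at the end of the second bullet, after "before running it" and "This will run only the selected query"; suggest naming the button where running is first mentioned so the steps read in order.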
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
index 34716e8296..f036dd4418 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
@@ -24,8 +24,6 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-[!INCLUDE [Prerelease information](../../includes/prerelease.md)]
-
While you can construct your [advanced hunting](advanced-hunting-overview.md) queries to return very precise information, you can also work with the query results to gain further insight and investigate specific activities and indicators. You can take the following actions on your query results:
- View results as a table or chart
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
index 59a850ea64..0e2f6811ad 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
@@ -1,6 +1,6 @@
---
title: Advanced hunting schema reference
-description: Learn about the tables in the advanced hunting schema to understand the data you can run threat hunting queries on
+description: Learn about the tables in the advanced hunting schema to understand the data you can run threat hunting queries on.
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, data
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -29,7 +29,20 @@ ms.date: 01/14/2020
The [advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about devices and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema.
-## Schema tables
+## Get schema information in the security center
+While constructing queries, use the built-in schema reference to quickly get the following information about each table in the schema:
+
+- **Tables description**—type of data contained in the table and the source of that data.
+- **Columns**—all the columns in the table.
+- **Action types**—possible values in the `ActionType` column representing the event types supported by the table. This is provided only for tables that contain event information.
+- **Sample query**—example queries that feature how the table can be utilized.
+
+### Access the schema reference
+To quickly access the schema reference, select the **View reference** action next to the table name in the schema representation. You can also select **Schema reference** to search for a table.
+
+
+
+## Learn the schema tables
The following reference lists all the tables in the advanced hunting schema. Each table name links to a page describing the column names for that table.
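Review bot: Renaming the heading "Schema tables" to "Learn the schema tables" changes its anchor, so any inbound link to the old section anchor will stop resolving; check for references before merging or keep the old heading text. In the new list, "Tables description" should be "Table description", and "example queries that feature how the table can be utilized" reads better as "example queries that show how to use the table".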
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
index 820026e626..34ba31d9cb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
@@ -1,6 +1,6 @@
---
title: Get alerts API
-description: Retrieve recent Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) alerts.
+description: Learn about the methods and properties of the Alert resource type in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, alerts, recent
search.product: eADQiWindows 10XVcnh
ms.prod: w10
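Review bot: The new description, "Learn about the methods and properties of the Alert resource type", no longer matches the title "Get alerts API" or the keywords "get, alerts, recent" on the unchanged lines. Either update the title and keywords to describe the resource type page, or keep a description that reflects retrieving alerts, so search results are not misleading.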
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index de60666730..320472ce86 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -289,7 +289,7 @@ This rule helps prevent credential stealing, by locking down Local Security Auth
LSASS authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.
> [!NOTE]
-> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
+> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
This rule was introduced in:
- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
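Review bot: This line reverses the previous guidance (from "you need to add it to the exclusion list" to "there is NO need to add it") and the new condition is ambiguous: "simply enumerates LSASS, but has no real impact in functionality" does not say whose functionality. Suggest wording such as "If the block does not affect the app's functionality, you do not need to add the app to the exclusion list", dropping the all-caps "NO". Because exclusions on the LSASS rule weaken credential-theft protection, it is worth stating the reason for the change explicitly: the blocked open is harmless to the app, so the rule should stay in force.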
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
index fa431dbc93..bd94cf5240 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@@ -78,6 +78,15 @@ You can configure the following levels of automation:
|**Semi - require approval for any remediation** | An approval is needed for any remediation action.
*This option is selected by default for Microsoft Defender ATP tenants created before August 16, 2020.*|
|**No automated response** | Devices do not get any automated investigations run on them.
*This option is not recommended, because it fully disables automated investigation and remediation capabilities, and reduces the security posture of your organization's devices.* |
+
+> [!IMPORTANT]
+> A few points of clarification regarding automation levels and default settings:
+> - If your tenant already has device groups defined, the automation level settings are not changed.
+> - If your tenant was onboarded to Microsoft Defender ATP before August 16, 2020, your organization's first device group is set to **Semi - require approval for any remediation** by default.
+> - If your tenant is onboarded on or after August 16, 2020, when your organization's first device group is set to **Full - remediate threats automatically**.
+> - To change an automation level, edit your [device groups](configure-automated-investigations-remediation.md#set-up-device-groups).
+
+
### A few points to keep in mind
- Your level of automation is determined by your device group settings. See [Set up device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
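Review bot: The third bullet of the new IMPORTANT block is a fragment: "If your tenant is onboarded on or after August 16, 2020, when your organization's first device group is set to ..." has a stray "when" and no main clause. Suggest "..., your organization's first device group is set to **Full - remediate threats automatically** by default", parallel to the bullet above it. The table row on the unchanged line says "tenants created before August 16, 2020" while the new bullets say "onboarded"; use one term so the cutoff is unambiguous.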
diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
index 04569f6785..4fc887a605 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
@@ -90,7 +90,7 @@ While the attack was detected and stopped, alerts, such as an "initial access al
This example shows how behavior-based device learning models in the cloud add new layers of protection against attacks, even after they have started running.
-### Example 2: NTML relay - Juicy Potato malware variant
+### Example 2: NTLM relay - Juicy Potato malware variant
As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Microsoft Defender ATP detected a privilege escalation activity on a device in an organization. An alert called “Possible privilege escalation using NTLM relay” was triggered.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
index 2dc93956ba..ef4053bac6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
@@ -103,8 +103,8 @@ The following steps assume that you have completed all the required steps in [Be
For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file.Events URL
- Depending on the location of your datacenter, select either the EU or the US URL: For EU: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
+
- For US: https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
For UK: https://wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIMEDepending on the location of your datacenter, select either the EU or the US URL: For EU: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
+ For US: https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
For UK: https://wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
Authentication Type
OAuth 2
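Review bot: The Events URL text says "select either the EU or the US URL" but three URLs are listed (EU, US and UK), so a UK tenant is told to choose between two that do not apply. Suggest "select the EU, US, or UK URL". The cell content also appears duplicated and run together in this hunk ("$START_AT_TIMEDepending on the location"), which is worth checking in the rendered table before merging.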
@@ -113,7 +113,7 @@ The following steps assume that you have completed all the required steps in [Be
Browse to the location of the wdatp-connector.properties file. The name must match the file provided in the .zip that you downloaded.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
index 32e7e448f6..771c2b866b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
@@ -63,7 +63,7 @@ The following steps will guide you through onboarding VDI devices and will highl
1. Click **Download package** and save the .zip file.
-2. Copy the extracted files from the .zip into `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. You should have a folder called `WindowsDefenderATPOnboardingPackage` containing the file `WindowsDefenderATPOnboardingScript.cmd`.
+2. Copy all the extracted files from the .zip into `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. You should have a folder called `WindowsDefenderATPOnboardingPackage` containing the file `WindowsDefenderATPOnboardingScript.cmd`.
>[!NOTE]
>If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
index 18707f606c..a25c911a4f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
@@ -150,7 +150,7 @@ Microsoft Defender ATP is built on Azure cloud, deployed in the following region
- \+\Refresh Token
- You can obtain a refresh token in two ways: by generating a refresh token from the SIEM settings page or using the restutil tool.
For more information on generating a refresh token from the Preferences setup , see Enable SIEM integration in Microsoft Defender ATP. Get your refresh token using the restutil tool: a. Open a command prompt. Navigate to C:\folder_location\current\bin where folder_location represents the location where you installed the tool. b. Type: arcsight restutil token -config
from the bin directory.For example: arcsight restutil boxtoken -proxy proxy.location.hp.com:8080 A Web browser window will open. c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. d. A refresh token is shown in the command prompt. e. Copy and paste it into the Refresh Token field.
+ You can obtain a refresh token in two ways: by generating a refresh token from the SIEM settings page or using the restutil tool.
For more information on generating a refresh token from the Preferences setup , see Enable SIEM integration in Microsoft Defender ATP. Get your refresh token using the restutil tool: a. Open a command prompt. Navigate to C:\folder_location\current\bin where folder_location represents the location where you installed the tool. b. Type: arcsight restutil token -config
from the bin directory.For example: arcsight restutil boxtoken -proxy proxy.location.hp.com:8080 A Web browser window will open. c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. d. A refresh token is shown in the command prompt. e. Copy and paste it into the Refresh Token field.
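Review bot: The command in step b is given as "arcsight restutil token -config" but the example that follows uses "arcsight restutil boxtoken -proxy proxy.location.hp.com:8080"; the subcommand and flags should agree, or the example will mislead readers. Step c also says the same thing twice ("Type in your credentials ..." and "In the login prompt, enter your credentials"), and "directory.For example" is missing a space. Since step d prints a refresh token to the command prompt, consider a short note that it is a credential and should not be left in console history or pasted anywhere other than the Refresh Token field.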
diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-views.md b/windows/security/threat-protection/microsoft-defender-atp/event-views.md
index a93b7da7cd..d373f292ac 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/event-views.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/event-views.md
@@ -20,19 +20,17 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can review attack surface reduction events in Event Viewer. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow.
+Review attack surface reduction events in Event Viewer to monitor what rules or settings are working. You can also determine if any settings are too "noisy" or impacting your day to day workflow.
-Reviewing the events is also handy when you are evaluating the features, as you can enable audit mode for the features or settings, and then review what would have happened if they were fully enabled.
+Reviewing events is handy when you're evaluating the features. You can enable audit mode for features or settings, and then review what would have happened if they were fully enabled.
-This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events.
+This article lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events.
-You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md).
+Get detailed reporting into events and blocks as part of Windows Security if you have an E5 subscription and use [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md).
## Use custom views to review attack surface reduction capabilities
-You can create custom views in the Windows Event Viewer to only see events for specific capabilities and settings.
-
-The easiest way to do this is to import a custom view as an XML file. You can copy the XML directly from this page.
+Create custom views in the Windows Event Viewer to only see events for specific capabilities and settings. The easiest way is to import a custom view as an XML file. You can copy the XML directly from this page.
You can also manually navigate to the event area that corresponds to the feature.
@@ -44,33 +42,33 @@ You can also manually navigate to the event area that corresponds to the feature
- Attack surface reduction events custom view: *asr-events.xml*
- Network/ protection events custom view: *np-events.xml*
-1. Type **event viewer** in the Start menu and open **Event Viewer**.
+2. Type **event viewer** in the Start menu and open **Event Viewer**.
-1. Click **Action** > **Import Custom View...**
+3. Select **Action** > **Import Custom View...**

-1. Navigate to where you extracted XML file for the custom view you want and select it.
+4. Navigate to where you extracted XML file for the custom view you want and select it.
-1. Click **Open**.
+5. Select **Open**.
-1. This will create a custom view that filters to only show the events related to that feature.
+6. It will create a custom view that filters to only show the events related to that feature.
### Copy the XML directly
1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**.
-1. On the left panel, under **Actions**, click **Create Custom View...**
+2. On the left panel, under **Actions**, select **Create Custom View...**

-1. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**.
+3. Go to the XML tab and select **Edit query manually**. You'll see a warning that you can't edit the query using the **Filter** tab if you use the XML option. Select **Yes**.
-1. Paste the XML code for the feature you want to filter events from into the XML section.
+4. Paste the XML code for the feature you want to filter events from into the XML section.
-1. Click **OK**. Specify a name for your filter.
+5. Select **OK**. Specify a name for your filter.
-1. This will create a custom view that filters to only show the events related to that feature.
+6. It will create a custom view that filters to only show the events related to that feature.
### XML for attack surface reduction rule events
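Review bot: In both procedures the final step changed from "This will create a custom view" to "It will create a custom view", and "It" has no antecedent in a numbered list. That item describes a result, not an action, so suggest folding it into the previous step, for example "Select **Open**. A custom view is created that shows only the events related to that feature." Step 4 of the import procedure also still reads "where you extracted XML file" and needs "the".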
@@ -127,13 +125,13 @@ You can also manually navigate to the event area that corresponds to the feature
## List of attack surface reduction events
-All attack surface reductiond events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table.
+All attack surface reduction events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table.
You can access these events in Windows Event viewer:
-1. Open the **Start** menu and type **event viewer**, and then click on the **Event Viewer** result.
+1. Open the **Start** menu and type **event viewer**, and then select the **Event Viewer** result.
2. Expand **Applications and Services Logs > Microsoft > Windows** and then go to the folder listed under **Provider/source** in the table below.
-3. Double-click on the sub item to see events. Scroll through the events to find the one you are looking.
+3. Double-click on the sub item to see events. Scroll through the events to find the one you're looking.

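Review bot: Step 3 is still an incomplete sentence after the edit: "Scroll through the events to find the one you're looking." The contraction was applied but the missing word was not restored; suggest "find the one you're looking for."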
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
index 354df454ab..49d1fcd691 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
@@ -39,7 +39,7 @@ You can also use [audit mode](evaluate-exploit-protection.md) to evaluate how ex
Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Exploit protection](emet-exploit-protection.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10.
> [!IMPORTANT]
-> If you are currently using EMET you should be aware that [EMET reached end of support on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
+> If you are currently using EMET you should be aware that [EMET reached end of support on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10.
> [!WARNING]
> Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender.md) before deploying the configuration across a production environment or the rest of your network.
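Review bot: The IMPORTANT note loses the sentence and link for converting an EMET configuration file, but the unchanged paragraph directly above it still says "you can convert and import existing EMET configuration profiles into Exploit protection." If conversion is no longer supported, that paragraph needs the same edit; if it is supported, keep a pointer to the procedure so readers migrating off EMET are not left without one.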
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
index 37e873ced5..c820d3d69e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
@@ -1,7 +1,7 @@
---
title: OData queries with Microsoft Defender ATP
ms.reviewer:
-description: Use these examples of Open Data Protocol (OData) queries to help with data access protocols in Microsoft Defender ATP
+description: Use these examples of Open Data Protocol (OData) queries to help with data access protocols in Microsoft Defender ATP.
keywords: apis, supported apis, odata, query
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md
index e4ecad3ffa..00887c1ccb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md
@@ -1,6 +1,6 @@
---
title: Get alert information by ID API
-description: Retrieve a Microsoft Defender ATP alert by its ID.
+description: Learn how to use the Get alert information by ID API to retrieve a specific alert by its ID in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, alert, information, id
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
index 982e2a2585..e5d037ad94 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
@@ -1,6 +1,6 @@
---
title: Get alert related user information
-description: Retrieves the user associated to a specific alert.
+description: Learn how to use the Get alert related user information API to retrieve the user related to a specific alert in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, alert, information, related, user
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
index f13f6270fd..16e865448e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
@@ -1,6 +1,6 @@
---
title: List alerts API
-description: Retrieve a collection of recent Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) alerts.
+description: Learn how to use the List alerts API to retrieve a collection of alerts in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, alerts, recent
search.product: eADQiWindows 10XVcnh
ms.prod: w10
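Review bot: The new description drops "recent" from what the API returns, while the unchanged keywords line still lists "recent". Confirm which one describes the endpoint and align the description and keywords.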
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
index 5f0bb3386d..94487dd4ff 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
@@ -1,108 +1,108 @@
----
-title: List all recommendations
-description: Retrieves a list of all security recommendations affecting the organization.
-keywords: apis, graph api, supported apis, get, security recommendations, mdatp tvm api, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List all recommendations
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of all security recommendations affecting the organization.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the list of security recommendations in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/recommendations
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
- "value": [
- {
- "id": "va-_-microsoft-_-windows_10",
- "productName": "windows_10",
- "recommendationName": "Update Windows 10",
- "weaknesses": 397,
- "vendor": "microsoft",
- "recommendedVersion": "",
- "recommendationCategory": "Application",
- "subCategory": "",
- "severityScore": 0,
- "publicExploit": true,
- "activeAlert": false,
- "associatedThreats": [
- "3098b8ef-23b1-46b3-aed4-499e1928f9ed",
- "40c189d5-0330-4654-a816-e48c2b7f9c4b",
- "4b0c9702-9b6c-4ca2-9d02-1556869f56f8",
- "e8fc2121-3cf3-4dd2-9ea0-87d7e1d2b29d",
- "94b6e94b-0c1d-4817-ac06-c3b8639be3ab"
- ],
- "remediationType": "Update",
- "status": "Active",
- "configScoreImpact": 0,
- "exposureImpact": 7.674418604651163,
- "totalMachineCount": 37,
- "exposedMachinesCount": 7,
- "nonProductivityImpactedAssets": 0,
- "relatedComponent": "Windows 10"
- }
- ...
- ]
-}
-```
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
-
+---
+title: List all recommendations
+description: Retrieves a list of all security recommendations affecting the organization.
+keywords: apis, graph api, supported apis, get, security recommendations, mdatp tvm api, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List all recommendations
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of all security recommendations affecting the organization.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the list of security recommendations in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
+ "value": [
+ {
+ "id": "va-_-microsoft-_-windows_10",
+ "productName": "windows_10",
+ "recommendationName": "Update Windows 10",
+ "weaknesses": 397,
+ "vendor": "microsoft",
+ "recommendedVersion": "",
+ "recommendationCategory": "Application",
+ "subCategory": "",
+ "severityScore": 0,
+ "publicExploit": true,
+ "activeAlert": false,
+ "associatedThreats": [
+ "3098b8ef-23b1-46b3-aed4-499e1928f9ed",
+ "40c189d5-0330-4654-a816-e48c2b7f9c4b",
+ "4b0c9702-9b6c-4ca2-9d02-1556869f56f8",
+ "e8fc2121-3cf3-4dd2-9ea0-87d7e1d2b29d",
+ "94b6e94b-0c1d-4817-ac06-c3b8639be3ab"
+ ],
+ "remediationType": "Update",
+ "status": "Active",
+ "configScoreImpact": 0,
+ "exposureImpact": 7.674418604651163,
+ "totalMachineCount": 37,
+ "exposedMachinesCount": 7,
+ "nonProductivityImpactedAssets": 0,
+ "relatedComponent": "Windows 10"
+ }
+ ...
+ ]
+}
+```
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
+
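Review bot: All 108 lines are removed and re-added with no visible difference in text, so this reads as a line-ending or trailing-whitespace rewrite rather than a content edit. Please confirm that is intended and state it in the commit message or split it into its own commit, because a whole-file hunk hides any real change from review and from blame. The file also keeps the "[!include[Prerelease information]" line that the get-device-secure-score.md and get-discovered-vulnerabilities.md rewrites in this same diff remove, so check whether it should go here too.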
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
index 4114015c39..8b61f18cfc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
@@ -1,96 +1,96 @@
----
-title: Get all vulnerabilities
-description: Retrieves a list of all the vulnerabilities affecting the organization
-keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List vulnerabilities
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of all the vulnerabilities affecting the organization.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/vulnerabilities
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the list of vulnerabilities in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Vulnerabilities
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities",
- "value": [
- {
- "id": "CVE-2019-0608",
- "name": "CVE-2019-0608",
- "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
- "severity": "Medium",
- "cvssV3": 4.3,
- "exposedMachines": 4,
- "publishedOn": "2019-10-08T00:00:00Z",
- "updatedOn": "2019-12-16T16:20:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
- ...
- ]
-
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
+---
+title: Get all vulnerabilities
+description: Retrieves a list of all the vulnerabilities affecting the organization
+keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List vulnerabilities
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of all the vulnerabilities affecting the organization.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/vulnerabilities
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the list of vulnerabilities in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Vulnerabilities
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities",
+ "value": [
+ {
+ "id": "CVE-2019-0608",
+ "name": "CVE-2019-0608",
+ "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
+ "severity": "Medium",
+ "cvssV3": 4.3,
+ "exposedMachines": 4,
+ "publishedOn": "2019-10-08T00:00:00Z",
+ "updatedOn": "2019-12-16T16:20:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+ }
+ ...
+ ]
+
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
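Review bot: This is another whole-file replacement with no visible text change (96 lines out, 96 in), and it carries forward inconsistencies a content pass would catch: the front matter title is "Get all vulnerabilities" while the heading is "# List vulnerabilities", and the documented request is "GET /api/vulnerabilities" while the example calls ".../api/Vulnerabilities". Pick one title and one path casing, and confirm the rewrite is only a line-ending normalization.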
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md
index 4207a4cc3b..1bb48a3550 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md
@@ -1,6 +1,6 @@
---
title: Get CVE-KB map API
-description: Retrieves a map of CVE's to KB's.
+description: Learn how to use the Get CVE-KB map API to retrieve a map of CVE's to KB's and CVE details in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, cve, kb
search.product: eADQiWindows 10XVcnh
search.appverid: met150
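Review bot: The rewritten description keeps the apostrophe plurals "CVE's to KB's". Since the line is being replaced anyway, use "CVEs to KBs".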
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
index 6eb1d7d80c..b33b579f20 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
@@ -1,83 +1,83 @@
----
-title: Get Machine Secure score
-description: Retrieves the organizational device secure score.
-keywords: apis, graph api, supported apis, get, alerts, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get Machine Secure score
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves the organizational device secure score.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Score.Read.Alll | 'Read Threat and Vulnerability Management score'
-Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
-
-## HTTP request
-```
-GET /api/configurationScore
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK, with the with device secure score data in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/configurationScore
-```
-
-**Response**
-
-Here is an example of the response.
-
->[!NOTE]
->The response list shown here may be truncated for brevity.
-
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ConfigurationScore/$entity",
- "time": "2019-12-03T09:15:58.1665846Z",
- "score": 340
-}
-```
-
-## Related topics
-- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
+---
+title: Get device secure score
+description: Retrieves the organizational device secure score.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: levinec
+ms.author: ellevin
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get device secure score
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Retrieves your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). A higher Microsoft Secure Score for Devices means your endpoints are more resilient from cybersecurity threat attacks.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Score.Read.Alll | 'Read Threat and Vulnerability Management score'
+Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
+
+## HTTP request
+
+```
+GET /api/configurationScore
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+## Request body
+
+Empty
+
+## Response
+
+If successful, this method returns 200 OK, with the device secure score data in the response body.
+
+## Example
+
+### Request
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/configurationScore
+```
+
+### Response
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response list shown here may be truncated for brevity.
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ConfigurationScore/$entity",
+ "time": "2019-12-03T09:15:58.1665846Z",
+ "score": 340
+}
+```
+
+## Related topics
+
+- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
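Review bot: The permissions table on the added side still reads "Score.Read.Alll" with three l's. The other permission tables in this diff use the ".Read.All" suffix (Vulnerability.Read.All, SecurityRecommendation.Read.All), so this looks like a typo that an admin granting application permissions would copy verbatim; please verify the name against the API and correct it. The keywords line "get, alerts, recent" is also carried over unchanged and does not describe a secure score endpoint.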
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
index d93e999a34..333b21f72f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
@@ -1,93 +1,94 @@
----
-title: Get discovered vulnerabilities
-description: Retrieves a collection of discovered vulnerabilities related to a given device ID.
-keywords: apis, graph api, supported apis, get, list, file, information, discovered vulnerabilities, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get discovered vulnerabilities
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a collection of discovered vulnerabilities related to a given device ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/machines/{machineId}/vulnerabilities
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the discovered vulnerability information in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
- "value": [
- {
- "id": "CVE-2019-1348",
- "name": "CVE-2019-1348",
- "description": "Git could allow a remote attacker to bypass security restrictions, caused by a flaw in the --export-marks option of git fast-import. By persuading a victim to import specially-crafted content, an attacker could exploit this vulnerability to overwrite arbitrary paths.",
- "severity": "Medium",
- "cvssV3": 4.3,
- "exposedMachines": 1,
- "publishedOn": "2019-12-13T00:00:00Z",
- "updatedOn": "2019-12-13T00:00:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
+---
+title: Get discovered vulnerabilities
+description: Retrieves a collection of discovered vulnerabilities related to a given device ID.
+keywords: apis, graph api, supported apis, get, list, file, information, discovered vulnerabilities, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: levinec
+ms.author: ellevin
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get discovered vulnerabilities
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Retrieves a collection of discovered vulnerabilities related to a given device ID.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+
+```
+GET /api/machines/{machineId}/vulnerabilities
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+## Request body
+
+Empty
+
+## Response
+
+If successful, this method returns 200 OK with the discovered vulnerability information in the body.
+
+## Example
+
+### Request
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities
+```
+
+### Response
+
+Here is an example of the response.
+
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
+ "value": [
+ {
+ "id": "CVE-2019-1348",
+ "name": "CVE-2019-1348",
+ "description": "Git could allow a remote attacker to bypass security restrictions, caused by a flaw in the --export-marks option of git fast-import. By persuading a victim to import specially-crafted content, an attacker could exploit this vulnerability to overwrite arbitrary paths.",
+ "severity": "Medium",
+ "cvssV3": 4.3,
+ "exposedMachines": 1,
+ "publishedOn": "2019-12-13T00:00:00Z",
+ "updatedOn": "2019-12-13T00:00:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+ }
+}
+```
+
+## Related topics
+
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
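Review bot: The example response JSON in this added file is not valid: the `"value": [` array is opened but never closed, so the body ends with two `}` lines and no `]`. Add the closing `]` before the final `}`, and tag the response fence as `json` so the example is highlighted and can be linted.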
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
index 0aa06444da..d3a4e5bc56 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
@@ -1,6 +1,6 @@
---
title: Get domain related alerts API
-description: Retrieves a collection of alerts related to a given domain address.
+description: Learn how to use the Get domain related alerts API to retrieve alerts related to a given domain address in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, domain, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md
index 6b4dee50f5..da65275c62 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md
@@ -1,6 +1,6 @@
---
title: Get domain related machines API
-description: Retrieves a collection of devices related to a given domain address.
+description: Learn how to use the Get domain related machines API to get machines that communicated to or from a domain in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, domain, related, devices
search.product: eADQiWindows 10XVcnh
ms.prod: w10
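Review bot: The new description switches terminology from "devices" to "machines" ("get machines that communicated to or from a domain"), while the removed line and the unchanged keywords line both say "devices". Keep "devices" in the description so it matches the rest of the front matter.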
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
index 4cab7c52be..2da9aa6675 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
@@ -1,6 +1,6 @@
---
title: Get domain statistics API
-description: Retrieves the prevalence for the given domain.
+description: Learn how to use the Get domain statistics API to retrieve the statistics on the given domain in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, domain, domain related devices
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
index 794272d101..c31cd33d28 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
@@ -1,88 +1,87 @@
----
-title: Get exposure score
-description: Retrieves the organizational exposure score.
-keywords: apis, graph api, supported apis, get, exposure score, organizational exposure score
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get exposure score
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves the organizational exposure score.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
-Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
-
-
-## HTTP request
-```
-GET /api/exposureScore
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK, with the exposure data in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/exposureScore
-```
-
-**Response**
-
-Here is an example of the response.
-
->[!NOTE]
->The response list shown here may be truncated for brevity.
-
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore/$entity",
- "time": "2019-12-03T07:23:53.280499Z",
- "score": 33.491554051195706
-}
-
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)
-
-
+---
+title: Get exposure score
+description: Retrieves the organizational exposure score.
+keywords: apis, graph api, supported apis, get, exposure score, organizational exposure score
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: levinec
+ms.author: ellevin
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get exposure score
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves the organizational exposure score.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
+Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
+
+## HTTP request
+
+```
+GET /api/exposureScore
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+## Request body
+
+Empty
+
+## Response
+
+If successful, this method returns 200 OK, with the exposure data in the response body.
+
+## Example
+
+### Request
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/exposureScore
+```
+
+### Response
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response list shown here may be truncated for brevity.
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore/$entity",
+ "time": "2019-12-03T07:23:53.280499Z",
+ "score": 33.491554051195706
+}
+
+```
+
+## Related topics
+
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)
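Review bot: The retained NOTE says "The response list shown here may be truncated for brevity", but the example response is a single entity with `time` and `score`, not a list; drop the note or reword it. The `json` fence also still carries a blank line before its closing fence, and the example's `@odata.context` host (`api-us.securitycenter.windows.com`) differs from the request host (`api.securitycenter.windows.com`), which is worth aligning while the whole file is being rewritten.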
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
index db2c9f018f..12b129b43f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
@@ -1,6 +1,6 @@
---
title: Get file information API
-description: Retrieves a file by identifier Sha1, Sha256, or MD5.
+description: Learn how to use the Get file information API to get a file by Sha1, Sha256, or MD5 identifier in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
index 5ea61a7554..446e50982d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
@@ -1,6 +1,6 @@
---
title: Get file related alerts API
-description: Retrieves a collection of alerts related to a given file hash.
+description: Learn how to use the Get file related alerts API to get a collection of alerts related to a given file hash in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, file, hash
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
index 480f952df9..029c7fc1d5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
@@ -1,6 +1,6 @@
---
title: Get file related machines API
-description: Retrieves a collection of devices related to a given file hash.
+description: Learn how to use the Get file related machines API to get a collection of machines related to a file hash in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, devices, hash
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
index b6abc23c5f..6f35b59012 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
@@ -1,6 +1,6 @@
---
title: Get file statistics API
-description: Retrieves the prevalence for the given file.
+description: Learn how to use the Get file statistics API to retrieve the statistics for the given file in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, file, statistics
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
index 2521e0a16b..4ae4475d50 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
@@ -1,89 +1,89 @@
----
-title: Get installed software
-description: Retrieves a collection of installed software related to a given device ID.
-keywords: apis, graph api, supported apis, get, list, file, information, software inventory, installed software per device, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get installed software
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a collection of installed software related to a given device ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/machines/{machineId}/software
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the installed software information in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-{
-"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software",
-"value": [
- {
-"id": "microsoft-_-internet_explorer",
-"name": "internet_explorer",
-"vendor": "microsoft",
-"weaknesses": 67,
-"publicExploit": true,
-"activeAlert": false,
-"exposedMachines": 42115,
-"impactScore": 46.2037163
- }
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
+---
+title: Get installed software
+description: Retrieves a collection of installed software related to a given device ID.
+keywords: apis, graph api, supported apis, get, list, file, information, software inventory, installed software per device, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get installed software
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a collection of installed software related to a given device ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/machines/{machineId}/software
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the installed software information in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+{
+"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software",
+"value": [
+ {
+"id": "microsoft-_-internet_explorer",
+"name": "internet_explorer",
+"vendor": "microsoft",
+"weaknesses": 67,
+"publicExploit": true,
+"activeAlert": false,
+"exposedMachines": 42115,
+"impactScore": 46.2037163
+ }
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
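Review bot: This full-file rewrite changes no visible text, so it skips the cleanup that get-exposure-score.md gets in the same patch: the example still uses bold `**Request**` / `**Response**` labels instead of `### Request` / `### Response`, `## Permissions` and `## HTTP request` have no blank line after them, and the response fence is untagged with its JSON keys flush left. Either apply the same formatting here or state in the commit message that this is a line-ending-only change.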
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
index 91b44caf50..832b6cd185 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
@@ -1,6 +1,6 @@
---
title: Get machine by ID API
-description: Retrieves a device entity by ID.
+description: Learn how to use the Get machine by ID API to retrieve a machine by its device ID or computer name in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, devices, entity, id
search.product: eADQiWindows 10XVcnh
ms.prod: w10
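Review bot: The new description says the API retrieves a machine "by its device ID or computer name", but the title is "Get machine by ID API" and the removed description mentioned only the ID. Confirm that lookup by computer name is supported before publishing this, or drop "or computer name".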
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
index 10f886e0d1..05b0cbef9d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
@@ -7,8 +7,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+author: levinec
+ms.author: ellevin
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -27,6 +27,7 @@ ms.topic: article
Retrieves a collection of alerts related to a given domain address.
## Permissions
+
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
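Review bot: The context line at the top of this hunk, "Retrieves a collection of alerts related to a given domain address.", does not describe this page, which documents `GET /api/exposureScore/ByMachineGroups`; it reads like a leftover from a domain-alerts article. Since the patch is already editing this section, replace it with a sentence about the exposure score per device group.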
@@ -35,6 +36,7 @@ Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
## HTTP request
+
```
GET /api/exposureScore/ByMachineGroups
```
@@ -46,15 +48,16 @@ GET /api/exposureScore/ByMachineGroups
| Authorization | String | Bearer {token}.**Required**.
## Request body
+
Empty
## Response
-If successful, this method returns 200 OK, with a list of exposure score per device group data in the response body.
+If successful, this method returns 200 OK, with a list of exposure score per device group data in the response body.
## Example
-**Request**
+### Request
Here is an example of the request.
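Review bot: The removed and added "If successful, this method returns 200 OK, ..." lines read identically, so this is presumably a trailing-whitespace fix; while touching the line, reword "a list of exposure score per device group data" to something like "a list of exposure scores per device group". The context line `Bearer {token}.**Required**.` is also missing the space after the period.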
@@ -62,7 +65,7 @@ Here is an example of the request.
GET https://api.securitycenter.windows.com/api/exposureScore/ByMachineGroups
```
-**Response**
+### Response
Here is an example of the response.
@@ -87,5 +90,6 @@ Here is an example of the response.
```
## Related topics
+
- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
index fc56069b04..9856c6c603 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
@@ -1,6 +1,6 @@
---
title: Get machine log on users API
-description: Retrieve a collection of logged on users on a specific device using Microsoft Defender ATP APIs.
+description: Learn how to use the Get machine log on users API to retrieve a collection of logged on users on a device in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, device, log on, users
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
index e8fb105671..2aa5a05832 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
@@ -1,6 +1,6 @@
---
title: Get machine related alerts API
-description: Retrieves a collection of alerts related to a given device ID.
+description: Learn how to use the Get machine related alerts API to retrieve all alerts related to a specific device in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, devices, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
index dbcaf5b6fb..abd2981676 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
@@ -1,6 +1,6 @@
---
title: Get MachineAction object API
-description: Use this API to create calls related to get machineaction object
+description: Learn how to use the Get MachineAction API to retrieve a specific Machine Action by its ID in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, machineaction object
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
index 08f5fff7d0..c8a2ee671c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
@@ -1,6 +1,6 @@
---
title: List machineActions API
-description: Use the Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) API to create calls related to get machineactions collection.
+description: Learn how to use the List MachineActions API to retrieve a collection of Machine Actions in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, machineaction collection
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md
index 8dca334083..b3de168061 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md
@@ -1,6 +1,6 @@
---
title: Get RBAC machine groups collection API
-description: Retrieves a collection of RBAC device groups.
+description: Learn how to use the Get KB collection API to retrieve a collection of RBAC device groups in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, RBAC, group
search.product: eADQiWindows 10XVcnh
search.appverid: met150
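Review bot: The new description names the wrong API: it says "Get KB collection API", but the title is "Get RBAC machine groups collection API" and the sentence goes on to describe RBAC device groups. Change it to the API name used in the title.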
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
index ebf471edee..e066fab80a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
@@ -1,93 +1,93 @@
----
-title: List devices by software
-description: Retrieve a list of devices that has this software installed.
-keywords: apis, graph api, supported apis, get, list devices, devices list, list devices by software, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List devices by software
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieve a list of device references that has this software installed.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software/{Id}/machineReferences
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK and a list of devices with the software installed in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/machineReferences
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#MachineReferences",
- "value": [
- {
- "id": "7c7e1896fa39efb0a32a2cf421d837af1b9bf762",
- "computerDnsName": "dave_desktop",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- },
- {
- "id": "7d5cc2e7c305e4a0a290392abf6707f9888fda0d",
- "computerDnsName": "jane_PC",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
+---
+title: List devices by software
+description: Retrieve a list of devices that has this software installed.
+keywords: apis, graph api, supported apis, get, list devices, devices list, list devices by software, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List devices by software
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieve a list of device references that has this software installed.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software/{Id}/machineReferences
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK and a list of devices with the software installed in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/machineReferences
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#MachineReferences",
+ "value": [
+ {
+ "id": "7c7e1896fa39efb0a32a2cf421d837af1b9bf762",
+ "computerDnsName": "dave_desktop",
+ "osPlatform": "Windows10",
+ "rbacGroupName": "GroupTwo"
+ },
+ {
+ "id": "7d5cc2e7c305e4a0a290392abf6707f9888fda0d",
+ "computerDnsName": "jane_PC",
+ "osPlatform": "Windows10",
+ "rbacGroupName": "GroupTwo"
+ }
+ ...
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
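Review bot: Existing defects are carried over unchanged by this full-file rewrite: "a list of devices that has this software installed" (front-matter description and intro sentence) should read "that have", the request-headers row `Bearer {token}.**Required**.` lacks a space and its header row lacks the trailing pipe, and the `json` example contains a bare `...` line, which makes it invalid JSON. Fix these in the same change, or note in the commit message that the rewrite is whitespace-only.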
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
index fddc82d5dd..71597be89f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
@@ -1,92 +1,92 @@
----
-title: List devices by vulnerability
-description: Retrieves a list of devices affected by a vulnerability.
-keywords: apis, graph api, supported apis, get, devices list, vulnerable devices, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List devices by vulnerability
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of devices affected by a vulnerability.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/vulnerabilities/{cveId}/machineReferences
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the vulnerability information in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/vulnerabilities/CVE-2019-0608/machineReferences
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
- "value": [
- {
- "id": "235a2e6278c63fcf85bab9c370396972c58843de",
- "computerDnsName": "h1mkn_PC",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- },
- {
- "id": "afb3f807d1a185ac66668f493af028385bfca184",
- "computerDnsName": "chat_Desk ",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- }
- ...
- ]
- }
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
+---
+title: List devices by vulnerability
+description: Retrieves a list of devices affected by a vulnerability.
+keywords: apis, graph api, supported apis, get, devices list, vulnerable devices, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List devices by vulnerability
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of devices affected by a vulnerability.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/vulnerabilities/{cveId}/machineReferences
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the vulnerability information in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/vulnerabilities/CVE-2019-0608/machineReferences
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
+ "value": [
+ {
+ "id": "235a2e6278c63fcf85bab9c370396972c58843de",
+ "computerDnsName": "h1mkn_PC",
+ "osPlatform": "Windows10",
+ "rbacGroupName": "GroupTwo"
+ },
+ {
+ "id": "afb3f807d1a185ac66668f493af028385bfca184",
+ "computerDnsName": "chat_Desk ",
+ "osPlatform": "Windows10",
+ "rbacGroupName": "GroupTwo"
+ }
+ ...
+ ]
+ }
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
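Review bot: The removed and added sides of this hunk read identically across all 92 lines, so the change looks like whitespace or line-ending normalization. Say so in the commit message or move it to its own commit, so the content edits elsewhere in this change stay reviewable. Since every line is rewritten anyway, correct the Response sentence, which says the call returns "the vulnerability information" although the page title and the example describe a list of devices, and remove the trailing space in `"chat_Desk "`.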
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
index 93303b75fa..5c24fe2ff9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
@@ -1,6 +1,6 @@
---
title: List machines API
-description: Retrieves a collection of recently seen devices.
+description: Learn how to use the List machines API to retrieve a collection of machines that have communicated with Microsoft Defender ATP cloud.
keywords: apis, graph api, supported apis, get, devices
search.product: eADQiWindows 10XVcnh
ms.prod: w10
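Review bot: The new description uses "machines" twice where the line it replaces said "devices", and the keywords line and the other pages in this change also use "devices". Keep "machines" only as the API name, for example "Learn how to use the List machines API to retrieve a collection of devices that have communicated with the Microsoft Defender ATP cloud." That wording also adds the missing "the" before "Microsoft Defender ATP cloud".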
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
index 5fed8ccf11..9c22b88199 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
@@ -1,6 +1,6 @@
---
title: Get machines security states collection API
-description: Retrieve a collection of device security states using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP.
+description: Retrieve a collection of device security states using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get, device, security, state
search.product: eADQiWindows 10XVcnh
search.appverid: met150
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
index 3b41ca66ef..1fa1040fdc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
@@ -1,6 +1,6 @@
---
title: Get missing KBs by device ID
-description: Retrieves missing KBs by device Id
+description: Retrieves missing security updates by device ID
keywords: apis, graph api, supported apis, get, list, file, information, device id, threat & vulnerability management api, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -22,7 +22,7 @@ ms.topic: article
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-Retrieves missing KBs by device Id
+Retrieves missing KBs (security updates) by device ID
## HTTP request
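Review bot: The body line now reads "KBs (security updates)" while the description changed in the previous hunk of this file drops "KBs" and says only "security updates". Use one wording in both places, and end the sentence with a period.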
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
index e91d137857..a14e6588c5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
@@ -1,6 +1,6 @@
---
title: Get missing KBs by software ID
-description: Retrieves missing KBs by software ID
+description: Retrieves missing security updates by software ID
keywords: apis, graph api, supported apis, get, list, file, information, software id, threat & vulnerability management api, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
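Review bot: The description now says "security updates" but the title on the line above it still reads "Get missing KBs by software ID", so the search-result title and summary use different terms for the same thing. Either keep the abbreviation in the description, for example "Retrieves missing KBs (security updates) by software ID.", or change the title in the same commit.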
@@ -22,7 +22,7 @@ ms.topic: article
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-Retrieves missing KBs by software ID
+Retrieves missing KBs (security updates) by software ID
## Permissions
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
index 9254f80562..5b5ce91ff1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
@@ -1,96 +1,96 @@
----
-title: Get recommendation by Id
-description: Retrieves a security recommendation by its ID.
-keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get recommendation by ID
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a security recommendation by its ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations/{id}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the security recommendations in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations/$entity",
- "id": "va-_-google-_-chrome",
- "productName": "chrome",
- "recommendationName": "Update Chrome",
- "weaknesses": 38,
- "vendor": "google",
- "recommendedVersion": "",
- "recommendationCategory": "Application",
- "subCategory": "",
- "severityScore": 0,
- "publicExploit": false,
- "activeAlert": false,
- "associatedThreats": [],
- "remediationType": "Update",
- "status": "Active",
- "configScoreImpact": 0,
- "exposureImpact": 3.9441860465116285,
- "totalMachineCount": 6,
- "exposedMachinesCount": 5,
- "nonProductivityImpactedAssets": 0,
- "relatedComponent": "Chrome"
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
+---
+title: Get recommendation by Id
+description: Retrieves a security recommendation by its ID.
+keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get recommendation by ID
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a security recommendation by its ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the security recommendations in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations/$entity",
+ "id": "va-_-google-_-chrome",
+ "productName": "chrome",
+ "recommendationName": "Update Chrome",
+ "weaknesses": 38,
+ "vendor": "google",
+ "recommendedVersion": "",
+ "recommendationCategory": "Application",
+ "subCategory": "",
+ "severityScore": 0,
+ "publicExploit": false,
+ "activeAlert": false,
+ "associatedThreats": [],
+ "remediationType": "Update",
+ "status": "Active",
+ "configScoreImpact": 0,
+ "exposureImpact": 3.9441860465116285,
+ "totalMachineCount": 6,
+ "exposedMachinesCount": 5,
+ "nonProductivityImpactedAssets": 0,
+ "relatedComponent": "Chrome"
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
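Review bot: The front-matter title is "Get recommendation by Id" while the H1 a few lines below is "Get recommendation by ID". This hunk rewrites the whole file with no visible text change, so it is the place to align the title with the "ID" casing used in the heading and in the missing-KBs pages of this change. The Response sentence also says "the security recommendations" in the plural, although the endpoint and the example return a single recommendation entity.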
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
index 9c2965fd9c..fd557b7129 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
@@ -1,85 +1,85 @@
----
-title: List devices by recommendation
-description: Retrieves a list of devices associated with the security recommendation.
-keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List devices by recommendation
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of devices associated with the security recommendation.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations/{id}/machineReferences
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the list of devices associated with the security recommendation.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/machineReferences
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
- "value": [
- {
- "id": "e058770379bc199a9c179ce52a23e16fd44fd2ee",
- "computerDnsName": "niw_pc",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
+---
+title: List devices by recommendation
+description: Retrieves a list of devices associated with the security recommendation.
+keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List devices by recommendation
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of devices associated with the security recommendation.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations/{id}/machineReferences
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the list of devices associated with the security recommendation.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/machineReferences
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
+ "value": [
+ {
+ "id": "e058770379bc199a9c179ce52a23e16fd44fd2ee",
+ "computerDnsName": "niw_pc",
+ "osPlatform": "Windows10",
+ "rbacGroupName": "GroupTwo"
+ }
+ ...
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
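Review bot: The response example sits in a json fence but contains a bare `...` after the only array element, so it does not parse as JSON and fails for anyone who pastes it into a parser or a test fixture. Remove the `...` and note in the sentence above the block that the list is truncated, or change the fence so it does not claim to be JSON. The same pattern appears in the other list examples in this change.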
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
index d4e5a895ef..c4654ccd11 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
@@ -1,84 +1,84 @@
----
-title: Get recommendation by software
-description: Retrieves a security recommendation related to a specific software.
-keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get recommendation by software
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a security recommendation related to a specific software.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations/{id}/software
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the software associated with the security recommendations in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/software
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto",
- "id": "google-_-chrome",
- "name": "chrome",
- "vendor": "google",
- "weaknesses": 38,
- "publicExploit": false,
- "activeAlert": false,
- "exposedMachines": 5,
- "impactScore": 3.94418621
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
+---
+title: Get recommendation by software
+description: Retrieves a security recommendation related to a specific software.
+keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get recommendation by software
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a security recommendation related to a specific software.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations/{id}/software
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the software associated with the security recommendations in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/software
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto",
+ "id": "google-_-chrome",
+ "name": "chrome",
+ "vendor": "google",
+ "weaknesses": 38,
+ "publicExploit": false,
+ "activeAlert": false,
+ "exposedMachines": 5,
+ "impactScore": 3.94418621
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
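Review bot: "Retrieves a security recommendation related to a specific software." appears in both the description and the body and reads awkwardly because "software" is not countable; "a specific software product" would match the `PublicProductDto` type shown in the example. The Response sentence says "the security recommendations" in the plural although the request takes a single recommendation `{id}`.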
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
index e7e5725b8a..a7218907c7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
@@ -1,94 +1,94 @@
----
-title: List vulnerabilities by recommendation
-description: Retrieves a list of vulnerabilities associated with the security recommendation.
-keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List vulnerabilities by recommendation
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of vulnerabilities associated with the security recommendation.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations/{id}/vulnerabilities
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK, with the list of vulnerabilities associated with the security recommendation.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/vulnerabilities
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
- "value": [
- {
- "id": "CVE-2019-13748",
- "name": "CVE-2019-13748",
- "description": "Insufficient policy enforcement in developer tools in Google Chrome prior to 79.0.3945.79 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted HTML page.",
- "severity": "Medium",
- "cvssV3": 6.5,
- "exposedMachines": 0,
- "publishedOn": "2019-12-10T00:00:00Z",
- "updatedOn": "2019-12-16T12:15:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
+---
+title: List vulnerabilities by recommendation
+description: Retrieves a list of vulnerabilities associated with the security recommendation.
+keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List vulnerabilities by recommendation
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of vulnerabilities associated with the security recommendation.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations/{id}/vulnerabilities
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, with the list of vulnerabilities associated with the security recommendation.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/vulnerabilities
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
+ "value": [
+ {
+ "id": "CVE-2019-13748",
+ "name": "CVE-2019-13748",
+ "description": "Insufficient policy enforcement in developer tools in Google Chrome prior to 79.0.3945.79 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted HTML page.",
+ "severity": "Medium",
+ "cvssV3": 6.5,
+ "exposedMachines": 0,
+ "publishedOn": "2019-12-10T00:00:00Z",
+ "updatedOn": "2019-12-16T12:15:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+ }
+ ...
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
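Review bot: The sample response inside the `json` fence contains a bare `...` line after the first array element, so the block is not valid JSON and fails if a reader pastes it into a parser. Move the elision into the surrounding prose or state there that the list is truncated. The removed lines visible at the top of this hunk are textually identical to the added ones, which points to a line-ending or whitespace-only rewrite; if that is the intent, say so in the commit message. In the Permissions paragraph, "To learn more, ... see [Use Microsoft Defender ATP APIs](apis-intro.md) for details" is redundant; drop "for details".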
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
index 67e29e0532..e071070fba 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
@@ -1,101 +1,101 @@
----
-title: Get security recommendations
-description: Retrieves a collection of security recommendations related to a given device ID.
-keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per device, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get security recommendations
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a collection of security recommendations related to a given device ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/machines/{machineId}/recommendations
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the security recommendations in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
- "value": [
- {
- "id": "va-_-git-scm-_-git",
- "productName": "git",
- "recommendationName": "Update Git to version 2.24.1.2",
- "weaknesses": 3,
- "vendor": "git-scm",
- "recommendedVersion": "2.24.1.2",
- "recommendationCategory": "Application",
- "subCategory": "",
- "severityScore": 0,
- "publicExploit": false,
- "activeAlert": false,
- "associatedThreats": [],
- "remediationType": "Update",
- "status": "Active",
- "configScoreImpact": 0,
- "exposureImpact": 0,
- "totalMachineCount": 0,
- "exposedMachinesCount": 1,
- "nonProductivityImpactedAssets": 0,
- "relatedComponent": "Git"
- },
-…
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
+---
+title: Get security recommendations
+description: Retrieves a collection of security recommendations related to a given device ID.
+keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per device, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get security recommendations
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a collection of security recommendations related to a given device ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/machines/{machineId}/recommendations
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the security recommendations in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
+ "value": [
+ {
+ "id": "va-_-git-scm-_-git",
+ "productName": "git",
+ "recommendationName": "Update Git to version 2.24.1.2",
+ "weaknesses": 3,
+ "vendor": "git-scm",
+ "recommendedVersion": "2.24.1.2",
+ "recommendationCategory": "Application",
+ "subCategory": "",
+ "severityScore": 0,
+ "publicExploit": false,
+ "activeAlert": false,
+ "associatedThreats": [],
+ "remediationType": "Update",
+ "status": "Active",
+ "configScoreImpact": 0,
+ "exposureImpact": 0,
+ "totalMachineCount": 0,
+ "exposedMachinesCount": 1,
+ "nonProductivityImpactedAssets": 0,
+ "relatedComponent": "Git"
+ },
+…
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
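Review bot: The sample response is malformed: the `"value": [` array is never closed, because the `…` line is followed directly by `}` with no `]`. Add the closing bracket and tag the fence as `json`, as the other API pages in this patch do. The removed and added sides of this hunk read identically, so the change appears to touch only whitespace or line endings; since the file is rewritten anyway, also add the missing period at the end of the Permissions sentence ("see [Use Microsoft Defender ATP APIs](apis-intro.md)").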
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
index 2276c784bf..a596b5e16e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
@@ -1,86 +1,86 @@
----
-title: Get software by Id
-description: Retrieves a list of exposure scores by device group.
-keywords: apis, graph api, supported apis, get, software, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get software by Id
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves software details by ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software/{Id}
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the specified software data in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software/$entity",
- "id": "microsoft-_-edge",
- "name": "edge",
- "vendor": "microsoft",
- "weaknesses": 467,
- "publicExploit": true,
- "activeAlert": false,
- "exposedMachines": 172,
- "impactScore": 2.39947438
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
+---
+title: Get software by Id
+description: Retrieves a list of exposure scores by device group.
+keywords: apis, graph api, supported apis, get, software, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get software by Id
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves software details by ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software/{Id}
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the specified software data in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software/$entity",
+ "id": "microsoft-_-edge",
+ "name": "edge",
+ "vendor": "microsoft",
+ "weaknesses": 467,
+ "publicExploit": true,
+ "activeAlert": false,
+ "exposedMachines": 172,
+ "impactScore": 2.39947438
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
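Review bot: The front-matter `description: Retrieves a list of exposure scores by device group.` does not describe this page; the body says "Retrieves software details by ID." This looks like a copy-paste from another article and is what search results will show, so it should be corrected while the file is being rewritten. In the Request headers table, `Bearer {token}.**Required**.` is missing the space before `**Required**`, and the header row lacks the trailing `|` that the separator row has.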
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
index 159f48e08e..8263dd34d3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
@@ -1,91 +1,91 @@
----
-title: List software version distribution
-description: Retrieves a list of your organization's software version distribution
-keywords: apis, graph api, supported apis, get, software version distribution, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List software version distribution
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of your organization's software version distribution.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software/{Id}/distributions
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with a list of software distributions data in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/distributions
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Distributions",
- "value": [
- {
- "version": "11.0.17134.1039",
- "installations": 1,
- "vulnerabilities": 11
- },
- {
- "version": "11.0.18363.535",
- "installations": 750,
- "vulnerabilities": 0
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
+---
+title: List software version distribution
+description: Retrieves a list of your organization's software version distribution
+keywords: apis, graph api, supported apis, get, software version distribution, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List software version distribution
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of your organization's software version distribution.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software/{Id}/distributions
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with a list of software distributions data in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/distributions
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Distributions",
+ "value": [
+ {
+ "version": "11.0.17134.1039",
+ "installations": 1,
+ "vulnerabilities": 11
+ },
+ {
+ "version": "11.0.18363.535",
+ "installations": 750,
+ "vulnerabilities": 0
+ }
+ ...
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
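Review bot: The example is inconsistent about the host: the request goes to `api.securitycenter.windows.com` but the response's `@odata.context` shows `api-us.securitycenter.windows.com`. Use one host in both, or add a sentence explaining why the context URL differs, so readers do not copy the wrong base URL into an allow-list or client config. The `json` fence also contains a bare `...` line, which makes the sample invalid JSON, and the front-matter `description` lacks the closing period that the body sentence has.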
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md
index 883c240d11..5e97985a54 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software.md
@@ -1,90 +1,90 @@
----
-title: List software
-description: Retrieves a list of software inventory
-keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List software inventory API
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-Retrieves the organization software inventory.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the software inventory in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Software
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Software",
- "value": [
- {
- "id": "microsoft-_-edge",
- "name": "edge",
- "vendor": "microsoft",
- "weaknesses": 467,
- "publicExploit": true,
- "activeAlert": false,
- "exposedMachines": 172,
- "impactScore": 2.39947438
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
+---
+title: List software
+description: Retrieves a list of software inventory
+keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List software inventory API
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Retrieves the organization software inventory.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the software inventory in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Software",
+ "value": [
+ {
+ "id": "microsoft-_-edge",
+ "name": "edge",
+ "vendor": "microsoft",
+ "weaknesses": 467,
+ "publicExploit": true,
+ "activeAlert": false,
+ "exposedMachines": 172,
+ "impactScore": 2.39947438
+ }
+ ...
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
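Review bot: The front-matter `title: List software` does not match the H1 `# List software inventory API`; pick one so the search title and the page heading agree. The "Applies to" block is laid out differently from the other API pages in this patch (product link inline, with the free-trial link as the only bullet), and the `[!include[Prerelease information]...]` line the sibling pages carry is absent; confirm both are intentional. In the Permissions table, `Application |Software.Read.All` is missing the space after the pipe.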
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
index 7ac3ed480b..88927d6912 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
@@ -1,6 +1,6 @@
---
title: List Indicators API
-description: Use this API to create calls related to get Indicators collection
+description: Learn how to use the List Indicators API to retrieve a collection of all active Indicators in Microsoft Defender Advanced Threat Protection.
keywords: apis, public api, supported apis, Indicators collection
search.product: eADQiWindows 10XVcnh
ms.prod: w10
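Review bot: The new description adds the claim "all active Indicators", which the old description did not make. Confirm that the article body and the API behaviour actually restrict the result to active indicators; if not, drop "all active" so the search snippet does not over-promise.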
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
index 026cdb7ca3..a5efe702fe 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
@@ -1,6 +1,6 @@
---
title: Get user information API
-description: Retrieve a User entity by key such as user name or domain.
+description: Learn how to use the Get user information API to retrieve a User entity by key, or user name, in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, user, user information
search.product: eADQiWindows 10XVcnh
ms.prod: w10
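Review bot: The rewritten description changes the meaning of the old one. "by key such as user name or domain" gave user name and domain as examples of a key, whereas "by key, or user name" reads as two separate lookup modes and silently drops "domain". Suggest wording such as "retrieve a User entity by key, such as user name or domain, in Microsoft Defender Advanced Threat Protection."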
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
index e55f0b9188..7116b8080d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
@@ -1,6 +1,6 @@
---
title: Get user related machines API
-description: Retrieves a collection of devices related to a given user ID.
+description: Learn how to use the Get user related machines API to retrieve a collection of devices related to a user ID in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, user, user related alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
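Review bot: The unchanged `keywords` line below the edited description still says `user related alerts`, but this page is titled "Get user related machines API" and the description talks about devices. Since the metadata is being touched here, update the keyword to match (machines or devices). Note also that the description now says "devices" while the title says "machines"; align the two terms if the rename is intended.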
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
index 42147bc353..056f883007 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
@@ -1,93 +1,93 @@
----
-title: List vulnerabilities by software
-description: Retrieve a list of vulnerabilities in the installed software.
-keywords: apis, graph api, supported apis, get, vulnerabilities list, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List vulnerabilities by software
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieve a list of vulnerabilities in the installed software.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software/{Id}/vulnerabilities
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with a a list of vulnerabilities exposed by the specified software.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/vulnerabilities
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
- "value": [
- {
- "id": "CVE-2017-0140",
- "name": "CVE-2017-0140",
- "description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.",
- "severity": "Medium",
- "cvssV3": 4.2,
- "exposedMachines": 1,
- "publishedOn": "2017-03-14T00:00:00Z",
- "updatedOn": "2019-10-03T00:03:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
- ...
- ]
-}
-```
-
+---
+title: List vulnerabilities by software
+description: Retrieve a list of vulnerabilities in the installed software.
+keywords: apis, graph api, supported apis, get, vulnerabilities list, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List vulnerabilities by software
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieve a list of vulnerabilities in the installed software.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software/{Id}/vulnerabilities
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with a a list of vulnerabilities exposed by the specified software.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/vulnerabilities
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
+ "value": [
+ {
+ "id": "CVE-2017-0140",
+ "name": "CVE-2017-0140",
+ "description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.",
+ "severity": "Medium",
+ "cvssV3": 4.2,
+ "exposedMachines": 1,
+ "publishedOn": "2017-03-14T00:00:00Z",
+ "updatedOn": "2019-10-03T00:03:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+ }
+ ...
+ ]
+}
+```
+
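Review bot: The Response section reads "returns 200 OK with a a list of vulnerabilities", with a doubled "a", and in the Request headers table "Bearer {token}.**Required**." is missing the space before **Required** (the header row of that table also lacks its closing pipe). The removed and added lines visible for this file are textually identical, so if this is a line-ending normalization it should be called out or split into its own commit. The sample response under the json fence also contains a literal "..." line, which makes it invalid JSON for anyone who pastes it into a parser.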
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
index a7ec42d80f..4dd3118f79 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
@@ -1,88 +1,88 @@
----
-title: Get vulnerability by Id
-description: Retrieves vulnerability information by its ID.
-keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get vulnerability by ID
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves vulnerability information by its ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/vulnerabilities/{cveId}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the vulnerability information in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Vulnerabilities/CVE-2019-0608
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities/$entity",
- "id": "CVE-2019-0608",
- "name": "CVE-2019-0608",
- "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
- "severity": "Medium",
- "cvssV3": 4.3,
- "exposedMachines": 4,
- "publishedOn": "2019-10-08T00:00:00Z",
- "updatedOn": "2019-12-16T16:20:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
-}
-```
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
+---
+title: Get vulnerability by Id
+description: Retrieves vulnerability information by its ID.
+keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get vulnerability by ID
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves vulnerability information by its ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/vulnerabilities/{cveId}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the vulnerability information in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Vulnerabilities/CVE-2019-0608
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities/$entity",
+ "id": "CVE-2019-0608",
+ "name": "CVE-2019-0608",
+ "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
+ "severity": "Medium",
+ "cvssV3": 4.3,
+ "exposedMachines": 4,
+ "publishedOn": "2019-10-08T00:00:00Z",
+ "updatedOn": "2019-12-16T16:20:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+}
+```
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
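Review bot: All 88 lines of this file are removed and re-added with no visible textual difference, so the hunk looks like a line-ending or encoding rewrite; say so in the commit message or split it out so that real content changes are not buried in it. While the file is being touched: the front-matter title is "Get vulnerability by Id" but the H1 is "Get vulnerability by ID", and the request template uses /api/vulnerabilities/{cveId} while the example calls /api/Vulnerabilities/CVE-2019-0608. Pick one casing for each.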
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ah-multi-query.png b/windows/security/threat-protection/microsoft-defender-atp/images/ah-multi-query.png
new file mode 100644
index 0000000000..ccf1f87727
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ah-multi-query.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ah-reference.png b/windows/security/threat-protection/microsoft-defender-atp/images/ah-reference.png
new file mode 100644
index 0000000000..1139fe232a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ah-reference.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/edr-in-block-mode-detection.png b/windows/security/threat-protection/microsoft-defender-atp/images/edr-in-block-mode-detection.png
new file mode 100644
index 0000000000..2a5104b582
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/edr-in-block-mode-detection.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/edrblockmode-TVMrecommendation.png b/windows/security/threat-protection/microsoft-defender-atp/images/edrblockmode-TVMrecommendation.png
new file mode 100644
index 0000000000..42273cd0d4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/edrblockmode-TVMrecommendation.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-approval.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-approval.png
new file mode 100644
index 0000000000..e82a6f0dce
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-approval.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-fda.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-fda.png
new file mode 100644
index 0000000000..fe52985647
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-fda.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-filter.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-filter.png
new file mode 100644
index 0000000000..d2f1c35a83
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-filter.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-pref.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-pref.png
new file mode 100644
index 0000000000..1b8a3df4ca
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-pref.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report.png
new file mode 100644
index 0000000000..8106b9e665
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta-mitigations.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta-mitigations.png
new file mode 100644
index 0000000000..4aea3eea5a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ta-mitigations.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta-overview.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta-overview.png
new file mode 100644
index 0000000000..e246a0d3da
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ta-overview.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta.png
deleted file mode 100644
index 42a386d71f..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/ta.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/threat-analytics-report.png b/windows/security/threat-protection/microsoft-defender-atp/images/threat-analytics-report.png
deleted file mode 100644
index 374a1e58b2..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/threat-analytics-report.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
index d6cbe89a02..322278414a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
@@ -1,7 +1,7 @@
---
title: Import, export, and deploy exploit protection configurations
-keywords: Exploit protection, mitigations, import, export, configure, emet, convert, conversion, deploy, install
-description: Use Group Policy to deploy mitigations configuration. You can also convert an existing EMET configuration and import it as an Exploit protection configuration.
+description: Use Group Policy to deploy mitigations configuration.
+keywords: Exploit protection, mitigations, import, export, configure, convert, conversion, deploy, install
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
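Review bot: The new description, "Use Group Policy to deploy mitigations configuration.", no longer mentions import or export, although the title is still "Import, export, and deploy exploit protection configurations"; reword it so it covers all three. The keywords line drops "emet" but keeps "convert, conversion", which match nothing once the conversion section is removed later in this patch.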
@@ -11,7 +11,6 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 04/30/2018
ms.reviewer:
manager: dansimp
---
@@ -22,35 +21,27 @@ manager: dansimp
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](microsoft-defender-advanced-threat-protection.md)
-Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
+Exploit protection helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
-Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/help/2458544/) are now included in exploit protection.
+You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple devices on your network. Then, they all have the same set of mitigation settings.
-You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple devices on your network so they all have the same set of mitigation settings.
-
-You can also convert and import an existing EMET configuration XML file into an exploit protection configuration XML.
-
-This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration.
-
-The [Evaluation Package](https://demo.wd.microsoft.com/Page/EP) contains a sample configuration file (name *ProcessMitigation.xml* (Selfhost v4) that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic.
+The [Evaluation Package](https://demo.wd.microsoft.com/Page/EP) contains a sample configuration file (name *ProcessMitigation.xml* (Selfhost v4) you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an [Enhanced Mitigation Experience Toolkit (no longer supported)](https://support.microsoft.com/en-us/help/2458544/the-enhanced-mitigation-experience-toolkit) configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and review the settings in the Windows Security app.
## Create and export a configuration file
-Before you export a configuration file, you need to ensure you have the correct settings.
+Before you export a configuration file, you need to ensure you have the correct settings. First, configure exploit protection on a single, dedicated device. See [Customize exploit protection](customize-exploit-protection.md) for more information about configuring mitigations.
-You should first configure exploit protection on a single, dedicated device. See [Customize exploit protection](customize-exploit-protection.md) for descriptions about and instructions for configuring mitigations.
-
-When you have configured exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Security app or PowerShell.
+When you've configured exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Security app or PowerShell.
### Use the Windows Security app to export a configuration file
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security app by selecting the shield icon in the task bar. Or, search the start menu for **Defender**.
-2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**:
+2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection settings**:

-3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved.
+3. At the bottom of the **Exploit protection** section, select **Export settings**. Choose the location and name of the XML file where you want the configuration to be saved.
> [!IMPORTANT]
> If you want to use Default configuration, use the settings "On by default" instead of "Use Default (On)" to get the settings exported correctly on the XML file.
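Review bot: The rewritten Evaluation Package sentence still has an unbalanced parenthesis, "(name *ProcessMitigation.xml* (Selfhost v4) you can use", and dropping "that" made it harder to parse; suggest "(named *ProcessMitigation.xml*, Selfhost v4) that you can use". In the first added line, "malware that use exploits" should be "malware that uses exploits". The new EMET link hard-codes the en-us locale, which the removed link did not.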
@@ -62,7 +53,7 @@ When you have configured exploit protection to your desired state (including bot
### Use PowerShell to export a configuration file
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**.
2. Enter the following cmdlet:
```PowerShell
@@ -86,7 +77,7 @@ After importing, the settings will be instantly applied and can be reviewed in t
### Use PowerShell to import a configuration file
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**.
2. Enter the following cmdlet:
```PowerShell
@@ -101,37 +92,7 @@ After importing, the settings will be instantly applied and can be reviewed in t
> [!IMPORTANT]
>
-> Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first.
-
-## Convert an EMET configuration file to an exploit protection configuration file
-
-You can convert an existing EMET configuration file to the new format used by exploit protection. You must do this if you want to import an EMET configuration into exploit protection in Windows 10.
-
-You can only do this conversion in PowerShell.
-
-> [!WARNING]
->
-> You cannot directly convert the default EMET configuration files that are distributed with EMET. These files are intended to help set up EMET for a first-time user. Attempting to directly convert these files into an Exploit protection configuration file will not work.
->
-> However, if you want to apply the same settings as in the default EMET configuration files, you must first import the default configuration file into EMET, then export the settings to a new file.
->
-> You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection.
-
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
-2. Enter the following cmdlet:
-
- ```PowerShell
- ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml
- ```
-
- Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use.
-
-> [!IMPORTANT]
->
-> If you have enabled Mandatory ASLR for any apps in EMET, export the EMET settings to an XML file, and then convert the XML file into an Exploit protection configuration file, you will need to manually edit the converted XML file to ensure the Mandatory ASLR mitigation setting is correctly configured:
->
-> 1. Open the PowerShell-converted XML file in a text editor.
-> 2. Search for `ASLR ForceRelocateImages="false"` and change it to `ASLR ForceRelocateImages="true"` for each app that you want Mandatory ASLR to be enabled.
+> Ensure you import a configuration file that is created specifically for exploit protection.
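Review bot: Removing the "Convert an EMET configuration file" section also removes the only statement that an EMET configuration file cannot be imported directly, and the shortened note, "Ensure you import a configuration file that is created specifically for exploit protection.", does not say what to do with an EMET file. An earlier hunk still tells readers the sample file contains settings converted from EMET, so add one sentence here stating whether conversion is still possible. The Mandatory ASLR caveat about ForceRelocateImages="false" in converted files is dropped as well; readers who already converted a file would still need it, so consider keeping it or moving it to a troubleshooting note.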
## Manage or deploy a configuration
@@ -142,29 +103,28 @@ You can use Group Policy to deploy the configuration you've created to multiple
### Use Group Policy to distribute the configuration
-1. On your Group Policy management device, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management device, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**.

-4. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**.
+4. Double-click **Use a common set of Exploit protection settings** and set the option to **Enabled**.
-5. In the **Options::** section, enter the location and file name of the Exploit protection configuration file that you want to use, such as in the following examples:
+5. In the **Options:** section, enter the location and file name of the Exploit protection configuration file that you want to use, such as in the following examples:
* C:\MitigationSettings\Config.XML
* \\\Server\Share\Config.xml
* https://localhost:8080/Config.xml
* C:\ExploitConfigfile.xml
-6. Click **OK** and [Deploy the updated GPO as you normally do](https://docs.microsoft.com/windows/win32/srvnodes/group-policy).
+6. Select **OK** and [Deploy the updated GPO as you normally do](https://docs.microsoft.com/windows/win32/srvnodes/group-policy).
## Related topics
* [Protect devices from exploits](exploit-protection.md)
-* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
* [Evaluate exploit protection](evaluate-exploit-protection.md)
* [Enable exploit protection](enable-exploit-protection.md)
* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
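Review bot: Step 1 lost its verb: "right-click the Group Policy Object you want to configure and **Edit**." should read "and select **Edit**", matching the "select" wording used in the other rewritten steps. Since step 5 points multiple devices at a shared path or URL for the configuration file, this would also be a good place to add that the location should be writable only by administrators.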
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
index 4bace3c6df..424ed0cb61 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
@@ -1,6 +1,6 @@
---
title: Investigate connection events that occur behind forward proxies
-description: Investigate connection events that occur behind forward proxies
+description: Learn how to use advanced HTTP level monitoring through network protection in Microsoft Defender ATP, which surfaces a real target, instead of a proxy.
keywords: proxy, network protection, forward proxy, network events, audit, block, domain names, domain
search.product: eADQiWindows 10XVcnh
search.appverid: met150
diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
index ca9dbdfdd3..a74c4a0187 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
@@ -1,6 +1,6 @@
---
title: Isolate machine API
-description: Use this API to create calls related isolating a device.
+description: Learn how to use the Isolate machine API to isolate a device from accessing external network in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, isolate device
search.product: eADQiWindows 10XVcnh
ms.prod: w10
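Review bot: The new description reads "isolate a device from accessing external network", which is missing an article; use "an external network" or "external networks".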
@@ -84,13 +84,13 @@ Here is an example of the request.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-```
+```console
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate
Content-type: application/json
{
"Comment": "Isolate machine due to alert 1234",
“IsolationType”: “Full”
}
-
+```
- To unisolate a device, see [Release device from isolation](unisolate-machine.md).
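Review bot: The request body keeps typographic quotes in “IsolationType”: “Full”, so the JSON is invalid when copied as shown; replace them with straight quotes while this block is being edited. The new fence tag is "console", but the block is an HTTP request with a JSON body, so "http" or "json" would describe it better, and a blank line between the Content-type header and the body would match HTTP message layout. Adding the missing closing fence is correct.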
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
index e69619e1d8..27d42d2a2c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
@@ -67,6 +67,9 @@ Run the following command to see the available switches for managing exclusions:
mdatp exclusion
```
+> [!TIP]
+> When configuring exclusions with wildcards, enclose the parameter in double-quotes to prevent globbing.
+
Examples:
- Add an exclusion for a file extension:
@@ -96,6 +99,15 @@ Examples:
Folder exclusion configured successfully
```
+- Add an exclusion for a folder with a wildcard in it:
+
+ ```bash
+ mdatp exclusion folder add --path "/var/*/"
+ ```
+ ```Output
+ Folder exclusion configured successfully
+ ```
+
- Add an exclusion for a process:
```bash
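Review bot: The new wildcard example, mdatp exclusion folder add --path "/var/*/", matches every directory directly under /var, which is a much broader scanning exclusion than a reader copying the line is likely to intend. Use a narrow, clearly illustrative path for the example and add a sentence saying that wildcard exclusions should be as specific as possible, since each one removes a location from scanning.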
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
index 5065d7b5be..addb17136c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
@@ -117,8 +117,8 @@ The following table lists commands for some of the most common scenarios. Run `m
|Quarantine management |List all quarantined files |`mdatp threat quarantine list` |
|Quarantine management |Remove all files from the quarantine |`mdatp threat quarantine remove-all` |
|Quarantine management |Add a file detected as a threat to the quarantine |`mdatp threat quarantine add --id [threat-id]` |
-|Quarantine management |Remove a file detected as a threat from the quarantine |`mdatp threat quarantine add --id [threat-id]` |
-|Quarantine management |Restore a file from the quarantine |`mdatp threat quarantine add --id [threat-id]` |
+|Quarantine management |Remove a file detected as a threat from the quarantine |`mdatp threat quarantine remove --id [threat-id]` |
+|Quarantine management |Restore a file from the quarantine |`mdatp threat quarantine restore --id [threat-id]` |
## Microsoft Defender ATP portal information
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
index 49399fbe9f..ba716299fe 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
@@ -1,6 +1,6 @@
---
title: Live response command examples
-description: Learn to run basic or advanced live response commands for Microsoft Defender Advanced Threat Protection (ATP) and see examples on how it's used
+description: Learn to run basic or advanced live response commands for Microsoft Defender Advanced Threat Protection (ATP) and see examples on how it's used.
keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file
search.product: eADQiWindows 10XVcnh
search.appverid: met150
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
index 2a2e8465f2..56f59ba081 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
@@ -23,9 +23,9 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Live response is a capability that gives your security operations team instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats — in real time.
+Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats—in real time.
-Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
+Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.9
Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code:
-variable
.During onboarding: The device did not onboard correctly and will not be reporting to the portal.
+
During offboarding: Failed to change the service start type. The offboarding process continues. During onboarding: The device did not onboard correctly and will not be reporting to the portal.
During offboarding: Failed to change the service start type. The offboarding process continues. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See Onboard Windows 10 devices.
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4qLUW]
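Review bot: The added line ending `proactively hunt for emerging threats.9` carries a stray `9` after the period. Remove it so the paragraph ends at `threats.` as the removed line did.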
@@ -98,7 +98,7 @@ The dashboard also gives you access to:
## Initiate a live response session on a device
-1. Log in to Microsoft Defender Security Center.
+1. Sign in to Microsoft Defender Security Center.
2. Navigate to the devices list page and select a device to investigate. The devices page opens.
@@ -112,6 +112,10 @@ The dashboard also gives you access to:
Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments, see [Create and manage roles](user-roles.md).
+
+>[!NOTE]
+>Live response is a cloud-based interactive shell, as such, specific command experience may vary in response time depending on network quality and system load between the end user and the target device.
+
### Basic commands
The following commands are available for user roles that are granted the ability to run **basic** live response commands. For more information on role assignments, see [Create and manage roles](user-roles.md).
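Review bot: The added note is a comma splice at `interactive shell, as such, specific command experience may vary in response time`. Split it into two sentences and tighten the second, for example: `Live response is a cloud-based interactive shell. As such, response time for specific commands may vary depending on network quality and system load between the end user and the target device.`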
@@ -137,7 +141,7 @@ drivers | Shows all drivers installed on the device. |
|`trace` | Sets the terminal's logging mode to debug. |
### Advanced commands
-The following commands are available for user roles that are granted the ability to run **advanced** live response commands. For more information on role assignments see [Create and manage roles](user-roles.md).
+The following commands are available for user roles that are granted the ability to run **advanced** live response commands. For more information on role assignments, see [Create and manage roles](user-roles.md).
| Command | Description |
|---|---|
@@ -201,7 +205,7 @@ You can have a collection of PowerShell scripts that can run on devices that you
4. Specify if you'd like to overwrite a file with the same name.
-5. If you'd like to be know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description.
+5. If you'd like to be, know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description.
6. Click **Confirm**.
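Review bot: In step 5, the comma added in `If you'd like to be, know what parameters are needed` does not repair the sentence; the stray word is `be`. Suggest `If you'd like to know what parameters are needed for the script, select the script parameters check box.`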
@@ -220,7 +224,7 @@ Some commands have prerequisite commands to run. If you don't run the prerequisi
You can use the auto flag to automatically run prerequisite commands, for example:
-```
+```console
getfile c:\Users\user\Desktop\work.txt -auto
```
@@ -269,7 +273,7 @@ Live response supports output piping to CLI and file. CLI is the default output
Example:
-```
+```console
processes > output.txt
```
@@ -285,7 +289,7 @@ Each command is tracked with full details such as:
## Limitations
- Live response sessions are limited to 10 live response sessions at a time.
-- Large scale command execution is not supported.
+- Large-scale command execution is not supported.
- A user can only initiate one session at a time.
- A device can only be in one session at a time.
- The following file size limits apply:
@@ -295,11 +299,3 @@ Each command is tracked with full details such as:
## Related article
- [Live response command examples](live-response-command-examples.md)
-
-
-
-
-
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
index da1f94c851..efdb013295 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
@@ -1,6 +1,6 @@
---
title: JAMF-based deployment for Microsoft Defender ATP for Mac
-description: Install Microsoft Defender ATP for Mac, using JAMF.
+description: Learn about all the steps needed to deploy Microsoft Defender Advanced Threat Protection for Mac through JAMF.
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh
search.appverid: met150
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
index 7367f5ccb6..c82f6bfdb6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
@@ -30,36 +30,31 @@ If you can reproduce a problem, increase the logging level, run the system for s
1. Increase logging level:
```bash
- mdatp --log-level verbose
+ mdatp log level set --level verbose
```
```Output
- Creating connection to daemon
- Connection established
- Operation succeeded
+ Log level configured successfully
```
2. Reproduce the problem
-3. Run `sudo mdatp --diagnostic --create` to back up Microsoft Defender ATP's logs. The files will be stored inside a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
+3. Run `sudo mdatp diagnostic create` to back up Microsoft Defender ATP's logs. The files will be stored inside a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
```bash
- sudo mdatp --diagnostic --create
+ sudo mdatp diagnostic create
```
```Output
- Creating connection to daemon
- Connection established
+ Diagnostic file created: "/Library/Application Support/Microsoft/Defender/wdavdiag/932e68a8-8f2e-4ad0-a7f2-65eb97c0de01.zip"
```
4. Restore logging level:
```bash
- mdatp --log-level info
+ mdatp log level set --level info
```
```Output
- Creating connection to daemon
- Connection established
- Operation succeeded
+ Log level configured successfully
```
## Logging installation issues
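Review bot: Steps 1, 3 and 4 now show only the new syntax (`mdatp log level set --level verbose`, `sudo mdatp diagnostic create`), but the mac-whatsnew.md change in this same patch says the new syntax is the default only in the Insider Fast and Insider Slow update channels and that the old syntax remains supported. State the minimum product version or channel these commands need, or keep the old form alongside, so that someone collecting diagnostics on another channel is not handed a command their build may not recognize.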
@@ -85,30 +80,32 @@ There are several ways to uninstall Microsoft Defender ATP for Mac. Note that wh
Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line:
-|Group |Scenario |Command |
-|-------------|-------------------------------------------|-----------------------------------------------------------------------|
-|Configuration|Turn on/off real-time protection |`mdatp --config realTimeProtectionEnabled [true/false]` |
-|Configuration|Turn on/off cloud protection |`mdatp --config cloudEnabled [true/false]` |
-|Configuration|Turn on/off product diagnostics |`mdatp --config cloudDiagnosticEnabled [true/false]` |
-|Configuration|Turn on/off automatic sample submission |`mdatp --config cloudAutomaticSampleSubmission [true/false]` |
-|Configuration|Add a threat name to the allowed list |`mdatp threat allowed add --name [threat-name]` |
-|Configuration|Remove a threat name from the allowed list |`mdatp threat allowed remove --name [threat-name]` |
-|Configuration|List all allowed threat names |`mdatp threat allowed list` |
-|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`|
-|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` |
-|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`|
-|Configuration|Turn on/off passiveMode |`mdatp --config passiveMode [on/off]` |
-|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` |
-|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` |
-|Health |Check the product's health |`mdatp --health` |
-|Protection |Scan a path |`mdatp --scan --path [path]` |
-|Protection |Do a quick scan |`mdatp --scan --quick` |
-|Protection |Do a full scan |`mdatp --scan --full` |
-|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` |
-|Protection |Request a security intelligence update |`mdatp --definition-update` |
-|EDR |Turn on/off EDR preview for Mac |`mdatp --edr --early-preview [true/false]` OR `mdatp --edr --earlyPreview [true/false]` for versions earlier than 100.78.0 |
-|EDR |Add group tag to device. EDR tags are used for managing device groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp --edr --set-tag GROUP [name]` |
-|EDR |Remove group tag from device |`mdatp --edr --remove-tag [name]` |
+|Group |Scenario |Command |
+|-------------|-------------------------------------------|----------------------------------------------------------------------------------|
+|Configuration|Turn on/off real-time protection |`mdatp config real-time-protection [enabled/disabled]` |
+|Configuration|Turn on/off cloud protection |`mdatp config cloud --value [enabled/disabled]` |
+|Configuration|Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled/disabled]` |
+|Configuration|Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission --value [enabled/disabled]` |
+|Configuration|Add a threat name to the allowed list |`mdatp threat allowed add --name [threat-name]` |
+|Configuration|Remove a threat name from the allowed list |`mdatp threat allowed remove --name [threat-name]` |
+|Configuration|List all allowed threat names |`mdatp threat allowed list` |
+|Configuration|Turn on PUA protection |`mdatp threat policy set --type potentially_unwanted_application -- action block` |
+|Configuration|Turn off PUA protection |`mdatp threat policy set --type potentially_unwanted_application -- action off` |
+|Configuration|Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application -- action audit` |
+|Configuration|Turn on/off passiveMode |`mdatp config passive-mode --value enabled [enabled/disabled]` |
+|Diagnostics |Change the log level |`mdatp log level set --level [error/warning/info/verbose]` |
+|Diagnostics |Generate diagnostic logs |`mdatp diagnostic create` |
+|Health |Check the product's health |`mdatp health` |
+|Health |Check for a spefic product attribute |`mdatp health --field [attribute: healthy/licensed/engine_version...]` |
+|Protection |Scan a path |`mdatp scan custom --path [path]` |
+|Protection |Do a quick scan |`mdatp scan quick` |
+|Protection |Do a full scan |`mdatp scan full` |
+|Protection |Cancel an ongoing on-demand scan |`mdatp scan cancel` |
+|Protection |Request a security intelligence update |`mdatp definitions update` |
+|EDR |Turn on/off EDR preview for Mac |`mdatp edr early-preview [enabled/disabled]` |
+|EDR |Add group tag to device. EDR tags are used for managing device groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp edr tag set --name GROUP --value [name]` |
+|EDR |Remove group tag from device |`mdatp edr tag remove --tag-name [name]` |
+|EDR |Add Group Id |`mdatp edr group-ids --group-id [group]` |
### How to enable autocompletion
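Review bot: Several of the added table rows contain command typos. The three PUA rows read `-- action block`, `-- action off` and `-- action audit` with a space after `--`, which should be `--action`. The passive-mode row has a leftover literal in `--value enabled [enabled/disabled]`. The row `mdatp config real-time-protection [enabled/disabled]` omits the `--value` that every other `mdatp config` row in the table uses. `spefic` in the new Health row should be `specific`. Because these rows switch real-time protection, PUA handling and passive mode, run each command against the new CLI before merging.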
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md
new file mode 100644
index 0000000000..d480a11fb7
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md
@@ -0,0 +1,147 @@
+---
+title: Microsoft Defender ATP for Mac - System Extensions (Public Preview)
+description: This article contains instructions for trying out the system extensions functionality of Microsoft Defender ATP for Mac. This functionality is currently in public preview.
+keywords: microsoft, defender, atp, mac, kernel, system, extensions, catalina
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: security
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ROBOTS: noindex,nofollow
+---
+
+# Microsoft Defender ATP for Mac - System Extensions (Public Preview)
+
+In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions. This update will only be applicable to macOS Catalina (10.15.4) and newer versions of macOS.
+
+This functionality is currently in public preview. This article contains instructions for enabling this functionality on your device. You can choose to try out this feature locally on your own device or configure it remotely through a management tool.
+
+These steps assume you already have Microsoft Defender ATP running on your device. For more information, see [this page](microsoft-defender-atp-mac.md).
+
+## Known issues
+
+- We’ve received reports of the network extension interfering with Apple SSO Kerberos extension.
+- The current version of the product still installs a kernel extension. The kernel extension is only used as a fallback mechanism and will be removed before this feature reaches public preview.
+- We are still working on a product version that deploys and functions properly on macOS 11 Big Sur.
+
+## Deployment prerequisites
+
+- Minimum operating system version: **10.15.4**
+- Minimum product version: **101.03.73**
+- Your device must be in the **Insider Fast update channel**. You can check the update channel using the following command:
+
+```bash
+mdatp --health releaseRing
+```
+
+If your device is not already in the Insider Fast update channel, execute the following command from the Terminal. The channel update takes effect next time the product starts (when the next product update is installed or when the device is rebooted).
+
+```bash
+defaults write com.microsoft.autoupdate2 ChannelName -string InsiderFast
+```
+
+Alternatively, if you are in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, see [this page](mac-updates.md#set-the-channel-name).
+
+## Deployment steps
+
+Select the deployment steps corresponding to your environment and your preferred method of trying out this feature.
+
+### Manual deployment
+
+#### Approve the system extensions & enable the network extension
+
+Once all deployment prerequisites are met, restart your device to start the system extension approval and activation process.
+
+You will be presented series of system prompts to approve the Microsoft Defender ATP system extensions. You must approve ALL prompts from the series, because macOS requires an explicit approval for each extension that Microsoft Defender ATP for Mac installs on the device.
+
+For each approval, click **Open Security Preferences** and then click **Allow** to allow the system extension to run.
+
+> [!IMPORTANT]
+> Between subsequent approvals, you must close and re-open the **System Preferences** > **Security & Privacy** window, otherwise macOS will not display the next approval.
+
+> [!IMPORTANT]
+> There is a one minute timeout before the product falls back to the kernel extension (to ensure that the device is protected).
+>
+> If more than one minute has elapsed, restart the daemon (by rebooting the device or using `sudo killall -9 wdavdaemon`) in order to trigger the approval flow again.
+
+
+
+
+
+Following the approval of the system extensions, macOS will prompt for an approval to allow network traffic to be filtered. Click **Allow**.
+
+
+
+#### Grant Full Disk Access to the Endpoint Security system extension
+
+Open **System Preferences** > **Security & Privacy** > **Privacy** tab and grant **Full Disk Access** to the **Microsoft Defender Endpoint Security Extension**.
+
+
+
+#### Reboot your device
+
+In order for the changes to take effect, you must reboot your device.
+
+#### Verify that the system extensions are running
+
+From the Terminal, run the following command:
+
+```bash
+mdatp health --field real_time_protection_subsystem
+```
+
+Terminal output `endpoint_security_extension` indicates the product is using the system extensions functionality.
+
+### Managed deployment
+
+Refer to [this page](mac-sysext-policies.md#jamf) for the new configuration profiles that must be deployed for this new feature.
+
+In addition to those profiles, make sure the target devices are also configured to be in the Insider Fast update channel, as described in [this section](#deployment-prerequisites).
+
+On a device where all prerequisites are met and the new configuration profiles have been deployed, run:
+
+```bash
+$ mdatp health --field real_time_protection_subsystem
+```
+
+If this command prints `endpoint_security_extension`, then the product is using the system extensions functionality.
+
+## Validate basic scenarios
+
+1. Test EICAR detection. From a Terminal window, run:
+
+```bash
+curl -o eicar.txt https://secure.eicar.org/eicar.com.txt
+```
+
+ Verify that the EICAR file is quarantined. This verification can be done from the user interface (from the Protection History page) or command line using the following command:
+
+```bash
+mdatp threat list
+```
+
+2. Test EDR DIY scenario. From a terminal window, run:
+
+```bash
+curl -o "MDATP MacOS DIY.zip" https://aka.ms/mdatpmacosdiy
+```
+
+ Validate that two alerts have popped up in the portal in the machine page for EICAR and EDR DIY scenarios.
+
+## Frequently asked questions
+
+- Q: Why am I still seeing `kernel_extension` when I run `mdatp health --field real_time_protection_subsystem`?
+
+ A: Refer back to the [Deployment prerequisites](#deployment-prerequisites) section and double-check all of them are met. If all prerequisites are met, restart your device and check again.
+
+- Q: When is macOS 11 Big Sur going to be supported?
+
+ A: We are actively working on adding support for macOS 11. We will post more information to the [What's new](mac-whatsnew.md).
\ No newline at end of file
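Review bot: Under Known issues, `will be removed before this feature reaches public preview` contradicts the title and introduction, which say the feature is already in public preview; name the intended milestone instead. Under Deployment prerequisites, `mdatp --health releaseRing` uses the old syntax while the rest of the file uses `mdatp health --field ...`; pick one form, and drop the `$ ` prompt from the Managed deployment block so it matches the other code blocks. Smaller points: `You will be presented series` is missing `a`; step 2 of Validate basic scenarios downloads the DIY zip but never says to extract or run it before expecting an alert; the last FAQ answer ends at `the [What's new](mac-whatsnew.md).` without a noun such as `page`; and the file has no trailing newline.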
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
index 4b48c8771f..ce8693466d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
@@ -1,6 +1,6 @@
---
title: What's new in Microsoft Defender Advanced Threat Protection for Mac
-description: List of major changes for Microsoft Defender ATP for Mac.
+description: Learn about the major changes for previous versions of Microsoft Defender Advanced Threat Protection for Mac.
keywords: microsoft, defender, atp, mac, installation, macos, whatsnew
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -38,6 +38,20 @@ ms.topic: conceptual
> 2. Refer to this documentation for detailed configuration information and instructions: [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md).
> 3. Monitor this page for an announcement of the actual release of MDATP for Mac agent update.
+## 101.06.63
+
+- Addressed a performance regression introduced in version `101.05.17`. The regression was introduced with the fix to eliminate the kernel panics some customers have observed when accessing SMB shares. We have reverted this code change and are investigating alternative ways to eliminate the kernel panics.
+
+## 101.05.17
+
+> [!IMPORTANT]
+> We are working on a new and enhanced syntax for the `mdatp` command-line tool. The new syntax is currently the default in the Insider Fast and Insider Slow update channels. We encourage you to famliliarize yourself with this new syntax.
+>
+> We will continue supporting the old syntax in parallel with the new syntax and will provide more communication around the deprecation plan for the old syntax in the upcoming months.
+
+- Addressed a kernel panic that occurred sometimes when accessing SMB file shares
+- Performance improvements & bug fixes
+
## 101.05.16
- Improvements to quick scan logic to significantly reduce the number of scanned files
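Review bot: The 101.06.63 entry says the SMB kernel-panic fix was reverted, yet the 101.05.17 bullet `Addressed a kernel panic that occurred sometimes when accessing SMB file shares` is added with no qualifier. Add a pointer from that bullet to the revert so readers on 101.06.63 do not assume the panic is fixed. Also, `famliliarize` in the 101.05.17 note should be `familiarize`.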
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md
index 92e5b76fd8..e0c0e5b9b1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md
@@ -1,6 +1,6 @@
---
title: Machine resource type
-description: Retrieves top machines
+description: Learn about the methods and properties of the Machine resource type in Microsoft Defender Advanced Threat Protection.
keywords: apis, supported apis, get, machines
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
index 930d43341f..be98dcc681 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
@@ -1,6 +1,6 @@
---
title: machineAction resource type
-description: Quickly respond to detected attacks by isolating machines or collecting an investigation package.
+description: Learn about the methods and properties of the MachineAction resource type in Microsoft Defender Advanced Threat Protection.
keywords: apis, supported apis, get, machineaction, recent
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
index 8ee9cd8e12..9665f24c1f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
@@ -34,13 +34,13 @@ Selecting an incident from the **Incidents queue** brings up the **Incident mana
You can assign incidents to yourself, change the status and classification, rename, or comment on them to keep track of their progress.
> [!TIP]
-> For additional visibility at-a-glance, automatic incident naming, currently in public preview, generates incident names based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. This allows you to quickly understand the scope of the incident.
+> For additional visibility at a glance, incident names are automatically generated based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. This allows you to quickly understand the scope of the incident.
>
> For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
>
-> Incidents that existed prior the rollout of automatic incident naming will not have their name changed.
+> Incidents that existed prior the rollout of automatic incident naming will retain their names.
>
-> Learn more about [turning on preview features](preview.md#turn-on-preview-features).
+

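Review bot: The added line `Incidents that existed prior the rollout of automatic incident naming will retain their names.` is missing `to` after `prior`. Removing the preview link also leaves the bare `>` line above it as an empty last line of the TIP block; delete that line as well.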
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
index e17e4280c2..081eb65201 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
@@ -1,6 +1,6 @@
---
-title: Create indicators
-ms.reviewer:
+title: Create indicators
+ms.reviewer:
description: Create indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities.
keywords: manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain
search.product: eADQiWindows 10XVcnh
@@ -14,11 +14,11 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
---
-# Create indicators
+# Create indicators
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -40,10 +40,10 @@ The same list of indicators is honored by the prevention agent. Meaning, if Micr
**Automated investigation and remediation engine**
The automated investigation and remediation behave the same. If an indicator is set to "Allow", Automated investigation and remediation will ignore a "bad" verdict for it. If set to "Block", Automated investigation and remediation will treat it as "bad".
-
+
The current supported actions are:
-- Allow
+- Allow
- Alert only
- Alert and block
@@ -55,7 +55,7 @@ You can create an indicator for:
>[!NOTE]
->There is a limit of 15,000 indicators per tenant.
+>There is a limit of 15,000 indicators per tenant.
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md
index 04bb26271d..6b4210212e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md
@@ -1,6 +1,6 @@
---
title: Manage Microsoft Defender Advanced Threat Protection suppression rules
-description: Manage suppression rules
+description: You might need to prevent alerts from appearing in the portal by using suppression rules. Learn how to manage your suppression rules in Microsoft Defender ATP.
keywords: manage suppression, rules, rule name, scope, action, alerts, turn on, turn off
search.product: eADQiWindows 10XVcnh
search.appverid: met150
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
index 12f56bc412..e25b6e042f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
@@ -42,7 +42,7 @@ This topic describes how to install, configure, update, and use Microsoft Defend
- **For end users**
- - Microsoft Defender ATP license assigned to the end user(s) of the app.
+ - Microsoft Defender ATP license assigned to the end user(s) of the app. See [Microsoft Defender ATP licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements)
- Intune Company Portal app can be downloaded from [Google
Play](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal)
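Review bot: The added licensing link uses an absolute `https://docs.microsoft.com/...` URL to a page in the same folder, while other links in this patch use relative paths such as `android-intune.md`. Use `minimum-requirements.md#licensing-requirements` instead. The new sentence also lacks its closing period.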
@@ -78,7 +78,8 @@ This topic describes how to install, configure, update, and use Microsoft Defend
### Installation instructions
Microsoft Defender ATP for Android supports installation on both modes of
-enrolled devices - the legacy Device Administrator and Android Enterprise modes
+enrolled devices - the legacy Device Administrator and Android Enterprise modes.
+**Currently, only Work Profile enrolled devices are supported in Android Enterprise. Support for other Android Enterprise modes will be announced when ready.**
Deployment of Microsoft Defender ATP for Android is via Microsoft Intune (MDM).
For more information, see [Deploy Microsoft Defender ATP for Android with Microsoft Intune](android-intune.md).
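Review bot: The first sentence still says installation is supported on `both modes of enrolled devices`, and the added bold sentence then limits Android Enterprise to Work Profile. Reword the first sentence to state the actual support up front, and put the restriction in a `> [!NOTE]` callout rather than a fully bolded inline sentence.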
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
index 62d68dcdee..bfad87ca3d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
@@ -1,7 +1,7 @@
---
title: Microsoft Defender ATP for Mac
ms.reviewer:
-description: Describes how to install and use Microsoft Defender ATP for Mac.
+description: Learn how to install, configure, update, and use Microsoft Defender Advanced Threat Protection for Mac.
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh
search.appverid: met150
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
index 3eb07ed66d..c07a143d91 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
@@ -105,7 +105,7 @@ Ensure that your devices:
Run threat and vulnerability management-related API calls to automate vulnerability management workflows. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
-See the following topics for related APIs:
+See the following articles for related APIs:
- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
- [Machine APIs](machine.md)
@@ -115,7 +115,7 @@ See the following topics for related APIs:
- [Vulnerability APIs](vulnerability.md)
- [List vulnerabilities by machine and software](get-all-vulnerabilities-by-machines.md)
-## Related topics
+## See also
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
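Review bot: renaming this heading to `## See also` is inconsistent with the rest of the patch. threat-analytics.md gains a new `## Related topics` heading and run-detection-test.md keeps its existing one. Pick one heading for the link list at the end of an article and apply it to every file touched here.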
diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
index 2c94a9c19e..d51165a30f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
@@ -1,6 +1,6 @@
---
title: Offboard machine API
-description: Use this API to offboard a device from WDATP.
+description: Learn how to use an API to offboard a device from Windows Defender Advanced Threat Protection (WDATP).
keywords: apis, graph api, supported apis, collect investigation package
search.product: eADQiWindows 10XVcnh
ms.prod: w10
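Review bot: the new description spells the product out as "Windows Defender Advanced Threat Protection (WDATP)", while every other description updated in this patch uses "Microsoft Defender Advanced Threat Protection". Use the current product name here as well and drop the WDATP abbreviation so that search results show one consistent brand.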
diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
index 5e1fd0cad0..63ca10ace1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
@@ -1,6 +1,6 @@
---
title: Submit or Update Indicator API
-description: Use this API to submit or Update Indicator.
+description: Learn how to use the Submit or Update Indicator API to submit or update a new Indicator entity in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, submit, ti, indicator, update
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
index fce90c63c2..4c7de91e8a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
@@ -1,6 +1,6 @@
---
title: Pull Microsoft Defender ATP detections using REST API
-description: Pull detections from Microsoft Defender ATP REST API.
+description: Learn how call an Microsoft Defender ATP endpoint to pull detections in JSON format using the SIEM REST API.
keywords: detections, pull detections, rest api, request, response
search.product: eADQiWindows 10XVcnh
search.appverid: met150
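Review bot: the new description has two grammar errors, "Learn how call" and "an Microsoft Defender ATP endpoint". Suggested wording: "Learn how to call a Microsoft Defender ATP endpoint to pull detections in JSON format using the SIEM REST API."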
diff --git a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
index 11d05369ee..4435b74d94 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
@@ -1,59 +1,59 @@
----
-title: Recommendation methods and properties
-description: Retrieves top recent alerts.
-keywords: apis, graph api, supported apis, get, alerts, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Recommendation resource type
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-Method |Return Type |Description
-:---|:---|:---
-[List all recommendations](get-all-recommendations.md) | Recommendation collection | Retrieves a list of all security recommendations affecting the organization
-[Get recommendation by Id](get-recommendation-by-id.md) | Recommendation | Retrieves a security recommendation by its ID
-[Get recommendation software](get-recommendation-software.md)| [Software](software.md) | Retrieves a security recommendation related to a specific software
-[Get recommendation devices](get-recommendation-machines.md)|MachineRef collection | Retrieves a list of devices associated with the security recommendation
-[Get recommendation vulnerabilities](get-recommendation-vulnerabilities.md) | [Vulnerability](vulnerability.md) collection | Retrieves a list of vulnerabilities associated with the security recommendation
-
-
-## Properties
-Property | Type | Description
-:---|:---|:---
-id | String | Recommendation ID
-productName | String | Related software name
-recommendationName | String | Recommendation name
-Weaknesses | Long | Number of discovered vulnerabilities
-Vendor | String | Related vendor name
-recommendedVersion | String | Recommended version
-recommendationCategory | String | Recommendation category. Possible values are: "Accounts", "Application", "Network", "OS", "SecurityStack
-subCategory | String | Recommendation sub-category
-severityScore | Double | Potential impact of the configuration to the organization's Microsoft Secure Score for Devices (1-10)
-publicExploit | Boolean | Public exploit is available
-activeAlert | Boolean | Active alert is associated with this recommendation
-associatedThreats | String collection | Threat analytics report is associated with this recommendation
-remediationType | String | Remediation type. Possible values are: "ConfigurationChange","Update","Upgrade","Uninstall"
-Status | Enum | Recommendation exception status. Possible values are: "Active" and "Exception"
-configScoreImpact | Double | Microsoft Secure Score for Devices impact
-exposureImpacte | Double | Exposure score impact
-totalMachineCount | Long | Number of installed devices
-exposedMachinesCount | Long | Number of installed devices that are exposed to vulnerabilities
-nonProductivityImpactedAssets | Long | Number of devices which are not affected
-relatedComponent | String | Related software component
+---
+title: Recommendation methods and properties
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Recommendation resource type
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Methods
+Method |Return Type |Description
+:---|:---|:---
+[List all recommendations](get-all-recommendations.md) | Recommendation collection | Retrieves a list of all security recommendations affecting the organization
+[Get recommendation by Id](get-recommendation-by-id.md) | Recommendation | Retrieves a security recommendation by its ID
+[Get recommendation software](get-recommendation-software.md)| [Software](software.md) | Retrieves a security recommendation related to a specific software
+[Get recommendation devices](get-recommendation-machines.md)|MachineRef collection | Retrieves a list of devices associated with the security recommendation
+[Get recommendation vulnerabilities](get-recommendation-vulnerabilities.md) | [Vulnerability](vulnerability.md) collection | Retrieves a list of vulnerabilities associated with the security recommendation
+
+
+## Properties
+Property | Type | Description
+:---|:---|:---
+id | String | Recommendation ID
+productName | String | Related software name
+recommendationName | String | Recommendation name
+Weaknesses | Long | Number of discovered vulnerabilities
+Vendor | String | Related vendor name
+recommendedVersion | String | Recommended version
+recommendationCategory | String | Recommendation category. Possible values are: "Accounts", "Application", "Network", "OS", "SecurityStack
+subCategory | String | Recommendation sub-category
+severityScore | Double | Potential impact of the configuration to the organization's Microsoft Secure Score for Devices (1-10)
+publicExploit | Boolean | Public exploit is available
+activeAlert | Boolean | Active alert is associated with this recommendation
+associatedThreats | String collection | Threat analytics report is associated with this recommendation
+remediationType | String | Remediation type. Possible values are: "ConfigurationChange","Update","Upgrade","Uninstall"
+Status | Enum | Recommendation exception status. Possible values are: "Active" and "Exception"
+configScoreImpact | Double | Microsoft Secure Score for Devices impact
+exposureImpacte | Double | Exposure score impact
+totalMachineCount | Long | Number of installed devices
+exposedMachinesCount | Long | Number of installed devices that are exposed to vulnerabilities
+nonProductivityImpactedAssets | Long | Number of devices which are not affected
+relatedComponent | String | Related software component
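Review bot: the re-added front matter still has `description: Retrieves top recent alerts.` and `keywords: apis, graph api, supported apis, get, alerts, recent`, which describe an alerts page rather than the Recommendation resource type. Every removed line comes back with identical text, so this looks like a line-ending or whitespace-only rewrite; please confirm that is intended. Since the file is being rewritten anyway, give it a description that matches its content, close the quote after "SecurityStack in the recommendationCategory row, and check whether `exposureImpacte` is the real property name or a typo.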
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
index 00040ec11f..2625952949 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
@@ -1,7 +1,7 @@
---
title: Advanced Hunting API
ms.reviewer:
-description: Use the Advanced hunting API to run advanced queries on Microsoft Defender Advanced Threat Protection
+description: Learn to use the advanced hunting API to run advanced queries on Microsoft Defender Advanced Threat Protection. Find out about limitations and see an example.
keywords: apis, supported apis, advanced hunting, query
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
index deacdfd079..9163a45a52 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
@@ -1,7 +1,7 @@
---
title: Advanced Hunting with Python API Guide
ms.reviewer:
-description: Learn the basics of querying the Microsoft Defender Advanced Threat Protection API, using Python.
+description: Learn how to query using the Microsoft Defender Advanced Threat Protection API, by using Python, with examples.
keywords: apis, supported apis, advanced hunting, query
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
index 0d98b91181..d87232b04b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
@@ -50,3 +50,4 @@ The Command Prompt window will close automatically. If successful, the detection
## Related topics
- [Onboard Windows 10 devices](configure-endpoints.md)
- [Onboard servers](configure-server-endpoints.md)
+- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding)
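Review bot: the added list item links to an absolute `https://docs.microsoft.com/...` URL, while the two existing items in the same list use relative links (`configure-endpoints.md`, `configure-server-endpoints.md`). The target sits in the same microsoft-defender-atp folder, so a relative link to the article's .md file would stay consistent with its neighbours and let the build validate it.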
diff --git a/windows/security/threat-protection/microsoft-defender-atp/score.md b/windows/security/threat-protection/microsoft-defender-atp/score.md
index bc8b673887..40615f1991 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/score.md
@@ -1,40 +1,41 @@
----
-title: Score methods and properties
-description: Retrieves your organization's exposure score, device secure score, and exposure score by device group
-keywords: apis, graph api, supported apis, score, exposure score, device secure score, exposure score by device group
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Score resource type
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-Method |Return Type |Description
-:---|:---|:---
-[Get exposure score](get-exposure-score.md) | [Score](score.md) | Get the organizational exposure score.
-[Get device secure score](get-device-secure-score.md) | [Score](score.md) | Get the organizational device secure score.
-[List exposure score by device group](get-machine-group-exposure-score.md)| [Score](score.md) | List scores by device group.
-
-
-## Properties
-Property | Type | Description
-:---|:---|:---
-Score | Double | The current score.
-Time | DateTime | The date and time in which the call for this API was made.
-RbacGroupName | String | The device group name.
+---
+title: Score methods and properties
+description: Retrieves your organization's exposure score, device secure score, and exposure score by device group
+keywords: apis, graph api, supported apis, score, exposure score, device secure score, exposure score by device group
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Score resource type
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Methods
+
+Method |Return Type |Description
+:---|:---|:---
+[Get exposure score](get-exposure-score.md) | [Score](score.md) | Get the organizational exposure score.
+[Get device secure score](get-device-secure-score.md) | [Score](score.md) | Get the organizational device secure score.
+[List exposure score by device group](get-machine-group-exposure-score.md)| [Score](score.md) | List scores by device group.
+
+## Properties
+
+Property | Type | Description
+:---|:---|:---
+Score | Double | The current score.
+Time | DateTime | The date and time in which the call for this API was made.
+RbacGroupName | String | The device group name.
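Review bot: besides the blank-line changes around the tables, this rewrite changes `ms.author` from dolmont to ellevin and `author` from DulceMontemayor to levinec. recommendation.md and software.md in the same patch keep dolmont and DulceMontemayor. If the ownership change is intentional, say so in the commit message and consider whether the sibling API pages need it too; if not, revert those two lines.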
diff --git a/windows/security/threat-protection/microsoft-defender-atp/software.md b/windows/security/threat-protection/microsoft-defender-atp/software.md
index 0853d1f0d8..bacc9d839f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/software.md
@@ -1,49 +1,49 @@
----
-title: Software methods and properties
-description: Retrieves top recent alerts.
-keywords: apis, graph api, supported apis, get, alerts, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Software resource type
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-
-Method |Return Type |Description
-:---|:---|:---
-[List software](get-software.md) | Software collection | List the organizational software inventory.
-[Get software by Id](get-software-by-id.md) | Software | Get a specific software by its software ID.
-[List software version distribution](get-software-ver-distribution.md)| Distribution collection | List software version distribution by software ID.
-[List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of devices that are associated with the software ID.
-[List vulnerabilities by software](get-vuln-by-software.md) | [Vulnerability](vulnerability.md) collection | Retrieve a list of vulnerabilities associated with the software ID.
-[Get missing KBs](get-missing-kbs-software.md) | KB collection | Get a list of missing KBs associated with the software ID
-
-## Properties
-
-Property | Type | Description
-:---|:---|:---
-id | String | Software ID
-Name | String | Software name
-Vendor | String | Software vendor name
-Weaknesses | Long | Number of discovered vulnerabilities
-publicExploit | Boolean | Public exploit exists for some of the vulnerabilities
-activeAlert | Boolean | Active alert is associated with this software
-exposedMachines | Long | Number of exposed devices
-impactScore | Double | Exposure score impact of this software
+---
+title: Software methods and properties
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Software resource type
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Methods
+
+Method |Return Type |Description
+:---|:---|:---
+[List software](get-software.md) | Software collection | List the organizational software inventory.
+[Get software by Id](get-software-by-id.md) | Software | Get a specific software by its software ID.
+[List software version distribution](get-software-ver-distribution.md)| Distribution collection | List software version distribution by software ID.
+[List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of devices that are associated with the software ID.
+[List vulnerabilities by software](get-vuln-by-software.md) | [Vulnerability](vulnerability.md) collection | Retrieve a list of vulnerabilities associated with the software ID.
+[Get missing KBs](get-missing-kbs-software.md) | KB collection | Get a list of missing KBs associated with the software ID
+
+## Properties
+
+Property | Type | Description
+:---|:---|:---
+id | String | Software ID
+Name | String | Software name
+Vendor | String | Software vendor name
+Weaknesses | Long | Number of discovered vulnerabilities
+publicExploit | Boolean | Public exploit exists for some of the vulnerabilities
+activeAlert | Boolean | Active alert is associated with this software
+exposedMachines | Long | Number of exposed devices
+impactScore | Double | Exposure score impact of this software
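Review bot: the front matter is re-added with `description: Retrieves top recent alerts.` and alert-related keywords, which do not describe the Software resource type. The removed and added sides are textually identical, so nothing visible changes in this hunk. If the file is being rewritten for line endings, use the same pass to replace the description with one that mentions the software inventory methods and properties listed below it.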
diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
index 2bdc3f389c..1a065cce0b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
@@ -1,6 +1,6 @@
---
title: Stop and quarantine file API
-description: Use this API to stop and quarantine file.
+description: Learn how to stop running a file on a device and delete the file in Microsoft Defender Advanced Threat Protection. See an example.
keywords: apis, graph api, supported apis, stop and quarantine file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
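Review bot: the new description says the API will "delete the file", but the title and keywords call the action "stop and quarantine". Deleting and quarantining are different outcomes for someone deciding whether a response action is reversible, so the description should use the same verb as the title unless the article body states that the file is deleted.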
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
index 692c6a9e61..a3c0638d1e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
@@ -120,6 +120,9 @@ This step of the setup process involves adding Microsoft Defender ATP to the exc
During this step of the setup process, you add Symantec and your other security solutions to the Microsoft Defender Antivirus exclusion list.
+> [!NOTE]
+> To get an idea of which processes and services to exclude, see Broadcom's [Processes and services used by Endpoint Protection 14](https://knowledge.broadcom.com/external/article/170706/processes-and-services-used-by-endpoint.html).
+
When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
- Path exclusions exclude specific files and whatever those files access.
- Process exclusions exclude whatever a process touches, but does not exclude the process itself.
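Review bot: the added note sits ahead of the paragraph that introduces path and process exclusions, so the reader is sent to Broadcom's list before learning what the two exclusion types do. Consider moving it after the two bullets. The linked article is titled for Endpoint Protection 14 specifically, so the note should say it applies to that version.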
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
index 421805849d..7612d8d24a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
@@ -22,49 +22,84 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Cyberthreats are emerging more frequently and prevalently. It is critical for organizations to quickly assess their security posture, covering the impact of emerging threats and their organizational resilience.
+With more sophisticated adversaries and new threats emerging frequently and prevalently, it's critical to be able to quickly:
-Threat analytics is a set of reports published by Microsoft security researchers as soon as emerging threats and outbreaks are identified. The reports help you assess the impact of threats to your environment and identify actions that can contain them.
+- Assess the impact of new threats
+- Review your resilience against or exposure to the threats
+- Identify the actions you can take to stop or contain the threats
-Watch this short video to quickly understand how threat analytics can help you track the latest threats and stop them.
+Threat analytics is a set of reports from expert Microsoft security researchers covering the most relevant threats, including:
+
+- Active threat actors and their campaigns
+- Popular and new attack techniques
+- Critical vulnerabilities
+- Common attack surfaces
+- Prevalent malware
+
+Each report provides a detailed analysis of a threat and extensive guidance on how to defend against the threat. It also incorporates data from your network, indicating whether the threat is active and if you have applicable security updates and recommended settings in place.
+
+Watch this short video to learn more about how threat analytics can help you track the latest threats and stop them.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bw1f]
## View the threat analytics dashboard
-The threat analytics dashboard is a great jump off point for getting to the reports that are most relevant to your organization. It provides several overviews about the threats covered in the reports:
+The threat analytics dashboard is a great jump off point for getting to the reports that are most relevant to your organization. It summarizes the threats in the following sections:
-- **Latest threats** — lists the most recently published threat reports, along with the number of devices with resolved and unresolved alerts.
-- **High-impact threats** — lists the threats that have had the highest impact on the organization in terms of the number of devices that have had related alerts, along with the number of devices with resolved and unresolved alerts.
-- **Threat summary** — shows the number of threats among the threats reported in threat analytics with actual alerts.
+- **Latest threats**—lists the most recently published threat reports, along with the number of devices with active and resolved alerts.
+- **High-impact threats**—lists the threats that have had the highest impact to the organization. This section ranks threats by the number of devices that have active alerts.
+- **Threat summary**—shows the overall impact of all the threats reported in threat analytics by showing the number of threats with active and resolved alerts.
+
+Select a threat from the dashboard to view the report for that threat.

-Select a threat from any of the overviews or from the table to view the report for that threat.
-
## View a threat analytics report
-Each threat report generally provides an overview of the threat and an analysis of the techniques and tools used by the threat. It also provides mitigation recommendations and detection information. It includes several cards that show dynamic data about how your organization is impacted by the threat and how prepared it is to stop the threat.
+Each threat analytics report provides information in three sections: **Overview**, **Analyst report**, and **Mitigations**.
-
+### Quickly understand a threat and assess its impact to your network in the overview
-### Organizational impact
-Each report includes cards designed to provide information about the organizational impact of a threat:
-- **Devices with alerts** — shows the current number of distinct devices that have been impacted by the threat. A device is categorized as **Active** if there is at least one alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the device have been resolved.
-- **Devices with alerts over time** — shows the number of distinct devices with **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days.
+The **Overview** section provides a preview of the detailed analyst report. It also provides charts that highlight the impact of the threat to your organization and your exposure through misconfigured and unpatched devices.
-### Organizational resilience
-Each report also includes cards that provide an overview of how resilient your organization can be against a given threat:
-- **Security configuration status** — shows the number of devices that have applied the recommended security settings that can help mitigate the threat. Devices are considered **Secure** if they have applied _all_ the tracked settings.
-- **Vulnerability patching status** — shows the number of devices that have applied security updates or patches that address vulnerabilities exploited by the threat.
-- **Mitigation details** — lists specific actionable recommendations that can help you increase your organizational resilience. This card lists tracked mitigations, including recommended settings and vulnerability patches, along with the number of devices that don't have the mitigations in place.
+
+_Overview section of a threat analytics report_
-### Additional report details and limitations
+#### Organizational impact
+Each report includes charts designed to provide information about the organizational impact of a threat:
+- **Devices with alerts**—shows the current number of distinct devices that have been impacted by the threat. A device is categorized as **Active** if there is at least one alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the device have been resolved.
+- **Devices with alerts over time**—shows the number of distinct devices with **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days.
+
+#### Organizational resilience and exposure
+Each report includes charts that provide an overview of how resilient your organization is against a given threat:
+- **Security configuration status**—shows the number of devices that have applied the recommended security settings that can help mitigate the threat. Devices are considered **Secure** if they have applied _all_ the tracked settings.
+- **Vulnerability patching status**—shows the number of devices that have applied security updates or patches that address vulnerabilities exploited by the threat.
+
+### Get expert insight from the analyst report
+Go to the **Analyst report** section to read through the detailed expert write-up. Most reports provide detailed descriptions of attack chains, including tactics and techniques mapped to the MITRE ATT&CK framework, exhaustive lists of recommendations, and powerful [threat hunting](advanced-hunting-overview.md) guidance.
+
+
+_Analyst report section of a threat analytics report_
+
+### Review list of mitigations and the status of your devices
+In the **Mitigations** section, review the list of specific actionable recommendations that can help you increase your organizational resilience against the threat. The list of tracked mitigations includes recommended settings and vulnerability patches. It also shows the number of devices that don't have these mitigations in place.
+
+Mitigation information in this section incorporates data from [threat and vulnerability management](next-gen-threat-and-vuln-mgt.md), which also provides detailed drill-down information from various links in the report.
+
+
+_Mitigations section of a threat analytics report_
+
+
+## Additional report details and limitations
When using the reports, keep the following in mind:
-- Data is scoped based on your RBAC permissions. You will only see the status of devices that you have been granted access to on the RBAC.
-- Charts reflect only mitigations that are tracked. Check the report overview for additional mitigations that are not reflected in the charts.
+- Data is scoped based on your role-based access control (RBAC) scope. You will see the status of devices in [groups that you can access](machine-groups.md).
+- Charts reflect only mitigations that are tracked. Check the report overview for additional mitigations that are not shown in the charts.
- Mitigations don't guarantee complete resilience. The provided mitigations reflect the best possible actions needed to improve resiliency.
-- Devices are counted as "unavailable" if they have been unable to transmit data to the service.
-- Antivirus related statistics are based on Microsoft Defender Antivirus settings. Devices with third-party antivirus solutions can appear as "exposed".
+- Devices are counted as "unavailable" if they have not transmitted data to the service.
+- Antivirus-related statistics are based on Microsoft Defender Antivirus settings. Devices with third-party antivirus solutions can appear as "exposed".
+
+## Related topics
+- [Proactively find threats with advanced hunting](advanced-hunting-overview.md)
+- [Assess and resolve security weaknesses and exposures](next-gen-threat-and-vuln-mgt.md)
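Review bot: The rewritten first bullet under "Additional report details and limitations" drops the word "only", so it no longer says that RBAC restricts what the reader sees; "You will see the status of devices in groups that you can access" reads as a feature rather than a limit. The same line also says "scoped based on your role-based access control (RBAC) scope", which uses "scope" twice. Suggest: "Data is scoped based on your role-based access control (RBAC) permissions. You will only see the status of devices in groups that you can access." Separately, the unchanged bullet about mitigations uses both "resilience" and "resiliency"; since the neighbouring bullets are being edited, this would be a good place to pick one.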
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
index 47a3571c4e..7df606ba66 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
@@ -1,7 +1,7 @@
---
title: Integrate Microsoft Defender ATP with other Microsoft solutions
ms.reviewer:
-description: Learn how Microsoft Defender ATP integrations with other Microsoft solutions
+description: Learn how Microsoft Defender ATP integrates with other Microsoft solutions, including Azure Advanced Threat Protection and Azure Security Center.
keywords: microsoft threat protection, conditional access, office, advanced threat protection, azure atp, azure security center, microsoft cloud app security
search.product: eADQiWindows 10XVcnh
search.appverid: met150
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md
index 86607dd332..24dcaab4dd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md
@@ -1,7 +1,7 @@
---
title: Troubleshoot exploit protection mitigations
keywords: Exploit protection, mitigations, troubleshoot, import, export, configure, emet, convert, conversion, deploy, install
-description: Remove unwanted Exploit protection mitigations.
+description: Learn how to deal with unwanted mitigations in Windows Security, including a process to remove all mitigations and import a baseline configuration file instead.
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: manage
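Review bot: The new description no longer contains the term "exploit protection", which is what the title and the keywords line use, so the search snippet loses the feature name. Suggest keeping it, for example "Learn how to deal with unwanted exploit protection mitigations in Windows Security, ..." and trimming the tail if the length limit requires it.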
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index 8c35924c4f..11aa392b29 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -55,9 +55,9 @@ You can navigate through the portal using the menu options available in all sect
Area | Description
:---|:---
**Dashboard** | Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data.
-[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP.
+[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Microsoft Defender ATP.
[**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions.
-[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page that shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs or security updates.
+[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page that shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs (security updates).
[**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed devices there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details.
## Threat and vulnerability management dashboard
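Review bot: The re-added **Security recommendations** row still carries the typo "number or exposed devices"; since the row is being touched for the "you've" contraction, fix it to "number of exposed devices" in the same change. In the **Software inventory** row, "missing KBs (security updates)" now presents the two terms as synonyms where the old text offered them as alternatives ("missing KBs or security updates"); confirm that is the intended meaning.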
@@ -68,12 +68,12 @@ Area | Description
[**Exposure score**](tvm-exposure-score.md) | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations.
[**Microsoft Secure Score for Devices**](tvm-microsoft-secure-score-devices.md) | See the security posture of the operating system, applications, network, accounts, and security controls of your organization. The goal is to remediate the related security configuration issues to increase your score for devices. Selecting the bars will take you to the **Security recommendation** page.
**Device exposure distribution** | See how many devices are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Devices list** page and view the affected device names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags.
-**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select **Show more** to see the rest of the security recommendations in the list or **Show exceptions** for the list of recommendations that have an exception.
+**Top security recommendations** | See the collated security recommendations that are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select **Show more** to see the rest of the security recommendations in the list. Select **Show exceptions** for the list of recommendations that have an exception.
**Top vulnerable software** | Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.
**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can select each item on the list to see the details in the **Remediation** page or select **Show more** to view the rest of the remediation activities, and active exceptions.
**Top exposed devices** | View exposed device names and their exposure level. Select a device name from the list to go to the device page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed devices. Select **Show more** to see the rest of the exposed devices list. From the devices list, you can manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate device.
-See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-icons) for more information on the icons used throughout the portal.
+For more information on the icons used throughout the portal, see [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-icons).
## Related topics
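Review bot: In the **Top security recommendations** row, "the urgency that it requires" has no clear antecedent for "it" (the recommendation, or the risk exposure?), and the edit from "which" to "that" leaves the problem in place. Suggest something like "sorted and prioritized based on your organization's risk exposure and the urgency of each recommendation". Splitting the **Show more** / **Show exceptions** sentence is fine.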
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
index 19805c1e0b..2cfd0bfeb9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
@@ -30,7 +30,7 @@ Your exposure score is visible in the [Threat and vulnerability management dashb
- Detect and respond to areas that require investigation or action to improve the current state.
- Communicate with peers and management about the impact of security efforts.
-The card gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further.
+The card gives you a high-level view of your exposure score trend over time. Any spikes in the chart give you a visual indication of a high cybersecurity threat exposure that you can investigate further.

@@ -38,7 +38,7 @@ The card gives you a high-level view of your exposure score trend over time. Any
Threat and vulnerability management introduces a new exposure score metric, which visually represents how exposed your devices are to imminent threats.
-The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
+The exposure score is continuously calculated on each device in the organization. It is influenced by the following factors:
- Weaknesses, such as vulnerabilities discovered on the device
- External and internal threats such as public exploit code and security alerts
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md
index 1ea368d48c..0823575cb9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md
@@ -1,6 +1,6 @@
---
title: Overview of Microsoft Secure Score for Devices in Microsoft Defender Security Center
-description: Your score for devices shows the collective security configuration state of your devices across application, operating system, network, accounts, and security controls
+description: Your score for devices shows the collective security configuration state of your devices across application, operating system, network, accounts, and security controls.
keywords: Microsoft Secure Score for Devices, mdatp Microsoft Secure Score for Devices, secure score, configuration score, threat and vulnerability management, security controls, improvement opportunities, security configuration score over time, security posture, baseline
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -37,7 +37,7 @@ Select a category to go to the [**Security recommendations**](tvm-security-recom
## Turn on the Microsoft Secure Score connector
-Forward Microsoft Defender ATP signals, giving Microsoft Secure Score visibility into the device security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data.
+Forward Microsoft Defender ATP signals, giving Microsoft Secure Score visibility into the device security posture. Forwarded data is stored and processed in the same location as your Microsoft Secure Score data.
Changes might take up to a few hours to reflect in the dashboard.
@@ -52,7 +52,7 @@ Changes might take up to a few hours to reflect in the dashboard.
>[!NOTE]
> Microsoft Secure Score for Devices currently supports configurations set via Group Policy. Due to the current partial Intune support, configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator to verify the actual configuration status in case your organization is using Intune for secure configuration management.
-The data in the Microsoft Secure Score for Devices card is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:
+The data in the Microsoft Secure Score for Devices card is the product of meticulous and ongoing vulnerability discovery process. It is aggregated with configuration discovery assessments that continuously:
- Compare collected configurations to the collected benchmarks to discover misconfigured assets
- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction)
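Review bot: Splitting the sentence that introduces the bullet list changes what is being aggregated. The old text said the discovery process is aggregated with configuration discovery assessments; in the new text "It is aggregated" most naturally refers to "the data". The first sentence is also missing an article: "the product of meticulous and ongoing vulnerability discovery process". Suggest "is the product of a meticulous and ongoing vulnerability discovery process. The process is aggregated with configuration discovery assessments that continuously:".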
@@ -61,9 +61,9 @@ The data in the Microsoft Secure Score for Devices card is the product of meticu
## Improve your security configuration
-You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.
+Improve your security configuration by remediating issues from the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves and your organization becomes more resilient against cybersecurity threats and vulnerabilities.
-1. From the Microsoft Secure Score for Devices card in the threat and vulnerability management dashboard, select the one of the categories to view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field.
+1. From the Microsoft Secure Score for Devices card in the threat and vulnerability management dashboard, select the one of the categories. You'll view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field.
2. Select an item on the list. The flyout panel will open with details related to the recommendation. Select **Remediation options**.
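Review bot: Step 1 keeps the typo "select the one of the categories" and the split makes the sequence harder to follow: "You'll view the list of recommendations" comes before "It will take you to the Security recommendations page", and "It" has no clear referent. Suggest "select one of the categories. You'll be taken to the Security recommendations page, which lists the recommendations related to that category."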
@@ -71,15 +71,15 @@ You can improve your security configuration when you remediate issues from the s
3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to an email for follow-up.
-4. **Submit request**. You will see a confirmation message that the remediation task has been created.
+4. **Submit request**. You'll see a confirmation message that the remediation task has been created.

5. Save your CSV file.

-6. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system.
+6. Send a follow-up email to your IT Administrator and allow the time that you've allotted for the remediation to propagate in the system.
-7. Review the **Microsoft Secure Score for Devices** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your Microsoft Secure Score for Devices should increase.
+7. Review the **Microsoft Secure Score for Devices** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you've addressed won't be listed there anymore. Your Microsoft Secure Score for Devices should increase.
>[!IMPORTANT]
>To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network:
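Review bot: Step 4 is the only step in this procedure without a verb ("**Submit request**. You'll see a confirmation message ..."), and it is being edited here for the contraction anyway. Suggest "Select **Submit request**." to match steps 2 and 3. The contraction changes in steps 6 and 7 look consistent with the rest of the patch.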
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
index a94e2b07c4..6673d476df 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@@ -26,7 +26,7 @@ ms.topic: conceptual
>[!NOTE]
>To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
-After your organization's cybersecurity weaknesses are identified and mapped to actionable [security recommendations](tvm-security-recommendation.md), start creating security tasks through the integration with Microsoft Intune where remediation tickets are created.
+After your organization's cybersecurity weaknesses are identified and mapped to actionable [security recommendations](tvm-security-recommendation.md), start creating security tasks. You can create tasks through the integration with Microsoft Intune where remediation tickets are created.
Lower your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
@@ -39,7 +39,7 @@ You can access the Remediation page a few different ways:
### Navigation menu
-Go to the threat and vulnerability management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization.
+Go to the threat and vulnerability management navigation menu and select **Remediation**. It will open the list of remediation activities and exceptions found in your organization.
### Top remediation activities in the dashboard
@@ -49,7 +49,7 @@ View **Top remediation activities** in the [threat and vulnerability management
## Remediation activities
-When you [submit a remediation request](tvm-security-recommendation.md#request-remediation) from the [Security recommendations page](tvm-security-recommendation.md), it kicks-off a remediation activity. A security task is created which will be tracked in the threat and vulnerability management **Remediation** page, and a remediation ticket is created in Microsoft Intune.
+When you [submit a remediation request](tvm-security-recommendation.md#request-remediation) from the [Security recommendations page](tvm-security-recommendation.md), it kicks-off a remediation activity. A security task is created that can be tracked in the threat and vulnerability management **Remediation** page, and a remediation ticket is created in Microsoft Intune.
Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete.

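Review bot: In the edited sentence, "it kicks-off a remediation activity" hyphenates a verb; it should be "kicks off". The change from "which will be tracked" to "that can be tracked" also weakens the statement from something the product does to something it may do. If tracking is automatic once the request is submitted, keep "is tracked" or "will be tracked".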
@@ -66,8 +66,8 @@ The exceptions you've filed will show up in the **Remediation** page, in the **E
You can take the following actions on an exception:
-- Cancel - You can cancel the exceptions you've filed any time
-- Resurface - Your exception automatically becomes void and resurfaces in the security recommendation list when dynamic environmental factors change, which adversely affect the exposure impact associated with a recommendation that had previously been excluded
+- Cancel - You can cancel the exceptions you've filed anytime
+- Resurface - Your exception automatically becomes void and resurfaces in the security recommendation list when dynamic environmental factors change. It adversely affects the exposure impact associated with a recommendation that had previously been excluded.
The following statuses will be a part of an exception:
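Review bot: The split in the **Resurface** bullet changes the meaning. The old text said the exception resurfaces when environmental factors change in a way that adversely affects the exposure impact; the new second sentence, "It adversely affects the exposure impact ...", reads as if the exception or the resurfacing itself has that adverse effect. Suggest "... when dynamic environmental factors change and adversely affect the exposure impact associated with a recommendation that had previously been excluded." The two bullets also end inconsistently now (no period on Cancel, period on Resurface).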
@@ -89,7 +89,7 @@ The exception impact shows on both the Security recommendations page column and
### View exceptions in other places
-Select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard to open a filtered view in the **Security recommendations** page of recommendations with an "Exception" status.
+Select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard. It will open a filtered view in the **Security recommendations** page of recommendations with an "Exception" status.

diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
index 889e5059e7..d29f6dfc63 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
@@ -1,58 +1,58 @@
----
-title: Supported operating systems and platforms for threat and vulnerability management
-description: Before you begin, ensure that you meet the operating system or platform requisites for threat and vulnerability management so the activities in your all devices are properly accounted for.
-keywords: threat & vulnerability management, threat and vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score
-search.appverid: met150
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-# Supported operating systems and platforms - threat and vulnerability management
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-
-Before you begin, ensure that you meet the following operating system or platform requisites for threat and vulnerability management so the activities in your devices are properly accounted for.
-
->[!NOTE]
->The supported systems and platforms for threat and vulnerability management may be different from the [Minimum requirements for Microsoft Defender ATP](minimum-requirements.md) list.
-
-Operating system | Security assessment support
-:---|:---
-Windows 7 | Operating System (OS) vulnerabilities
-Windows 8.1 | Not supported
-Windows 10 1607-1703 | Operating System (OS) vulnerabilities
-Windows 10 1709+ |Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-Windows Server 2008 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-Windows Server 2012 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-Windows Server 2016 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-Windows Server 2019 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-macOS | Not supported (planned)
-Linux | Not supported (planned)
-
-## Related topics
-
-- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
-- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
-- [Exposure score](tvm-exposure-score.md)
-- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
-- [Security recommendations](tvm-security-recommendation.md)
-- [Remediation and exception](tvm-remediation.md)
-- [Software inventory](tvm-software-inventory.md)
-- [Weaknesses](tvm-weaknesses.md)
-- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
-- [Configure data access for threat and vulnerability management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+---
+title: Supported operating systems and platforms for threat and vulnerability management
+description: Before you begin, ensure that you meet the operating system or platform requisites for threat and vulnerability management so the activities in your all devices are properly accounted for.
+keywords: threat & vulnerability management, threat and vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score
+search.appverid: met150
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+# Supported operating systems and platforms - threat and vulnerability management
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+
+Before you begin, ensure that you meet the following operating system or platform requisites for threat and vulnerability management so the activities in your devices are properly accounted for.
+
+>[!NOTE]
+>The supported systems and platforms for threat and vulnerability management may be different from the [Minimum requirements for Microsoft Defender ATP](minimum-requirements.md) list.
+
+Operating system | Security assessment support
+:---|:---
+Windows 7 | Operating System (OS) vulnerabilities
+Windows 8.1 | Not supported
+Windows 10 1607-1703 | Operating System (OS) vulnerabilities
+Windows 10 1709+ |Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
+Windows Server 2008 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
+Windows Server 2012 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
+Windows Server 2016 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
+Windows Server 2019 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
+macOS | Not supported (planned)
+Linux | Not supported (planned)
+
+## Related topics
+
+- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
+- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Remediation and exception](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
+- [Configure data access for threat and vulnerability management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
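Review bot: This hunk removes and re-adds all 58 lines of tvm-supported-os.md with no visible text difference, which points to a line-ending or whitespace-only change. Please say so in the commit message, or split it into its own commit, so the file's history stays readable. If the file is being rewritten anyway, the description line still contains "the activities in your all devices", which should read "in all your devices".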
diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
index 38a2c6d170..6a1a315729 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
@@ -1,6 +1,6 @@
---
title: Update alert entity API
-description: Update a Microsoft Defender ATP alert via this API.
+description: Learn how to update a Microsoft Defender ATP alert by using this API. You can update the status, determination, classification, and assignedTo properties.
keywords: apis, graph api, supported apis, get, alert, information, id
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
index d58c080f49..4514bd1e98 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
@@ -30,19 +30,21 @@ ms.topic: article
The following steps guide you on how to create roles in Microsoft Defender Security Center. It assumes that you have already created Azure Active Directory user groups.
-1. In the navigation pane, select **Settings > Roles**.
+1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com/) using account with a Security administrator or Global administrator role assigned.
-2. Select **Add item**.
+2. In the navigation pane, select **Settings > Roles**.
-3. Enter the role name, description, and permissions you'd like to assign to the role.
+3. Select **Add item**.
-4. Select **Next** to assign the role to an Azure AD Security group.
+4. Enter the role name, description, and permissions you'd like to assign to the role.
-5. Use the filter to select the Azure AD group that you'd like to add to this role to.
+5. Select **Next** to assign the role to an Azure AD Security group.
-6. **Save and close**.
+6. Use the filter to select the Azure AD group that you'd like to add to this role to.
-7. Apply the configuration settings.
+7. **Save and close**.
+
+8. Apply the configuration settings.
> [!IMPORTANT]
> After creating roles, you'll need to create a device group and provide access to the device group by assigning it to a role that you just created.
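Review bot: New step 1 reads "using account with a Security administrator or Global administrator role assigned", which is missing an article. Suggest "using an account with the Security administrator or Global administrator role assigned". Because step 6 is being renumbered anyway, also drop the doubled preposition in "that you'd like to add to this role to".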
@@ -81,19 +83,27 @@ For more information on the available commands, see [Investigate devices using L
## Edit roles
-1. Select the role you'd like to edit.
+1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com/) using account with Security administrator or Global administrator role assigned.
-2. Click **Edit**.
+2. In the navigation pane, select **Settings > Roles**.
-3. Modify the details or the groups that are assigned to the role.
+3. Select the role you'd like to edit.
-4. Click **Save and close**.
+4. Click **Edit**.
+
+5. Modify the details or the groups that are assigned to the role.
+
+6. Click **Save and close**.
## Delete roles
-1. Select the role you'd like to delete.
+1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com/) using account with Security administrator or Global administrator role assigned.
-2. Click the drop-down button and select **Delete role**.
+2. In the navigation pane, select **Settings > Roles**.
+
+3. Select the role you'd like to delete.
+
+4. Click the drop-down button and select **Delete role**.
## Related topic
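Review bot: Step 1 under Edit roles and under Delete roles has the same missing article ("using account with Security administrator ..."). Its wording also differs from step 1 of the create procedure, which says "a Security administrator". Suggest one identical sentence in all three procedures. These two procedures also mix "Click" (Edit, Save and close) with "select" in the new navigation step; pick one verb.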
diff --git a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
index 0a72f9fa7d..73f10d1488 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
@@ -49,7 +49,7 @@ Incident severity | Description
High (Red) | Threats often associated with advanced persistent threats (APT). These incidents indicate a high risk due to the severity of damage they can inflict on devices.
Medium (Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
Low (Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
-Informational (Grey) | Informational incidents are those that might not be considered harmful to the network but might be good to keep track of.
+Informational (Grey) | Informational incidents might not be considered harmful to the network but might be good to keep track of.
## Assigned to
You can choose to filter the list by selecting assigned to anyone or ones that are assigned to you.
@@ -65,16 +65,15 @@ Use this filter to show incidents that contain sensitivity labels.
## Incident naming
-To understand the incident's scope at-a-glance, automatic incident naming, currently in public preview, generates incident names based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories.
+To understand the incident's scope at a glance, incident names are automatically generated based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories.
For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
> [!NOTE]
-> Incidents that existed prior the rollout of automatic incident naming will not have their name changed.
+> Incidents that existed prior the rollout of automatic incident naming will retain their name.
-Learn more about [turning on preview features](preview.md#turn-on-preview-features).
-## Related topics
+## See also
- [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue)
- [Manage incidents](manage-incidents.md)
- [Investigate incidents](investigate-incidents.md)
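Review bot: The reworded note still reads "prior the rollout"; it needs "prior to the rollout". In the renamed See also list, the first entry links to view-incidents-queue, which is the file being edited, so it is a self-link and can be dropped.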
diff --git a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md
index 73aeb36a61..15ec215f1c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md
@@ -1,50 +1,50 @@
----
-title: Vulnerability methods and properties
-description: Retrieves vulnerability information
-keywords: apis, graph api, supported apis, get, vulnerability
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Vulnerability resource type
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-Method |Return Type |Description
-:---|:---|:---
-[Get all vulnerabilities](get-all-vulnerabilities.md) | Vulnerability collection | Retrieves a list of all the vulnerabilities affecting the organization
-[Get vulnerability by Id](get-vulnerability-by-id.md) | Vulnerability | Retrieves vulnerability information by its ID
-[List devices by vulnerability](get-machines-by-vulnerability.md)| MachineRef collection | Retrieve a list of devices that are associated with the vulnerability ID
-
-
-## Properties
-Property | Type | Description
-:---|:---|:---
-id | String | Vulnerability ID
-Name | String | Vulnerability title
-Description | String | Vulnerability description
-Severity | String | Vulnerability Severity. Possible values are: “Low”, “Medium”, “High”, “Critical”
-cvssV3 | Double | CVSS v3 score
-exposedMachines | Long | Number of exposed devices
-publishedOn | DateTime | Date when vulnerability was published
-updatedOn | DateTime | Date when vulnerability was updated
-publicExploit | Boolean | Public exploit exists
-exploitVerified | Boolean | Exploit is verified to work
-exploitInKit | Boolean | Exploit is part of an exploit kit
-exploitTypes | String collection | Exploit impact. Possible values are: “Denial of service”, “Local privilege escalation”, “Denial of service”
-exploitUris | String collection | Exploit source URLs
+---
+title: Vulnerability methods and properties
+description: Retrieves vulnerability information
+keywords: apis, graph api, supported apis, get, vulnerability
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Vulnerability resource type
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Methods
+Method |Return Type |Description
+:---|:---|:---
+[Get all vulnerabilities](get-all-vulnerabilities.md) | Vulnerability collection | Retrieves a list of all the vulnerabilities affecting the organization
+[Get vulnerability by Id](get-vulnerability-by-id.md) | Vulnerability | Retrieves vulnerability information by its ID
+[List devices by vulnerability](get-machines-by-vulnerability.md)| MachineRef collection | Retrieve a list of devices that are associated with the vulnerability ID
+
+
+## Properties
+Property | Type | Description
+:---|:---|:---
+id | String | Vulnerability ID
+Name | String | Vulnerability title
+Description | String | Vulnerability description
+Severity | String | Vulnerability Severity. Possible values are: “Low”, “Medium”, “High”, “Critical”
+cvssV3 | Double | CVSS v3 score
+exposedMachines | Long | Number of exposed devices
+publishedOn | DateTime | Date when vulnerability was published
+updatedOn | DateTime | Date when vulnerability was updated
+publicExploit | Boolean | Public exploit exists
+exploitVerified | Boolean | Exploit is verified to work
+exploitInKit | Boolean | Exploit is part of an exploit kit
+exploitTypes | String collection | Exploit impact. Possible values are: “Denial of service”, “Local privilege escalation”, “Denial of service”
+exploitUris | String collection | Exploit source URLs
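Review bot: Every removed line reappears unchanged as an added line, so this looks like a line-ending or encoding rewrite of the whole file. Please say so in the commit message so reviewers do not have to compare 50 lines by eye. While the file is being rewritten, the exploitTypes row lists "Denial of service" twice in its possible values; remove the duplicate or replace it with the intended third value.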
diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
index 906f92f4f8..5b63a7546e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
@@ -139,7 +139,7 @@ Threat Analytics is a set of interactive reports published by the Microsoft Defe
- [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)
- Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/).
- - Microsoft Defender Antivirus, new in Windows 10 version 1809, can now [run within a sandbox](https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/microsoft-defender-antivirus-can-now-run-in-a-sandbox/) (preview), increasing its security.
+ - Microsoft Defender Antivirus, new in Windows 10 version 1809, can now [run within a sandbox](https://www.microsoft.com/security/blog/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox) (preview), increasing its security.
- [Configure CPU priority settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus) for Microsoft Defender Antivirus scans.
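Review bot: The sandbox link moves from cloudblogs.microsoft.com to www.microsoft.com/security/blog, but the AMSI bullet two lines above it still points at cloudblogs.microsoft.com/microsoftsecure/. If the blog host changed, update that link in the same change so the section does not mix old and new hosts.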
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
index 4f0891df0c..3956891c0c 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
@@ -33,29 +33,29 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
Description
-
Windows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreenWindows 10, version 1703:
+
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen
Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreenWindows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreenWindows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen
Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreenAt least Windows Server 2012, Windows 8 or Windows RT
This policy setting turns on Microsoft Defender SmartScreen.
-
Windows 10, version 2004:
-
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install ControlWindows 10, version 1703:
-
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install ControlWindows 10, version 1703
-This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.
+Windows 10, version 2004:
+
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install ControlWindows 10, version 1703:
+
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install ControlWindows 10, version 1703
+This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.
-
Windows 10, version 2004:
+
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreenWindows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreenMicrosoft Edge on Windows 10 or later
This policy setting turns on Microsoft Defender SmartScreen.
-
Windows 10, version 2004:
+
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for filesWindows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for filesMicrosoft Edge on Windows 10, version 1511 or later
This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.
-
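Review bot: In the App Install Control description, both the removed and the added line read "from the internet.This setting", with no space after the period. Since the line is being re-added anyway, insert the space between the two sentences.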
@@ -90,11 +90,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C
Windows 10, version 2004:
+
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sitesWindows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sitesMicrosoft Edge on Windows 10, version 1511 or later
This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.
Windows 10
-
+
-
+
@@ -102,11 +102,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C
Windows 10, version 1703
-
+
-
+
@@ -114,11 +114,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C
Windows 10, version 1703
-
+
-
+
@@ -126,11 +126,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C
Windows 10, version 1703
-
+
-
+
@@ -138,11 +138,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C
Windows 10, Version 1511 and later
-
+
-
+
@@ -150,11 +150,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C
Windows 10, Version 1511 and later
-
+
-
+
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreen
-Enable. Turns on Microsoft Defender SmartScreen.
+Enable. Turns on Microsoft Defender SmartScreen.
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites
-Enable. Stops employees from ignoring warning messages and continuing to a potentially malicious website.
+Enable. Stops employees from ignoring warning messages and continuing to a potentially malicious website.
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files
-Enable. Stops employees from ignoring warning messages and continuing to download potentially malicious files.
+Enable. Stops employees from ignoring warning messages and continuing to download potentially malicious files.
Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreen
-Enable with the Warn and prevent bypass option. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.
+Enable with the Warn and prevent bypass option. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.
Browser/AllowSmartScreen
-1. Turns on Microsoft Defender SmartScreen.
+1. Turns on Microsoft Defender SmartScreen.
Browser/PreventSmartScreenPromptOverride
-1. Stops employees from ignoring warning messages and continuing to a potentially malicious website.
+1. Stops employees from ignoring warning messages and continuing to a potentially malicious website.
Browser/PreventSmartScreenPromptOverrideForFiles
-1. Stops employees from ignoring warning messages and continuing to download potentially malicious files.
+1. Stops employees from ignoring warning messages and continuing to download potentially malicious files.
SmartScreen/EnableSmartScreenInShell
-1. Turns on Microsoft Defender SmartScreen in Windows.
+1. Turns on Microsoft Defender SmartScreen in Windows.
SmartScreen/PreventOverrideForFilesInShell
-1. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.
+1. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
index 3cac5abbce..c43cf96fee 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
@@ -99,9 +99,9 @@ The following table provides an example of how to list applications for each bus
-
diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index d726f7ff56..905bf8c06a 100644
--- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -351,7 +351,7 @@ The following table details the hardware requirements for both virtualization-ba
Specific EMET features
-How these EMET features map
+
-to Windows 10 featuresSpecific EMET features
+How these EMET features map
+to Windows 10 features
Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
DACL:
• Revision: 0x02
• Size: 0x0020
• Ace Count: 0x001
• Ace[00]-------------------------
AceType:0x00
(ACCESS\_ALLOWED_ACE_TYPE)
AceSize:0x0018
InheritFlags:0x00
Access Mask:0x00020000
AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544)
SACL: Not present |Grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. |
+|Windows 10, version 1607 (or later) non-domain controller|O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
DACL:
• Revision: 0x02
• Size: 0x0020
• Ace Count: 0x001
• Ace[00]-------------------------
AceType:0x00
(ACCESS\_ALLOWED_ACE_TYPE)
AceSize:0x0018
InheritFlags:0x00
Access Mask:0x00020000
AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544)
SACL: Not present |Grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. |
|Earlier non-domain controller |-|-|No access check is performed by default.|
## Policy management
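Review bot: In the added Windows 10, version 1607 row, the owner and primary group are written as NTAUTHORITY/SYSTEM; the account name is NT AUTHORITY\SYSTEM. The ACE type is also written as ACCESS\_ALLOWED_ACE_TYPE, with a backslash before only the first underscore. Escape all of the underscores or put the constant in code formatting.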
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
index 7ac5a2faeb..1f35434f95 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
@@ -59,12 +59,12 @@ You can perform this task by using the Group Policy Management Console for an Ap
-
+
-
@@ -87,30 +87,30 @@ You can perform this task by using the Group Policy Management Console for an Ap
+
-
-
+
+
-
+
-
+
-
+
-
-
+
+
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
index 5bfe8d38ed..1d132ac242 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
@@ -131,7 +131,7 @@ An AppLocker policy deployment plan is the result of investigating which applica
-Event processing policy
+Event processing policy
-Policy maintenance policy
+Policy maintenance policy
-Application control function differences
+Application control function differences
The following table compares the application control functions of Software Restriction Policies (SRP) and AppLocker.
@@ -141,7 +141,7 @@ The following table compares the application control functions of Software Restr
[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) |
+| Review important concepts and examples for certificate-based authentication to determine if this design meets your implementation goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) |
| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.| |
| Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)|
| Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)|
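Review bot: The task text now says "implementation goals", but the first reference in the same row is still titled "Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals" and targets a ...-deployment-goals.md file. Either keep "deployment goals" in the task text or rename the linked topic; otherwise the row uses two terms for the same thing. The domain isolation and standalone server isolation checklist rows later in this patch have the same mismatch.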
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
index 139618cb53..f9ac702f70 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
@@ -1,6 +1,6 @@
---
title: Checklist Implementing a Domain Isolation Policy Design (Windows 10)
-description: Checklist Implementing a Domain Isolation Policy Design
+description: Use these references to learn about the domain isolation policy design and links to other checklists to complete tasks require to implement this design.
ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20
ms.reviewer:
ms.author: dansimp
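Review bot: The new description has a grammar error: "to complete tasks require to implement this design" should read "tasks required to implement this design". The first half is also hard to parse ("learn about ... and links to other checklists"). Suggest "Use these references to learn about the domain isolation policy design, with links to the checklists for the tasks required to implement it."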
@@ -25,7 +25,8 @@ ms.date: 08/17/2017
This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
->**Note:** Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
+> [!NOTE]
+> Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md).
@@ -33,7 +34,7 @@ The procedures in this section use the Group Policy MMC snap-ins to configure th
| Task | Reference |
| - | - |
-| Review important concepts and examples for the domain isolation policy design, determine your Windows Defender Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Domain Isolation Policy Design](domain-isolation-policy-design.md)
[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
[Planning Domain Isolation Zones](planning-domain-isolation-zones.md) |
+| Review important concepts and examples for the domain isolation policy design, determine your Windows Defender Firewall with Advanced Security implementation goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Domain Isolation Policy Design](domain-isolation-policy-design.md)
[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
[Planning Domain Isolation Zones](planning-domain-isolation-zones.md) |
| Create the GPOs and connection security rules for the isolated domain.| [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)|
| Create the GPOs and connection security rules for the boundary zone.| [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)|
| Create the GPOs and connection security rules for the encryption zone.| [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)|
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
index 05aad0007e..5428613f80 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
@@ -1,6 +1,6 @@
---
title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows 10)
-description: Checklist Implementing a Standalone Server Isolation Policy Design
+description: Use these tasks to create a server isolation policy design that is not part of an isolated domain. See references to concepts and links to other checklists.
ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3
ms.reviewer:
ms.author: dansimp
@@ -27,13 +27,14 @@ This checklist contains procedures for creating a server isolation policy design
This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
->**Note:** Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
+> [!NOTE]
+> Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
**Checklist: Implementing a standalone server isolation policy design**
| Task | Reference |
| - | - |
-| Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Server Isolation Policy Design](server-isolation-policy-design.md)
[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
[Planning Server Isolation Zones](planning-server-isolation-zones.md) |
+| Review important concepts and examples for the server isolation policy design to determine if this design meets your implementation goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Server Isolation Policy Design](server-isolation-policy-design.md)
[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
[Planning Server Isolation Zones](planning-server-isolation-zones.md) |
| Create the GPOs and connection security rules for isolated servers.| [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)|
| Create the GPOs and connection security rules for the client devices that must connect to the isolated servers. | [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)|
| Verify that the connection security rules are protecting network traffic on your test devices. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)|
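Review bot: The rewritten first table row now says "implementation goals", but the link in the same cell is still titled "Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals", so the row uses two names for the same thing. Either keep "deployment goals" in the task text or rename the linked topic in the same change so that the wording and the link title agree.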
diff --git a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md
index 1537a9a193..547685f707 100644
--- a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md
+++ b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md
@@ -1,6 +1,6 @@
---
title: Configure Authentication Methods (Windows 10)
-description: Configure Authentication Methods
+description: Learn how to configure authentication methods for devices in an isolated domain or standalone server zone in Windows Defender Firewall with Advanced Security.
ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
index 70452597e6..886c851257 100644
--- a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
+++ b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
@@ -1,6 +1,6 @@
---
title: Configure Data Protection (Quick Mode) Settings (Windows 10)
-description: Configure Data Protection (Quick Mode) Settings
+description: Learn how to configure the data protection settings for connection security rules in an isolated domain or a standalone isolated server zone.
ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
index c16f30452b..c619cda63c 100644
--- a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
+++ b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
@@ -1,6 +1,6 @@
---
title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows 10)
-description: Configure Group Policy to Autoenroll and Deploy Certificates
+description: Learn how to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network.
ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
index b8743e2e69..7666bdc174 100644
--- a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
+++ b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
@@ -1,6 +1,6 @@
---
title: Configure Key Exchange (Main Mode) Settings (Windows 10)
-description: Configure Key Exchange (Main Mode) Settings
+description: Learn how to configure the main mode key exchange settings used to secure the IPsec authentication traffic in Windows Defender Firewall with Advanced Security.
ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
index 7fde7baa03..ca7c77dfd2 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
@@ -1,6 +1,6 @@
---
title: Configure the Rules to Require Encryption (Windows 10)
-description: Configure the Rules to Require Encryption
+description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that do not use encryption for zones that require encryption.
ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
index 537198bd08..8cb54165e1 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
@@ -1,6 +1,6 @@
---
title: Configure the Windows Defender Firewall Log (Windows 10)
-description: Configure the Windows Defender Firewall Log
+description: Learn how to configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections by using Group Policy Management MMC.
ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18
ms.reviewer:
ms.author: dansimp
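Review bot: The new description ends with "by using Group Policy Management MMC", which drops both the article and "snap-in"; the other descriptions in this patch write "the Group Policy Management MMC snap-in". Suggest using the same wording here and trimming elsewhere in the sentence if the length limit is the constraint.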
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
index 61f12fe05d..927053f40c 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
@@ -1,6 +1,6 @@
---
title: Configure the Workstation Authentication Template (Windows 10)
-description: Configure the Workstation Authentication Certificate Template
+description: Learn how to configure a workstation authentication certificate template, which is used for device certificates that are enrolled and deployed to workstations.
ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
index 566425e4b8..65704e92f5 100644
--- a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
+++ b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
@@ -1,6 +1,6 @@
---
title: Confirm That Certificates Are Deployed Correctly (Windows 10)
-description: Confirm That Certificates Are Deployed Correctly
+description: Learn how to confirm that a Group Policy is being applied as expected and that the certificates are being properly installed on the workstations.
ms.assetid: de0c8dfe-16b0-4d3b-8e8f-9282f6a65eee
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
index e9c8024043..51ecd3fcb2 100644
--- a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
@@ -1,6 +1,6 @@
---
title: Copy a GPO to Create a New GPO (Windows 10)
-description: Copy a GPO to Create a New GPO
+description: Learn how to make a copy of a GPO by using the Active Directory Users and devices MMC snap-in to create a GPO for boundary zone devices.
ms.assetid: 7f6a23e5-4b3f-40d6-bf6d-7895558b1406
ms.reviewer:
ms.author: dansimp
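Review bot: The new description refers to the "Active Directory Users and devices MMC snap-in", which looks like a computers-to-devices search-and-replace that also hit a product name. The create-a-group-account and create-a-group-policy-object descriptions in this same patch spell it "Active Directory Users and Computers"; use that name here too.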
diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
index 5e5b2b22d9..35f885a1ee 100644
--- a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
+++ b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
@@ -1,6 +1,6 @@
---
title: Create a Group Account in Active Directory (Windows 10)
-description: Create a Group Account in Active Directory
+description: Learn how to create a security group for the computers that are to receive Group Policy settings by using the Active Directory Users and Computers console.
ms.assetid: c3700413-e02d-4d56-96b8-7991f97ae432
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
index b790f7d1ac..b2cef93530 100644
--- a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
+++ b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
@@ -1,6 +1,6 @@
---
title: Create a Group Policy Object (Windows 10)
-description: Create a Group Policy Object
+description: Learn how to use the Active Directory Users and Computers MMC snap-in to create a GPO. You must be a member of the Domain Administrators group.
ms.assetid: 72a50dd7-5033-4d97-a5eb-0aff8a35cced
ms.reviewer:
ms.author: dansimp
@@ -39,7 +39,8 @@ To create a new GPO
4. In the **Name** text box, type the name for your new GPO.
- >**Note:** Be sure to use a name that clearly indicates the purpose of the GPO. Check to see if your organization has a naming convention for GPOs.
+ > [!NOTE]
+ > Be sure to use a name that clearly indicates the purpose of the GPO. Check to see if your organization has a naming convention for GPOs.
5. Leave **Source Starter GPO** set to **(none)**, and then click **OK**.
diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
index 2f97c1e3a7..bdcad85769 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
@@ -1,6 +1,6 @@
---
title: Create an Authentication Exemption List Rule (Windows 10)
-description: Create an Authentication Exemption List Rule
+description: Learn how to create rules that exempt devices that cannot communicate by using IPSec from the authentication requirements of your isolation policies.
ms.assetid: 8f6493f3-8527-462a-82c0-fd91a6cb5dd8
ms.reviewer:
ms.author: dansimp
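Review bot: The added description spells the protocol "IPSec", while the configure-key-exchange-main-mode-settings description in this patch uses "IPsec". Pick one spelling across the descriptions; "IPsec" matches the other changed line.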
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
index 2c0470e6c8..914c035aa9 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
@@ -1,6 +1,6 @@
---
title: Create an Inbound ICMP Rule (Windows 10)
-description: Create an Inbound ICMP Rule
+description: Learn how to allow inbound ICMP traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
ms.assetid: 267b940a-79d9-4322-b53b-81901e357344
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
index 2c3d3fccae..89db14ccae 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
@@ -1,6 +1,6 @@
---
title: Create an Inbound Port Rule (Windows 10)
-description: Create an Inbound Port Rule
+description: Learn to allow traffic on specific ports by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
ms.assetid: a7b6c6ca-32fa-46a9-a5df-a4e43147da9f
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
index 401e8de3f6..c2d887fe0d 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
@@ -1,6 +1,6 @@
---
title: Create an Inbound Program or Service Rule (Windows 10)
-description: Create an Inbound Program or Service Rule
+description: Learn how to allow inbound traffic to a program or service by using the Group Policy Management MMC snap-in to create firewall rules.
ms.assetid: 00b7fa60-7c64-4ba5-ba95-c542052834cf
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
index 19ced05694..db459ab562 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
@@ -1,6 +1,6 @@
---
title: Create an Outbound Port Rule (Windows 10)
-description: Create an Outbound Port Rule
+description: Learn to block outbound traffic on a port by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
ms.assetid: 59062b91-756b-42ea-8f2a-832f05d77ddf
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
index 84b71ac1f8..e44f10923b 100644
--- a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
+++ b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
@@ -1,6 +1,6 @@
---
title: Create Inbound Rules to Support RPC (Windows 10)
-description: Create Inbound Rules to Support RPC
+description: Learn how to allow RPC network traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
ms.assetid: 0b001c2c-12c1-4a30-bb99-0c034d7e6150
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index e7201d21c3..9b88cddfe3 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -1,6 +1,6 @@
---
title: Create Windows Firewall rules in Intune (Windows 10)
-description: Explains how to create Windows Firewall rules in Intune
+description: Learn how to use Intune to create rules in Windows Defender Firewall with Advanced Security. Start by creating a profile in Device Configuration in Intune.
ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431
ms.reviewer:
ms.author: dansimp
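Review bot: The new description names the product "Windows Defender Firewall with Advanced Security", but the unchanged title on the line above still reads "Create Windows Firewall rules in Intune". Since this hunk already touches the front matter, consider updating the title as well so search results do not show two product names for one page.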
diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
index 57292a294e..ebcd8943b9 100644
--- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
@@ -1,6 +1,6 @@
---
title: Create WMI Filters for the GPO (Windows 10)
-description: Create WMI Filters for the GPO
+description: Learn how to use WMI filters on a GPO to make sure that each GPO for a group can only be applied to devices running the correct version of Windows.
ms.assetid: b1a6d93d-a3c8-4e61-a388-4a3323f0e74e
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
index d7bed686fa..b4f3c5a658 100644
--- a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
+++ b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
@@ -1,6 +1,6 @@
---
title: Determining the Trusted State of Your Devices (Windows 10)
-description: Determining the Trusted State of Your Devices
+description: Learn how to define the trusted state of devices in your enterprise to help design your strategy for using Windows Defender Firewall with Advanced Security.
ms.assetid: 3e77f0d0-43aa-47dd-8518-41ccdab2f2b2
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
index 0fa1893aa6..6ed3a0bf2a 100644
--- a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
@@ -1,6 +1,6 @@
---
title: Documenting the Zones (Windows 10)
-description: Documenting the Zones
+description: Learn how to document the zone placement of devices in your design for Windows Defender Firewall with Advanced Security.
ms.assetid: ebd7a650-4d36-42d4-aac0-428617f5a32d
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
index d0e345f2c5..bdc9a665db 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
@@ -1,6 +1,6 @@
---
title: Domain Isolation Policy Design Example (Windows 10)
-description: Domain Isolation Policy Design Example
+description: This example uses a fictitious company to illustrate domain isolation policy design in Windows Defender Firewall with Advanced Security.
ms.assetid: 704dcf58-286f-41aa-80af-c81720aa7fc5
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
index 948932fb53..ab6c8e4327 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
@@ -1,6 +1,6 @@
---
title: Domain Isolation Policy Design (Windows 10)
-description: Domain Isolation Policy Design
+description: Learn how to design a domain isolation policy, based on which devices accept only connections from authenticated members of the same isolated domain.
ms.assetid: 7475084e-f231-473a-9357-5e1d39861d66
ms.reviewer:
ms.author: dansimp
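Review bot: The new description is hard to parse at "a domain isolation policy, based on which devices accept only connections from authenticated members": "based on which" reads as if it introduces a question about which devices. Suggest something like "Learn how to design a domain isolation policy in which devices accept connections only from authenticated members of the same isolated domain."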
@@ -50,8 +50,8 @@ Characteristics of this design, as shown in the diagram, include the following:
- Untrusted non-domain members (area D) - Devices that are not managed by your organization and have an unknown security configuration must have access only to those devices required for your organization to correctly conduct its business. Domain isolation exists to put a logical barrier between these untrusted Devices and your organization's devices.
After implementing this design, your administrative team will have centralized management of the firewall and connection security rules applied to the devices in your organization.
-
->**Important:** This design builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md), and in turn serves as the foundation for the [Server Isolation Policy Design](server-isolation-policy-design.md). If you plan to deploy all three, we recommend that you do the design work for all three together, and then deploy in the sequence presented.
+> [!IMPORTANT]
+> This design builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md), and in turn serves as the foundation for the [Server Isolation Policy Design](server-isolation-policy-design.md). If you plan to deploy all three, we recommend that you do the design work for all three together, and then deploy in the sequence presented.
This design can be applied to Devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules.
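Review bot: The blank line that separated the paragraph ending "applied to the devices in your organization." from the callout is removed along with the old ">**Important:**" line, so the new "> [!IMPORTANT]" alert now starts directly under that paragraph. Suggest keeping the blank line before the alert so that its rendering does not depend on the parser allowing a block quote to interrupt a paragraph.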
@@ -59,7 +59,7 @@ In order to expand the isolated domain to include Devices that cannot be part of
For more info about this design:
-- This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md).
+- This design coincides with the implementation goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md).
- To learn more about this design, see the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md).
diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md
index 17c9f0d4ee..92491a2ab8 100644
--- a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md
+++ b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md
@@ -1,6 +1,6 @@
---
title: Enable Predefined Outbound Rules (Windows 10)
-description: Enable Predefined Outbound Rules
+description: Learn to deploy predefined firewall rules that block outbound network traffic for common network functions in Windows Defender Firewall with Advanced Security.
ms.assetid: 71cc4157-a1ed-41d9-91e4-b3140c67c1be
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
index 1a2eab4b13..33338e8b52 100644
--- a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
@@ -1,6 +1,6 @@
---
title: Encryption Zone GPOs (Windows 10)
-description: Encryption Zone GPOs
+description: Learn how to add a device to an encryption zone by adding the device account to the encryption zone group in Windows Defender Firewall with Advanced Security.
ms.assetid: eeb973dd-83a5-4381-9af9-65c43c98c29b
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md
index ced058672b..097cbdf870 100644
--- a/windows/security/threat-protection/windows-firewall/encryption-zone.md
+++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md
@@ -1,6 +1,6 @@
---
title: Encryption Zone (Windows 10)
-description: Encryption Zone
+description: Learn how to create an encryption zone to contain devices that host very sensitive data and require that the sensitive network traffic be encrypted.
ms.assetid: 55a025ce-357f-4d1b-b2ae-6ee32c9abe13
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md
index 4293f9cc59..5b87eef36e 100644
--- a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md
+++ b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md
@@ -1,6 +1,6 @@
---
title: Exempt ICMP from Authentication (Windows 10)
-description: Exempt ICMP from Authentication
+description: Learn how to add exemptions for any network traffic that uses the ICMP protocol in Windows Defender Firewall with Advanced Security.
ms.assetid: c086c715-8d0c-4eb5-9ea7-2f7635a55548
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md
index f66bc68daa..eb4909a401 100644
--- a/windows/security/threat-protection/windows-firewall/exemption-list.md
+++ b/windows/security/threat-protection/windows-firewall/exemption-list.md
@@ -1,6 +1,6 @@
---
title: Exemption List (Windows 10)
-description: Learn the ins and outs of exemption lists on a secured network using Windows 10.
+description: Learn about reasons to add devices to an exemption list in Windows Defender Firewall with Advanced Security and the trade-offs of having too many exemptions.
ms.assetid: a05e65b4-b48d-44b1-a7f1-3a8ea9c19ed8
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/firewall-gpos.md b/windows/security/threat-protection/windows-firewall/firewall-gpos.md
index 1af381ba0e..e40d0eddc7 100644
--- a/windows/security/threat-protection/windows-firewall/firewall-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-gpos.md
@@ -1,6 +1,6 @@
---
title: Firewall GPOs (Windows 10)
-description: Firewall GPOs
+description: In this example, a Group Policy Object is linked to the domain container because the domain controllers are not part of the isolated domain.
ms.assetid: 720645fb-a01f-491e-8d05-c9c6d5e28033
ms.reviewer:
ms.author: dansimp
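Review bot: The new description opens with "In this example, a Group Policy Object is linked to the domain container because ...", which reads like a sentence lifted from the body and does not say what a page titled "Firewall GPOs" covers. Since this text is what search results show, suggest a summary of the topic itself, in the "Learn ..." form used by the other descriptions in this patch.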
diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
index 5127569bc4..ca7bc12d6f 100644
--- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
@@ -1,6 +1,6 @@
---
-title: Firewall Policy Design Example (Windows 10)
-description: Firewall Policy Design Example
+title: Basic Firewall Policy Design Example (Windows 10)
+description: This example features a fictitious company and illustrates firewall policy design for Windows Defender Firewall with Advanced Security.
ms.assetid: 0dc3bcfe-7a4d-4a15-93a9-64b13bd775a7
ms.reviewer:
ms.author: dansimp
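Review bot: The title changes to "Basic Firewall Policy Design Example", but the new description on the next line still says "illustrates firewall policy design" without "basic". Suggest "illustrates basic firewall policy design" so that the description matches the renamed title and the H1 changed in the following hunk.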
@@ -17,7 +17,7 @@ ms.topic: conceptual
ms.date: 08/17/2017
---
-# Firewall Policy Design Example
+# Basic Firewall Policy Design Example
**Applies to**
- Windows 10
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
index cd4b6c6d78..56c50d121a 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
@@ -1,6 +1,6 @@
---
title: Gathering Information about Your Active Directory Deployment (Windows 10)
-description: Gathering Information about Your Active Directory Deployment
+description: Learn about gathering Active Directory information, including domain layout, organizational unit architecture, and site topology, for your firewall deployment.
ms.assetid: b591b85b-12ac-4329-a47e-bc1b03e66eb0
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
index 2feb5a2fd1..0d8532e07e 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
@@ -1,6 +1,6 @@
---
title: Gathering Information about Your Devices (Windows 10)
-description: Gathering Information about Your Devices
+description: Learn what information to gather about the devices in your enterprise to plan your Windows Defender Firewall with Advanced Security deployment.
ms.assetid: 7f7cd3b9-de8e-4fbf-89c6-3d1a47bc2beb
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
index 5d29784f77..44b471961b 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
@@ -1,6 +1,6 @@
---
title: Gathering Other Relevant Information (Windows 10)
-description: Gathering Other Relevant Information
+description: Learn about additional information you may need to gather to deploy Windows Defender Firewall with Advanced Security policies in your organization.
ms.assetid: 87ccca07-4346-496b-876d-cdde57d0ce17
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
index 89fc8ac3c0..da4b632a34 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
@@ -1,6 +1,6 @@
---
title: Gathering the Information You Need (Windows 10)
-description: Gathering the Information You Need
+description: Collect and analyze information about your network, directory services, and devices to prepare for Windows Defender Firewall with Advanced Security deployment.
ms.assetid: 545fef02-5725-4b1e-b67a-a32d94c27d15
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
index 006015b36a..ca757eeba4 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
@@ -1,6 +1,6 @@
---
title: GPO\_DOMISO\_Boundary (Windows 10)
-description: GPO\_DOMISO\_Boundary
+description: This example GPO supports devices that are not part of the isolated domain to access specific servers that must be available to those untrusted devices.
ms.assetid: ead3a510-c329-4c2a-9ad2-46a3b4975cfd
ms.reviewer:
ms.author: dansimp
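Review bot: The new `description` line is ungrammatical: "supports devices that are not part of the isolated domain to access specific servers" has no valid verb pattern. Suggest "This example GPO lets devices that are not part of the isolated domain access specific servers that must be available to those untrusted devices."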
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
index e16a7ecc32..ee39cb7790 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
@@ -1,6 +1,6 @@
---
title: GPO\_DOMISO\_Encryption\_WS2008 (Windows 10)
-description: GPO\_DOMISO\_Encryption\_WS2008
+description: This example GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests.
ms.assetid: 84375480-af6a-4c79-aafe-0a37115a7446
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
index e44b50dd82..3cba8b312c 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
@@ -1,6 +1,6 @@
---
title: GPO\_DOMISO\_Firewall (Windows 10)
-description: GPO\_DOMISO\_Firewall
+description: Learn about the settings and rules in this example GPO, which is authored by using the Group Policy editing tools.
ms.assetid: 318467d2-5698-4c5d-8000-7f56f5314c42
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
index 5e3a16c452..96725d8ff3 100644
--- a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
+++ b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
@@ -1,6 +1,6 @@
---
-title: Identify Goals for your WFAS Deployment (Windows 10)
-description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) Deployment Goals
+title: Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment (Windows 10)
+description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) implementation goals
ms.assetid: 598cf45e-2e1c-4947-970f-361dfa264bba
ms.reviewer:
ms.author: dansimp
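Review bot: The new `title` line mixes both terms and ends in a leftover capitalized "Deployment" ("implementation goals for ... Advanced Security Deployment"), and it is now far longer than the title it replaces. The `description` still only restates the heading, with "Your" still capitalized, while the sibling files in this patch get a full "Learn ..." sentence. Suggest dropping "Deployment" from the title and writing the description as a sentence that says what the reader will do on the page.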
@@ -17,22 +17,21 @@ ms.topic: conceptual
ms.date: 08/17/2017
---
-# Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals
-
+# Identifying Windows Defender Firewall with Advanced Security implementation goals
**Applies to**
- Windows 10
- Windows Server 2016
-Correctly identifying your Windows Defender Firewall with Advanced Security deployment goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall deployment goals presented in this guide that are relevant to your scenarios.
+Correctly identifying your Windows Defender Firewall with Advanced Security implementation goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your implementation goals. Prioritize and, if possible, combine your implementation goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall implementation goals presented in this guide that are relevant to your scenarios.
-The following table lists the three main tasks for articulating, refining, and subsequently documenting your Windows Defender Firewall deployment goals:
+The following table lists the three main tasks for articulating, refining, and subsequently documenting your Windows Defender Firewall implementation goals:
| Deployment goal tasks | Reference links |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Evaluate predefined Windows Defender Firewall with Advanced Security deployment goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives. | Predefined deployment goals:
|
-| Map one goal or a combination of the predefined deployment goals to an existing Windows Defender Firewall with Advanced Security design. |
|
-| Based on the status of your current infrastructure, document your deployment goals for your Windows Defender Firewall with Advanced Security design into a deployment plan. |
|
+| Evaluate predefined Windows Defender Firewall with Advanced Security implementation goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives. | Predefined implementation goals:
|
+| Map one goal or a combination of the predefined implementation goals to an existing Windows Defender Firewall with Advanced Security design. |
|
+| Based on the status of your current infrastructure, document your implementation goals for your Windows Defender Firewall with Advanced Security design into a deployment plan. |
|
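Review bot: The rename to "implementation goals" is incomplete in this hunk: the table header row still reads "Deployment goal tasks" (unchanged context line) while every cell below it now says "implementation goals". Either update the header to match or keep the old term throughout. The intro paragraph has the same mix, since "deployment issues" and "deployment plan" are left as they were; confirm that is intentional.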
diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
index c56fd15494..841c88ae5d 100644
--- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
+++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
@@ -48,7 +48,7 @@ Use the following parent checklists in this section of the guide to become famil
- [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md)
-- [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md)
+- [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md)
- [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md)
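Review bot: The replaced bullet now links to `checklist-implementing-a-standalone-server-isolation-policy-design.md`, but nothing in the visible part of this patch adds or touches that file. Confirm it exists in the same folder under exactly that name before merging, otherwise the duplicate-link fix turns into a broken relative link.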
diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md
index 84999a6bd2..a07f984898 100644
--- a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md
@@ -1,6 +1,6 @@
---
title: Isolated Domain GPOs (Windows 10)
-description: Isolated Domain GPOs
+description: Learn about GPOs for isolated domains in this example configuration of Windows Defender Firewall with Advanced Security.
ms.assetid: e254ce4a-18c6-4868-8179-4078d9de215f
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain.md b/windows/security/threat-protection/windows-firewall/isolated-domain.md
index bb06dc1bff..90b121b86e 100644
--- a/windows/security/threat-protection/windows-firewall/isolated-domain.md
+++ b/windows/security/threat-protection/windows-firewall/isolated-domain.md
@@ -1,6 +1,6 @@
---
title: Isolated Domain (Windows 10)
-description: Isolated Domain
+description: Learn about the isolated domain, which is the primary zone for trusted devices, which use connection security and firewall rules to control communication.
ms.assetid: d6fa8d67-0078-49f6-9bcc-db1f24816c5e
ms.reviewer:
ms.author: dansimp
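Review bot: The new `description` line chains two "which" clauses ("which is the primary zone for trusted devices, which use connection security ..."), so it is unclear whether the second clause refers to the zone or to the devices. Suggest "Learn about the isolated domain, the primary zone for trusted devices that use connection security and firewall rules to control communication."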
diff --git a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md
index 1a5d115e8a..169d59a2df 100644
--- a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md
+++ b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md
@@ -1,6 +1,6 @@
---
title: Isolating Microsoft Store Apps on Your Network (Windows 10)
-description: Isolating Microsoft Store Apps on Your Network
+description: Learn how to customize your firewall configuration to isolate the network access of the new Microsoft Store apps that run on devices added to your network.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md
index 3b40dbd662..9f710aa000 100644
--- a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md
+++ b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md
@@ -1,6 +1,6 @@
---
title: Link the GPO to the Domain (Windows 10)
-description: Link the GPO to the Domain
+description: Learn how to link a GPO to the Active Directory container for the target devices, after you configure it in Windows Defender Firewall with Advanced Security.
ms.assetid: 746d4553-b1a6-4954-9770-a948926b1165
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
index 9c73c224b9..314389955f 100644
--- a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
@@ -1,6 +1,6 @@
---
-title: Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design (Windows 10)
-description: Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design
+title: Mapping your implementation goals to a Windows Firewall with Advanced Security design (Windows 10)
+description: Mapping your implementation goals to a Windows Firewall with Advanced Security design
ms.assetid: 7e68c59e-ba40-49c4-8e47-5de5d6b5eb22
ms.reviewer:
ms.author: dansimp
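Review bot: The new `title` and `description` lines are the same string apart from the "(Windows 10)" suffix, so the description adds nothing for search results; the other files in this patch replace the restated title with a "Learn ..." sentence, and this one should too. Both lines also say "Windows Firewall with Advanced Security" where the rest of the patch uses "Windows Defender Firewall with Advanced Security". Pick one product name and apply it here as well.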
@@ -17,17 +17,17 @@ ms.topic: conceptual
ms.date: 04/19/2017
---
-# Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design
+# Mapping your implementation goals to a Windows Firewall with Advanced Security design
**Applies to**
- Windows 10
- Windows Server 2016
-After you finish reviewing the existing Windows Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design.
+After you finish reviewing the existing Windows Firewall with Advanced Security implementation goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design.
+> [!IMPORTANT]
+> The first three designs presented in this guide build on each other to progress from simpler to more complex. Therefore during deployment, consider implementing them in the order presented. Each deployed design also provides a stable position from which to evaluate your progress, and to make sure that your goals are being met before you continue to the next design.
->**Important:** The first three designs presented in this guide build on each other to progress from simpler to more complex. Therefore during deployment, consider implementing them in the order presented. Each deployed design also provides a stable position from which to evaluate your progress, and to make sure that your goals are being met before you continue to the next design.
-
-Use the following table to determine which Windows Firewall with Advanced Security design maps to the appropriate combination of Windows Firewall with Advanced Security deployment goals for your organization. This table refers only to the Windows Firewall with Advanced Security designs as described in this guide. However, you can create a hybrid or custom Windows Firewall with Advanced Security design by using any combination of the Windows Firewall with Advanced Security deployment goals to meet the needs of your organization.
+Use the following table to determine which Windows Firewall with Advanced Security design maps to the appropriate combination of Windows Firewall with Advanced Security implementation goals for your organization. This table refers only to the Windows Firewall with Advanced Security designs as described in this guide. However, you can create a hybrid or custom Windows Firewall with Advanced Security design by using any combination of the Windows Firewall with Advanced Security implementation goals to meet the needs of your organization.
| Deployment Goals | Basic Firewall Policy Design | Domain Isolation Policy Design | Server Isolation Policy Design | Certificate-based Isolation Policy Design |
| - |- | - | - | - |
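Review bot: The table header in the trailing context still reads "Deployment Goals" while the two paragraphs above it were changed to "implementation goals", so the column no longer matches the text that introduces it. Update the header cell in this hunk, or note why the table keeps the old term.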
diff --git a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
index b055c8d636..9a78732eb3 100644
--- a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
+++ b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
@@ -1,6 +1,6 @@
---
title: Modify GPO Filters (Windows 10)
-description: Modify GPO Filters to Apply to a Different Zone or Version of Windows
+description: Learn how to modify GPO filters to apply to a different zone or version of windows in Windows Defender Firewall with Advanced Security.
ms.assetid: 24ede9ca-a501-4025-9020-1129e2cdde80
ms.reviewer:
ms.author: dansimp
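Review bot: The new `description` line writes the product name in lowercase ("version of windows"); the line it replaces had "Version of Windows". Change it to "a different zone or version of Windows".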
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
index e00e35ccff..63c6cbf6d2 100644
--- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
@@ -1,6 +1,6 @@
---
title: Open the Group Policy Management Console to IP Security Policies (Windows 10)
-description: Open the Group Policy Management Console to IP Security Policies
+description: Learn how to open the Group Policy Management Console to IP Security Policies to configure GPOs for earlier versions of the Windows operating system.
ms.assetid: 235f73e4-37b7-40f4-a35e-3e7238bbef43
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
index bce220a506..134a6bb928 100644
--- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
@@ -1,6 +1,6 @@
---
-title: Open a GPO to Windows Defender Firewall (Windows 10)
-description: Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security
+title: Group Policy Management of Windows Defender Firewall (Windows 10)
+description: Group Policy Management of Windows Defender Firewall with Advanced Security
ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760
ms.reviewer:
ms.author: dansimp
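Review bot: The new `title` drops the action the page documents: the file is still named open-the-group-policy-management-console-to-windows-firewall.md, and the sibling page keeps "Open the Group Policy Management Console to IP Security Policies". "Group Policy Management of Windows Defender Firewall" reads as an overview topic rather than a procedure. The new `description` is also just the title again with "with Advanced Security" appended. Suggest keeping an "Open ..." title and giving the description a sentence, as done for the other procedure pages in this patch.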
@@ -17,7 +17,7 @@ ms.topic: conceptual
ms.date: 04/02/2017
---
-# Open the Group Policy Management Console to Windows Defender Firewall
+# Group Policy Management of Windows Defender Firewall
**Applies to**
- Windows 10
diff --git a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
index cbf3fd9257..3d67c96d9d 100644
--- a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
@@ -1,6 +1,6 @@
---
title: Open Windows Defender Firewall with Advanced Security (Windows 10)
-description: Open Windows Defender Firewall with Advanced Security
+description: Learn how to open the Windows Defender Firewall with Advanced Security console. You must be a member of the Administrators group.
ms.assetid: 788faff2-0f50-4e43-91f2-3e2595c0b6a1
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
index 100858ecbe..b2b2a0467b 100644
--- a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
+++ b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
@@ -1,6 +1,6 @@
---
title: Planning Certificate-based Authentication (Windows 10)
-description: Planning Certificate-based Authentication
+description: Learn how a device unable to join an Active Directory domain can still participate in an isolated domain by using certificate-based authentication.
ms.assetid: a55344e6-d0df-4ad5-a6f5-67ccb6397dec
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
index f37a7ebdea..5a7fcb44a2 100644
--- a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
@@ -1,6 +1,6 @@
---
title: Planning Domain Isolation Zones (Windows 10)
-description: Planning Domain Isolation Zones
+description: Learn how to use information you have gathered to make decisions about isolation zones for your environment in Windows Defender Firewall with Advanced Security.
ms.assetid: 70bc7c52-91f0-4a0d-a64a-69d3ea1c6d05
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
index 188f4f2556..831200cf48 100644
--- a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
+++ b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
@@ -1,6 +1,6 @@
---
title: Planning GPO Deployment (Windows 10)
-description: Planning GPO Deployment
+description: Learn how to use security group filtering and WMI filtering to provide the most flexible options for applying GPOs to devices in Active Directory.
ms.assetid: b38adfb1-1371-4227-a887-e6d118809de1
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
index 991bdcec0d..22f031c902 100644
--- a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
@@ -1,6 +1,6 @@
---
title: Planning Group Policy Deployment for Your Isolation Zones (Windows 10)
-description: Planning Group Policy Deployment for Your Isolation Zones
+description: Learn how to plan a group policy deployment for your isolation zones after you determine the best logical design for your isolation environment.
ms.assetid: ea7c0acd-af28-4347-9d4a-4801b470557c
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
index 2183c3f911..cef2c16969 100644
--- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
@@ -1,6 +1,6 @@
---
title: Planning Isolation Groups for the Zones (Windows 10)
-description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs
+description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs.
ms.assetid: be4b662d-c1ce-441e-b462-b140469a5695
ms.reviewer:
ms.author: dansimp
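Review bot: The only change to the `description` line is the trailing period, which leaves "Microsoft Firewall" in place. Every other description in this patch names the product "Windows Defender Firewall with Advanced Security". Since the line is being touched anyway, correct the product name in the same edit.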
diff --git a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
index 3043878e04..5cb6ff075c 100644
--- a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
+++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
@@ -1,6 +1,6 @@
---
title: Planning Network Access Groups (Windows 10)
-description: Planning Network Access Groups
+description: Learn how to implement a network access group for users and devices that can access an isolated server in Windows Defender Firewall with Advanced Security.
ms.assetid: 56ea1717-1731-4a5d-b277-5a73eb86feb0
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
index f42eca057b..b1af014fa5 100644
--- a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
@@ -1,6 +1,6 @@
---
title: Planning Server Isolation Zones (Windows 10)
-description: Planning Server Isolation Zones
+description: Learn how to restrict access to a server to approved users by using a server isolation zone in Windows Defender Firewall with Advanced Security.
ms.assetid: 5f63c929-589e-4b64-82ea-515d62765b7b
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
index 8138bd8ee1..5a8cd1a017 100644
--- a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
+++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
@@ -1,6 +1,6 @@
---
title: Planning Settings for a Basic Firewall Policy (Windows 10)
-description: Planning Settings for a Basic Firewall Policy
+description: Learn how to design a basic policy for Windows Defender Firewall with Advanced Security, the settings and rules that enforce your requirements on devices.
ms.assetid: 4c90df5a-3cbc-4b85-924b-537c2422d735
ms.reviewer:
ms.author: dansimp
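Review bot: The new `description` line tacks "the settings and rules that enforce your requirements on devices" onto the sentence after a comma, leaving it unclear how that phrase relates to the rest. Suggest "Learn how to design a basic policy for Windows Defender Firewall with Advanced Security, including the settings and rules that enforce your requirements on devices."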
diff --git a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
index 78c49adcca..80b776ca44 100644
--- a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
@@ -1,6 +1,6 @@
---
title: Planning the GPOs (Windows 10)
-description: Planning the GPOs
+description: Learn about planning Group Policy Objects for your isolation zones in Windows Defender Firewall with Advanced Security, after you design the zone layout.
ms.assetid: 11949ca3-a11c-4a16-b297-0862432eb5b4
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
index 6992965186..2caa25566a 100644
--- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
@@ -1,6 +1,6 @@
---
title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows 10)
-description: Planning Your Windows Defender Firewall with Advanced Security Design
+description: After you gather the relevant information, select the design or combination of designs for Windows Defender Firewall with Advanced Security in your environment.
ms.assetid: f3ac3d49-ef4c-4f3c-a16c-e107284e169f
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
index 2d37487be2..643f41ab14 100644
--- a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
+++ b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
@@ -1,6 +1,6 @@
---
title: Procedures Used in This Guide (Windows 10)
-description: Procedures Used in This Guide
+description: Refer to this summary of procedures for Windows Defender Firewall with Advanced Security from checklists in this guide.
ms.assetid: 45c0f549-e4d8-45a3-a600-63e2a449e178
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
index a3ca3c4b6e..a05d8eb5a3 100644
--- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
+++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
@@ -1,6 +1,6 @@
---
-title: Protect Devices from Unwanted Network Traffic (Windows 10)
-description: Protect Devices from Unwanted Network Traffic
+title: Protect devices from unwanted network traffic (Windows 10)
+description: Learn how running a host-based firewall on every device in your organization can help protect against attacks as part of a defense-in-depth security strategy.
ms.assetid: 307d2b38-e8c4-4358-ae16-f2143af965dc
ms.reviewer:
ms.author: dansimp
@@ -17,7 +17,7 @@ ms.topic: conceptual
ms.date: 04/19/2017
---
-# Protect Devices from Unwanted Network Traffic
+# Protect devices from unwanted network traffic
**Applies to**
- Windows 10
diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
index 4f5c2b1cb0..a79aedce9d 100644
--- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
+++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
@@ -1,6 +1,6 @@
---
title: Require Encryption When Accessing Sensitive Network Resources (Windows 10)
-description: Require Encryption When Accessing Sensitive Network Resources
+description: Windows Defender Firewall with Advanced Security allows you to require that all network traffic in an isolated domain be encrypted.
ms.assetid: da980d30-a68b-4e2a-ba63-94726355ce6f
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
index cbdd8e51d9..27007f7718 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
@@ -1,6 +1,6 @@
---
-title: Restrict Access to Only Trusted Devices (Windows 10)
-description: Restrict Access to Only Trusted Devices
+title: Restrict access to only trusted devices (Windows 10)
+description: Windows Defender Firewall with Advanced Security enables you to isolate devices you trust and restrict access of untrusted devices to trusted devices.
ms.assetid: bc1f49a4-7d54-4857-8af9-b7c79f47273b
ms.reviewer:
ms.author: dansimp
@@ -17,7 +17,7 @@ ms.topic: conceptual
ms.date: 08/17/2017
---
-# Restrict Access to Only Trusted Devices
+# Restrict access to only trusted devices
**Applies to**
- Windows 10
@@ -27,7 +27,8 @@ Your organizational network likely has a connection to the Internet. You also li
To mitigate this risk, you must be able to isolate the devices you trust, and restrict their ability to receive unsolicited network traffic from untrusted devices. By using connection security and firewall rules available in Windows Defender Firewall with Advanced Security, you can logically isolate the devices that you trust by requiring that all unsolicited inbound network traffic be authenticated. Authentication ensures that each device or user can positively identify itself by using credentials that are trusted by the other device. Connection security rules can be configured to use IPsec with the Kerberos V5 protocol available in Active Directory, or certificates issued by a trusted certification authority as the authentication method.
->**Note:** Because the primary authentication method recommended for devices that are running Windows is to use the Kerberos V5 protocol with membership in an Active Directory domain, this guide refers to this logical separation of computers as *domain isolation*, even when certificates are used to extend the protection to devices that are not part of an Active Directory domain.
+> [!NOTE]
+> Because the primary authentication method recommended for devices that are running Windows is to use the Kerberos V5 protocol with membership in an Active Directory domain, this guide refers to this logical separation of computers as *domain isolation*, even when certificates are used to extend the protection to devices that are not part of an Active Directory domain.
The protection provided by domain isolation can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations.
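Review bot: In the rewritten note, "this logical separation of computers" is the only place this paragraph says "computers"; the surrounding text says "devices" throughout. Since the line is already being rewritten for the `> [!NOTE]` syntax, change it to "logical separation of devices" in the same edit.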
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
index dbffb1b8f1..8286d47f26 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
@@ -1,6 +1,6 @@
---
title: Server Isolation GPOs (Windows 10)
-description: Server Isolation GPOs
+description: Learn about required GPOs for isolation zones and how many server isolation zones you need in Windows Defender Firewall with Advanced Security.
ms.assetid: c97b1f2f-51d8-4596-b38a-8a3f6f706be4
ms.reviewer:
ms.author: dansimp
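Review bot: The `title` context line stays as "Server Isolation GPOs (Windows 10)" while restrict-access-to-only-trusted-devices.md in this same patch moves its title to sentence case. The same applies to the two server-isolation-policy-design files that follow. Either sentence-case these titles here as well or leave all of them alone, so the table of contents does not end up mixed.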
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
index b93e884682..daba2b5e2c 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
@@ -1,6 +1,6 @@
---
title: Server Isolation Policy Design Example (Windows 10)
-description: Server Isolation Policy Design Example
+description: Learn about server isolation policy design in Windows Defender Firewall with Advanced Security by referring to this example of a fictitious company.
ms.assetid: 337e5f6b-1ec5-4b83-bee5-d0aea1fa5fc6
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
index 1eeea3dc76..d5c4333424 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
@@ -1,6 +1,6 @@
---
title: Server Isolation Policy Design (Windows 10)
-description: Server Isolation Policy Design
+description: Learn about server isolation policy design, where you assign servers to a zone that allows access only to members of an approved network access group.
ms.assetid: f93f65cd-b863-461e-ab5d-a620fd962c9a
ms.reviewer:
ms.author: dansimp
@@ -43,13 +43,14 @@ Characteristics of this design include the following:
To add support for server isolation, you must ensure that the authentication methods are compatible with the requirements of the isolated server. For example, if you want to authorize user accounts that are members of a NAG in addition to authorizing computer accounts, you must enable both user and computer authentication in your connection security rules.
->**Important:** This design builds on the [Domain Isolation Policy Design](domain-isolation-policy-design.md), which in turn builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md). If you plan to deploy all three designs, do the design work for all three together, and then deploy in the sequence presented.
+> [!IMPORTANT]
+> This design builds on the [Domain Isolation Policy Design](domain-isolation-policy-design.md), which in turn builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md). If you plan to deploy all three designs, do the design work for all three together, and then deploy in the sequence presented.
This design can be applied to devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules.
For more info about this design:
-- This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md), and [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md).
+- This design coincides with the implementation goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md), and [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md).
- To learn more about this design, see [Server Isolation Policy Design Example](server-isolation-policy-design-example.md).
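Review bot: The changed bullet still links with the text "[Restrict Access to Only Trusted Devices]", but this patch renames that page's title and H1 to "Restrict access to only trusted devices". Update the link text to match the new heading, and check the other three link texts in the same bullet against their target pages. Also confirm that "implementation goals" is the term used on those goal pages, since the wording changes here from "deployment goals" without any visible change on the targets.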
diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
new file mode 100644
index 0000000000..6071427eda
--- /dev/null
+++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
@@ -0,0 +1,1328 @@
+---
+title: Troubleshooting UWP App Connectivity Issues in Windows Firewall
+description: Troubleshooting UWP App Connectivity Issues in Windows Firewall
+
+ms.reviewer:
+ms.author: dansimp
+ms.prod: w10
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: dansimp
+manager: dansimp
+ms.collection: M365-security-compliance
+ms.topic: troubleshooting
+---
+
+# Troubleshooting UWP App Connectivity Issues
+
+This document is intended to help network admins, support engineers, and developers to
+investigate UWP app network connectivity issues.
+
+This document guides you through steps to debug Universal Windows Platform (UWP) app network connectivity issues by providing practical examples.
+
+## Typical causes of connectivity issues
+
+UWP app network connectivity issues are typically caused by:
+
+1. The UWP app was not permitted to receive loopback traffic. This must be configured. By default, UWP apps are not allowed to receive loopback traffic.
+2. The UWP app is missing the proper capability tokens.
+3. The private range is configured incorrectly. For example, the private range is set incorrectly through GP/MDM policies, etc.
+
+To understand these causes more thoroughly, there are several concepts to review.
+
+The traffic of network packets (what's permitted and what’s not) on Windows is determined by the Windows Filtering Platform (WFP). When a UWP app
+or the private range is configured incorrectly, it affects how the UWP app’s network traffic will be processed by WFP.
+
+When a packet is processed by WFP, the characteristics of that packet must explicitly match all the conditions of a filter to either be permitted or dropped to its target address. Connectivity issues typically happen when the packet does not match any of the filter conditions, leading the packet to be dropped by a default block filter. The presence of the default block
+filters ensures network isolation for UWP applications. Specifically, it guarantees a network drop for a packet that does not have the correct capabilities for the resource it is trying to reach. This ensures the application’s granular access to each resource type and preventing the application from escaping its environment.
+
+For more information on the filter arbitration algorithm and network isolation,
+see [Filter
+Arbitration](https://docs.microsoft.com/windows/win32/fwp/filter-arbitration)
+and
+[Isolation](https://docs.microsoft.com/windows/win32/secauthz/appcontainer-isolation).
+
+The following sections cover debugging case examples for loopback and non-loopback UWP app network connectivity issues.
+
+> [!NOTE]
+> As improvements to debugging and diagnostics in the Windows Filtering Platform are made, the trace examples in this document may not exactly match the
+traces collected on previous releases of Windows.
+
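Review bot: In the front matter of the new file, `description` repeats `title` word for word ("Troubleshooting UWP App Connectivity Issues in Windows Firewall"), which is the pattern the rest of this patch replaces with real summaries. Write a one-sentence description of what the page covers (loopback, capability and private-range causes, debugged through WFP traces). Also remove the blank line between `description:` and `ms.reviewer:`. In the `> [!NOTE]` block, the continuation line "traces collected on previous releases of Windows." is missing its leading `> `. Finally, "This ensures the application's granular access to each resource type and preventing the application from escaping its environment" mixes verb forms; use "and prevents".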
+## Debugging UWP App Loopback scenarios
+
+If you need to establish a TCP/IP connection between two processes on the same host where one of them is a UWP app, you must enable loopback.
+
+To enable loopback for client outbound connections, run the following at a command prompt:
+
+```console
+CheckNetIsolation.exe LoopbackExempt -a -n=